On February 19, 2026, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with a substance use disorder treatment provider in Illinois for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The Risk Analysis provision of the Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information PHI (ePHI) they hold.
The settlement resolves an investigation initiated by OCR after the provider reported a breach in March 2023. A successful phishing attack allowed an unauthorized third party to access ePHI through a workforce member’s email account, compromising information for 1,980 patients. OCR’s investigation found that the provider had failed to conduct an accurate and thorough risk analysis as required under the HIPAA Security Rule.
Under the terms of the resolution agreement, the provider agreed to implement a corrective action plan monitored by OCR for two years and paid $103,000. The corrective action plan requires the provider to:
- Conduct and complete a thorough risk analysis to determine potential risks and vulnerabilities to ePHI;
- Develop and implement a risk management plan addressing identified security risks;
- Maintain and revise written policies and procedures to comply with HIPAA Privacy, Security, and Breach Notification Rules; and
- Provide annual training for workforce members who have access to ePHI on the organization’s HIPAA policies and procedures.
OCR recommends that HIPAA-covered healthcare providers, health plans, clearinghouses, and business associates take steps to mitigate or prevent cyber threats, including identifying where ePHI is located, how it flows through the organization, and how it is accessed and transmitted.
Compliance Perspective
Issue
The HIPAA Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of ePHI. This includes conducting thorough risk analyses to identify potential threats and vulnerabilities, implementing risk management strategies, maintaining written policies and procedures, and training the workforce on safeguards for ePHI. Failure to establish and follow effective security controls can increase the risk of data breaches, unauthorized access, and regulatory enforcement actions.
Discussion Points
- Review and update policies and procedures related to the security of ePHI, including risk analysis, risk management, access controls, and incident response. Policies should clearly define responsibilities for identifying and mitigating risks and align with HIPAA Security Rule requirements. Facilities may benefit from working with a compliance consultant to conduct targeted assessments and ensure policies meet current regulatory expectations.
- Train staff who use or maintain the organization’s computer systems on HIPAA Security Rule requirements, including conducting risk assessments and safeguarding ePHI. Include instruction on avoiding phishing, malware, unauthorized disclosures, and detecting and reporting security threats. Med-Net Academy offers the course HIPAA Security Rule Security Incident Procedures, which covers the background of the Security Rule, developing policies and procedures for security incidents, forming incident response teams, audit log review, threat mitigation, data backup strategies, documenting incidents, and breach reporting obligations.
- Periodically audit systems, processes, and access to ePHI to verify that policies are being followed and controls are effective. Audits can include vulnerability testing, access reviews, and mock assessments conducted in collaboration with external compliance support to identify gaps and inform corrective actions.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*