July 9, 2025

Handling a HIPAA investigation is stressful enough. Add a ransomware attack to the mix? A HIPAA nightmare. The Office for Civil Rights (OCR) announced its first fine under the latest Director, Paula M. Stannard: a behavioral health organization fined $225,000 and placed under a two-year Corrective Action Plan (CAP). The fine was the culmination of several violations, but at its core was the lack of a Security Risk Analysis (SRA). This latest enforcement highlights the OCR's ongoing heightened enforcement and the importance of a thorough, proactive compliance program before issues occur.

What Happened?

The behavioral health provider, Deer Oaks, a Texas-based Covered Entity, was first investigated in May 2023 following a patient complaint. It was discovered that a pilot online patient portal had not been properly coded, publicly exposing 35 patients' Protected Health Information (PHI). This PHI included sensitive discharge paperwork and medical assessments that were easily accessible online. Unfortunately, this was only the beginning of the investigation for Deer Oaks. The OCR expanded its investigation when the behavioral health provider suffered a ransomware attack in August 2023. A malicious actor used a compromised account and held over 170,000 patients' information for ransom. While there is no confirmation of whether the provider paid the ransom, improper account security led to this massive breach.

With two major HIPAA breaches within three months, the OCR didn't have to dig deep to find the common thread: the missing SRA. The SRA is a thorough assessment of the potential vulnerabilities a practice might face. In this situation, an SRA could have identified the portal or account password management as a concern, allowing the practice to address these issues proactively.

From the initial investigation triggered by a patient complaint in May 2023 to the ransomware breach in August, the OCR fined the practice nearly a quarter of a million dollars and mandated two years of government oversight. These costly few months serve as a valuable lesson in proactive compliance.

Protecting Your Practice

A lapse in compliance, no matter how short, can lead to serious consequences. That's why proactive compliance is essential. Need a wake-up call? Over $7 million in fines have been levied since the beginning of 2025. The OCR has heightened its enforcement, already eclipsing the number of penalties from last year. As the OCR continues enforcing HIPAA legislation, a robust compliance program is vital for your practice's success. With the right solution, your practice can streamline HIPAA compliance and easily complete requirements like the SRA without disrupting your practice's workflow. Meet with a compliance expert today to learn more about streamlining HIPAA compliance for your practice.
Small Practices, Big Fines: Understanding HIPAA Penalties
July 7, 2025

Did you know that over half of physicians work in small medical practices with 10 or fewer physicians? You likely wear many hats when working in or even running your small practice, from taking care of patients to clerical work and, of course, HIPAA compliance. Although other priorities may push HIPAA compliance to the side, being compliant is essential for the success of your practice. It's a common misconception that the Office for Civil Rights (OCR) will not investigate a small practice if an issue occurs. The OCR has fined several small practices recently, with ramped-up enforcement nearing $10 million within the year's first half. Here are some of the most recent fines imposed on small medical practices and how your practice can avoid them.

The SRA Superpower

Comprehensive Neurology, PC, a small neurology practice in New York, was recently fined $25,000 after a ransomware attack exposed the practice's insufficient protections for securing Protected Health Information (PHI). Specifically, the practice did not have a Security Risk Analysis (SRA). The SRA is an annual assessment of your practice's administrative, technical, and physical safeguards, reviewing potential vulnerabilities. When handled properly, the SRA allows you to mitigate risks before a situation occurs. While commonly missed, the SRA is the foundation of a successful practice. To combat this, the OCR recently launched the Risk Analysis Initiative, which has brought increased scrutiny and led to nearly a million dollars in fines since its implementation late last year. Completing an SRA is paramount to protecting your small medical practice from similar enforcement. The SRA is a crucial protective barrier, proactively preventing issues before they escalate into significant problems. For instance, had the practice completed an SRA, it could have identified the technological shortcomings that led to the severity of the ransomware attack.

Alert the Press!

Vision Upright MRI, a small California healthcare provider focused on medical imaging, was fined $5,000 in May. In addition to missing an SRA following a breach, the small practice did not adequately inform patients. Under the Breach Notification Rule, relevant parties, such as impacted patients, the OCR, and, depending on the size of the breach, the media and more, must all be notified following a breach. Being informed lets patients decide how to secure their information, and the practice should pay for credit monitoring. With over 21,000 patients' PHI compromised, the practice needed to notify several parties quickly. Regardless of the breach's size, a practice must inform all affected patients within 60 days of discovery. However, because this breach affected over 500 patients, the OCR and the media also had to be notified within that time frame, as did the state attorney general in some states (like California). Once you have mitigated the situation and understood the full scope, it's time to alert all necessary parties. If the breach impacts fewer than 500 patients, patients still need to be notified within 60 days, but the practice must notify the OCR within 60 days of the end of the calendar year in which the breach occurred.

Deliver Records Swiftly

Gums Dental Care LLC, a small dental practice in Maryland, was fined $70,000 after refusing to provide a patient's medical records. Under the HIPAA Privacy Rule, patients must receive their medical records within 30 days of request. This requirement, known as the Right of Access, is one of the most common violations. In this situation, Gums Dental Care provided records three years after the initial request. To avoid similar penalties, ensure all staff are trained to provide patient records promptly. Quickly addressing patient requests prioritizes their needs, secures your practice, and builds patient trust.

Simplifying Compliance for Your Small Practice

While following the complexities of HIPAA might feel overwhelming, with the right solution, it doesn't have to be. Intelligent software can streamline compliance for your practice, alleviating the responsibility and freeing time to spend with patients. Smart solutions also cover HIPAA's requirements, including the SRA, breach logs, and staff training. Schedule a consultation today to learn more about simplifying compliance for your small practice.
OSHA’s Rapid Response: Why Every Practice Needs a Safety Culture
June 19, 2025

The success of your practice hinges on the safety of your staff. When staff feel unsafe, OSHA quickly demonstrates its commitment to staff protection. A recent healthcare OSHA fine highlights how efficiently OSHA complaints are handled. Opulent Pediatrics faced expedited penalties just months after a staff complaint. From the case opening in March to its resolution in June, OSHA underscored the severity and importance it places on staff complaints. Complaints are also the most common way HIPAA investigations are initiated. This rapid response shows the need for practices to provide a safe work environment and foster a culture of compliance, empowering staff members to communicate needs and concerns.

What Happened?

In March 2025, a staff member of Opulent Pediatrics sent a formal complaint to OSHA about unsafe working conditions. The Roanoke regional office investigated the pediatric practice unannounced, giving the practice no time to address any concerns. The investigation found that the practice violated several safety requirements, including bloodborne pathogen safety, medical services and first aid unavailable to staff, improper handling of wiring and equipment, and insufficient hazard communication documentation. By April, OSHA had noted seven citations and issued an initial penalty of over $14,000. The practice appears to have been willing and cooperative, as the final fine totaled just over $2,000 by the abatement date in May.

Protecting Staff in Healthcare

While Opulent Pediatrics dodged a more significant fine, this enforcement action demonstrates OSHA's swift investigative response to complaints. From the initial investigation to its conclusion, the case took only three months. OSHA can and will investigate without notice, so ensure your OSHA program documentation is readily available.

With the right tools, ensuring staff safety can be simplified. In this case, training and proper documentation could have avoided these fines. Consider how an intelligent OSHA software solution centralizes training, such as for bloodborne pathogens and hazard communication, along with all other OSHA documentation, making it easily accessible to every staff member within a compliance hub. Moreover, by prioritizing safety in your practice, staff can feel empowered to communicate concerns. To learn more about streamlining OSHA compliance in your healthcare practice, schedule a consultation with an expert today.
Ransomware Reality Check: Business Associate Pays Big HIPAA Fine
6/2/2025

Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities? Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it gives an attacker a great deal of information to misuse. A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), a thorough assessment of an organization's potential vulnerabilities. This latest enforcement reflects the responsibility of BAs to uphold their commitments and of all HIPAA-regulated entities to complete and maintain an SRA.

What Happened?

In May 2022, a malicious actor gained access to Comstar's network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren't directly Comstar's, Comstar had assumed the responsibility of protecting their data. While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is the foundation of a compliant practice and a requirement of HIPAA. After this discovery, the organization was fined $75,000 and placed under a Corrective Action Plan (CAP), or government monitoring, for two years. Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the Risk Analysis Initiative. This fine is the 9th enforcement of that initiative.

Streamlining the SRA with Software

With fewer than 20% of BAs able to produce a compliant SRA when audited, completing the SRA is unfortunately a common oversight by regulated entities. This is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI. With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints the common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI. To learn more about how your organization can easily complete the SRA, meet with a compliance expert today.
BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access
May 29, 2025

A successful practice is built upon a strong foundation of well-trained and aware staff. Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, faced the consequences of an improper disclosure of PHI by a noncompliant staff member, brought to light by a patient complaint, in the latest HIPAA fine. Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, "allowing unrestricted access to patient health information can create an attractive target for a malicious insider."

What Happened?

In 2018, an unnamed complainant visited St. Joseph's Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she was contacted by an unknown person who sent her photos of her medical records and a video of a BayCare associate scrolling through her file. This led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later. The investigation found that BayCare failed to have policies and procedures for handling ePHI, failed to reduce risks, and did not review staff access. This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.

Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that the access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which requires that PHI is disclosed only to the extent needed for an authorized purpose. Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding the handling of PHI must be readily available for staff to review. While this situation did not lead to jail time, that is not unheard of in the medical field, so staff must also be aware of the consequences.

Training and Monitoring Staff with Abyde

Smart compliance solutions streamline training, policies and procedures, and access monitoring, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error. Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, keeping staff accountable when they review patient PHI. With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice.
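The BayCare case above turned on a staff member scrolling through a patient's chart without a work-related reason, which is exactly what a periodic review of EHR access logs is meant to catch. The following is an added example (written for this page, not Abyde's or BayCare's code) of two simple checks a practice can run over its audit log: views of a record by a user who is not on that patient's care team (a minimum-necessary check), and bursts of distinct records viewed by one user in a short window (the "scrolling" pattern). The log format, the care-team mapping, the user and patient identifiers, and the 5-minute / 4-record thresholds are all constructed assumptions; a real EHR exports a different schema and the thresholds should be tuned to the practice's own workflow.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: which workforce members have a treatment relationship
# with each patient (the "authorized purpose" for viewing that chart).
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.patel"},
    "P1002": {"dr.lee"},
    "P1003": {"rn.patel"},
    "P1004": {"dr.kim"},
    "P1005": {"dr.kim", "rn.patel"},
}

# Constructed sample audit log (hypothetical format):
# <ISO-8601 timestamp> <user> <patient id> <action>
AUDIT_LOG = """\
2025-05-01T09:02:11Z dr.lee P1001 VIEW_CHART
2025-05-01T09:05:40Z rn.patel P1001 VIEW_CHART
2025-05-01T13:10:02Z clerk.m P1001 VIEW_CHART
2025-05-01T13:10:15Z clerk.m P1002 VIEW_CHART
2025-05-01T13:10:27Z clerk.m P1003 VIEW_CHART
2025-05-01T13:10:39Z clerk.m P1004 VIEW_CHART
2025-05-01T13:10:50Z clerk.m P1005 VIEW_CHART
2025-05-02T08:00:00Z dr.lee P1002 VIEW_CHART
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def no_relationship(events, care_team):
    """Minimum-necessary check: chart views by users who are not on the
    patient's care team. Unknown patients have an empty care team, so every
    view of them is flagged rather than silently allowed."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def browsing_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Flag any user who views at least `threshold` distinct patient records
    within `window`, the pattern of someone paging through charts.
    Returns (user, start time, distinct patients) for the first burst per user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["patient"])
            if len(seen) >= threshold:
                findings.append((user, start["ts"], len(seen)))
                break  # one finding per user is enough for a review queue
    return findings


def review(text=AUDIT_LOG, care_team=CARE_TEAM):
    """Run both checks and return a summary suitable for a compliance review."""
    events = parse_log(text)
    return {
        "unauthorized_views": no_relationship(events, care_team),
        "bursts": browsing_bursts(events),
    }


if __name__ == "__main__":
    result = review()
    for e in result["unauthorized_views"]:
        print(f"REVIEW: {e['user']} viewed {e['patient']} at {e['ts']:%Y-%m-%d %H:%M} without a care-team link")
    for user, ts, n in result["bursts"]:
        print(f"REVIEW: {user} opened {n} distinct charts starting {ts:%Y-%m-%d %H:%M}")
```

Both findings point at the same user here, which is the point of the exercise: a privilege review would ask why a clerical account can open charts it has no relationship with, and a log review would surface the burst even if the account's broad access was intentional. Treat the output as a queue for a human reviewer, not as proof of misconduct; legitimate workflows (referrals, covering providers, billing) produce the same patterns and should be documented so they can be excluded.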
Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers
May 19, 2025

HIPAA compliance is not just a recommendation; it's a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized. The small California MRI center experienced a significant breach, and the fallout exposed several violations. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes: "Cybersecurity threats affect large and small covered healthcare providers." Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), monitored by the OCR. This fine shows that the rules must be followed by every practice, big or small, to keep patient data safe.

What Happened?

At the end of 2020, Vision Upright MRI experienced a breach of its systems due to an insecure server. This cybercrime exposed over 21,000 patients' medical images, leading to the OCR's investigation. The investigation found that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards for securing Protected Health Information (PHI). These safeguards include physical barriers the practice has implemented, like locked doors and alarms, and the administrative practices it follows, like routinely checking access to sensitive patient data. The SRA is critical for a compliant practice and should be completed annually and after any breach. While the SRA is a fundamental requirement, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices complete this requirement, and has reinstated its audit program to review whether regulated entities are maintaining this document.

In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule. The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold for a large breach, Vision Upright MRI also needed to notify the media and the OCR within the same 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring.

Streamlining HIPAA Compliance

Even a small practice can be HIPAA compliant without overwhelming resources. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, working through questions about the potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices in alerting patients and the OCR. Meet with an expert today to learn how to automate your compliance program.
Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach
4.24.25

As we head into the middle of the year, it's safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties announced weekly. The latest fine shows that the OCR can and will investigate breaches no matter your organization's size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprising over a hundred health practices throughout the state. PIH's HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization following a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes.

What Happened?

In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk. While the phishing attack occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020. When a breach impacts over 500 patients, time is of the essence: parties must be notified within 60 days of the breach, including press releases for the media. More issues came to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs. This is the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place. Overall, this successful phishing attack revealed inadequacies and several HIPAA violations. In addition, the organization's failure to notify the OCR and patients promptly also contributed to the severity of the fine.

Protecting Patient Data

The healthcare industry's sensitive data makes it a prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training on recognizing suspicious emails and on risk mitigation in general. Healthcare practices must always address breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach's impact and understand how to monitor their data. No matter the organization's size, smart software can help simplify compliance, avoid significant fines, and reduce the risk to patient data. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to do to secure patient Protected Health Information (PHI). To learn more about how your practice can streamline compliance and avoid common HIPAA violations, schedule a meeting with a compliance expert today.
Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis
April 17, 2025

Let's make this clear: the Security Risk Analysis (SRA) is the foundation of a compliant practice. The SRA is the proactive assessment of your practice's physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity controls, like firewalls, antivirus software, encryption, and other security measures. Lastly, administrative safeguards are your practice's policies and actions, such as using visitor IDs, maintaining a sign-in sheet, or rules about posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement, and this focus has remained consistent even through administration transitions. As OCR Acting Director Anthony Archeval put it, "A failure to conduct a risk analysis often foreshadows a future HIPAA breach."

What Happened?

Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients' Protected Health Information (PHI). The breach, which ran from April 2019 to January 2020, was caused by unauthorized individuals accessing patients' radiology images through a compromised server. When the OCR began investigating the practice in March 2020, it discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP).

Completing an SRA

NERAD's HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, it is much easier to address problems before patients' information is at risk. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA requires practices to analyze and review existing procedures thoroughly, the process doesn't need to be overwhelming or costly. With smart solutions, you can answer simple questions about your practice while the software builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.
Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine
March 27, 2025

With over $3.5 million in fines levied against Business Associates (BAs) so far in 2025, it's fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI). The latest BA HIPAA fine was imposed on the Health Fitness Corporation, which offers wellness plans nationwide. After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP). At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization's vulnerabilities. This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent OCR program to ensure regulated entities comply with this HIPAA requirement. This fine not only spotlights the importance of Business Associates following HIPAA, but also reminds all regulated entities to be aware of the Security Risk Analysis requirement.

What Happened?

In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered until June 2018, with an estimated 4,000 patients impacted by the security issue. Four breach reports describing this incident were filed from the end of 2018 into early 2019. This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024. The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities. As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.

How to Protect Your Organization

When working with PHI, all involved parties must know their responsibilities. For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third party with access to PHI is vital. BAAs define each party's responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually and whenever a breach occurs. Risks can be mitigated by staying on top of and informed about your organization's vulnerabilities. A smart software solution can streamline these requirements, including the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.
Denied, Delayed, Fined: OHSU’s $200K HIPAA Fine
March 13, 2025

Oregon Health & Science University (OHSU), an academic research institution with public health centers, is the latest Covered Entity to be fined for a HIPAA Right of Access violation. Unfortunately, Right of Access fines are common, usually sparked by a patient complaint. OHSU's violation was no different, with a patient waiting for records much longer than the 30-day federal requirement. This 53rd Right of Access enforcement shows the critical importance of prioritizing patient requests.

What Happened?

A patient of OHSU needed their medical records, and the patient's representative requested them repeatedly over several years. The representative's initial written request was on April 24, 2019. At first, OHSU quickly addressed this request, having a Business Associate provide medical records to the representative by April 29, 2019. However, these were partial records that did not include all of the vital information the patient needed. The representative sent another request at the beginning of November 2019, which OHSU incorrectly denied due to a missing date. The representative submitted another request at the end of the month, which OHSU once again erroneously denied, this time for invoices. When OHSU again provided only partial records after the representative asked for the records in May 2020, the representative filed a complaint with the Office for Civil Rights (OCR). After another denial of medical records in July, the OCR closed the case in September, providing OHSU technical assistance on properly sending medical records. However, the records had still not been provided as of January 2021, when the representative submitted a second complaint to the OCR. The OCR notified the university on August 21, 2021. Within the week, OHSU provided the representative with medical records, and all medical records were sent to the representative by the end of September.

Over two years had passed from the first request in April 2019 to finally receiving the records in late 2021. The drawn-out, back-and-forth nature of this request resulted in OHSU being fined a $200,000 Civil Monetary Penalty.

Prioritize Patient Requests

Almost half a million patient complaints have been received by the OCR. By prioritizing patient requests for records, your practice can avoid potential investigations, fines, and, in general, unhappy patients. When working in healthcare, your goal is to provide the best care for patients. Ignoring patients' needs will leave them unhappy and dissatisfied, seriously impacting the overall quality of care your practice can provide. Intelligent compliance software solutions allow your practice to proactively identify and address vulnerabilities while educating staff on essential compliance requirements. By streamlining compliance, your staff can be well aware of the importance of prioritizing patient requests, leading to a more successful practice with higher patient satisfaction. To learn more about simplifying compliance, schedule a consultation with a compliance expert.