6/2/2025 Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities? Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons. A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities. This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA. What Happened? In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data. While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA. After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA. Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative. Streamlining the SRA with Software When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI. With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI. To learn more about how your organization can easily complete the SRA, meet with a compliance expert today.
BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access
May 29, 2025 A successful practice is built upon a strong foundation of well-trained and aware staff. Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine. Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.” What Happened? In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well. This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later. After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access. This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges. Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose. Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review. While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences. Training and Monitoring Staff with Abyde Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error. Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI. With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice.
Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers
May 19, 2025 HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized. The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes: “Cybersecurity threats affect large and small covered healthcare providers.” Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR. This fine showcases that no practice, big or small, must be followed to keep patient data safe. What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation. The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data. The SRA is critical for a compliant practice and should be completed annually and after any breaches. While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document. In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule. The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring. Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR. Meet with an expert today to learn how to automate your compliance program.
Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach
4.24.25 As we head into the middle of the year, it’s safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties being announced weekly. The latest fine showcases that the OCR can and will investigate breaches no matter your organization’s size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprised of over a hundred health practices throughout the state. PIH’s HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization due to a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes. What Happened? In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk. While the phishing attempt occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020. When a breach impacts over 500 patients, time is of the essence. Parties must be notified within 60 days of the breach, including widespread press releases for the media. More issues were brought to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs. This is at the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place. Overall, this successful phishing attempt revealed inadequacies and several HIPAA violations. In addition, the organization’s failure to notify the OCR and patients promptly also contributed to the severity of the fine. Protecting Patient Data The healthcare industry’s sensitive data makes it the prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training to avoid suspicious emails and, in general, risk mitigation techniques. Healthcare practices must always address the breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach’s impact and understand how to monitor their data. No matter the organization’s size, using smart software can help simplify compliance, avoid significant fines, and reduce patient data risk. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to secure patient Protected Health Information (PHI). To learn more about how your practice can streamline common HIPAA violations, schedule a meeting with a compliance expert today.
Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis
April 17, 2025 Let’s make this clear: The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is the proactive assessment of your practices’ physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity protocols, like firewalls, antivirus software, encryption, and other security measures. Lastly, the administrative safeguards are your practice’s actions, such as using visitor IDs, maintaining a sign-in sheet, or even posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement. This focus has remained consistent even during administration transitions. Said best by OCR Acting Director Anthony Archeval, “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.” What Happened? Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging clinical services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients’ Protected Health Information (PHI). The breach, which occurred from April 2019 to January 2020, was caused by unauthorized individuals accessing radiology images of patients due to a compromised server. When the OCR began investigating the practice in March 2020, it was discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP). Completing an SRA NERAD’s HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, addressing problems before patients’ information is at risk is much easier. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA mandates practices to analyze and review existing procedures thoroughly, this process doesn’t need to be overwhelming or costly. With smart solutions, your practice can answer simple questions about your practice while the software intuitively builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.
Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine
March 27, 2025 With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI). The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide. After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP). At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities. This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement. This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement. What Happened? In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue. Four breach reports describing this incident were filed from the end of 2018 into early 2019. This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024. The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities. As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years. How to Protect Your Organization When working with PHI, all involved parties must know their responsibilities. For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities. Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.
Denied, Delayed, Fined: OHSU’s $200K HIPAA Fine
March 13, 2025 Oregon Health & Science University (OHSU), an academic research institution with public health centers, is the latest Covered Entity to be fined for a HIPAA Right of Access violation. Unfortunately, Right of Access fines are common, usually sparked by a patient complaint. OHSU’s violation was no different, with a patient waiting for records much longer than the 30-day federal requirement. This 53rd Right of Access rule enforcement showcases the critical importance of prioritizing patient requests. What Happened? A patient of OHSU required their medical records, and a medical representative requested records multiple times for years. The representative’s initial written request was on April 24, 2019. At first, OHSU quickly addressed this request, having a Business Associate provide medical records to the representative by April 29, 2019. However, these were partial records, not including all of the vital information the patient needed. The representative sent another request at the beginning of November 2019, which OHSU incorrectly denied due to a missing date. The representative submitted another request at the end of the month, which OHSU once again erroneously denied, this time for invoices. When OHSU again only provided partial records after the representative asked for the records in May 2020, the representative filed a complaint with the Office for Civil Rights (OCR). After another denial of medical records in July, the OCR closed the case in September, providing OHSU technical assistance to properly send medical records. However, the records were still not provided as of January 2021, when the representative submitted a second complaint to the OCR. The OCR notified the university on August 21, 2021. Within the week, OHSU provided the representative with medical records. All medical records were sent to the representative by the end of September. Over two years had passed from the first request in April 2019 to finally receiving the records in late 2021. This request’s drawn-out, back-and-forth nature resulted in OHSU being fined a $200,000 Civil Monetary Penalty. Prioritize Patient Requests Almost half a million patient complaints have been received from the OCR. By prioritizing patient requests for records, your practice can avoid potential investigations, fines, and in general, unhappy patients. When working in healthcare, your goal is to provide the best care for patients. Ignoring patients’ needs will leave them unhappy and dissatisfied, seriously impacting the overall quality of care your practice can provide. Intelligent compliance software solutions allow your practice to proactively identify and address vulnerabilities while educating staff on essential compliance requirements. By streamlining compliance, your staff can be well aware of the importance of prioritizing patient requests, leading to a more successful practice with higher patient satisfaction. To learn more about simplifying compliance, schedule a consultation with a compliance expert.
Warby Parker’s $1.5 Million HIPAA Fine: A Security Risk Analysis Eye-Opener
March 6, 2025 Warby Parker, the popular prescription eyewear retailer with a strong online presence and expanding physical stores, was recently fined $1.5 million for a HIPAA violation. This enforcement highlights that no matter how big your organization is, the government can and will investigate breaches of PHI. In 2025, the Office for Civil Rights (OCR) has issued over $5 million in fines so far, almost all of which involved a missing Security Risk Analysis (SRA). The SRA thoroughly assesses your practice’s physical, technical, and administrative safeguards for securing patient Protected Health Information (PHI). The Warby Parker fine is a stark reminder that the SRA, a detailed examination of your PHI safeguards, is not just a recommendation; it’s a necessity. What Happened? In late 2018, Warby Parker experienced numerous unusual login attempts on its site. It was discovered that customer logins were breached through credential stuffing or when information was pulled from unrelated breaches. For example, a customer’s login was likely reused on another hacked site. The OCR began its investigation in December 2018, but the flurry of attacks continued. Warby Parker, which also provides eye exams, issued several addendums to its initial breach report, revealing that additional customer and patient accounts were compromised. Additional attacks occurred in 2020 and 2022. Overall, these cybercrimes impacted almost 200,000 patients. As the OCR investigated Warby Parker, it discovered that Warby Parker did not conduct an adequate security risk analysis, implement sufficient technical safeguards to prevent further attacks, or regularly review system access. These failures to protect PHI led to a $1.5 million Civil Monetary Penalty (CMP), demonstrating that even massive organizations need to comply with HIPAA requirements. How to Protect Your Organization The first step to HIPAA compliance for your practice is proactively maintaining an SRA. By evaluating and identifying your vulnerabilities, your practice can address these weaknesses before they become serious problems. As stated before, no matter how small or large your organization is, you must complete the SRA annually. Regular reviews of PHI access are essential to identify and address breaches promptly, minimizing the number of affected patients. Implementing an access log is crucial as well, ensuring staff is held accountable for documenting when they interact with PHI. Utilizing a compliance software solution can alleviate the stress of managing numerous requirements. Software solutions can streamline compliance and offer a SRA and an access log within the program. By outsourcing compliance, your team can focus more time on patient care. To learn how to simplify HIPAA compliance for your practice, schedule a consultation with a compliance expert today.
Choose Your Business Associates Wisely: An $80K Mistake
January 8, 2025 As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently on a federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied a $80,000 fine due to numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select Business Associates (BAs) who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure. What Happened? Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA didn’t realize the intrusion of its firewalls for over a week until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of social security numbers, addresses, and other personally identifiable information were leaked from the attack. When Elgon was investigated, it was uncovered that the organization failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is at the foundation of a successful practice or business, giving an organization a benchmark on how it handles PHI and how it can improve. This fine is also the second enforcement of the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment. How to Protect Your Organization Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when the proper procedures are not followed, exposing the personal information of thousands of patients. To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data. For BAs, having the proper safeguards in place is vital, earning trust from Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required when working with Business Associates and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify they are enforcing the proper safeguards on a yearly basis, certified by a compliance expert. Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.
The Price of Delay: A Costly HIPAA Lesson
December 2, 2024 Over a million dollars in HIPAA fines have been levied in the past few months, and like this winter’s snow, the fines continue to pile up, with a $100,000 fine recently announced. Last week, Rio Hondo Community Mental Health Center, an outpatient program managed by the Los Angeles Department of Health, was fined for a Right of Access violation. This marks the 51st enforcement of the Right of Access rule, highlighting the importance of handling patient records in a timely manner. What Happened? A patient requested a copy of their records on March 18, 2020. As we all know, March 2020 was marked by the beginning of the unprecedented COVID-19 virus, which led to the mental health center’s closure after the Governor of California put into action a “stay-at-home” order. However, the center reopened at the beginning of May 2020, allowing some staff to return to the facility. While the patient was told her records would be ready at this time, she was misinformed and began the summer with a flurry of calls and other forms of contact to request her medical records. After her requests were unfulfilled several times, the patient filed a complaint with the Office for Civil Rights (OCR) at the end of August 2020. The OCR then began investigating the Rio Hondo at the beginning of October. The medical records were finally sent on October 20, 2020, 216 days after the first request. The Right of Access rule requires Covered Entities to provide patients with their medical records within 30 days of the initial request. While the medical center was under a “stay-at-home” order during those 30 days, this was still significantly longer than the extension period of an additional 30 days and could have been handled when it was first deemed safe for staff to return to the medical center. This fine comes after a series of Right of Access fines, including another significant fine of $70,000 imposed at the end of October. The numerous fines issued this past year regarding the Right of Access initiative demonstrate the government’s commitment to this important aspect of patients’ rights. Protect Your Practice from Costly Mistakes Even during the peak of the global health crisis, HIPAA regulations stayed in effect. Implementing software solutions can help safeguard your practice. To ensure your staff remains compliant, it is highly recommended to use automated software that keeps you and your team in check, regardless of the circumstances. Schedule a consultation today to learn more about automated compliance for your practice.