IT Administrative Rights and Requirements

This case illustrates why a HIPAA Security Officer must have administrative rights to their organization’s IT infrastructure. Even if the compliance officer does not know what to do with that access, holding it keeps control of the network with the organization: should you need to replace your IT administrator or IT vendor, you will not be held hostage. The case also shows the need to check references and, BEFORE you terminate someone, to make sure their access has already been removed.


In the incident below, a fired IT administrator used his elevated access to disable firewalls, delete company data, remove email security filters, and block the business from its own systems—crippling operations. If only a single IT employee holds full administrative control, the organization becomes vulnerable to sabotage, insider threats, and operational paralysis if that person is unavailable, leaves unexpectedly, or acts maliciously.

For HIPAA-regulated entities, losing access to security systems or audit logs can also prevent breach detection and reporting, creating compliance violations and potential fines. A HIPAA Security Officer with administrative rights ensures independent oversight, immediate access to critical systems, and the ability to secure PHI systems without relying solely on IT staff—safeguarding both security and compliance.

If you need assistance with IT services, we work with some of the best in the industry. Use the Contact Us page and we will send our recommendations.

5 Felony Charges for Palm Coast IT Administrator Accused of Launching Cyber Attack on His Company After He’s Fired

Taken from Flagler Live

A 41-year-old resident of Palm Coast was arrested on five felony charges following a Florida Department of Law Enforcement investigation that found him to have allegedly carried out a cyber-attack on his company’s computer infrastructure in retaliation for the company firing him. The attack crippled some of the company’s functions. 

“Dude I think I got my company in a choke hold,” the father of two young children, is alleged to have written in a message to someone after the cyber-attack. 

The Spice and Tea Exchange, an online and in-store retailer originally founded in St. Augustine and based in Palm Harbor, hired an IT System Administrator in mid-October 2024. (The FDLE refers to it as The Spice and Tea Company.) He was fired last Jan. 14. “Within minutes, the company’s firewall, E-mail, and physical security was infiltrated,” FDLE’s warrant states, resulting “in completed deletion of company data.”

A human resources executive at the company told the FDLE investigator that while his position was being eliminated, he had “displayed very concerning behaviors while employed,” such as having a short fuse. The day of the firing he was working from home. The HR executive called him at noon to let him know he was fired. The conversation lasted just under 10 minutes. 

According to the warrant, he “made several threatening statements prior to terminating the call. For one, [he] had stated ‘your company is not prepared for what is coming your way.’”

Almost as soon as he was fired the company would have disconnected him from its firewall and restricted access. That was to be done while the HR executive was still on the phone with him. But in what appeared to have been a movie-like race between IT employees, he was a step ahead of his ex-IT colleague at the Spice and Tea Exchange. He’d logged into the system at the same time that his colleague was racing to restrict access. He “overtook” him and the entirety of the business’ email access. The company “immediately lost access to the company firewall and emails,” the warrant states. He removed the firewall and obstructed business “continuity.” 

He’d left one of his company laptops at the office. His colleague opened it–there was no expectation of privacy with a company laptop–and noticed that his logon to his Chrome and Gmail accounts was automatic, and that it was syncing his other devices with his work computer, a violation of company policy. Within an hour or so of his firing, his history showed he had searched for “Florida Unemployment” and “Palm Coast Lawyers.” 

The colleague also discovered that an email filtering service blocking spam and malware had been removed, requiring 3,800 emails to be manually approved. The company was no longer able to log into its own firewall and eventually learned from Cisco Meraki, which provided the firewall data for the Exchange, that the company had been deleted from Meraki’s database. So, there were no logs of the attack he allegedly orchestrated. 

FDLE confirmed that the last user to make changes to the account had a username of his first initial and last name. FDLE also subpoenaed information from Google and was informed by Charter Communications of further data that led to his house in Palm Coast. Circuit Judge Chris France signed a search warrant, which was served on April 25. 

He acknowledged his role when he was IT administrator but denied accessing the firewall. 

France signed the FDLE warrant for his arrest on July 7. On Wednesday, he was driving his vehicle on State Road 11 in Flagler County when he was pulled over by a Flagler County Sheriff’s deputy, arrested, and taken to jail, where he was booked and soon released on $25,000 bond. 

He faces three charges of computer fraud, a charge of tampering with computer intellectual property and a charge of unlawful use of a two-way communication device. Four of the charges are third-degree felonies, each with a maximum penalty of five years in prison. One of the charges is a second-degree felony, with a 15-year maximum if convicted.

New I-9 Requirements

Although this is not a HIPAA requirement, it does affect every business.

Here are the highlights:

Updated Form I‑9

  • Businesses should use the new form dated January 20, 2025, with an expiration date of May 31, 2027, if they are not doing so already.
  • Prior editions dated August 1, 2023, remain valid until their respective expiration dates—either May 31, 2027 or July 31, 2026.
  • Employers using electronic I‑9 systems must update to reflect the form version with the May 31, 2027 expiration by July 31, 2026.

Key Form Changes

Section 1 terminology

  • The fourth citizenship attestation box now reads “An alien authorized to work”, replacing the former phrase “A noncitizen authorized to work.”

List B document descriptions

  • Minor updates include replacing the term “gender” with “sex” in two acceptable documents (e.g. driver’s license), for improved clarity.

Instructions and DHS Privacy Notice

  • Newly added statutory language and updated Department of Homeland Security Privacy Notice appear in the guidance section of the new form.

E-Verify & E‑Verify+ Updates (Effective April 3, 2025)

  • The citizenship status selection in E‑Verify and E‑Verify+ now displays “An alien authorized to work” for consistency, even if the legacy form still shows “A noncitizen authorized to work.”
  • For E‑Verify Web Services submissions, back‑end systems automatically convert the older phrasing to the updated version. Developers should ensure platforms transmit “An alien authorized to work” to maintain compliance.

Employer Responsibilities & Compliance Tips

  • Adopt the 01/20/2025 edition as soon as possible—especially for newly hired employees.
  • Continue using valid older editions until their expiration, but update your electronic systems by July 31, 2026 to the correct version expiration date.
  • Train HR and hiring staff on the updated language, document descriptions, and instruction changes.
  • Ensure E-Verify users select “An alien authorized to work” regardless of what appears on older I‑9 forms during data entry.

Summary

  • The new I-9 form adoption deadline for electronic systems is July 2026, but manual use of the updated form is recommended immediately.
  • The terminology and document description changes are minor—but important for alignment with federal law.
  • HR and compliance teams should confirm systems, forms, and procedures are updated to avoid inconsistencies or audit risks.

The new form and instructions can be found here: https://www.uscis.gov/i-9

Why HIPAA Compliance Matters When Outsourcing Your Medical Billing

As today’s healthcare organizations work to streamline operations and control administrative costs, outsourcing medical billing has emerged as a smart and efficient solution. However, while outsourcing medical billing can improve performance, it does not absolve you of your responsibility to protect patient data.

When third-party vendors handle patient information, ensuring HIPAA compliance becomes even more critical.

Whether you’re considering outsourcing for the first time or re-evaluating your current vendor, understanding how HIPAA impacts third-party billing is essential. In this post, we’ll break down what compliance really means, common risks to watch out for, and how choosing the right partner can make all the difference.

What Is HIPAA—and Why Does It Apply to Your Billing Vendor?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patients’ medical information and ensure that it’s used and stored securely. Any person or organization that handles protected health information (PHI)—including third-party billing companies—is legally obligated to follow HIPAA rules.

Here’s the catch: Just because you outsource billing doesn’t mean you outsource responsibility.

If your vendor mishandles PHI, your organization can still face the consequences—ranging from steep fines to lawsuits and reputational harm.

How HIPAA Applies to Outsourced Medical Billing

Under HIPAA, billing vendors are considered Business Associates. That means they must implement the same level of data privacy and security protections as healthcare providers.

To stay compliant, your billing partner should:

  • Sign a Business Associate Agreement (BAA) with your organization
  • Encrypt patient data during storage and transmission
  • Monitor and restrict employee access to PHI
  • Provide regular HIPAA training to all staff

HIPAA compliance isn’t just a box to check—it’s a shared responsibility that protects both your practice and your patients.

Common HIPAA Pitfalls in Outsourced Billing

Even experienced practices can run into trouble if the billing partner isn’t on top of compliance. Some common red flags include:

  • Sending PHI over unsecured email or messaging platforms
  • Poor handling or storage of patient information
  • Staff who haven’t been trained on HIPAA guidelines
  • Delayed reporting of potential data breaches

Your vendor should be able to clearly explain how they protect PHI—and provide documentation to back it up.

How to Choose a HIPAA-Compliant Billing Partner

When you’re evaluating a medical billing partner, cost and turnaround time matter—but HIPAA compliance should be non-negotiable.

Look for a billing provider that offers:

  • Secure systems with two-factor authentication
  • Routine internal audits and risk assessments
  • A signed and current Business Associate Agreement (BAA)
  • HIPAA-trained staff who understand billing complexities
  • Clear, written policies for PHI access, storage, and disposal

Why It Pays to Work with a HIPAA-Compliant Vendor

Beyond just staying legal, partnering with a HIPAA-compliant billing company offers real business benefits:

  • Lower risk of data breaches and penalties
  • Fewer denied claims thanks to accurate submissions
  • Faster reimbursements and stronger cash flow
  • Peace of mind during audits or compliance reviews
  • Enhanced patient trust in your organization’s professionalism

How Emerald Health Keeps Your Practice Compliant

At Emerald Health Medical Billing, HIPAA compliance isn’t an afterthought—it’s the foundation of everything we do.

From insurance verification to payment posting, every process is built with data protection in mind. Here’s how we help safeguard your patients’ information:

  • End-to-end encryption of all communications
  • Role-based access controls and detailed audit logs
  • HIPAA-certified staff across every department
  • Real-time transparency through client dashboards
  • Zero-tolerance policy for non-compliance

Whether you’re a small clinic or a multi-location practice, our solutions are designed to support your growth and your peace of mind.

Final Thoughts

As the healthcare industry becomes more digital and regulated, the stakes around data privacy have never been higher.

When you outsource your billing, you’re not just hiring a vendor—you’re choosing a guardian for your patients’ most sensitive data.

Dr. Arun Rajan, President & CEO of Emerald Health and a board-certified neurologist, leads our team with a deep understanding of clinical care and operational excellence. Our goal is simple: help practices run more efficiently—without compromising on compliance. https://emeraldhealthllc.com/

Chiropractor HIPAA Violations and Fines

Avoid common misconceptions about HIPAA compliance. Learn the critical steps needed to avoid Chiropractor HIPAA violations and fines. Many chiropractic practices think the government SRA tool is all they need for their HIPAA risk assessment. Keep in mind that it does not include policies and procedures, so you must create your own. Also, many chiropractic practices are members of a group that supplies a “HIPAA Binder”. Again, most of these groups do not include policies and procedures. Without proper documentation, a chiropractic practice can be assessed with HIPAA violations and fines.

Another common misconception is that small practices believe they are too small to attract attention from the Office for Civil Rights (OCR). In reality, it takes just one patient complaint, a dissatisfied employee, or a data breach to initiate an audit. Remember, once an investigation begins, the OCR will examine your entire HIPAA compliance program — not just the specific incident in question.

Lastly, many organizations think HIPAA can be a once and done process. This can cost you $$$$$$ in fines! HIPAA requires every organization that is involved with patient data to document their ongoing compliance efforts.

Here are a few examples of Chiropractic practices and some multi-specialty practices that have been fined:

  • Arkansas Chiropractic Clinics — $321,000 fine
    Two chiropractic clinics in Arkansas were fined a total of $321,000 after improperly disposing of patient records by dumping them in a public park, violating HIPAA’s privacy and secure disposal requirements.
  • Illinois Chiropractic Offices — Ransomware and data breach incidents
    Several chiropractic practices in Illinois experienced ransomware attacks, with ransom demands reaching up to $10,000. While specific OCR fines were not disclosed, these events highlight serious security lapses and the risk of significant penalties.
  • Stolen devices containing ePHI — $150,000 fine
    In a case not exclusive to chiropractic, a healthcare provider failed to update and secure outdated systems, leading to a malware breach and resulting in the fine from OCR.
  • Missing risk analysis — $50,000 fine
    Another provider, a clinic using mobile devices like tablets or iPads, was fined $50,000 for failing to conduct a risk analysis and implement appropriate security controls on mobile devices. This is a critical requirement for chiropractic offices using digital tools.

Privacy & Unauthorized Access Stories

  • Receptionist displaying PHI on a tablet
    At a chiropractic office, an iPad used for patient check-in accidentally showed other patients’ names and birthdates, resulting in a HIPAA privacy violation.
  • Chiropractor misusing patient address to send flowers
    In Colorado, a chiropractor accessed a patient’s medical record to obtain her address and sent her unsolicited flowers. This was widely viewed as a serious breach of patient privacy and another type of violation of the HIPAA privacy rule.

Ask yourself: How much of your hard-earned revenue are you willing to risk?

Remember, it only takes a single patient complaint or one disgruntled employee to prompt an investigation by the Office for Civil Rights (OCR). Once that happens, every aspect of your compliance program will come under scrutiny.

Ask yourself: Are you confident your documentation can stand up to that level of review? Most practices lack the required policies and documentation.

Are you ready to protect your practice? We are here to help you avoid common misconceptions about HIPAA compliance. Have you taken the critical steps needed to avoid Chiropractor HIPAA violations and fines? Our online HIPAA Keeper includes all policies and procedures required under HIPAA. We also include patient and HIPAA documentation. When HIPAA rules are updated or added, we update our system to keep you up to date. We are also always improving our system to make sure users are aware of new threats and how to protect their organization.

Still not sure? Check out our video that explains our 7-Steps in the HIPAA Keeper™ or Schedule a live demonstration to see for yourself how easy maintaining HIPAA compliance can be!

DOJ Reveals Largest Coordinated Healthcare Fraud Effort in Agency History

The U.S. Department of Justice (DOJ) has announced its largest-ever coordinated healthcare fraud takedown, charging 324 individuals, including 96 doctors, nurses, and other licensed medical professionals, across the country. The alleged schemes involved nearly $14.6 billion in fraudulent claims to federal healthcare programs such as Medicare and Medicaid, with actual estimated losses of around $2.9 billion.

There are approximately 66 million Medicare beneficiaries and 80 million people on Medicaid or the Children’s Health Insurance Program (CHIP). There are another 20 million people on the exchanges who could be affected by this fraud.

The DOJ, working alongside the Department of Health and Human Services (HHS) and other federal agencies, successfully blocked most of these fraudulent payments, preventing billions in losses. Authorities also seized over $245 million in cash, luxury items, and other assets connected to the schemes. The DOJ stated, “We’ve moved from ‘pay-and-chase’ to ‘stop-and-catch’—CMS and HHS‑OIG teams swiftly identified fraud, suspended payments, and seized tens of millions.”

A major portion of the fraud — known as Operation Gold Rush — centered on a transnational network involving Eastern European and Russian groups. These criminals allegedly used stolen identities of over 1 million Americans and acquired more than 30 U.S.-based medical supply companies to submit massive false claims for items such as urinary catheters and glucose monitors. In total, these companies alone tried to bill Medicare for more than 1 billion unnecessary devices.

This sweeping operation highlights both the scale of organized healthcare fraud and the government’s commitment to protecting taxpayer funds and patient identities. Officials emphasized ongoing efforts to strengthen oversight, including using advanced data analytics and AI tools to detect and stop fraud more effectively in the future.

Christopher Delgado is the acting deputy assistant director for the FBI’s Criminal Investigative Division that handles healthcare fraud. Here is an excerpt from the announcement that was made. “Possible health care fraud is not a victimless crime. Every dollar stolen from deceitful billing or unnecessary procedures is a dollar taken away from patients who truly need care and taxpayers who fund these critical programs”.

“Schemes like what was mentioned above drive medical costs up and strain federal healthcare budgets and ultimately impact every American who relies on Medicare, Medicaid, and other public and private insurance programs”.

“It’s also not just about financial losses. It’s about patients being exposed to unnecessary procedures, false diagnosis and delayed care. That kind of exploitation isn’t just unethical, it’s dangerous and has no place in our healthcare system. Services that are wasteful and should not be offered to the American people because they could hurt them”.

Centers for Medicare and Medicaid Services (CMS) just launched a new model called WISeR (Wasteful and Inappropriate Service Reduction). The WISeR Model will help protect American taxpayers by leveraging enhanced technologies, such as Artificial Intelligence (AI) and Machine Learning (ML), along with human clinical review, to ensure timely and appropriate Medicare payment for select items and services. The voluntary model will encourage care navigation, encouraging safe and evidence-supported best practices for treating people with Medicare. WISeR will run for six performance years from January 1, 2026 to December 31, 2031. The application period opened on June 27, 2025. 

They ask that anyone who suspects waste, fraud, or abuse of our healthcare system report it by calling 1-800-HHS-TIPS or through their website:

https://oig.hhs.gov/fraud

The content provided reflects the most up-to-date information available at the time of writing and should not be considered legal advice.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

What You Should Do After National Watchdog Warns of Data Breach Affecting 184 Million Passwords

A leading national consumer watchdog group has sounded the alarm on a massive data breach, warning that as many as 184 million passwords may have been compromised. If confirmed, this breach would be one of the largest in recent history, potentially exposing sensitive login credentials and personal data for millions of users. Whether your data was directly affected or not, now is the time to take swift and smart action.


What We Know About the Breach

While details are still emerging, the watchdog group has reported that the breach involves leaked password databases that may have been collected through previous hacks, phishing schemes, or compromised third-party services. The data has reportedly surfaced on dark web forums and hacking communities, increasing the risk of identity theft, credential stuffing attacks, and financial fraud.


What You Should Do Immediately

1. Change Your Passwords—Starting with the Most Sensitive Accounts

Focus first on accounts that hold financial or sensitive information:

  • Bank accounts
  • Email accounts
  • Healthcare portals
  • Social media accounts linked to other logins

Use a strong, unique password for each account. Avoid reusing passwords across multiple sites.

2. Enable Multi-Factor Authentication (MFA)

MFA adds a second layer of security by requiring you to enter a verification code from your phone or authentication app. This can stop attackers even if they have your password.

3. Use a Password Manager

A password manager can help generate and securely store unique, complex passwords for all your accounts. This helps eliminate the temptation to reuse passwords and improves overall security.

4. Check If Your Passwords Were Compromised

Use a reputable service like:

  • HaveIBeenPwned.com
  • Your password manager’s breach monitoring tool

These tools can alert you if your email or credentials have been found in leaked data.

5. Monitor Your Accounts for Suspicious Activity

Regularly review your bank statements, credit card transactions, and email account access logs. If anything seems unusual, contact the relevant provider immediately.

6. Beware of Phishing Emails

After a major breach, phishing attempts tend to rise. Be cautious with emails that ask you to “verify your account,” click on suspicious links, or download unexpected attachments.


What Businesses Should Do

  • Implement mandatory password resets.
  • Audit your security protocols and consider third-party penetration testing.
  • Educate your employees on how to spot phishing and secure their accounts.

Final Thoughts

Cybersecurity experts have long warned that massive credential breaches are not a matter of if, but when. With the watchdog group raising this new alert, every consumer and organization should treat this as a wake-up call. The good news is that with the right precautions, you can minimize the damage and protect your digital life going forward.

Stay alert. Stay secure. And take action now—before someone else takes control of your data.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

Understanding HIPAA Resolution Agreements and Compliance Obligations

A Resolution Agreement is a formal settlement between the U.S. Department of Health and Human Services (HHS) and a HIPAA-covered entity or business associate. Under the agreement, the organization agrees to take specific corrective actions and submit regular compliance reports to HHS, typically over a three-year period. During this time, HHS monitors the organization’s adherence to these requirements.

If a covered entity fails to demonstrate compliance or complete corrective actions satisfactorily—whether through informal resolution or a resolution agreement—civil money penalties (CMPs), commonly referred to as HIPAA fines, may be imposed.


Common Requirements in a Resolution Agreement

Some typical obligations in a resolution agreement include:

  • Payment: The covered entity must pay the agreed-upon settlement amount within 30 days of the agreement’s effective date.
  • Policy Review: Within 30 days, the entity must review and, if needed, revise its policies related to patient access to protected health information (PHI), including methods for calculating fees.
  • Training: Within 60 days, training materials must be developed and provided to staff on patients’ rights to access their PHI.
  • Access Log Reporting: Every 90 days, starting within 90 days of HHS approval of policies, the entity must submit a log of PHI access requests, including key details such as dates, formats, and costs.
  • Implementation Report: Within 120 days of HHS’s approval of the policies, a written implementation status report must be submitted.
  • Annual Reporting: Each year of the compliance term (e.g., three years) is considered a “Reporting Period.” The entity must submit an annual report to HHS within 60 days of the end of each period.

Additional Enforcement Authorities

In addition to HHS and the Office for Civil Rights (OCR), other agencies may impose penalties:

  • State Attorneys General: For example, Florida’s Consumer Protection Division enforces the Florida Deceptive and Unfair Trade Practices Act and has recovered over $10 billion since 2011.
  • Federal Agencies: The Department of Justice (DOJ), Office of Inspector General (OIG), and Federal Trade Commission (FTC) can also pursue penalties for fraud, privacy violations, or deceptive practices.

Helpful Links:


Corrective Action Plans (CAPs)

Most resolution agreements include a Corrective Action Plan (CAP) monitored by OCR, typically for two years. CAPs require the entity to take defined steps to address HIPAA compliance deficiencies, including:

  • Conducting a comprehensive risk analysis of potential threats to ePHI.
  • Implementing a risk management plan based on identified vulnerabilities.
  • Updating and maintaining written HIPAA policies and procedures.
  • Providing tailored HIPAA training to workforce members.

OCR Recommendations for Preventing Cyber Threats

To reduce cybersecurity risks, OCR recommends that HIPAA-covered entities and business associates:

  • Identify how ePHI flows through their systems.
  • Integrate risk analysis and management into daily operations.
  • Implement and review audit controls regularly.
  • Use authentication mechanisms to ensure only authorized access to PHI.
  • Encrypt ePHI in transit and at rest when appropriate.
  • Learn from past security incidents to strengthen future protections.
  • Provide HIPAA training for all staff.

By proactively implementing these measures, organizations can better protect patient data and avoid costly penalties, enforcement actions, and reputational damage.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

HIPAA Settlement of $25K with New York Neurology Practice Over Ransomware Attack

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, a small neurology practice based in New York, following a potential violation of the HIPAA Security Rule. The investigation stemmed from a ransomware attack that compromised the electronic protected health information (ePHI) of patients.

OCR’s investigation revealed potential failures by the practice to implement adequate security measures required under the HIPAA Security Rule, such as conducting a thorough risk analysis and maintaining appropriate safeguards to protect ePHI. The breach impacted sensitive health data and underscored vulnerabilities in the practice’s cybersecurity defenses.

Ransomware and hacking remain the leading cyber threats to electronic health information in the healthcare sector. Ransomware, a form of malicious software (malware), is designed to block access to a user’s data—typically by encrypting it—until a ransom is paid. This settlement represents the 12th enforcement action related to ransomware and the 8th action under OCR’s ongoing Risk Analysis Initiative.

As part of the settlement, Comprehensive Neurology agreed to pay a monetary fine of $25K and implement a corrective action plan that will be monitored for two years to strengthen its HIPAA compliance program, including risk assessments, updated security policies, and staff training.

This case highlights the importance of proactive cybersecurity measures for all healthcare providers, regardless of size, and reinforces OCR’s commitment to protecting patient data in the face of increasing cyber threats like ransomware.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

Another Phishing Attack results in a $600,000 settlement

PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).

The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and has paid a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.

Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.

In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.

Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.

What to do to prevent a breach

Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patient and organizational data.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

HIPAA updates for 2025 and beyond

What you need to know

In 2025 and beyond, many HIPAA updates are occurring in the healthcare arena. Staff education and patient privacy are front and center for OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to the HIPAA Privacy Rule and the Security Rule.

  • Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
  • Reproductive healthcare and how you protect privacy (this may change).
  • Substance Abuse and Mental Health Services Administration updates.
  • A Patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major problem with complaints resulting in fines from $3,500 to over $250K.
  • New patient authorization attestation requirements.
  • The posting of estimated fee schedules may be required.
  • Information blocking guidelines, including a patient’s request for their records in the format of their choice.
  • Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
  • Language assistance notice (and staff training on the tools utilized).
  • Conscience rights notice.
  • Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.

The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.

Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:

  • understanding how to identify phishing attempts,
  • using strong passwords, and
  • implementing multi-factor authentication.

Proposed data security changes:

Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes requiring written procedures for restoring electronic information systems and data within 72 hours, and adding specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify that their BAs have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind, all entities involved with ePHI must already comply with the HIPAA Security Rule, including subcontractors of BAs; this enhancement refers to reviewing/auditing that compliance every year.

Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure. They would also be required to maintain an asset inventory and a network map that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA Security Rule, but the proposed rule would require it to be updated on an ongoing basis, or at least once a year. Providers would also need to review their Security Incident Response Plans and document how employees are to report suspected or known security incidents and how the entity will respond.

Medical practices would need to utilize anti-malware/anti-virus systems, including for remote users, and would be required to conduct vulnerability scanning every 6 months and penetration testing once a year.

Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software. 

ePHI would require higher levels of encryption both at rest and in transit and multi-factor authentication (MFA) will need to be utilized, along with continuous network monitoring to detect threats in real time. 

Keep in mind, cyber-security is essential for patient privacy and safety.

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.

HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”

Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.

Although these proposed changes are still being negotiated, the best practice is for all entities involved with patient data to conduct a system-wide risk analysis and review how data flows in and out of your network. Once this has been determined, you can address cyber-security for your particular network. This is not one size fits all. This is where you need a partner that specializes in data security and not an average IT company. This sounds like a lot of work, but not when you have the right partners in place.

Summary

Our HIPAA Keeper online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!

“Simplifying HIPAA through Automation, Education, and Support”

Feel free to share this blog with your colleagues. We want to educate as many practices as we can since HIPAA violations can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy