Summer is in full swing, but the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) is doing anything but taking a vacation from HIPAA. In May and June, OCR issued five resolution agreements (bringing the total to seven for the year), called for comments on multiple proposed rules, announced the 90-day post-COVID transition period for telehealth, and published a Cybersecurity Newsletter on HIPAA and Cybersecurity Authentication.

In a notable trend, the balance of OCR’s efforts this year has doubled down on security concerns, as distinct from recent prior years where much of OCR’s attention focused on its Patient Right of Access Initiative (the “Initiative”). While right of access is still in the mix (with two resolution agreements related to the Initiative this year), five resolution agreements in 2023 have focused on cybersecurity failures, such as hacking and unsecured servers, and even its privacy enforcement actions have had a distinct technology focus, with enforcement around improper disclosures focused on responses to online reviews and workforce snooping.

Collectively, these enforcement actions serve as a clear reminder to covered entities and business associates that cybersecurity threats are real and ubiquitous, and organizations that fail to comply with HIPAA requirements or safeguard the privacy and security of protected health information can get burned. Below, we discuss the most recent group of OCR’s publications from June.

Resolution Agreement: Responding to Negative Online Reviews

On June 5, 2023, OCR resolved a patient complaint received in April 2020 alleging that a provider of psychiatric services in New Jersey had impermissibly disclosed the protected health information (“PHI”) of a patient in responding to the patient’s negative online review, including specific information about the diagnosis and treatment of the patient’s mental health condition. Upon investigation, OCR also found that the provider had improperly disclosed PHI in response to the negative online reviews of three other patients in the same manner. The provider agreed to pay $30,000 and implement a two-year corrective action plan, in addition to issuing breach notices to all four individuals (or their representatives) affected by the breach. This resolution agreement serves as a good reminder to covered entities to be mindful of sharing PHI in any communication in a public forum (e.g., Google reviews), even in instances where the patient may have initiated the interaction.

Resolution Agreement: Employee Snooping

On June 15, 2023, OCR announced a resolution agreement with a non-profit community hospital in Washington State, for a $240,000 settlement with a two-year corrective action plan, to resolve allegations of “snooping” in medical records by workforce members without any job-related purpose. OCR’s investigation followed a 2018 breach report that 23 security guards working in the hospital’s emergency department had improperly used their login credentials to access the electronic medical records of 419 patients. The information accessed included patient names, addresses, dates of birth, medical record numbers, certain treatment notes, and insurance information. Thus, covered entities should ensure that workforce members fully understand that having login credentials alone does not give carte blanche access to PHI and access to any PHI should be limited to employment-related uses only.

Resolution Agreement: Unsecured Server

On June 28, 2023, OCR announced a resolution agreement with a “Business Associate” as defined under 45 C.F.R. § 160.103. The resolution agreement, two-year corrective action plan, and $75,000 resolution amount are the result of an August 2017 breach report from the Business Associate. On August 22, 2017, the Business Associate reported that the electronic protected health information (“ePHI”) of 267 individuals was impermissibly disclosed from the Business Associate’s electronic server by an unauthorized individual on May 2, 2017. Through its investigation, OCR determined that the Business Associate “did not conduct an accurate and thorough assessment of the vulnerabilities” related to the ePHI held and stored by the Business Associate on its servers. The corrective action plan requires the Business Associate to conduct a risk analysis, develop and implement risk management plans, and revise its policies and procedures as necessary to comply with the federal standards governing the privacy and security of PHI. This resolution agreement reminds business associates that they must maintain compliance with the HIPAA rules when storing patient PHI and OCR’s enforcement actions are not limited to covered entities.

Cybersecurity Newsletter: Cybersecurity Authentication

On June 29, 2023, OCR published a “June 2023 ORC Cybersecurity Newsletter” focused on “HIPAA and Cybersecurity Authentication.” The newsletter addressed the importance of strong authentication processes in protecting an organization’s sensitive information, including PHI, against malicious intrusions and attacks. Authentication can be analogized to a “locked door” and ensures that only authorized individuals or entities are permitted access to an organization’s information systems, resources, and data. Focus on authentication processes is critical, as OCR cites in its newsletter that “a recent analysis of cyber breaches reported that 86% of attacks to access an organization’s Internet-facing systems (e.g., web servers, email servers) used stolen or compromised credentials.” Implementing authentication procedures is a critical component of compliance with the HIPAA Security Rule. OCR notes in its newsletter that “non-compliance with the Security Rule’s authentication standard continues to leave regulated entities vulnerable to successful cyber-attacks and breaches of ePHI,” and has formed a basis for penalties in recent resolution agreements. Organizations should evaluate their existing authentication processes and consider whether they are sufficient to ensure the confidentiality, integrity, and availability of their PHI.

Conclusion

Covered entities and business associates should consider taking time for a mid-year check-in on their annual HIPAA compliance endeavors and to evaluate whether any adjustments should be made to stay responsive to the evolving pressures of the dynamic cybersecurity and enforcement climate.