Not 1, Not 2, but 6 Settlements

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

Prior to the changeover of the administration, the HHS Office for Civil Rights went on a bit of a HIPAA settlement bender. The fast pace of announced settlements felt a bit like a clearing of the decks. The various settlements continued recent trends in the issues OCR selects for settlement, along with the still seemingly random settlement amounts.

Can any lessons or insights be gleaned from all of the settlements? Time will tell, though there will likely be a shift in priorities and timing as new leadership comes into OCR.

The Settlements

Number 1: Elgon Information Systems
The settlement with Elgon Information Systems announced on January 7, 2025 focused on the fallout from a ransomware attack. The settlement stemmed from a ransomware attack that started on March 25, 2023 and went undetected for six days, until March 31, 2023, when Elgon found a ransom note. Elgon ultimately determined that information of over 31,000 patients was impacted. The big finding from OCR was an alleged failure of Elgon to conduct the necessary risk analysis.

Aside from the impact of the ransomware attack, the fallout was an $80,000 payment owed by Elgon to resolve the matter. Focusing on the lack of a risk analysis was intentional by OCR. The settlement announcement in fact identified the resolution as the second enforcement action in OCR's self-identified risk analysis initiative. The absence of a risk analysis is a consistent finding, which means every organization must carefully focus on that aspect of HIPAA compliance.

Number 2: Virtual Private Network Solutions
The settlement with Virtual Private Network Solutions was also announced on January 7, 2025. Similar to the Elgon settlement, OCR noted that the VPNS settlement was also part of its risk analysis initiative. In the instance of VPNS, a breach notification, as required by HIPAA, was filed with OCR on December 30, 2021. The report stated that a ransomware attack had occurred that resulted in encryption of data stored by VPNS on behalf of about a dozen covered entities. The attack was discovered on October 31, 2021.

The resulting investigation found VPNS did not conduct the required risk analysis. The cost of that failure was $90,000 for VPNS. The lack of detail does not help too much, but the second settlement announcement on the same day makes it clear that OCR is hammering home the need to conduct the risk analysis.

Number 3: USR Holdings
The settlement with USR Holdings was announced on January 8, 2025. The investigation of USR Holdings started after submission of a breach report that revealed an unauthorized party accessed a database containing patient information from August 23, 2018 through December 8, 2018. Not only did the outside actor have access to the data for more than three months, but information was also deleted from the database.

What did OCR’s investigation find? A failure to conduct a risk analysis and a failure to adequately implement measures to audit and review network activity. In finding alleged failings beyond the lack of a risk analysis, USR Holdings was required to make a settlement payment of $337,750. Was the lack of review the basis for the jump in the settlement amount?

Number 4: Solara Medical Supplies
The settlement with Solara Medical Supplies was announced on January 14, 2025. Solara's troubles stemmed from submitting reports of two different breaches arising from the same underlying incident. The first problem was a cyberattack that began with eight employees falling victim to a phishing attack. The successful phishing attack enabled the attackers to access the compromised email accounts from April through June 2019. Solara submitted its breach report of that issue in November 2019.

After disclosing the breach, Solara started the mandated breach notification process to individuals. Unfortunately, the notification process had its own issues. Solara sent around 1,500 of the notification letters to the wrong address, which constituted a second breach that Solara reported to OCR in January 2020.

As a result of the two breach notifications, OCR found a number of alleged deficiencies in Solara's HIPAA compliance. The usual finding of an inadequate risk analysis and a lack of appropriate security measures was one group of findings. Interestingly, a second group of findings focused on Solara's approach to the breach notification. Leaving aside the problem of sending notices to the wrong address, OCR, for maybe one of the first or very few times, faulted an organization for not timely notifying the appropriate parties (including OCR and the media) of the breach. Questions about delays in sending the required notifications come up frequently in practice. Will more settlements focusing on that issue come in the future?

What did all of those issues cost Solara? A $3,000,000 settlement. Is the amount a message in and of itself?

Number 5: South Broward Hospital District d/b/a Memorial Healthcare System
The settlement with Memorial Healthcare System was announced on January 15, 2025. Memorial Healthcare System was the 52nd organization to be the subject of a right of access settlement. Memorial Healthcare System operates a comprehensive set of facilities and services across the spectrum of healthcare services. On March 3, 2020 the complaining individual had an EEG performed at one of Memorial’s locations. Toward the end of the year on December 30, 2020 the individual requested a copy of the EEG tracings on a CD.

Memorial acknowledged receipt of the request on December 31, 2020. Memorial did not provide the requested records. The individual resubmitted the request for the records on April 25, 2021, again through the patient portal. The individual also mailed a letter with the request. Still nothing was produced.

The individual sent a reminder through the patient portal on May 23, 2021 and did not get a response. The individual filed a complaint with OCR on May 30, 2021, a complaint that was closed without investigation. OCR does not state why the first complaint was closed without taking any action.

The individual, showing a lot of persistence, filed a second complaint with OCR on June 23, 2021 stating that requested records were not provided. OCR notified Memorial of the start of its investigation on September 22, 2021. Memorial in response to the notification from OCR provided the requested records to the individual on September 29, 2021.

After trying to resolve the issue with Memorial through informal guidance, OCR took the step of sending Memorial a notice of its investigatory findings and of its intent to impose a penalty. Memorial responded, but only to say that a penalty was not justified because the alleged noncompliance involved only one individual. OCR did not find that argument compelling, because the failure to honor the right of access was still an instance of noncompliance.

All of the back and forth resulted in a final penalty of $100,000. Reading a little between the lines, it is always a good idea for an organization subject to an investigation to play ball with OCR and implement suggested or recommended changes.

Number 6: Northeast Surgical Group
The settlement agreement with Northeast Surgical Group was announced on January 15, 2025. The NSG settlement was also identified by OCR as part of its risk analysis initiative. As usual, OCR did not reveal much of what happened. NSG submitted a breach notification report on March 6, 2023 revealing a ransomware attack that occurred in January 2023.

The resulting investigation came up with the standard finding that a risk analysis was not done. The end result was a settlement for an amount of $10,000. Again, as stated with the other settlements, the risk analysis must happen.

More OCR Action Coming?

As noted above, the changeover in the administration leaves it quite uncertain as to the immediate future of OCR's approach to alleged instances of noncompliance with HIPAA. The previous Trump administration did announce a relatively consistent number of settlements throughout its four years, but it may take some time to ramp up. Additionally, there could be some question as to which issues the new administration will hone in on when it comes to complying with HIPAA.

Instead of waiting for future actions from OCR, organizations should take the moment now to reassess internal operations and step up compliance operations. Double checking one’s own posture when it comes to compliance is always a good idea, but especially when there are consistent actions and findings underpinning those actions. There is not a lot of mystery as to what OCR is concerned about, so heed the lessons and don’t become the next example.

This article was originally published on The Pulse blog and is republished here with permission.