OCR Active with Settlements and Enforcement Actions in November and Early December
Thursday, December 12, 2024

The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged violations of HIPAA. The settlements include resolution agreements and civil monetary penalties.

One of the settlements and resolution agreements continues to show OCR’s emphasis on patients’ rights to access their protected health information. That settlement, dated November 19, 2024, was against Rio Hondo Community Mental Health Center in California and required the covered entity to pay the OCR $100,000.

On November 26, 2024, the OCR settled with Holy Redeemer Family Medicine over the disclosure of a patient’s protected health information, including reproductive health information, to the patient’s prospective employer without her consent. The OCR alleged that the patient provided consent for the covered entity to send the results of one test that had no relevance to her reproductive health to the prospective employer. Instead, the covered entity sent “her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care” to the prospective employer. Holy Redeemer paid $325,581 and agreed to a corrective action plan with monitoring by the OCR for two years.

On December 3, 2024, the OCR imposed a $1.19 million penalty against Gulf Coast Pain Consultants (GCPC) for alleged violations of the HIPAA Security Rule. The OCR started an investigation against GCPC after a data breach notification. OCR’s investigation found that impermissible access to patients’ protected health information occurred on three occasions when a former contractor of GCPC accessed GCPC’s “electronic medical system to retrieve PHI for use in potential fraudulent Medicare claims.” The impermissible access affected 34,310 patients, including their names, addresses, dates of birth, Social Security numbers, insurance information, and primary care information.

On December 5, 2024, the OCR imposed a penalty against Children’s Hospital Colorado for $548,265 for alleged HIPAA Privacy and Security Rules violations. According to the OCR, Children’s Hospital Colorado notified the OCR after two breaches of email accounts following phishing attacks. In the first phishing attack, the compromise of an email account containing the personal health information (PHI) of 3,370 individuals occurred because multi-factor authentication was disabled on the email account. Three email accounts containing 10,840 individuals’ PHI were compromised in the second incident. The OCR found that employees gave up their credentials to the threat actor in the attack, allowing unauthorized access to the email accounts.

On December 10, 2024, the OCR settled with Health Care Clearinghouse and Inmediata Health Group over allegations that they left PHI unsecured on the internet. According to the OCR, between May 2016 and January 2019, 1,565,338 individuals’ PHI “was made publicly available online.” The PHI included names, dates of birth, addresses, Social Security numbers, claims information, and treatment information. During its investigation, the OCR found “multiple potential HIPAA Security Rule Violations,” including failing to conduct a compliant risk analysis and to monitor and review the health information systems’ activity; the entities agreed to pay the OCR $250,000. They previously agreed to implement corrective actions with 33 states that addressed OCR’s findings.

All of these actions and settlements provide clues to covered entities about the OCR’s priorities and conduct it finds violative of HIPAA. It has been an active two months for enforcement. We will continue to follow the OCR’s enforcement actions and see what the new year brings regarding its enforcement priorities.
