BST & Co. CPAs, LLP fined $175K for Ransomware Breach

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect ePHI through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

“OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement, BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

  • Conduct a thorough risk analysis of its ePHI environment;
  • Develop and implement a risk management plan to address identified risks;
  • Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
  • Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

  • Identifying where ePHI resides and how it flows across systems;
  • Performing and updating risk analyses, and implementing risk management measures;
  • Maintaining audit controls and reviewing system activity;
  • Authenticating user access and encrypting ePHI in transit and at rest;
  • Incorporating lessons learned from incidents into security management; and
  • Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations; they are essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses. Schedule your annual HIPAA Risk Analysis today.

Syracuse ASC fined $250K for Ransomware

A Costly Reminder of HIPAA’s Ransomware Readiness Requirements

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, for potential violations of the HIPAA Security and Breach Notification Rules. This case marks OCR’s 14th ransomware enforcement action, reinforcing the growing federal focus on cybersecurity preparedness across the healthcare sector.

History

Syracuse ASC is a single-facility ambulatory surgery center in Liverpool, New York, specializing in ophthalmic, ENT, and pain management procedures. In March 2021, the center experienced a ransomware attack involving the PYSA variant, ransomware that has repeatedly been used against healthcare organizations.

The incident compromised electronic protected health information (ePHI) for 24,891 individuals. OCR initiated an investigation in October 2021 after Syracuse ASC reported the breach to HHS. The investigation revealed that the center had never conducted an accurate and thorough HIPAA risk analysis, as required by the Security Rule. OCR also found that Syracuse ASC failed to provide timely breach notifications to both affected individuals and HHS.

Settlement Terms

Under the Resolution Agreement, Syracuse ASC agreed to:

  • Pay $250,000 to HHS OCR.
  • Implement a Corrective Action Plan (CAP) monitored for two years.

The CAP requires Syracuse ASC to:

  • Conduct a complete and thorough risk analysis of ePHI systems.
  • Develop and implement a risk management plan to address identified vulnerabilities.
  • Review and revise policies and procedures to ensure compliance with HIPAA.
  • Provide annual HIPAA training for all workforce members handling PHI.

OCR’s Message: Ransomware Risks Are Real

OCR Director Paula M. Stannard stressed the critical importance of proactive cybersecurity, stating:

“Conducting a thorough HIPAA-compliant risk analysis—and developing and implementing risk management measures to address identified risks and vulnerabilities—is even more necessary as sophisticated cyberattacks increase. HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

This case underscores that failing to complete and document a proper risk analysis not only weakens an organization’s defenses but also constitutes a direct violation of the HIPAA Security Rule.

The Role of the Breach Notification Rule

In addition to security failures, OCR determined that Syracuse ASC violated the HIPAA Breach Notification Rule, which requires covered entities to:

  • Notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of the breach.
  • Report breaches affecting 500 or more individuals to HHS within that same 60-day window (smaller breaches may be logged and reported to HHS annually).
  • Document the scope and cause of the breach and the mitigation actions taken, and retain that documentation.

Business associates that discover a breach must notify the covered entity without unreasonable delay, and no later than 60 days after discovery, so that the covered entity can meet its own deadlines.

Delayed notification denies patients their right to act quickly to protect their personal and financial information and signals poor incident response readiness.

OCR’s Recommendations for Preventing Cyber Threats

To help prevent or mitigate ransomware and other cyber threats, OCR recommends that all healthcare entities and business associates:

  • Identify where ePHI is stored, transmitted, and processed across all systems.
  • Conduct and regularly update risk analyses.
  • Implement and maintain a risk management plan addressing identified threats.
  • Establish audit controls to monitor system activity.
  • Authenticate all users accessing ePHI.
  • Encrypt ePHI both at rest and in transit.
  • Incorporate lessons learned from past incidents into the security program.
  • Provide ongoing, role-specific HIPAA training for all staff.

Summary

Ransomware attacks are no longer rare events – they’re a daily threat to healthcare organizations of all sizes. OCR’s 14th ransomware enforcement action makes one thing clear: a missing or incomplete risk analysis is a direct pathway to vulnerability and liability.

Every covered entity and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients, data, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Deer Oaks – The Behavioral Health Solution fined $225K

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has the authority to investigate complaints and conduct compliance reviews involving potential violations of the HIPAA Privacy, Security, and Breach Notification Rules by covered entities and business associates.

Deer Oaks – The Behavioral Health Solution, an Affiliated Covered Entity under 45 C.F.R. §§ 160.103 and 164.105, is subject to these HIPAA requirements.

Background

On December 6, 2021, HHS received a complaint alleging that Deer Oaks Geriatric Services PC, doing business as Deer Oaks Consultation Services (DOCS), impermissibly disclosed protected health information (PHI) by making patient discharge forms publicly accessible online. These forms contained sensitive data including patient names, dates of birth, identification numbers, facilities, and diagnoses. The exposed PHI was finally secured in May 2023.

Further, on August 29, 2023, Deer Oaks experienced a cybersecurity breach when a threat actor exploited a network vulnerability, exfiltrated patient data, and demanded ransom to prevent publication of the PHI on the dark web.

OCR Findings

Following its investigation, OCR determined that Deer Oaks engaged in the following conduct:

  • Impermissible disclosure of PHI not required or permitted under the HIPAA Privacy Rule (45 C.F.R. § 164.502(a)).
  • Failure to perform an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, as required by the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Settlement Terms

To resolve these findings, Deer Oaks agreed to:

  • Pay $225,000 to HHS in a single lump-sum payment.
  • Enter into a Corrective Action Plan (CAP) monitored by OCR.

Under the CAP, Deer Oaks must implement a comprehensive HIPAA compliance program, including a full risk analysis, risk management plan, and updated policies, procedures, and workforce training to prevent future violations.

OCR clarified that this resolution does not release Deer Oaks from any future enforcement actions unrelated to the covered conduct or from potential criminal liability under 42 U.S.C. § 1320d-6.

Key Takeaway

This case is another reminder that HIPAA compliance goes far beyond securing data – it requires knowing where your data resides and who has access to it.
Without a system-wide risk analysis to map data flow and identify vulnerabilities, covered entities and business associates leave themselves open to both cyberattacks and regulatory penalties.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules—all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses. Schedule your annual HIPAA Risk Analysis today.

Comstar, a Business Associate fined $75K for Ransomware Attack

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined ransomware was used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”). If Comstar breaches the CAP and fails to cure that breach, it will be in breach of the Agreement, and HHS will no longer be bound by the release in the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This case clearly demonstrates HHS’s authority to assess fines against business associates, not only covered entities. Ransomware affects all types of businesses, and an annual risk analysis helps uncover the vulnerabilities that lead to data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

BayCare Health System fined $800K for Impermissible Access Exploited by a Malicious Insider

Reinforcing the Need for Strong Access Controls under HIPAA

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with BayCare Health System, a Florida-based healthcare provider, for potential violations of the HIPAA Security Rule. The case stemmed from a complaint alleging impermissible access to a patient’s electronic protected health information (ePHI), highlighting the ongoing need for covered entities to manage and monitor system access carefully.

BayCare agreed to pay $800,000 and implement a two-year Corrective Action Plan (CAP) to resolve OCR’s findings and strengthen its data security practices.

History

In October 2018, OCR received a complaint from a patient who reported being contacted by an unknown individual possessing photographs and a video of her printed medical records. The video also appeared to show someone scrolling through her records on a computer screen after she received care at a BayCare facility.

OCR’s investigation revealed that the login credentials used to access the records belonged to a non-clinical former employee of a physician practice that had access to BayCare’s electronic medical record system for shared patient care. The improper access exposed weaknesses in BayCare’s user authorization and monitoring controls.

OCR’s Findings

OCR determined that BayCare potentially violated multiple provisions of the HIPAA Security Rule, including failure to:

  • Implement proper policies and procedures for authorizing access to ePHI consistent with the Privacy Rule.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Regularly review audit logs and system activity to detect unauthorized access.

These lapses allowed a former staff member to retain and misuse access credentials—an avoidable risk that underscores the importance of continuous access management and workforce oversight.

Settlement Terms

Under the Resolution Agreement, BayCare will:

  • Pay $800,000 to HHS OCR.
  • Undergo a two-year Corrective Action Plan monitored by OCR.
  • Conduct a complete risk analysis to identify potential threats and vulnerabilities to ePHI.
  • Develop and implement a risk management plan to mitigate identified security risks.
  • Revise its policies and procedures to ensure compliance with the HIPAA Security Rule.
  • Provide HIPAA training to all workforce members who have access to ePHI.

OCR’s Message to the Healthcare Industry

OCR Acting Director Anthony Archeval emphasized the importance of strict access controls, stating:

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs. Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

This case serves as a warning that insider threats and credential misuse remain among the most common, and most preventable, sources of patient data breaches.

Best Practices Recommended by OCR

To help prevent similar incidents, OCR recommends that all HIPAA-regulated entities:

  • Identify where ePHI resides and how it moves throughout the organization.
  • Integrate risk analysis and risk management into everyday operations.
  • Maintain audit controls and regularly review system activity for anomalies.
  • Implement user authentication mechanisms and remove access promptly when workforce changes occur.
  • Encrypt ePHI in transit and at rest.
  • Apply lessons learned from prior incidents to strengthen security.
  • Provide role-specific HIPAA training on a regular basis.
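The BayCare findings above turn on two controls in this list: removing access when a workforce member leaves, and actually reviewing the EMR audit trail for access that should not have happened. The following is an added example of that review, written for this page and not taken from OCR, BayCare, or any EMR vendor. It joins a workforce roster against EMR access records and flags any access by an account that is terminated, or that does not appear in the roster at all. The CSV layouts, account names, MRNs, and dates are constructed for the example; a real EMR audit export will have different field names.

```python
"""Review EMR access records for use of credentials that should have been revoked.

Added example for this page; not OCR, BayCare, or vendor code. The log format,
roster fields and every record below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed workforce roster exported from HR/identity management.
# 'jdoe' is a non-clinical user at an affiliated practice who left in June 2018
# but (as in the BayCare case) still holds working EMR credentials.
ROSTER_CSV = """account,employer,status,terminated_on
jdoe,Example Physician Practice,terminated,2018-06-30
asmith,Example Physician Practice,active,
rlee,Example Hospital,active,
"""

# Constructed EMR audit log. 'ghost' is an account with no roster entry at all,
# the other failure mode an access review should surface.
ACCESS_LOG_CSV = """timestamp,account,patient_mrn,action
2018-09-14T10:02:11,asmith,MRN1001,view
2018-09-14T10:05:40,jdoe,MRN2002,view
2018-09-14T10:05:52,jdoe,MRN2002,print
2018-09-14T11:30:00,ghost,MRN3003,view
2018-09-14T12:00:00,rlee,MRN1001,view
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    account: str
    patient_mrn: str
    action: str
    reason: str


def load_roster(csv_text: str) -> dict:
    """Map account name -> {'status', 'terminated_on'} from the HR export."""
    roster = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        term = row["terminated_on"].strip()
        roster[row["account"]] = {
            "status": row["status"].strip().lower(),
            "terminated_on": date.fromisoformat(term) if term else None,
        }
    return roster


def review_access_log(log_csv: str, roster: dict) -> list:
    """Return one Finding per access record that a reviewer must follow up on.

    Two conditions are flagged: the account is unknown to the roster (orphaned
    or shared credential), or the account is not active and the access happened
    on or after its termination date (or the date is missing entirely).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = datetime.fromisoformat(row["timestamp"])
        acct = row["account"]
        entry = roster.get(acct)
        reason = None
        if entry is None:
            reason = "account not in workforce roster"
        elif entry["status"] != "active":
            term = entry["terminated_on"]
            if term is None or ts.date() >= term:
                reason = "access by terminated account"
                if term is not None:
                    reason += f" (terminated {term.isoformat()})"
        if reason:
            findings.append(Finding(ts, acct, row["patient_mrn"], row["action"], reason))
    return findings


def summarize(findings: list) -> dict:
    """Count flagged accesses per account, for the review report."""
    counts = {}
    for f in findings:
        counts[f.account] = counts.get(f.account, 0) + 1
    return counts


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    for f in review_access_log(ACCESS_LOG_CSV, roster):
        print(f"{f.timestamp.isoformat()} {f.account:<8} {f.patient_mrn} {f.action:<6} {f.reason}")
    print(summarize(review_access_log(ACCESS_LOG_CSV, roster)))
```

Run against the constructed data, the review flags both of jdoe's accesses (view and print of MRN2002, months after termination) and the single access by the unrostered account, while asmith and rlee pass. The point is the join itself: neither the EMR log nor the HR roster alone shows the problem, which is why OCR lists both "review system activity" and "remove access promptly when workforce changes occur" as separate controls.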

Summary

The BayCare settlement underscores a critical lesson: HIPAA compliance isn’t only about external cyberattacks—it’s also about managing internal access.
Even trusted users can become a liability when access privileges aren’t properly controlled, monitored, or revoked.

A thorough, documented risk analysis, an active risk management plan, and strong access control policies are essential for preventing unauthorized disclosures and OCR enforcement actions.

At Aris Medical Solutions, our online HIPAA Keeper™ system helps healthcare providers and business associates maintain full compliance through guided risk assessments, policy updates, training, and audit tracking. All in one secure, cloud-based system.

Don’t leave patient data exposed. Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

Vision Upright MRI fined $25K

OCR Settlement with Vision Upright MRI: The Risk of Unsecured PACS Servers

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI LLC (VUM) after finding that the medical imaging provider exposed patient information online through an unsecured Picture Archiving and Communication System (PACS) server.

This case serves as another reminder that failing to secure medical imaging systems or perform a HIPAA compliant risk analysis can result in costly investigations, corrective action plans, and long-term monitoring by federal regulators.

How the Breach Happened

VUM operated a PACS server used to store and share diagnostic images such as MRIs, CT scans, and X-rays. OCR received reports that this server allowed public access to patients’ protected health information (PHI), including images, metadata, and identifying details.

On December 1, 2020, OCR notified VUM of a formal investigation into potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The inquiry focused on whether VUM had conducted proper risk assessments, secured its systems, and met notification deadlines required after discovering a breach.

OCR’s Findings

OCR determined that Vision Upright MRI:

  • Failed to conduct a HIPAA risk analysis — VUM had never performed an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), violating 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Failed to issue timely breach notifications — The organization did not notify affected individuals within 60 days of discovering the exposure, violating 45 C.F.R. § 164.404(a).

These lapses demonstrated that VUM lacked essential safeguards and incident-response procedures required under the HIPAA Security Rule.

Settlement Terms and Corrective Actions

As part of the settlement, VUM agreed to pay $25,000 (the Resolution Amount) and implement a comprehensive Corrective Action Plan (CAP) overseen by OCR. The CAP requires the practice to:

  • Conduct a full organization-wide risk analysis, including vulnerability scans and penetration testing.
  • Develop a risk management plan to mitigate identified security gaps.
  • Update and distribute HIPAA Privacy, Security, and Breach Notification policies to all workforce members.
  • Provide annual HIPAA training for all staff with access to ePHI.
  • Investigate and report workforce noncompliance events on a quarterly basis.
  • Submit annual compliance reports to OCR and retain related documentation for six years.

This agreement is binding on VUM and its successors, emphasizing OCR’s expectation that covered entities maintain compliance over time—not just during the settlement period.

Lessons for Healthcare Providers and Business Associates

The VUM case highlights several key takeaways for any healthcare organization that handles PHI:

  1. Unsecured PACS servers are a known risk.
    Imaging systems frequently store and transmit PHI yet are often overlooked in IT risk analyses. Ensure every device and data repository is included in your risk inventory and tested for vulnerabilities.
  2. Risk analysis is not optional.
    HIPAA requires ongoing, accurate, and thorough assessments. This is not a one-time checkbox. Document each risk analysis, update it annually, and link findings directly to your risk-management plan.
  3. Breach notifications must be timely.
    Delays beyond 60 days can lead to enforcement actions. Have an incident-response plan ready so you can notify affected individuals and OCR within the required window.
  4. Policies and training are the front line of compliance.
    Workforce awareness is critical. Staff who access PHI must understand how to handle data securely and report potential issues immediately.
  5. OCR oversight can last years.
    Corrective Action Plans often require multi-year reporting and documentation retention. Establishing compliance habits early reduces disruption and risk later.

Summary

This settlement underscores a critical lesson: a thorough, documented risk analysis, an active risk management plan, and appropriate policies and procedures are essential to preventing data breaches. The corrective action process that follows an OCR investigation is long and grueling, and it could easily have been avoided.

HIPAA Keeper™ by Aris Medical Solutions simplifies compliance with:

  • Built-in risk analysis and management plans
  • Customizable policies and procedures
  • Workforce training tracking and certificates
  • Secure Breach Notification and Incident Response forms

Stay ahead of OCR investigations—protect your patients, your reputation, and your practice.

Don’t leave patient data exposed.

Schedule your HIPAA Risk Analysis with Aris Medical Solutions today.

Change Healthcare Cyberattack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter about the Change Healthcare cyberattack. OCR also opened an official investigation. The attack affects Change Healthcare, a unit of UnitedHealth Group (UHG), and many other healthcare organizations that depend on it.

The cyberattack has disrupted health care and billing operations nationwide. It poses a direct threat to patient care and critical health system functions.

OCR enforces HIPAA Privacy, Security, and Breach Notification Rules. These rules require covered entities and business associates to protect patient data and to notify HHS and affected individuals after a breach.

Cyberattacks remain the top threat in healthcare. Over the past five years, large breaches reported to OCR involving hacking increased 256%, and those involving ransomware rose 264%. In 2023, hacking accounted for 79% of all large breaches, and the large breaches reported that year affected more than 134 million people, a 141% increase from 2022.

Given the unprecedented size of this cyberattack, OCR has launched an investigation to protect patients and healthcare providers. The investigation will examine whether a breach of protected health information occurred and whether Change Healthcare and UHG complied with HIPAA Rules.

OCR considers its review of other entities connected to Change Healthcare and UHG as secondary. While OCR is not prioritizing investigations of providers, health plans, or business associates impacted by the attack, it is reminding all partners of their obligations. Entities must maintain business associate agreements and provide timely breach notifications to HHS and affected individuals as HIPAA requires.

Safeguarding protected health information remains OCR’s top priority. To support this effort, OCR is sharing resources to help organizations protect record systems and patients from cyberattacks.

OCR HIPAA Security Rule Guidance Material – This webpage offers educational resources on the HIPAA Security Rule and standards for protecting electronic protected health information (ePHI). Resources include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule guidance documents, OCR Cybersecurity Newsletters, and more.

OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video explains how the HIPAA Security Rule helps covered entities and business associates defend against cyberattacks. It covers breach trends, common attack methods, and key findings from OCR investigations.

OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar explains the HIPAA Security Rule requirements for performing a complete risk assessment of potential threats and vulnerabilities to electronic protected health information (ePHI). It also reviews common risk analysis deficiencies that OCR has found during its investigations.

HHS Security Risk Assessment Tool – This tool helps small- and medium-sized entities perform an internal security risk assessment to meet the HIPAA Security Rule’s risk analysis requirement. Completing the tool does not by itself satisfy the Rule; you must also create and implement the policies, procedures, and forms it identifies.

Factsheet: Ransomware and HIPAA – This resource explains what ransomware is, outlines steps covered entities and business associates must take if their systems are infected, and details HIPAA breach reporting requirements.

Montefiore Medical Center fined $4.75M for Malicious Insider

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City hospital system. The settlement resolves multiple potential HIPAA Security Rule violations.

OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA requires health care providers, insurers, and other entities to protect the privacy and security of patient information.

Montefiore failed to safeguard its systems. Over a six-month period in 2013, an employee stole and sold the protected health information (PHI) of 12,517 patients. Montefiore did not learn of the theft until the NYPD uncovered it in 2015, and only then reported the breach.

OCR’s investigation found Montefiore failed to:

  • Analyze and identify risks to PHI.
  • Monitor activity on its information systems.
  • Implement effective policies and procedures.

Because of these failures, Montefiore neither prevented the theft nor detected it until years later.

Settlement Terms

Montefiore must pay $4.75 million and follow a Corrective Action Plan (CAP). The CAP requires Montefiore to:

  • Conduct a complete risk analysis.
  • Develop and implement a risk management plan.
  • Install monitoring systems to record and review PHI activity.
  • Review and update HIPAA policies and procedures.
  • Train staff on HIPAA requirements.

OCR will monitor Montefiore for two years.

Key Quotes

OCR Director Melanie Fontes Rainer said:
“Cyber-attacks from malicious insiders are not uncommon. The risks to patient information cannot be ignored. Health care systems must follow the law and act quickly to protect records.”

HHS Deputy Secretary Andrea Palm added:
“Patients must trust providers to protect their records. Our priority remains safeguarding patients and ensuring providers implement strong security policies.”

OCR reported that 134 million people were affected by large breaches in 2023, compared to 55 million in 2022. OCR urges health care providers, health plans, and business associates to:

  • Conduct regular risk analyses.
  • Monitor information system activity.
  • Use multi-factor authentication.
  • Encrypt PHI.
  • Train staff frequently.
  • Update policies based on lessons learned from incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Ensure your Compliance Officer understands their responsibility.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Patient Right of Access delays cost Optum Medical Care $160K

Optum Medical Care (formerly known as Riverside Medical Group and Riverside Pediatric Group) is a large multi-specialty physician group serving patients throughout New Jersey and Southern Connecticut. Optum has agreed to pay $160,000 and implement a Corrective Action Plan (CAP) to resolve potential violations of the HIPAA Privacy Rule’s Right of Access provision.

This case marks OCR’s 46th Right of Access enforcement action, reinforcing that timely access to medical records is a fundamental patient right under HIPAA.

History

In the fall of 2021, OCR received six complaints alleging that Optum Medical Care failed to provide patients, or parents of minor patients, with copies of their requested medical records. The investigation revealed delays ranging from 84 to 231 days, well beyond the HIPAA requirement to provide access within 30 calendar days of a valid request.

OCR began its investigation in February 2022 and determined that Optum’s failure to respond within the legally required timeframe constituted a potential violation of the HIPAA Right of Access Rule.

Settlement Terms

Under the Resolution Agreement, Optum Medical Care will:

  • Pay $160,000 to the U.S. Department of Health and Human Services.
  • Implement a Corrective Action Plan (CAP) monitored by OCR for one year.
  • Revise and update policies and procedures to ensure timely responses to access requests.
  • Train workforce members on the Right of Access requirements under HIPAA.
  • Report to OCR on all medical record access requests received and their fulfillment status.

OCR’s Message to Providers

OCR Director Melanie Fontes Rainer emphasized the importance of prioritizing patient access, stating:

“Health care providers must make responding to parents’ or patients’ requests for access to their medical records in a timely manner a priority. Access to medical records is a fundamental right under HIPAA… providers must proactively respond to record requests and ensure timely access.”

Rainer added that timely access empowers patients and families to make informed decisions and improve their health outcomes—reinforcing that patient rights are central to HIPAA’s mission.

What the HIPAA Right of Access Rule Requires

Under the HIPAA Privacy Rule, individuals (or their personal representatives) have the right to inspect and obtain a copy of the protected health information held about them in a designated record set by a covered entity or its business associates. Providers must:

  • Act on an access request within 30 calendar days of receipt (state law or a future change to the federal rule may require a shorter deadline, such as 15 days).
  • Provide the records in the form and format requested if they are readily producible that way; otherwise in a readable hard copy or another form agreed with the requester.
  • Charge only a reasonable, cost-based fee covering labor for copying, supplies, postage, and (if the individual agrees to one) preparation of a summary or explanation.
  • If more time is needed, take at most one extension of up to 30 additional days, and give the requester written notice within the original 30 days stating the reason for the delay and the date by which the records will be provided.

Key Lessons for Healthcare Providers

This case underscores that even large, established medical groups are not exempt from enforcement. To stay compliant and avoid costly penalties, healthcare providers should:

  • Review and update Right of Access policies and procedures.
  • Maintain a tracking system for record requests and response deadlines.
  • Ensure all staff are trained to recognize and properly handle patient record requests.
  • Conduct periodic audits to verify timely responses.
  • Document all communications related to record requests.

HIPAA compliance is not just about data security; it’s about respecting patients’ rights. Failing to provide timely access to medical records not only violates the law but also erodes patient trust.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules including the Right of Access.

Don’t risk costly penalties. Ensure your team knows the rules and your policies support timely patient access.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Green Ridge Behavioral Health is OCR's Second Ransomware Settlement

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware is malicious software that encrypts a victim's data and demands payment for the key needed to restore it. OCR enforces HIPAA's Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR's second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware had encrypted its servers, company files, and all of its patients' electronic health records. OCR's investigation found multiple HIPAA Security Rule failures, including:

  • Failure to conduct an accurate and thorough risk analysis of the risks and vulnerabilities to its electronic PHI.
  • Failure to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
  • Failure to sufficiently review and monitor records of information system activity, such as audit logs and access reports.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

  • Conduct a full risk analysis.
  • Create a risk management plan.
  • Update policies and procedures.
  • Train its workforce on HIPAA.
  • Audit third-party vendors and ensure that business associate agreements are in place where required.
  • Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. According to OCR, large breaches involving hacking have increased 256% over the last five years, and those involving ransomware have risen 264% over the same period. In 2023, hacking accounted for 79% of the large breaches reported to OCR, and the large breaches reported that year affected more than 134 million people, a 141% increase from 2022.

OCR recommends medical providers and business associates:

  • Regularly perform risk analysis and risk management.
  • Monitor and audit system activity.
  • Use multi-factor authentication and encryption.
  • Ensure strong vendor agreements.
  • Provide frequent, role-specific workforce training.
  • Apply lessons from past incidents.


©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their respective owners. Do not copy any content or images without our consent.