HHS Settles With Mental Health Provider Over HIPAA Claims
A mental health provider will pay $225,000 over claims it violated health privacy law by publicly sharing users’ sensitive information online, the Health and Human Services Office of Civil Rights announced Monday.
Deer Oaks provides psychological and psychiatric services to residents of long-term care and assisted living facilities. HHS began investigating the company in 2023.
The provider violated the Health Insurance Portability and Accountability Act when it disclosed “the ePHI of individuals, including patient names, dates of birth, patient identification numbers, facilities, and diagnoses, by making patient discharge summaries publicly accessible online,” HHS claimed. “OCR’s investigation substantiated the allegations and verified that the ePHI was accessible publicly via the Internet.”
The investigation was expanded in August 2023 after a cybersecurity breach of company networks, said HHS: “Based on its investigation into both incidents, OCR found that Deer Oaks failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held.”
Deer Oaks agreed to implement a corrective action plan with HHS oversight for two years and pay $225,000. The company didn’t comment.