Privacy Daily is a service of Warren Communications News.
‘Almost a Given’

Attorneys See Trump’s HHS Maintaining Focus on HIPAA Security Rule

The Department of Health & Human Services’ latest Health Insurance Portability and Accountability Act settlement suggests the Trump administration will continue focusing on compliance with the HIPAA Security Rule, healthcare privacy attorneys told us in interviews.


The HHS Office for Civil Rights on July 7 announced a $225,000 settlement with mental health provider Deer Oaks (see 2507080052). OCR found the company “failed to conduct an accurate and thorough risk analysis” under the Security Rule.

OCR in October 2024 announced its Risk Analysis Initiative to focus “select investigations on compliance with the HIPAA Security Rule Risk Analysis provision.” It called the provision the “foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).”

Jennifer Pike, an Alston & Bird attorney, said, “For several years now, [risk analysis] has been the top failure referenced in these settlements and fines as the rationale for agency action, and they’ve shown no signs of slowing down on that.” It’s not possible to create an effective risk management program if a company can’t locate its ePHI and identify the associated risks, she added.

Failure to conduct a security risk analysis is “an extremely common finding,” said Holland & Knight attorney Dianne Bourque. “It’s almost a given when you see a significant incident.”

These findings typically revolve around a lack of analysis, lack of updates to the program, lack of risk management or bad policies and procedures established in connection with the risk analysis, said Bourque. “All these things that they’re finding and flagging as concerns, that’s exactly what we would expect.”

The Deer Oaks settlement detailed a coding error that apparently led to the ePHI exposure, as well as a separate, subsequent ransomware attack “resulting from a compromised account.” OCR doesn’t usually take significant action against an entity for inadvertent mistakes like a coding error, but the office pinned that mistake, as well as the cyberattack, on the lack of a risk analysis, Pike said.

Bourque said she was surprised that a breach impacting more than 170,000 individuals resulted in a fine of only $225,000. “That’s a pretty big breach,” and the data is now on the dark web, she said. “I would have expected a higher penalty. ... I don’t want to draw administration lines and say the Trump administration doesn’t fine people as much as the Biden administration, but in the recent past, we all sort of got used to seeing seven-figure fines. It was not unusual in a large-scale data breach to issue a seven-figure fine.”

Pike said settlements are based on several factors, including the stability and size of the organization and whether it has recognized security practices in place. “Recognized security practices are one way in which an organization can voluntarily put mechanisms and controls in place” that could help its case in settlement discussions, she said.

This settlement shows OCR is still prioritizing crackdowns on companies failing to comply with the HIPAA Security Rule, said Fox Rothschild attorney Elizabeth Litten. Pike and Litten noted that the preamble to HHS’ proposed update to the Security Rule (see 2503140058) signals the agency remains focused on ensuring thorough and accurate risk assessments under the Security Rule.

Litten said OCR’s notice in response to the coding error should have been a wake-up call for Deer Oaks to conduct a thorough risk assessment: “That’s when you need to make sure you’re doing everything you can to comply, because you’ve got the spotlight of the regulator on you.”

She recommended covered entities review the Security Risk Assessment Tool, and the associated document, “Basics of Risk Analysis and Risk Management.” The latter worksheet provides “bare-bones basics” for conducting a risk assessment, she said: “It’s easy to read and [it] walks through” the entire checklist. HHS will likely be more lenient with entities that show they’ve tried to follow the guidance in those documents, Litten said.