Privacy & Information Security Law Blog

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced two settlements over alleged violations of the HIPAA Security Rule— one with BayCare Health System, a Florida health care provider, and the other with Comstar, LLC, a Massachusetts billing services company — underscoring the agency’s continued HIPAA enforcement focus. Both settlements emphasize the importance of HIPAA compliance, particularly with respect to implementing proper access controls, conducting HIPAA risk analyses, and maintaining comprehensive security protocols to safeguard electronic protected health information (ePHI).

In the BayCare matter, OCR investigated a complaint involving the alleged unauthorized access and disclosure of a patient’s medical records. According to OCR, a former non-clinical staff member affiliated with a physician practice accessed BayCare’s electronic medical record system and later shared images and video recordings of the complainant’s medical records. Although the physician’s practice had access to BayCare’s systems for continuity of care purposes, OCR determined that BayCare failed to appropriately restrict access to sensitive data and did not implement sufficient oversight mechanisms to monitor system activity.

OCR’s investigation revealed several potential violations of the HIPAA Security Rule. Specifically, OCR alleged that BayCare had not implemented adequate policies and procedures for authorizing access to ePHI and had not taken reasonable steps to reduce known risks and vulnerabilities. In addition, the provider allegedly failed to regularly review information system activity as required by the Security Rule. To resolve the matter, BayCare agreed to pay $800,000 and implement a two-year corrective action plan monitored by OCR. The plan requires BayCare to conduct a thorough HIPAA risk analysis, develop a risk management plan, revise its HIPAA policies and procedures as appropriate, and train its workforce on HIPAA compliance obligations related to ePHI access and data security.

In a separate action, OCR reached a settlement with Comstar, LLC, a business associate providing billing and related services to emergency ambulance services. The case arose from a ransomware breach reported in May 2022, which affected the ePHI of over 585,000 individuals. OCR determined that Comstar had not conducted a proper HIPAA risk analysis to identify potential security vulnerabilities.

The affected data in the Comstar breach included clinical information such as medical assessments and medication records. At the time of the incident, Comstar served as a business associate to more than 70 covered entities. To settle the alleged HIPAA violations, Comstar agreed to pay $75,000 and enter into a two-year corrective action plan. The plan requires Comstar to conduct a comprehensive HIPAA risk analysis, implement a risk management strategy, update its written HIPAA policies and procedures as appropriate,  and ensure workforce training on HIPAA compliance.

Acting OCR Director Anthony Archeval emphasized that security failures can make HIPAA-regulated entities attractive targets. “Failure to conduct a HIPAA risk analysis can cause health care entities to be more susceptible to cyberattacks,” he said, adding that identifying and managing risks to ePHI is “effective cybersecurity, and a HIPAA Security Rule requirement.”

Taken together, these enforcement actions signal OCR’s continued focus on ensuring that both covered entities and their business associates meet the requirements of the HIPAA Security Rule, particularly with respect to authorized access and data security.