Deer Oaks – The Behavioral Health Solution Pays $225,000 Fine to Resolve HIPAA Investigation
The HHS’ Office for Civil Rights has announced another settlement to resolve an alleged violation of the risk analysis provision of the HIPAA Security Rule. Deer Oaks – The Behavioral Health Solution has agreed to pay a financial penalty of $225,000 to close the investigation and will adopt a corrective action plan to address the areas of HIPAA non-compliance identified by OCR during its investigation.
Deer Oaks provides psychological and psychiatric services to residents of long-term care and assisted living facilities throughout the U.S. On December 6, 2021, OCR received a complaint about an alleged impermissible disclosure of patient data. According to the complaint, patient discharge forms were accessible over the Internet. The discharge summaries contained protected health information such as names, dates of birth, patient identification numbers, facilities, and diagnoses.
OCR initiated an investigation in May 2023 and confirmed that the forms were not protected and could be accessed by anyone between at least December 2021 and May 19, 2023. The discharge forms related to 35 patients, and according to Deer Oaks, were exposed due to a coding error in a pilot program for an online patient portal that has since been discontinued.
OCR also investigated an August 2023 ransomware attack and data breach involving the protected health information (PHI) of 171,871 patients. A hacker obtained files, including PHI, and threatened to publish the data if the ransom was not paid. OCR determined that Deer Oaks had not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to PHI, and patient data was disclosed in a manner not required or permitted by the HIPAA Privacy Rule.
Deer Oaks was given the opportunity to settle the alleged HIPAA violations informally with OCR, which results in a lower penalty than if a civil monetary penalty is imposed. The settlement is not an admission of liability or non-compliance with the HIPAA Rules. A settlement agreement also includes a corrective action plan, which in this case includes the following requirements:
Deer Oaks must:
- Conduct a comprehensive and accurate risk analysis
- Reduce all identified risks to a reasonable and appropriate level
- Develop, implement, and maintain written policies and procedures to ensure compliance with the HIPAA Rules
- Distribute those policies and procedures to the workforce
- Provide annual HIPAA training to staff members on those policies and procedures
“Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information,” said OCR Director Paula M. Stannard. “An accurate and thorough HIPAA risk analysis can minimize the exposure of ePHI from both malicious actors and inadvertent errors. Based on OCR’s experience enforcing potential HIPAA Security Rule violations, the covered entity or business associate under investigation will often have deficient risk analysis practices. Common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies or expanding operations that affect the security of ePHI.”
This year, OCR has been highly active enforcing compliance with the HIPAA Rules and has already resolved seventeen investigations with settlements or civil monetary penalties, collecting more than $7 million in fines. The most common HIPAA violation identified this year is the failure to conduct a risk analysis. Under OCR’s latest enforcement initiative, any violation of this Security Rule provision is likely to result in a financial penalty.
