Blog|Articles|March 5, 2026

Two notable HIPAA items from HHS-OCR

Fact checked by: Keith A. Reynolds

HHS-OCR ramps up HIPAA enforcement: phishing settlement spotlights risk analyses, Security Rule gaps and urgent 2026 Part 2 NPP updates.

As March begins, it is worth reviewing two notable items that the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) released in February. First, HHS-OCR announced a HIPAA enforcement action arising from a phishing attack and the absence of fundamental Security Rule safeguards, including an accurate and thorough risk analysis. Second, HIPAA Notices of Privacy Practices (NPPs), which must now address 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records, referred to here as Part 2), were required to be updated by February 16, 2026, and HHS-OCR recently updated its website and provided a framework for revised NPPs.

On February 19, 2026, HHS-OCR announced its 11th enforcement action under its Risk Analysis initiative. The settlement involved a substance use disorder treatment center, Top of the World Ranch Treatment Center (TWRTC), and resolves an investigation stemming from a breach report affecting 1,980 patients whose electronic protected health information (ePHI) was compromised by a phishing attack in 2023. “OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI … as required by the HIPAA Security Rule.” The resolution agreement included a $103,000 monetary payment and a corrective action plan (CAP) with two years of monitoring. Beyond the missing comprehensive risk analysis, HHS-OCR also found deficiencies in related areas, namely workforce training, effective policies and procedures, and a risk management plan, all of which were incorporated into the CAP.

As HHS-OCR highlighted in its press release, several practices can reduce both the risk of a successful attack and the risk of an enforcement action: knowing where data enters and leaves the organization, reviewing system activity regularly, encrypting data both at rest and in transit, and providing workforce members with HIPAA training that is tailored to the organization and that highlights how risks arise differently across roles and departments. Organizations should also weigh the likelihood of a class action lawsuit following a breach.

In addition to the February 16, 2026 deadline to revise NPPs to align Part 2 with HIPAA, HHS-OCR announced that it will be implementing its new program consistent with the February 2024 final rule and enforcing requirements that extend beyond revised NPPs. This marks the first time that HHS-OCR can use civil enforcement mechanisms (i.e., resolution agreements and civil monetary penalties) for Part 2 violations. As OCR Director Paula M. Stannard stated, “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens.”

Importantly, Part 2 Programs are a very specific type of provider. The fact that a substance use disorder (SUD) is referenced in a medical record, or that a person comes into the emergency room or a walk-in clinic for treatment of a drug overdose, does not by itself mean that the provider qualifies as a Program under Part 2. That said, Part 2 Program records may be requested by or sent to a non-Program provider that is a covered entity under HIPAA; in that case, patient authorization is expressly required. Even providers that do not anticipate receiving a patient request to send Part 2 records, or having to request them, are still required to update their NPPs.

In sum, these two notable items underscore the importance of re-reading the February 2024 Final Rule and updating training and policies and procedures, not just NPPs. They also underscore HHS-OCR’s continuing commitment to enforcing HIPAA and its expectation that both covered entities and business associates take the proactive measures that the HIPAA Privacy Rule and Security Rule have required for over 20 years.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.