Digital Debut
HIPAA Biannual Update
July to December 2025
BY MAIA KUNKEL | FEBRUARY 25, 2025
During the final half of 2025, healthcare organizations across the country posted 268 breaches of protected health information (PHI) affecting 500 or more individuals. This is the lowest number of breaches reported in a six-month span since the last half of 2020, and it is a 19 percent decrease from the previous update.

SOURCE: ASCA
Consistent with previous updates, unauthorized access or hacking accounted for 98 percent of the breaches. The percentage of breach investigations due to improper disposal, loss or theft of PHI continues to decrease. For the first time since 2023, improper disposal of PHI was not cited as a cause of a breach investigation.
Within the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.
ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others. Three examples of recent resolution agreements are provided below, along with precautions ASCs can take to avoid similar violations.
Concentra
What happened: OCR began investigating in 2018 after receiving a complaint that an individual was not given timely access to their health information, despite making six requests. The individual did not receive their requested records until March 2019, more than a year after the initial request. OCR’s investigation determined that Concentra failed to take timely action in response to the individual’s right of access requests. Prior to an administrative hearing, OCR and Concentra resolved the enforcement action and agreed to a monetary penalty of $112,500.
Takeaways for ASCs: In 2019, OCR introduced the HIPAA Right of Access Initiative, a specific provision of the HIPAA Privacy Rule related to health information technology (HIT) to help enforce and support individuals’ right to timely access their health records at a reasonable cost. Since 2019, OCR has announced 54 enforcement actions as part of this initiative. ASCs should review their policies and training programs to ensure that they are able to meet all HIPAA obligations when a patient requests access to their medical records. ASCs should keep in mind that it remains critical that patients are able to access their own medical information in a timely manner and be able to promptly take charge of healthcare decisions.
Cadia Healthcare Facilities
What happened: Cadia Healthcare Facilities provides rehabilitation, skilled nursing and long-term care services in Delaware. OCR began its investigation in 2021, after receiving a complaint that Cadia Healthcare Facilities had impermissibly disclosed a patient’s PHI, including their name, photograph, conditions, treatment and recovery, online as a “success story.” OCR discovered that Cadia Healthcare Facilities had posted 150 patients’ PHI online as part of a social media campaign without first obtaining a valid, written HIPAA authorization form, and further failed to provide breach notifications to the impacted individuals. Cadia Healthcare Facilities agreed to implement a corrective action plan, including a $182,000 settlement and two years of monitoring by OCR.
Takeaways for ASCs: Social media and websites can be a powerful marketing tool, but they require numerous steps to ensure patients have the autonomy to participate in or decline sharing their information. Once authorized, patient information must be posted in a respectful and appropriate manner. Before posting, ASCs must verify that the HIPAA Privacy Rule permits the disclosure and determine whether a valid, written HIPAA authorization form is needed. All members of staff, including marketing personnel, should be aware of all HIPAA policies, procedures and obligations.
BST & Co. CPAs, LLP (BST)
What happened: BST, a New York public accounting, business advisory and management consulting firm and a HIPAA business associate, filed a breach report with OCR in 2020. It was reported that BST discovered part of its network was infected with ransomware in 2019, impacting the PHI of its covered entity client. After investigating, OCR concluded that BST had failed to conduct an accurate and thorough risk analysis and imposed a corrective action plan with a $175,000 monetary penalty and two years of monitoring by OCR.
Takeaways for ASCs: In 2024, OCR launched a risk analysis initiative focused on enforcing the HIPAA Security Rule’s risk analysis requirement. Since launching the initiative, OCR has announced 10 enforcement actions. ASC staff and patients alike should be confident that electronic PHI (ePHI) is secured and inaccessible to bad actors, both internal and external. While the task of safeguarding PHI in an increasingly targeted sector might feel onerous, OCR has shared several strategies that all healthcare entities covered by HIPAA, including ASCs and business associates, can implement now to strengthen their defenses:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through and leaves the organization’s information systems.
- Periodically conduct, and update as needed, a risk analysis and develop and implement risk management measures to address identified risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize mechanisms to authenticate users seeking access to ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
To help ASCs remain compliant with HIPAA, ASCA provides the HIPAA Resource page that can be found in the federal regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, enforcement and breach notification.
Write Maia Kunkel at mkunkel@ascassociation.org with questions.