News in Brief – January 2025

January was a busy month.  Below are some brief summaries of notable developments in health privacy and telehealth.

HHS/OCR Issues Proposed Changes to HIPAA Security Rule

Just before the new year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing an overhaul of the HIPAA Security Rule.  The proposals, designed to address the increasing cybersecurity threats in healthcare, include measures that many healthcare providers would find difficult to implement.  OCR summarizes its proposed changes here.  It is unclear whether the current administration will move to finalize these proposed rules.

The comment submission deadline is March 7, 2025.  Submitting comments through the online portal is relatively easy, and it is the best opportunity to influence any final rule.  As we saw with the DEA telehealth prescribing rules, public comments can have a major impact on keeping problematic proposed rules from being finalized.

DEA Issued a Final Rule Adopting Pandemic-Era Telehealth Prescribing Rules

On January 15, 2025, the Drug Enforcement Administration (DEA) issued a final rule adopting some of the telehealth flexibilities granted during the COVID-19 public health emergency.  The DEA also issued a proposed rule outlining the long-awaited special registration process that would permit registered providers to prescribe controlled substances through telehealth without an in-person medical evaluation.  The DEA explains its rules here.

For historical perspective on this issue, see DEA Extends COVID Telehealth Controlled Substance Prescribing Flexibilities For a Third Time.

2024 HIPAA Enforcement Summary

Below is a side-by-side comparison of HIPAA enforcement actions since 2019.  In the table, CMP means civil money penalty; the Right of Access and Risk Analysis columns show the dollars collected for that issue, with the number of actions in parentheses.  There are several notable items about 2024 discussed below.

Year  Resolutions  Amount collected  CMPs vs. settlements     Most common issue      Right of Access   Risk Analysis
2024  16           $9,263,846        7 CMPs; 9 settlements    Risk Analysis (10)     $420,000 (5)      $8,808,265 (10)
2023  13           $4,176,500        all settlements          Risk Analysis (6)      $271,500 (4)      $3,555,000 (6)
2022  22           $2,170,140        2 CMPs; 20 settlements   Right of Access (17)   $859,000 (17)     $875,000 (1)
2021  14           $5,982,150        1 CMP; 13 settlements    Right of Access (12)   $857,150 (12)     $5,125,000 (2)
2020  19           $13,554,900       all settlements          Right of Access (11)   $537,500 (11)     $10,977,400 (6)
2019  10           $12,274,000       2 CMPs; 8 settlements    Risk Analysis (6)      $170,000 (2)      $8,365,500 (6)

Items of Note:

  • Seven civil money penalties were imposed in 2024, substantially more than in any previous year, and they accounted for nearly 25% ($2,298,265) of the total settlement and penalty amounts for the year.
  • HHS continued to emphasize ransomware, announcing several ransomware-related settlements in 2024 after its first in 2023.
  • The details of several enforcement actions are no longer available on the government’s website, most notably the late November 2024 action against Holy Redeemer Family Medicine for improperly disclosing sensitive protected health information, including reproductive health information, to a patient’s employer.
  • Not surprisingly, failure to conduct an adequate risk analysis (the Security Rule requirement at 45 CFR 164.308(a)(1)(ii)(A)) remains the top enforcement topic; it appears in every enforcement action involving a cyber incident.

2025 HIPAA Enforcement Year is Off to a Hot Start

With six announced HIPAA enforcement actions so far this year, OCR is off to a hot start.  Five of the six involved cyber incidents (including three ransomware incidents) in which OCR alleged a failure to conduct an adequate risk analysis.  The sixth is a Right of Access matter.  In total, settlements stand at $3,577,750.