On September 30, 2025, the Office for Civil Rights of the Department of Health and Human Services (OCR) announced a settlement with Cadia Healthcare Facilities, a provider of rehabilitation, skilled nursing and long-term care services located in Delaware, “for potential violations…of HIPAA Privacy and Breach Notification Rules.”
HIPAA and Health Information
Hospital Succeeds in Dismissal of Pixel Litigation
Recently, the United States District Court in the Southern District of Texas granted summary judgment for the defendant hospital in Sweat v. Houston Methodist Hospital, No. 4:24-cv-00775 (S.D. Tex. 9/22/25). The court had previously dismissed the plaintiffs’ claim for invasion of privacy. The motion for summary judgment concentrated on the plaintiffs’ claims that…
Appeals Dropped of Decision Vacating HIPAA Reproductive Health Privacy Rule, Confirming Apparent End of the Rule and Attestation Requirement
This post was co-authored with Ivy Miller, legal intern at Robinson+Cole. Ivy is admitted to practice in Massachusetts.
On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed an appeal of the federal court ruling vacating key provisions of the HIPAA reproductive health care regulations, which appears to signal the end…
HHS Continues Focus on Access Rights by Announcing Crackdown on Information Blocking
In August, the Office for Civil Rights (OCR) published guidance relating to individuals’ rights to access their protected health information (PHI) under HIPAA. As we covered in our earlier blog post about the August guidance, the new FAQs came amidst OCR’s continued enforcement focus on its Right of Access initiative, under which the OCR has…
HIPAA Privacy Rule in Focus: OCR Sheds Light on PHI Disclosures and Access Rights
On August 11, 2025, the Office for Civil Rights (OCR) published updated guidance relating to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) in the form of two new FAQs. The FAQs clarify the OCR’s position on (1) permitted disclosures of protected health information (PHI) to value-based care arrangements and (2)…
Purl v HHS: Resetting the Reproductive Health Privacy Landscape
Reproductive health privacy is once again in the legal spotlight with a recent federal district court decision that struck down nearly all of a recent rule under the Health Insurance Portability and Accountability Act (HIPAA) that protected reproductive healthcare-related information privacy.
In a ruling issued on June 18, 2025, in Purl v. Department of Health…
OCR Enters into Two More Settlements for Failure to Conduct Security Risk Assessments
The Office for Civil Rights (OCR) entered into two recent settlements with covered entities alleging that they failed to conduct security risk assessments. The settlements indicate that OCR will continue to aggressively regulate potential violations of the Health Insurance Portability and Accountability Act (HIPAA), particularly for failure to conduct risk assessments.
Deer Oaks
On July 7…
Ascension Notifies 430,000 Patients of Data Breach
Healthcare system Ascension has notified 437,329 patients of a data breach exposing “demographic information, such as name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers, as well as clinical information related to an inpatient visit.”
Ascension indicated that the incident occurred when it “inadvertently disclosed information to a former…
PIH Health Settles HIPAA Violations for $600,000
PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, Social Security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and…
Warby Parker Settles Data Breach Case with OCR for $1.5M
Eyeglass manufacturer and retailer Warby Parker recently settled a 2018 data breach investigation by the Office for Civil Rights (OCR) for $1.5 million. According to OCR’s press release, Warby Parker self-reported that between September and November of 2018, unauthorized third parties had access to customer accounts following a credential stuffing attack. The names, mailing and…