
In a now-settled case involving a notable breach of patient privacy, Deer Oaks – The Behavioral Health Solution has reached an agreement with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) following a series of incidents that compromised the sensitive protected health information (PHI) of individuals under its care. The behavioral health provider, which specializes in services for residents of long-term care and assisted living facilities, was investigated for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, according to the U.S. Department of Health and Human Services.
The inquiry began in May 2023, after allegations surfaced that Deer Oaks had made ePHI, including patient names, dates of birth, diagnoses, and other sensitive details, publicly available online. OCR's investigation substantiated the claims, finding that Deer Oaks had impermissibly disclosed the ePHI of 35 individuals by allowing their discharge summaries and initial assessments to be accessed online, reportedly as a result of a coding error in an online patient portal that had not yet been made robust. In July 2024, OCR expanded its investigation after Deer Oaks experienced a data breach in which a bad actor reportedly exfiltrated data and demanded payment to keep it from surfacing on the dark web.
OCR's findings singled out the absence of a thorough and accurate risk analysis by Deer Oaks, a step that is essential to identifying the potential risks and vulnerabilities to ePHI. "Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information," OCR Director Paula M. Stannard explained, noting that common deficiencies, such as incomplete or outdated risk analyses, can lay the groundwork for security oversights, according to the U.S. Department of Health and Human Services.
Under the settlement, Deer Oaks has agreed to pay $225,000 and to implement a corrective action plan that OCR will monitor for the next two years. The plan requires Deer Oaks to review and update its risk assessments annually and to develop strategies to mitigate any identified security risks. The company must also develop and maintain appropriate written policies and procedures that align with the HIPAA Regulations, and provide annual training on those policies and procedures to every workforce member with access to PHI.