Last month, the Department of Health and Human Services' Office for Civil Rights ("OCR") published its 19th Resolution Agreement this year, following an investigation into a ransomware attack on a business associate subject to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), that resulted in the disclosure of protected health information ("PHI") of over 170,000 individuals. Resolution Agreements provide helpful insight into how OCR conducts its investigations and what it expects to find, and together they offer a roadmap of best practices for HIPAA compliance.
The following is a list of the top five HIPAA lessons that plan sponsors of group health plans can learn from the Resolution Agreements OCR has published to date.
- HIPAA Security Risk Assessment. OCR has noted that one of the most frequent HIPAA violations is noncompliance with the HIPAA Security Rule, particularly the requirement that a covered entity or business associate conduct an accurate and thorough assessment of the risks and vulnerabilities to its electronic PHI and document how it addresses the Security Rule's Standards and Implementation Specifications (a "Security Risk Assessment," sometimes referred to as an "SRA"). Group health plans that are subject to HIPAA are required to conduct and document the SRA, update it as their systems and vendors change, and provide the documentation to HHS upon request.
- HIPAA Privacy Procedures. Develop, maintain, and revise as necessary written policies and procedures to comply with HIPAA, and distribute any updated HIPAA policies and procedures to employees who have access to PHI. Employers that sponsor a group health plan should make sure any employees who work on behalf of the plan have received a copy of the HIPAA Privacy Procedures or know where to access them.
- Business Associate Agreements. Review all vendor and contractor relationships to confirm that business associate agreements are in place where required and that they address breach and security incident reporting obligations.
- Training. Provide HIPAA privacy and security training to workforce members, and reinforce their critical role in protecting the privacy and security of PHI.
- Notice of Privacy Practices. Update and distribute the HIPAA Notice of Privacy Practices by February 16, 2026, to include information to address Part 2's privacy requirements for substance use disorder records. You can read more about these requirements here.
The resolution agreement and corrective action plan may be found here.