By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA.
A Health Care Provider Defense and Compliance Firm
The Office for Civil Rights (OCR) just sent a message loud and clear to drug treatment centers and behavioral health providers: if you’re going to roll out a patient portal, even in a pilot program, you must do your HIPAA homework first. Deer Oaks, a provider of behavioral health services in long-term care and assisted living facilities, agreed to pay $225,000 and enter into a two-year corrective action plan with OCR. The case stemmed from the unauthorized public exposure of patient discharge summaries and assessments via an online portal. The exposed ePHI was cached by search engines for over a year and a half.
This case is particularly relevant for behavioral health and substance use disorder (SUD) providers now heavily relying on portals and cloud-based documentation systems. Here’s what went wrong and how your center can avoid the same fate.
The Breakdown: What Deer Oaks Did Wrong
- Failed to Conduct a HIPAA Risk Analysis Before Portal Use
Deer Oaks rolled out a pilot patient portal without first performing the required HIPAA Security Rule risk analysis. That’s not just bad practice; it’s a direct violation. OCR continues to stress that one of the most common compliance failures it sees is “lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies.”
- Public Exposure of ePHI via Online Portal
Due to a coding error, ePHI (including names, DOBs, IDs, diagnoses, and facility information) was made publicly available online from December 2021 to May 2023. Anyone, including Google, could see and index it. The portal wasn’t properly secured, monitored, or reviewed.
- A Second, Unrelated Breach Compounded the Damage
In August 2023, Deer Oaks suffered a separate ransomware-style attack after an account was compromised. The attacker claimed to have stolen sensitive data from over 171,000 individuals and demanded payment to avoid releasing it on the dark web.
- Inadequate Policies and Training
OCR also found Deer Oaks lacked adequate HIPAA policies, risk mitigation strategies, and workforce training around data security and breach prevention.
Practical Takeaways for Drug Treatment and Behavioral Health Centers
- Portals = High Risk = Mandatory Risk Analysis
A current risk analysis before launching or modifying any patient-facing tech (e.g., portals, telehealth platforms, billing systems) is non-negotiable. It’s not enough to rely on your vendor’s representations; as a covered entity, you’re still legally responsible under HIPAA.
- Lock Down Public Access
Double-check that ePHI isn’t publicly accessible. Routinely audit your web portals, cloud storage links, and URL settings.
- Breach Notifications Aren’t a Shield
Even though Deer Oaks properly notified OCR and the affected individuals after their breach, that didn’t eliminate liability. Proactive prevention, not reactive notice, is what matters.
- HIPAA Training Must Be Continuous and Job-Specific
OCR expects tailored, role-specific HIPAA training that’s reviewed and updated annually. Training your intake coordinator once five years ago doesn’t cut it.
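The “Lock Down Public Access” takeaway above is the one a technical team can turn into a repeatable check. The script below is an added example, not code from the original post and not anything Deer Oaks or OCR published. It assumes you have already fetched each portal document URL without logging in (the fetch itself is left out so the example runs offline) and classifies the captured response the way the Deer Oaks facts suggest: a clinical document returned to an anonymous client is critical; a 200 on a document path without the X-Robots-Tag: noindex and Cache-Control: no-store headers is high, because that is exactly how a page stays in a search engine’s cache for a year and a half. The URLs, response bodies and PHI marker words are constructed assumptions.

```python
"""
Offline audit helper for the "Lock Down Public Access" takeaway.

Every URL here is a portal path that should require login. Each response was
captured WITHOUT credentials (fetching is out of scope; the samples below are
constructed) and is classified as:
  - "critical": clinical content came back to an anonymous request
  - "high":     a document path answered 200 without the headers that keep
                caches and crawlers from retaining the page
  - "review":   a document path answered 200 (or an odd status) with no
                clinical markers found; needs a human look
  - "ok":       the request was refused or redirected to login
"""
import re
from dataclasses import dataclass, field

# Words that suggest a clinical record rather than a login or landing page.
# Illustrative assumption; tune to the document templates your portal emits.
PHI_MARKERS = re.compile(
    r"\b(discharge summary|assessment|diagnos(is|es)|date of birth|DOB|MRN)\b",
    re.IGNORECASE,
)

REFUSED_STATUSES = {401, 403}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str


@dataclass
class Finding:
    url: str
    severity: str
    reasons: list = field(default_factory=list)


def classify(resp: Response) -> Finding:
    """Classify one unauthenticated response from a path that should require login."""
    hdrs = {k.lower(): v.lower() for k, v in resp.headers.items()}

    if resp.status in REFUSED_STATUSES:
        return Finding(resp.url, "ok", ["request refused"])
    if resp.status in REDIRECT_STATUSES and "login" in hdrs.get("location", ""):
        return Finding(resp.url, "ok", ["redirected to login"])
    if resp.status != 200:
        return Finding(resp.url, "review", [f"unexpected status {resp.status}"])

    # A 200 to an anonymous client on a document path is never right.
    reasons = []
    if PHI_MARKERS.search(resp.body):
        reasons.append("clinical content served without authentication")
    if "noindex" not in hdrs.get("x-robots-tag", ""):
        reasons.append("missing X-Robots-Tag: noindex (crawlers may index the page)")
    if "no-store" not in hdrs.get("cache-control", ""):
        reasons.append("missing Cache-Control: no-store (intermediaries may cache the page)")

    if reasons and reasons[0].startswith("clinical"):
        severity = "critical"
    elif reasons:
        severity = "high"
    else:
        severity = "review"
        reasons = ["200 without clinical markers; verify manually"]
    return Finding(resp.url, severity, reasons)


def audit(responses):
    """Return the findings that need action, worst first."""
    order = {"critical": 0, "high": 1, "review": 2, "ok": 3}
    findings = [classify(r) for r in responses]
    return sorted((f for f in findings if f.severity != "ok"),
                  key=lambda f: order[f.severity])


# Constructed sample responses; none of this is real patient or Deer Oaks data.
SAMPLE_RESPONSES = [
    Response("https://portal.example/discharge/1001", 200, {"Content-Type": "text/html"},
             "<h1>Discharge Summary</h1> Patient: J. Doe, DOB 01/02/1970 ..."),
    Response("https://portal.example/discharge/1002", 200,
             {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"},
             "<h1>Please sign in</h1>"),
    Response("https://portal.example/assessments/7", 302,
             {"Location": "/login?next=/assessments/7"}, ""),
    Response("https://portal.example/assessments/8", 401, {}, "Unauthorized"),
    Response("https://portal.example/assessments/9", 200, {}, "<h1>Please sign in</h1>"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f.severity.upper():8} {f.url}")
        for r in f.reasons:
            print(f"         - {r}")
```

Run it against responses captured from a clean browser session or a scripted client with no cookies, on a schedule, and treat any critical finding as a reportable incident investigation, not a ticket. The header checks matter even for pages that look harmless today: a document path that answers 200 to an anonymous client with no no-store or noindex is one coding error away from the Deer Oaks outcome.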
Final Thought
If you’re a behavioral health or drug treatment provider using an online portal or considering one, now is the time to get your HIPAA house in order. Risk analyses must be done before going live, and they must be updated regularly. If you’re using third-party tech, you need robust BAAs and must still conduct your own risk review. The cost of noncompliance is rising, and the margin for error, especially with portals, is shrinking. If you have any questions or comments about the subject of this blog, please contact Parrella Health Law at 857.328.0382 or Chris directly at cparrella@parrellahealthlaw.com.