The HealthSec Blog
June 2, 2025

Hale Insights - May 30, 2025

Good Morning Everyone,

This week’s roundup tracks how legacy vulnerabilities—like outdated risk assessments and weak access controls—are colliding with emerging compliance risks tied to AI and automation. OCR continues to hammer organizations that failed to perform basic, enterprise-wide risk analyses, even as AI-driven patient engagement tools face growing scrutiny under the TCPA. Meanwhile, insider threats and ransomware actors are exploiting these gaps, prompting regulators to issue new corrective action plans and hefty fines. Whether you're deploying a chatbot or preparing for a data migration, the signal is clear: modern threats demand modern controls. Full details below:

Regulatory Updates

AI-powered chatbots may trigger TCPA liability

As AI transforms patient engagement through voice bots, chat platforms, and automated reminders, digital health companies are being warned: TCPA compliance is now just as critical as HIPAA. The Telephone Consumer Protection Act (TCPA)—originally enacted to combat telemarketing abuse—restricts calls and texts made using “automatic telephone dialing systems” or “artificial/prerecorded voices” without prior express consent. Recent FCC rulings confirm that AI-generated voices count as artificial under the TCPA, and courts are now grappling with whether chatbots and text-based virtual assistants fall under the same rules. Even patient-centric outreach like appointment reminders or refill alerts may carry risk if automated. HIPAA does not override TCPA restrictions, and many state laws impose even stricter rules.

To mitigate exposure, digital health providers should conduct TCPA risk assessments, audit consent flows, and obtain written consent where ambiguity exists—especially for outreach that could be construed as marketing. As AI blurs regulatory lines, staying ahead of case law developments is key to avoiding costly litigation. Learn more at The National Law Review

Enforcement Actions

BayCare pays $800K over insider snooping incident

BayCare Health System, a Florida provider network, has reached an $800,000 HIPAA settlement with OCR after a malicious insider used shared access to view and photograph a patient’s medical records—then shared them outside the organization. The investigation revealed that the credentials belonged to a non-clinical former staffer from an affiliated physician group who retained access to BayCare’s EHR platform, despite no longer having a clinical role. OCR cited BayCare for failing to implement effective access controls, neglecting to audit system activity, and not mitigating known risks to ePHI. As part of a two-year corrective action plan, BayCare must now conduct a full risk analysis, retrain staff on HIPAA policies, and implement tighter controls around role-based access. The case underscores OCR’s growing focus on internal misuse and shared-credential risks as a vector for privacy violations. Learn more at HHS.gov

Comstar pays $75K after ransomware breach exposes 585K records

OCR has announced its 13th ransomware enforcement action—and 9th under its Risk Analysis Initiative—following a settlement with Comstar, LLC, a Massachusetts-based billing and ambulance services vendor. The case stems from a 2022 ransomware attack that compromised the electronic protected health information (ePHI) of 585,621 individuals across more than 70 HIPAA-covered entities. OCR’s investigation determined that Comstar failed to conduct a HIPAA-compliant risk analysis, a foundational requirement under the Security Rule.

As part of a two-year corrective action plan, Comstar will now be required to complete a full risk analysis, implement a risk management plan, update its policies and procedures, and retrain staff handling PHI. The settlement amount—$75,000—is modest, but the case reinforces that OCR views risk-analysis lapses as a key vulnerability, even for business associates. Learn more at HHS.gov

Closing Thoughts

The lesson this week is clear: risk analysis is no longer a one-time compliance task—it’s the operational foundation regulators expect to be active, accurate, and actionable. Both BayCare and Comstar learned this the hard way, paying the price for stale access policies and missing risk reviews. And as AI platforms push patient communications into automated territory, staying ahead of TCPA interpretations is now table stakes. Let’s double down on our fundamentals: review your access controls, refresh your enterprise risk assessments, and treat consent flows and contract clauses as frontline defenses.

Stay smart, stay secure, and thank you for all you do!

Tags:
compliance
cybersecurity
data breach
healthcare
HIPAA
risk assessment
© 2023-2025  by Hale Consulting Solutions LLC