10 Common HIPAA Violations and How to Avoid Them

For health care providers, patient information is arguably your most valuable asset. Patients assume you will protect their private information. Unfortunately, many practices are not implementing even the basic safeguards required under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, Consumer Reports recently warned their subscribers (your patients) they need to protect themselves from improper handling of protected health information (PHI) by hospitals, doctors and insurance companies. HIPAA Compliance should not be a one-time, “set-it-and-forget-it” process. Instead, protecting the privacy and security of patient information should be a culture lived and implemented by the organizational leaders and followed by their employees. Risks are no longer insignificant. Fines range from $10,000 per incident up to $1.5 million per year. The reputation of the practice can be crippled if a data breach occurs and proper protocols aren’t followed.

10 Common HIPAA Violations, and How to Avoid Them 

  1. No Updated Policies and Procedures:  HIPAA requires documentation to show you understand what is required by law and your practice has the policies and procedures in place. It’s a best practice to purchase a set of policies and review them with your team annually. You can also subscribe to a service like OfficeSafe where policies are online, employees can log in anytime, and updates are automatic.
  2. No Risk Assessment on File: You must perform an adequate risk assessment to determine your vulnerabilities. HIPAA does not define “how” an assessment needs to be performed; it only states you need to document your risk level, key vulnerabilities and plans to fix them. Having a risk assessment on file and showing you are making progress implementing key safeguards required under HIPAA will materially mitigate your risks.
  3. Lack of Employee Training Documentation: Employees are the first line of defense for your practice. Employees also make human errors. Making training a priority is key to creating a culture of compliance for your practice. Employees can also watch for phishing scams and other employee behaviors, help identify privacy issues, and more.
  4. Loss of a Device: Losing a laptop or mobile device that stores PHI is a HIPAA violation unless you can prove the data stored was encrypted and/or the device was secure. To mitigate risks, don’t store PHI on these devices, and set up controls to wipe data from mobile phones if they are used inside your practice.
  5. No Emergency or Incident Response Planning: HIPAA law now requires that every practice document an Emergency and Incident Response Plan. Also, with all of the hurricanes, fires, ransomware attacks, and other incidents, it makes sense to document your plans in case an emergency does occur. HIPAA requires: 1) a Data Backup Plan, 2) a Data Restoration Plan and 3) an Emergency Mode Operations Plan.
  6. A Ransomware Attack: Your patient information is valuable to a hacker. If obtained, they sell it on the Dark Web. Phishing scams lead to ransomware attacks, and not only can this harm your practice, but a ransomware attack is also considered a data breach under HIPAA. Your patients may have to be informed unless a forensic investigation can prove data was not accessed. For more information on ways to prevent a ransomware attack, you can learn more at Top 10 Ways to Fight Ransomware.
  7. A Credit Card Data Breach:  Every practice handles patient credit card information. A Payment Card Industry (PCI) violation can also end up being a reportable breach under HIPAA. Securing and properly handling credit card data is imperative. Don’t store any credit card information in QuickBooks, Excel or any other software. Also, make sure you are PCI certified and using EMV devices to limit chargeback liabilities.
  8. Violations Under the HIPAA Privacy Rule: Too many health care professionals do not have a clear understanding of the HIPAA Privacy Rule. Not only does PHI need to be secure, but it also needs to be kept private. Practices need to have an updated Notice of Privacy Practices shared with patients and posted in the practice. Also, employees need to understand under what circumstances PHI can and cannot be shared. It’s important (and the law) to designate a HIPAA Privacy and Security Officer for the practice. They can learn the basics and quickly mitigate behaviors that may be leading to unnecessary risks.
  9. No Encryption Safeguards: HIPAA does not state you have to use encrypted solutions, but it’s a good idea. Your PHI should be backed up using an encrypted solution. It also should be backed up in the cloud with multiple days of backup sets. Also, when e-mailing PHI, you should be using an e-mail encryption service. Encryption mitigates human e-mail error and also protects against unauthorized access to data.
  10. Lack of Compliance Documentation and Execution of Business Associate Agreements:  We often see practices struggling to execute their Business Associate Agreements, Employee and Patient Acknowledgments, Authorizations, and overall HIPAA compliance. Compliance isn’t a he-said, she-said proof exercise. You must have updated policies, procedures, and proof you are implementing the proper HIPAA safeguards.


OfficeSafe was designed to ease the administrative burdens and uncertainties associated with HIPAA compliance and financially protect you in case of a ransomware attack, HIPAA audit, or patient data breach.


Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members,” said Association President Jerry Harrison, M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of the U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment,” said Jeff Broudy, CEO of PCIHIPAA.





PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at and
