HIPAA & Security
Common questions on HIPAA Security Rule, Privacy Rule, Security Risk Analyses, breach response, and OCR enforcement actions.
What caused the MIE $100,000 HIPAA settlement?
Medical Informatics Engineering paid $100,000 after hackers used a compromised user ID and password to access ePHI for about 3.5 million people. OCR found that MIE had not conducted a comprehensive risk analysis before the breach. As part of corrective action, MIE agreed to perform an accurate and thorough risk analysis that included an inventory of facilities, equipment, data systems, and applications holding ePHI.
Why can a stolen laptop lead to a HIPAA settlement?
A stolen laptop can expose patient records if portable devices are not properly secured. In the Massachusetts Eye and Ear case, the theft involved a laptop storing 3,621 patient records, and OCR alleged failures around risk analysis and policies restricting access to ePHI on portable devices. The post emphasizes that HIPAA Security compliance must be prioritized by management and implemented throughout the organization.
What HIPAA failures led to Aetna's $1 million settlement?
Aetna's settlement followed three breaches in six months, including web documents accessible without login credentials, HIV medication wording visible through envelope windows, and research study information visible on envelopes. OCR also cited failures involving periodic evaluations, identity verification, minimum necessary disclosures, and safeguards for PHI. Aetna agreed to pay $1 million and implement corrective policies, workforce distribution, and training records.
What does a business associate need to do after a ransomware HIPAA settlement?
The BST ransomware settlement shows that OCR expects business associates to perform an accurate and thorough risk analysis, create a risk management plan, update policies and procedures, train the workforce, and document actions. The post stresses that any partner that creates, receives, maintains, or transmits ePHI must meet Security Rule standards. Ransomware incidents can quickly become formal investigations when basic controls are missing.
Do business associates have to follow HIPAA if they never see patients?
Yes, the post says direct patient contact is not the test. A vendor that creates, receives, maintains, or transmits ePHI can be a business associate even if it never treats patients. Examples include accountants, billing firms, IT providers, cloud hosts, shredding services, law firms, and transcription services.
Can a healthcare provider post patient success stories online under HIPAA?
Patient success stories can create HIPAA risk when they include names, photos, conditions, or treatment details without valid written authorization. Cadia paid $182,000 after OCR found patient stories had been posted online without proper authorization for 150 patients. The corrective action plan required privacy policy updates, workforce training, and formal breach notification to affected individuals.
Why did COVID-era telemedicine growth increase healthcare cybersecurity risk?
The post links telemedicine, APIs, remote monitoring, and COVID rollout pressure to a larger attack surface for healthcare data. It cites research finding vulnerable API endpoints, hard-coded credentials, weak mobile app protections, and unauthorized access to patient records through broken authorization. The recommended first step is to start with HIPAA Security standards while recognizing that more work is needed to protect infrastructure and data.
Did OCR's COVID-19 telehealth flexibility suspend HIPAA requirements?
No. The post explains that OCR's good-faith telehealth announcement gave flexibility for telecommunications platforms, but it did not mean HIPAA requirements stopped applying. The recommendation was to complete the annual SRA as usual, review telecommunication technologies closely, obtain a signed BAA from the provider, and confirm video storage and connections are encrypted.
What basic cybersecurity steps did the FBI recommendations emphasize?
The cybercrime post lists practical defensive steps such as keeping firewalls turned on, installing or updating antivirus and antispyware software, keeping operating systems up to date, being careful with downloads, and turning off computers when they are not needed. It frames these steps as part of recognizing that cybercrime is real. The post also points to education and security certification as important responses.
What were common causes of data breaches highlighted in the 2020 cybercrime post?
The 2020 cybercrime post highlights weak or stolen credentials, back doors, application vulnerabilities, malware, social engineering, excessive permissions, insider threats, improper configuration, and user error. It also recommends updating systems, training users, monitoring activity, performing ongoing risk assessments, and staying current with threats and solutions. The post treats these steps as basic prevention measures.
What did OCR focus on after the Change Healthcare cybersecurity incident?
After the Change Healthcare incident, OCR focused on whether a breach of PHI occurred and whether Change Healthcare and UnitedHealth Group complied with HIPAA Privacy, Security, and Breach Notification Rules. OCR also reminded organizations partnered with those entities about their own regulatory duties. The post specifically mentions business associate agreements, breach notification requirements, and urgent cybersecurity review.
What types of cyberattacks should healthcare staff recognize?
The cyber security post describes social engineering, phishing attacks, unpatched software, and social media information gathering as common cyberattack categories. Social engineering tricks people into misplaced trust, phishing impersonates reputable organizations, unpatched software leaves known holes open, and social media can help criminals gather details about a target. The post concludes that user education remains one of the best cybersecurity measures.
What does a HIPAA Security Officer focus on compared with a Privacy Officer?
The post explains that HIPAA Privacy requires a Privacy Officer and HIPAA Security requires a Security Officer. The Privacy Officer mostly deals with privacy issues and hard-copy records, while the Security Officer deals with cybersecurity and electronic health information. The article connects this role to the rise in ransomware, data breaches, government audits, and Omnibus Rule changes.
What is the difference between antivirus and antimalware in cybercrime prevention?
The cybertools post says antivirus and antimalware share the goal of stopping malicious software, but antivirus deals with older threats while antimalware is designed for newer types of threats. It also names training and firewalls as important tools. The first step is identifying weaknesses in systems and applications before choosing the right defenses.
What cybersecurity tools can reduce ransomware and website data risks?
The Cyber Tools post recommends cloud computing, ransomware solutions, SSL, and training as practical defenses. SSL is described as an encrypted link between a server and browser that helps protect customer information during browsing. The post also warns that there is no single perfect defense, so organizations should identify vulnerabilities and make a prevention plan.
Where does HIPAA Security address encryption of ePHI?
The encryption post explains that encryption changes information from a readable format to an unreadable one to help protect data from unauthorized people. It cites HIPAA Security provisions for encryption and decryption of ePHI and for encrypting ePHI whenever appropriate. The post recommends asking the Security Officer about encryption resources and how to use them.
Why should a Security Risk Analysis be part of year-end compliance planning?
The year-end deadlines post treats the SRA as part of a connected compliance plan because missing an SRA, a MIPS submission, or an updated Notice of Privacy Practices can trigger penalties, audits, or reputation damage. It says the SRA anchors MIPS Promoting Interoperability and ransomware investigation readiness. The post recommends turning SRA findings into a Security Management Plan with owners and timelines.
How do SAFER Guides affect MIPS Promoting Interoperability in 2025?
The post says that to earn more than zero points in the Promoting Interoperability category, clinicians must attest yes to both a Security Risk Analysis and an annual self-assessment using the High Priority Practices SAFER Guide. A no response to the SAFER Guide measure gives the PI category a zero score, regardless of other PI data. The post recommends scheduling this work before year end.
What operational problems can a healthcare ransomware attack cause?
The Ascension post says the attack disrupted critical systems, forced reliance on paper records, and affected patient care. Emergency services had to redirect patients, and systems such as MyChart, telephony services, and electronic prescription platforms were heavily impacted. Ascension also had to postpone elective procedures and appointments while patients were asked to provide manual medical histories.
What should a healthcare organization do in the first hours after discovering a data breach?
The breach response post recommends confirming whether the incident is a HIPAA breach, activating the incident response team, and immediately containing ongoing unauthorized access. Depending on the incident, containment may include password resets, token revocation, MFA, isolating infected systems, remote wiping, or terminating insider access. Every containment action should be documented with timestamps.
When must a healthcare data breach be reported to affected individuals and OCR?
When notification is required, the post says affected individuals must be notified within 60 days of breach discovery. If 500 or more individuals are affected, OCR must be notified within 60 days through the breach portal, and prominent media outlets also must be notified. If fewer than 500 individuals are affected, OCR reporting is handled through an annual report within 60 days of calendar year end.
Which overlooked devices can store ePHI and create HIPAA risk?
The post warns that ePHI can live in equipment beyond servers, computers, and mobile devices. Multi-function printers, standalone photocopiers, fax machines, voice recorders, dictation systems, and wearable health devices can all store or expose patient information. The recommended controls include comprehensive risk assessments, encryption, access controls, updated security protocols, and ongoing HIPAA staff training.
Which overlooked vendors may need HIPAA Business Associate Agreements?
The hidden business associate post names cloud service providers, IT support and maintenance vendors, and medical transcription services as vendors that can be overlooked. It also stresses that subcontractors must maintain their own HIPAA training and policies rather than relying only on a covered entity's materials. Covered entities should assess all business associates, establish BAAs, and confirm independent compliance protocols.
What HIPAA documents had to be updated after the Omnibus Rule?
The HIPAA post says covered entities needed updated Notices of Privacy Practices, updated business associate contracts, updated policies and procedures, and centralized evidence of their actions. It warns that policies are living documents and should not be templates left unused on a shelf. The post also notes that Privacy and Security require different actions from covered entities and business associates.
What made the 2013 HIPAA Omnibus Rule significant?
The 2013 update post describes the Omnibus Rule as a 563-page update with an effective date of March 26, 2013 and compliance due 180 days after posting. It says the rule made sweeping changes to HIPAA Privacy and Security, enhanced patient privacy rights, and strengthened OCR enforcement. The post emphasizes that the changes affected health plans, healthcare providers, and business associates.
Can providers share PHI for value-based care without patient authorization?
The 2025 PHI sharing post says PHI may be disclosed for treatment without patient authorization, including with value-based groups such as ACOs. Treatment is described broadly as providing, coordinating, or managing care, including consultations and referrals among treating providers. The post also says the minimum necessary standard does not apply to treatment disclosures, though teams should still share thoughtfully.
What records are included in HIPAA's designated record set for patient access?
The post says the designated record set includes records a provider or plan uses to make decisions about a person. Examples include medical and billing records, enrollment, payment, claims, case management, and other decision-making records. It also says patient access can include PHI held by business associates, while separate psychotherapy notes and documents created only for legal actions are excluded.
What is the February 16, 2026 HIPAA Notice of Privacy Practices deadline about?
The 2026 HIPAA requirements post says covered entities and business associates must update their Notice of Privacy Practices by February 16, 2026. The update is tied largely to confidentiality rules for substance use disorder patient records under 42 CFR Part 2. The post clarifies that this is an NPP update deadline, not an entirely new HIPAA program.
Why is a simple subpoena not enough for SUD records under the 2026 NPP update?
The post says the NPP update aligns HIPAA with stricter rules for substance use disorder records. Practices must explain SUD data handling and tell patients that SUD records cannot be used in court without special permission or a unique court order. Staff should understand that a simple subpoena is no longer sufficient to release SUD records.
How should healthcare organizations prepare for the HIPAA Security overhaul mentioned for May 2026?
The 2026 requirements post recommends conducting a Security Risk Analysis, training leadership through certified HIPAA Security Officer programs, creating a network map and device inventory, implementing MFA, and reviewing vendor and Business Associate agreements. It presents these steps as preparation for the security overhaul. The checklist also ties security readiness to staff awareness and updated privacy forms.
What was HIPAA 5010 intended to change for healthcare transactions?
The HIPAA 5010 post says Version 5010 was a prerequisite for ICD-10, corrected outdated transaction standards, and improved administrative data exchanges. It included front matter, technical, structural, and data content improvements. The post also describes opportunities in eligibility checks, coordination of benefits, claims status, electronic remittance, and revenue cycle process improvement.
Did CMS's delay of HIPAA 5010 enforcement change the compliance deadline?
No. The HIPAA 5010 enforcement post says CMS postponed enforcement until March 31, 2012, but clarified that enforcement was not the same as compliance. Level II compliance remained December 31, 2011, meaning covered entities needed end-to-end testing with trading partners and the ability to operate in production mode using the new standards.
What documents does OCR ask for in a HIPAA audit?
The OCR audit checklist says auditors look for current policies and procedures, a risk analysis and risk management plan, security awareness training proof, anti-malware and patching evidence, backup documentation, access controls, audit logs, breach procedures, device and media controls, facility and workstation safeguards, BAAs, and six-year documentation retention. The post emphasizes that OCR measures proof, not promises.
How quickly did OCR expect responses in the second phase of HIPAA audits?
The second phase audit post says the response time changed to ten days instead of about a month in previous cases. It also notes that business associates would be audited and that the audit protocol had more than 180 questions. The recommended preparation included completing a risk analysis, risk management plan, updated NPP, business associate list, and policy review.
Why are outdated Business Associate Agreements a HIPAA risk?
The business associate agreement post says covered entities must obtain satisfactory assurances that business associates will safeguard PHI. It also says the chain of custody must extend to subcontractors, business associates are directly liable for HIPAA Security compliance, and noncompliant relationships may need to be terminated. Field findings included missing or noncompliant BAAs, along with no evidence of security officers, prior risk assessments, or policies.
What business associate changes were proposed for HIPAA in 2025?
The 2025 business associate post says proposed changes would require business associates to notify covered entities within 24 hours after starting an emergency plan. It also says business associates would provide an annual written assurance that required technology safeguards are in place, checked by a subject matter expert and signed by leadership. Covered entities would need to review those assurances before sharing health information.
What does systemic noncompliance mean in HIPAA enforcement?
The enforcement post uses Premera Blue Cross and Athens Orthopedics to show that organizations may believe they have security programs but still lack proof of compliance. It highlights the need to address HIPAA Security standards, understand business associate duties, and conduct an accurate and thorough risk analysis. The post warns that mandatory fines can reach $50,000 per incident.
Why can a failed HIPAA risk analysis affect Meaningful Use payments?
The HITECH audits and risk analysis post says risk analysis is required by HIPAA Security and is also part of Meaningful Use requirements. Meaningful Use is treated as all or nothing, so failure to meet one measure can require forfeiting incentive money and repayment within 60 days. The post also ties retained overpayments to potential False Claims Act liability.
Is wiping a hard drive enough for HIPAA media sanitization?
The media sanitization post says a vendor statement that a drive was wiped is not enough. HIPAA requires ePHI on a device to be truly unusable or unreadable before it leaves organizational control. The accepted clean paths described are a NIST SP 800-88 purge with documentation and proof, or physical destruction with documentation and proof.
What are common signs of HIPAA non-compliance?
The HIPAA non-compliance post lists several easy-to-spot indicators: failing to post the Notice of Privacy Practices, failing to update the NPP, using business associate agreements that have not been updated since March 2013, texting or sending emails in clear text, and failing to conduct an annual security risk assessment with a security management plan. The post frames these as common violations.
What steps did the HIPAA Omnibus Rule deadline require practices to take?
The Omnibus Rule deadline post recommended updating the Notice of Privacy Practices, updating HIPAA Security and Privacy policies, training staff, identifying business associate relationships, and updating business associate agreements. It also said practices should obtain assurances from business associates about compliance actions. The post warns that simply having policies and an NPP was not enough if gap analysis, risk analysis, and HITECH requirements were ignored.
Is HIPAA certification required by law?
The certification post says complying with HIPAA is required by law, but being certified is not. It presents certification as a possible way to show effort, but recommends starting with a gap analysis and risk analysis. The post also advises having a third party review compliance even if an organization believes it is already compliant.
What are the biggest HIPAA Security Rule changes proposed in 2025?
The 2025 proposed changes post says the rule was still in the proposed stage, but the direction was stronger cybersecurity for covered entities and business associates. It highlights removing the addressable versus required distinction, requiring asset inventories and network maps, strengthening risk analysis, requiring MFA and encryption, and demanding documentation such as logs, test results, and reports. The post stresses proof of actual practice.
What should a HIPAA technology asset inventory include under the proposed 2025 changes?
The proposed changes post says the inventory should include all technology assets that create, receive, maintain, transmit, or affect ePHI. Examples include servers, laptops, tablets, phones, medical devices, network gear, and cloud systems. The inventory should be updated at least every 12 months and after major changes such as a new EHR, new site, or telehealth platform.
Would the 2025 HIPAA Security proposal make MFA and encryption mandatory?
The post says the proposed rule would require stronger technical controls and move encryption away from being treated as optional. MFA would be required for systems that access ePHI, especially systems reachable over the internet. Encryption of ePHI at rest and in transit would be required with very limited exceptions.
What are HIPAA Security Physical Safeguards?
The physical safeguards post describes them as facility actions and controls that let authorized users access systems while denying access to unauthorized users. It recommends checking device inventories, where devices are located, whether vulnerable devices should be moved, and what controls are used, such as cable locks, privacy screens, secured rooms, cameras, guards, alarms, policies, staff training, and signs.
Why are HIPAA Security policies and procedures required?
The policies and procedures post says HIPAA requires covered entities and business associates to implement reasonable and appropriate policies and procedures for the Security Rule standards. It explains that security policies guide employee behavior, protect the organization and employees, support the organization's mission, and should be enforceable. The post also says policies should protect the organization, increase efficiency, and support legal compliance.
What is the difference between a HIPAA Security Evaluation and a Security Risk Analysis?
The evaluation post says the Evaluation Standard looks at whether an entity's security policies and procedures meet HIPAA Security requirements through periodic technical and nontechnical review. The Risk Analysis standard looks at potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The post concludes that the two activities are different, but both require recurring action and documented findings.
Can an EHR or IT vendor satisfy a practice's HIPAA Security Risk Analysis requirement?
No. The myths post says an EHR vendor is a business associate responsible for its product or service, but the healthcare provider is responsible for how that product is used in its own environment. The SRA must cover all ePHI, including data on servers, workstations, laptops, and mobile devices. The vendor can provide technical details, but legal responsibility for a complete SRA remains with the provider.
Do small healthcare practices have to conduct a HIPAA Security Risk Analysis?
Yes. The SRA myths post says HIPAA rules apply to all covered entities that handle ePHI, regardless of size. That includes solo practices, small clinics, and large hospital systems. The post also warns that smaller practices may be easier targets because they often have fewer security resources.
Is a penetration test the same as a HIPAA Security Risk Analysis?
No. The myths post says a penetration test is a simulated cyberattack used to find technical weaknesses, while an SRA is broader. A HIPAA SRA also considers employee training, physical access to facilities, backup plans, and other administrative, physical, and technical safeguards. A penetration test can support an SRA, but it does not replace one.
What would the Health Infrastructure Security and Accountability Act require for SRAs?
The post says the proposed Health Infrastructure Security and Accountability Act would require healthcare organizations to conduct annual HIPAA Security Risk Analyses through independent third-party firms. It would also direct HHS to establish minimum cybersecurity standards, provide $800 million over two years to support hospitals, increase oversight and audits, and add penalties for non-compliance. The post urges organizations not to wait before improving cybersecurity.
Can failing to install software patches become a HIPAA Security issue?
Yes. The system patches post says failing to patch, update, or migrate systems may be interpreted as a violation of HIPAA Security's requirement to prevent, detect, contain, and correct security violations. It notes that patching can be difficult because updates may be frequent or cause compatibility problems. Still, the post cites a settlement where malware could have been avoided if software patches had been installed.
What should a proper HIPAA Security Risk Analysis include?
The HIPAA SRA post says a strong SRA identifies where ePHI lives or travels, including EHRs, laptops, cloud systems, billing platforms, email, and old servers. It identifies threats and vulnerabilities, reviews safeguards, assesses likelihood and impact, and documents findings and fixes. It should also feed into a Security Management Plan and be repeated at least yearly or after major changes.
Why is attesting YES to a MIPS SRA without doing one risky?
The HIPAA SRA post says MIPS Promoting Interoperability requires clinicians to attest yes to conducting or reviewing an SRA and addressing deficiencies. If an organization says yes without a valid documented SRA, the post says it may be giving false information to the government to receive higher Medicare payments. CMS may demand repayment, add penalties, or refer the case for investigation.
How long should HIPAA SRA documentation be kept?
The HIPAA SRA post says required HIPAA documentation, including SRA and risk management records, must be kept for at least six years from creation or from when it was last in effect. The government can ask for SRA records going back six years. If an organization cannot show the documents, regulators may treat the SRA as if it never happened.
Why can photocopier hard drives create HIPAA liability?
The hard drive post describes the Affinity Health Plan settlement, where photocopiers were returned without erasing data on their hard drives. The settlement was $1,215,780 and included failures to include copier hard drives in the risk analysis and to implement return policies and procedures. The post recommends gap analysis, risk analysis, updated policies, business associate review, and staff training.
What evidence should providers keep for HITECH or Meaningful Use audits?
The HITECH audits post recommends printing all information when submitting attestation, keeping an electronic copy, and creating a book of evidence for each entity. It also recommends completing an annual risk analysis and keeping the report with important documents. Providers should monitor email because future audit inquiries may come that way.
What fees can a covered entity charge patients for electronic copies of PHI under HIPAA?
The medical record release post says HIPAA permits only a reasonable, cost-based fee for patient-requested PHI copies. For electronic PHI maintained electronically, per-page fees are not allowed. A covered entity may charge a flat fee for electronic copies of PHI maintained electronically, but the post says that fee cannot exceed $6.50 including labor, supplies, and postage.
How can nursing homes reduce HIPAA violation risk?
The nursing home post recommends annual Security Risk Analyses, clear and updated policies and procedures, regular IT patches, end-to-end encryption, staff training, a dedicated HIPAA officer, and proper management of business associates. It says nursing homes are attractive targets because they hold valuable PHI and may rely on outdated technology. The post also stresses that penalties and reputational damage can be severe.
What HIPAA failures did OCR identify after the South Dakota ransomware settlement?
The ransomware settlement post says OCR identified failures involving a compliant risk analysis, a written risk management plan, information system activity review, incident response, backup and data recovery protocols, access controls, authentication, and workforce training. Plastic Surgery Associates of South Dakota settled for $500,000 after the ransomware incident. The corrective plan emphasized annual SRAs, written mitigation plans, secure backups, MFA, encryption, and training.
Does HIPAA require a Security Risk Analysis every year?
The post says the HIPAA Security Rule does not specify one fixed frequency for every covered entity, but the risk analysis process should be ongoing and updated as needed. It also says industry practice is to conduct an SRA yearly, and CMS guidance for eligible hospitals and CAHs required a security risk analysis or review at least once each calendar year. The post recommends yearly SRA work as the safer path.
Why should practices complete the SRA before the end of the year?
The SRA season post says OCR may ask practices for the current year's SRA, and checking an attestation box without doing the SRA can create serious risk. It describes a proper SRA as covering more than 200 sections of HIPAA Security, including IT, physical safeguards, and administrative requirements. The post warns that incomplete vendor work can still leave the covered entity responsible.
What happened in Solara's $3 million phishing-related HIPAA settlement?
The Solara post says cybercriminals accessed eight employee email accounts over two months in 2019, exposing ePHI for more than 114,000 patients. Solara also delayed notification to affected individuals and regulators, triggering OCR investigation. The $3 million settlement included a two-year corrective action plan with risk analysis, risk management, HIPAA policies and procedures, and workforce training.
How can healthcare staff spot phishing scams?
The phishing post says staff should watch for suspicious sender addresses, generic greetings, urgent or threatening language, unexpected attachments, and links or phone numbers pushing them to verify information. It recommends verifying requests through trusted channels, using known phone numbers or websites instead of links in the message. Staff should avoid unexpected links and attachments and report suspicious items to security.
When can website tracking technologies create HIPAA compliance obligations?
The tracking technologies post says tools such as cookies, web beacons, and session replay scripts can collect information about website or app interactions. On authenticated pages such as patient portals or telehealth platforms, vendor access to user data can create business associate concerns. On unauthenticated pages, organizations must assess whether PHI is collected and implement safeguards, privacy policies, authorizations, BAAs, and breach reporting where needed.
What did the Montefiore insider breach show about HIPAA Security?
The Montefiore post says an employee stole and sold patients' PHI over six months, affecting more than 12,000 patients. Montefiore settled for $4.75 million after OCR found failures to analyze risks, monitor system activity, and maintain adequate policies and procedures. The corrective action plan required risk assessments, risk management strategies, monitoring improvements, policy revisions, and staff training.
Are HIPAA business associates directly responsible for Security Rule safeguards?
The business associate compliance post says HITECH and the Omnibus Rule increased obligations for business associates. It lists administrative, physical, and technical safeguards, along with policies, procedures, and documentation requirements, as areas business associates must address. The post also warns that penalties range from $100 to $50,000 per violation and can reach the $1.5 million annual cap quickly.
What organizational approach did Taino recommend for improving HIPAA compliance?
The State of Compliance post recommends selecting a compliance champion, giving that person a chance to learn, creating a team atmosphere, holding subcontractors accountable, and keeping the program simple. The post says many organizations struggle with weak SRAs, overloaded managers, poor policies, and subcontractors that do not meet basic HIPAA Security requirements. Training and an action plan are presented as the path forward.
What corrective actions commonly appear in HIPAA settlements?
The HIPAA Unveiled post compares several settlements and shows recurring corrective actions. The common items include a risk assessment, a risk management plan, reviewing or revising policies, and revising the training program. The post also quotes OCR's emphasis that organizations must complete comprehensive risk analyses and establish strong policies and procedures to protect patient health information.
What caused the Texas HHSC $1.6 million HIPAA penalty?
The Texas HHSC post says ePHI for 6,617 individuals became viewable over the internet after an internal application was moved from a private, secure server to a public server and a software flaw allowed access without credentials. OCR found impermissible disclosure, failure to conduct an enterprise-wide risk analysis, and failure to implement access and audit controls. The penalty was $1.6 million.
What does a HIPAA Security Management Plan do?
The SRA importance post says a Security Management Plan outlines an organization's approach to safeguarding ePHI. It includes policies and procedures, risk assessment, risk management, ongoing monitoring, and evaluation. The SRA is used to build that plan by identifying risks and vulnerabilities that need corrective action.
Why are audit logs important in OCR HIPAA audits?
The OCR audit checklist says auditors want system activity review and audit logs that show who accessed PHI and when. These records support HIPAA audit controls and information system activity review requirements. The post frames logs as evidence that access is being monitored rather than merely promised in a policy.
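As an added example (not from the audit checklist post or the Montefiore post), the review below runs over a constructed one-day EHR access log and flags the pattern behind the insider case summarised earlier: many distinct charts, outside the user's own department, after hours. It is the kind of routine system activity review that turns a log into evidence of monitoring. The column layout, the business-hours window and the thresholds are assumptions for this example:

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed business-hours window (07:00 to 19:00 local); anything else counts as after hours.
BUSINESS_HOURS = (7, 19)

# Constructed one-day EHR access log (not real data): three clinicians with routine activity
# and one user whose pattern matches the insider case, many distinct charts, outside the
# user's own department, late at night.
SAMPLE_LOG = """\
timestamp,user,user_dept,patient_id,patient_dept,action
2024-03-04T09:12:01,jdoe,ONC,P1001,ONC,view
2024-03-04T10:05:44,jdoe,ONC,P1002,ONC,view
2024-03-04T11:30:09,akhan,CARD,P2001,CARD,view
2024-03-04T13:15:27,akhan,CARD,P2002,CARD,update
2024-03-04T14:02:51,akhan,CARD,P2003,CARD,view
2024-03-04T15:40:12,mlee,ONC,P1003,ONC,view
2024-03-04T16:10:38,mlee,ONC,P1001,ONC,view
2024-03-04T22:03:10,rsmith,CARD,P1001,ONC,view
2024-03-04T22:04:55,rsmith,CARD,P1002,ONC,view
2024-03-04T22:06:32,rsmith,CARD,P1003,ONC,view
2024-03-04T22:08:19,rsmith,CARD,P3001,PEDS,view
2024-03-04T22:10:41,rsmith,CARD,P3002,PEDS,view
2024-03-04T22:12:07,rsmith,CARD,P3003,PEDS,view
2024-03-04T22:15:23,rsmith,CARD,P2001,CARD,view
2024-03-04T22:18:50,rsmith,CARD,P2002,CARD,view
"""


def parse_log(text):
    """Rows as dicts with a parsed 'ts' datetime added."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_activity(text, peer_multiplier=3, min_count=3):
    """Flag (user, day) pairs that stand out on volume, timing or department.

    peer_multiplier: distinct charts above this multiple of the same-day peer median is flagged.
    min_count: after-hours or cross-department accesses below this are ignored as noise.
    """
    by_user_day = defaultdict(list)
    for row in parse_log(text):
        by_user_day[(row["user"], row["ts"].date())].append(row)
    distinct = {key: len({r["patient_id"] for r in rows}) for key, rows in by_user_day.items()}
    findings = []
    for (user, day), accesses in sorted(by_user_day.items()):
        reasons = {}
        peers = [n for (u, d), n in distinct.items() if d == day and u != user]
        own = distinct[(user, day)]
        if peers and own > peer_multiplier * median(peers):
            reasons["volume"] = own
        after_hours = sum(1 for r in accesses if not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1])
        if after_hours >= min_count:
            reasons["after_hours"] = after_hours
        cross_dept = sum(1 for r in accesses if r["patient_dept"] != r["user_dept"])
        if cross_dept >= min_count:
            reasons["cross_department"] = cross_dept
        if reasons:
            findings.append({"user": user, "date": day.isoformat(), "distinct_patients": own, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_LOG):
        print(finding)
```

Logging alone only satisfies the audit-control requirement; a review like this, run on a schedule with its findings and their dispositions retained, is what demonstrates the information system activity review that OCR looks for. In practice the peer median should be computed per role rather than across all users, since a records clerk and a surgeon have very different normal volumes.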
What should healthcare organizations do after a phishing-related breach?
The Solara post says a phishing breach should lead to a comprehensive risk analysis, a written risk management plan, updated HIPAA policies and procedures, and workforce training. It also highlights OCR recommendations for vendor and business associate management, routine risk analysis, audit controls, MFA, encryption, and incident response lessons learned. The point is to build prevention into normal operations after the incident.
Why are medical device and equipment inventories important for HIPAA compliance?
The SRA importance post says HIPAA requires an accurate inventory of equipment that receives, maintains, or transmits ePHI. That includes computers, laptops, smartphones, tablets, servers, and other devices handling sensitive patient data. The inventory should be included in the SRA and used to identify where safeguards, business associate review, and security management actions are needed.
How do tracking technologies affect business associate relationships?
The tracking technologies post says vendors involved with authenticated pages such as patient portals or telehealth platforms may become business associates when they access customer data protected by HIPAA. BAAs define the vendor's responsibility to safeguard PHI and comply with HIPAA. The post recommends assessing tracking practices and using BAAs to manage unauthorized access and breach risks.