EMR Practice Management Software Buyer’s Guide
Selecting EMR practice management software requires evaluating scheduling, specialty support, charting flexibility, billing, patient engagement tools, support, integrations, future product development, and HIPAA compliance so the platform can support clinical operations, administrative workflows, and long-term practice growth without creating avoidable operational or regulatory risk. An EMR practice management platform affects how a practice books appointments, documents care, collects payment, communicates with patients, coordinates prescriptions and lab work, and protects electronic protected health information. A poor fit creates friction across the entire organization. A strong fit supports daily workflows, reduces administrative burden, and gives the practice room to expand services without replacing core systems.
This buyer’s guide is built around the questions that matter during product evaluation. It focuses on workflow fit, support access, integration depth, product maturity, and compliance controls so practices can assess whether a platform meets current operational needs and can continue to support the business as it grows.
Part 1 – The Essential Features of EMR Practice Management Software
Is there appointment scheduling?
When selecting EMR practice management software, make sure it supports your appointment-setting workflow. A few EMRs offer scheduling modules that allow staff to book appointments in-office and let patients book themselves through a booking link embedded on your website.
Having multiple ways for patients to schedule appointments helps to facilitate the sign-up process for patients while cutting down on time needed for providers to manually input all appointments.
What specialties does the EMR support?
Not all EMRs are designed to support every specialty equally. Some platforms are built for a single use case, while others offer flexibility across modalities.
When asking questions on a demo, you should confirm:
- Whether the EMR supports your current specialty
- Whether it can support additional services in the future
- How charting, workflows, and templates differ by modality
How flexible is the charting and documentation?
When comparing EMRs, evaluate the flexibility of their charting as well as any templates provided. Ask whether SOAP and non-SOAP formats are supported, whether the provided templates can be customized, and whether intake forms and documents can be easily integrated into the chart.
Flexible charting reduces provider burden and improves documentation quality.
What billing and payment options are available?
An EMR should support a variety of revenue models, including:
- Insurance billing
- Cash-pay
- Subscriptions
- Installment plans
- Superbills
- Integrated payment gateways
This way you are not limited in the ways you can accept payment, which is better for your business and your patients.
Does it include tools for patient engagement?
An EMR should make all interactions between patient and practitioner as seamless as possible. Your EMR should offer online appointment scheduling along with automated appointment reminders to help limit no-shows. A patient portal is a necessity: it should support check-in with digital intake forms, give patients access to medical records, treatment plans, and invoices, and let them message the provider securely through HIPAA-compliant messaging.
An EMR focused on patient engagement should also include automated, personalized follow-up to maintain client retention.
Are you locked into a contract?
When selecting an EMR, make sure the billing and contract terms work with your business. Some EMRs require an annual contract with upfront payment, others work on a month-to-month basis with tiered pricing.
When evaluating platforms, choose the one that best fits your budget and financial plans.
Part 2 – Customer Support from EMR Practice Management Software Vendors
Is there a phone line you can call?
When you’re working in a busy practice, you want to ensure that you can pick up the phone and call someone if you’re having any issues with your EMR/EHR. When evaluating systems, be sure to inquire if they offer live assistance. Additionally, check that the support team is US-based, as outsourced support lines tend to operate on different schedules than your practice hours.
Can you speak to someone on the weekends?
If your practice is open on the weekends, you want to be sure that the EMR you choose has support options for you during those open hours. Many EMRs don’t offer live support on the weekends, so this is a good question to ask when demoing products.
Are there onboarding options?
Some EMRs offer multiple onboarding options, some have an onboarding cost required, and other EMRs don’t offer onboarding assistance at all. When evaluating platforms, consider how much time you will have to dedicate to learning the platform and setting up your workflows.
Is support included in the cost?
When inquiring about support options, ask if there is an additional cost for levels of support. Some EMRs include all support options (phone, text, tickets, 1:1s) for free while others charge for certain levels of support.
Part 3 – EMR Practice Management Software Integrations
Does it integrate with labs?
EMRs should integrate with a variety of labs to give you options that can best fit your specialties’ needs. Lab integrations within the EMR should allow you to submit orders and receive results directly in the platform, saving time and minimizing room for errors.
Does it have an integration with pharmacies for e-prescribing?
EMRs should integrate with e-prescription networks to help facilitate workflow. These connections should allow practitioners to submit prescriptions to their patients’ preferred pharmacies directly from the platform.
EMRs that focus on integrative clinics should also integrate with supplement dispensaries, which can supply supplements and nutraceuticals directly to patients from within the EMR.
Does it have AI scribing?
Often EMRs integrate with AI Scribes, such as DeepCura, to generate clinic notes in real time. Some EMRs have their own native scribes.
This functionality helps providers save time on charting and follow-ups, while also improving the accuracy of clinical documentation. When inquiring about AI scribing capabilities, be sure to ask whether the scribe can reliably capture medication and diagnosis names. Some scribes that are not built with healthcare in mind struggle to capture this data.
Does it integrate with CRMs?
Your EMR should help your practice grow. An EMR that integrates with a CRM helps you improve patient retention and engagement through automated reminders to schedule new appointments, seasonal promotions, and regular email follow-up.
It also ensures data accuracy across both systems. When you have your CRM integrated with your EMR, you ensure that the records are the same in both instances, reducing potential error.
Does it connect to health trackers?
EMRs can connect to different health trackers and display the data received from them inside the EMR. This gives practitioners visibility into patient fitness information such as step count, heart rate, and sleep quality to better support the patient's health journey.
This is valuable data to collect from your patients and can improve your care plans and diagnoses. When demoing with EMRs, be sure to ask which (if any) health trackers they connect to. Popular ones include FitBit, Apple Watches, and Oura Rings.
Part 4 – Future-Proofing EMR Practice Management Software
How often are they releasing new features?
Your EMR should be focused on constant improvement. An EMR that listens to its practitioners, and makes changes accordingly, is valuable. A platform that values user feedback should update at least quarterly, with some EMRs releasing new functionality as often as once a month.
Are they utilizing AI?
AI tools can allow you to spend more deliberate time with patients and less time on documentation. An EMR that is keeping up with the times will have AI capabilities built into the system or an integration that brings AI into the system.
Can you add additional modalities?
If your business offerings change, you want your EMR to still be able to support you. It is time-consuming and can be expensive to switch EMRs, so you should either be certain that you will only be offering services under your current modality in the future, or ensure that your EMR can grow with your practice.
Part 5 – Compliance Considerations
Do they have a Business Associate Agreement?
The EMR you select should have a BAA that you can easily access. It must be signed prior to creating, receiving, maintaining, or transmitting PHI within the platform.
Are their patient communication tools HIPAA-compliant?
HIPAA compliant two-way texting, text and email appointment reminders, one-off text and emails, and access to a patient portal with messaging should be available through your EMR. Patient portals should include the ability to securely communicate with providers, complete consent and intake forms, and pay bills or invoices through the platform.
Is their data storage method HIPAA-compliant?
HIPAA requires EMRs to encrypt all ePHI using strong standards, retain records for a minimum of 6 years, have secure and regular backups with copies stored in a separate secure location, maintain detailed audit logs, and have role-based access controls.
When searching for the right EMR for your practice, it is critical that you assess the vendor's compliance standards. Choosing a platform that does not abide by these standards can put your patients’ data at risk.
Choose an EMR Practice Management Software That has Everything You Need
This guide recommends selecting EMR practice management software that is designed for customizability and adaptability to your practice specialty. It should not only include the basic key features, but also offer in-depth tools that help manage day-to-day operations with fluidity. It calls for an EMR that offers advanced scheduling options, patient communication tools, integrations with labs, e-prescribing, up-to-date technology, customer support, and HIPAA compliance features. It holds that an EMR should fit your practice’s needs with workflows that create structure and save time.
The post EMR Practice Management Software Buyer’s Guide appeared first on The HIPAA Journal.
Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack
A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C. has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed its network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personally identifiable information (PII) and protected health information (PHI).
Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.
On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.
The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices Act. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the defendants suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.
Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.
The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.
The post Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack appeared first on The HIPAA Journal.
Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach
Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at their managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.
Orthopaedic Institute of Western Kentucky
Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.
Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.
The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Supportive Home Health Care and Patriot Outpatient
Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.
On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.
On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.
Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted and a new account was created for the individual, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.
The post Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach appeared first on The HIPAA Journal.