HIPAA Advice

What Is Healthcare-Adjacent Data?

Healthcare-adjacent data is any health‑related or health‑influenced information that falls outside HIPAA’s definition of Protected Health Information because it is not created, received, maintained, or transmitted by a covered entity or business associate, or because it is not processed for a HIPAA‑regulated activity.

As digital health tools, wearables, and AI‑driven services become more common, a growing amount of information sits near the edges of traditional healthcare. This information often looks like health data and can influence health decisions, yet it does not always qualify as Protected Health Information (PHI) under HIPAA.

Understanding the distinction between PHI and healthcare‑adjacent data has become essential for healthcare organizations, business associates, and third‑party service providers. They now operate in a regulatory environment shaped by overlapping federal and state privacy laws and by a digital ecosystem where data flows freely across clinical, consumer, and commercial systems.

How HIPAA Defines PHI — and What Falls Outside the Definition

HIPAA protects a specific category of individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate for a HIPAA‑regulated activity and that relates to an individual’s health, the provision of healthcare, or payment for healthcare. If any of these elements is missing, the information does not qualify as PHI and is not subject to the HIPAA Rules.

Healthcare‑adjacent data refers to health‑related or health‑influenced information that falls outside this definition. This includes employee health information maintained by a covered entity in its role as an employer, interactions with a hospital’s public social‑media pages, and identifiable information that has no healthcare component, such as data from cafeteria loyalty programs.

It also includes information collected by fitness trackers, consumer health apps, wellness programs, and other health‑related IoT devices. These data streams remain healthcare‑adjacent unless a third‑party service provider collects the information while acting as a business associate and transmits it to a covered entity for inclusion in the patient’s HIPAA‑protected medical record.

When Healthcare-Adjacent Data Becomes PHI

In many situations, healthcare‑adjacent data becomes PHI the moment a covered entity receives it. If a hospital imports information from a wearable or consumer health app, that data becomes PHI because it is now individually identifiable health information in the hands of a HIPAA‑regulated entity. Even non‑health information can take on PHI status if a covered entity stores it in the same designated record set as clinical or billing records.

For business associates, the analysis is more nuanced. When a business associate collects or receives healthcare‑adjacent data while performing services for a covered entity, the information becomes PHI. If the same type of data is collected for the business associate’s own purposes, outside the scope of services provided to a covered entity, it does not qualify as PHI and must be maintained separately.

The reverse scenario also matters. When an individual transfers PHI from a covered entity to a personal device or app, the copy retained by the covered entity remains PHI, but the version stored on the personal device is no longer protected by HIPAA. If the device or app vendor receives health data from the individual’s device, the vendor is not a business associate unless it has a formal business associate agreement with the covered entity that originally held the PHI.

How State Privacy Laws Treat Healthcare‑Adjacent Data

HIPAA is only one layer of the U.S. privacy landscape. Many state privacy laws exclude PHI from their scope but still regulate other types of health‑related data collected by the same organizations. This creates a situation in which a covered entity or business associate may be exempt from a state law for PHI yet fully subject to it for healthcare‑adjacent data.

California illustrates this clearly. The Confidentiality of Medical Information Act (CMIA) protects “medical information” held by providers and plans, while the California Consumer Privacy Act (CCPA/CPRA) exempts PHI but not other health‑related data such as website analytics, app telemetry, wellness‑program information, or health inferences used for marketing. A hospital’s EHR is exempt; its patient‑portal cookies and mobile‑app tracking data are not.

Washington’s My Health My Data Act goes even further. It exempts HIPAA PHI but regulates virtually any health‑related data collected by any entity, including hospitals, when the information is consumer‑generated, inferred, or collected outside treatment, payment, or healthcare operations. Other state privacy laws, including those in Colorado, Connecticut, and Virginia, follow a similar pattern: PHI is exempt, but non‑PHI health data is regulated as “sensitive data.”

This patchwork means that healthcare‑adjacent data often carries privacy obligations even when HIPAA does not apply.

Federal Rules That Affect Healthcare‑Adjacent Data and PHI

When healthcare-adjacent data is breached, the primary federal rule that may apply is the Health Breach Notification Rule. This Rule requires vendors of personal health records and similar services to notify the Federal Trade Commission and affected individuals if unencrypted, individually identifiable health information is exposed. The rule fills part of the regulatory gap for consumer‑generated health data that falls outside the scope of HIPAA.

HIPAA itself also contains provisions that affect how PHI may be shared in contexts that overlap with consumer‑facing technologies. Two important exceptions in the Privacy Rule allow covered entities to disclose PHI without patient authorization.

The first, found in 45 CFR §164.512(b)(1), permits disclosures to FDA‑regulated device vendors for activities related to the quality, safety, or effectiveness of an FDA‑regulated product. This includes personal health devices that transmit data to AI‑driven healthcare solutions.

The second exception, in 45 CFR §164.512(i)(1), allows PHI to be disclosed for preparatory research without de‑identification if the disclosure is approved by an Institutional Review Board or Privacy Board. In these cases, the PHI must remain with the covered entity and may only be used for preparatory activities such as training a supervised learning algorithm.

Together, these federal and state frameworks create a complex environment in which PHI, healthcare‑adjacent data, and consumer‑generated health information may each be subject to different obligations depending on who holds the data, why it was collected, and how it is used.

Must Covered Entities Combine All Health Information Into HIPAA‑Protected Record Sets?

Some organizations believe that covered entities are required to combine all health‑related data into HIPAA‑protected designated record sets to simplify HIPAA compliance. In practice, the picture is mixed.

HIPAA does not require covered entities to consolidate all health‑related data into a designated record set (DRS). A DRS is defined narrowly. It includes medical records, billing records, and other records used to make decisions about individuals. Website analytics, marketing data, app telemetry, and consumer‑generated data do not belong in a DRS unless the covered entity intentionally places them there.

Some organizations do consolidate data to reduce ambiguity and apply HIPAA‑level safeguards universally. This approach simplifies HIPAA training and reduces the risk of misclassification. However, many organizations intentionally keep systems separate because adding data to a DRS increases HIPAA obligations, complicates vendor relationships, and may conflict with state privacy requirements. Marketing platforms, mobile apps, and analytics tools often operate outside HIPAA, and vendors may not sign Business Associate Agreements for non‑clinical data.

The trend is toward hybrid models in which organizations apply HIPAA‑like protections to all health‑related data while still maintaining clear boundaries between PHI and non‑PHI systems for regulatory and operational reasons.

Why Understanding What Healthcare-Adjacent Data Is Matters

As healthcare delivery expands beyond traditional clinical settings, more data flows through consumer devices, apps, and AI‑enabled tools that sit outside HIPAA’s boundaries. This creates regulatory gaps, new obligations for vendors, and new risks for covered entities receiving external data.

Understanding what qualifies as PHI, and what qualifies as healthcare-adjacent data, is essential for designing compliant workflows, evaluating vendor relationships, and protecting individuals whose health information now moves across environments both regulated and unregulated by HIPAA.

The post What Is Healthcare-Adjacent Data? appeared first on The HIPAA Journal.

Is Wix HIPAA Compliant?

When this article was first published in early 2025, Wix was not a HIPAA-compliant service; however, the company has since implemented comprehensive measures to allow its platform to be used by HIPAA-regulated entities, and the company is prepared to sign a business associate agreement with HIPAA-regulated entities.

Wix is a service that helps businesses in all industries easily design, build, and host websites. Depending on the type of subscription, customers’ websites can include appointment scheduling software, e-commerce platforms, and loyalty programs. The service scores highly for performance, reliability, and security, and is certified PCI DSS and ISO 27001 compliant.

With regard to collecting data from website visitors, Wix enables customers to comply with the California Consumer Privacy Act (CCPA) and other state privacy laws that require an affirmative opt-in before data can be used for marketing purposes.

When it comes to collecting Protected Health Information (PHI) from website visitors, HIPAA-regulated entities must ensure that they use a platform that incorporates all of the necessary safeguards to ensure the confidentiality, integrity, and availability of PHI, and a regulated entity must enter into a business associate agreement (BAA) with the platform provider.

Wix has now incorporated a comprehensive range of measures to allow its platform to be used by HIPAA-regulated entities and provides both the tools and contractual safeguards to support HIPAA compliance. Provided customers have the appropriate Wix plan, take certain steps to make their Wix website HIPAA-compliant, and only use Wix’s HIPAA-designated apps and services, then Wix websites can be HIPAA-compliant.

How Does Wix Comply with HIPAA?

Customers with certain Wix plans (supported Premium or Studio plans) can activate a PHI protection feature from the Compliance, Privacy & Cookies section of their site dashboard. Activating this feature provides enhanced administrative, physical, and technical safeguards. These include encryption of ePHI at rest and in transit, access controls, audit logging, and the automatic restriction of non-HIPAA-compliant features and applications.

After activating this feature, users can execute a formal BAA with Wix. The BAA establishes Wix’s obligations under the HIPAA Rules: Wix agrees to comply with the permitted and required uses and disclosures of PHI, to maintain appropriate safeguards, to comply with data access, amendment, and accounting requirements, and to comply with the breach reporting requirements of the HIPAA Breach Notification Rule.

A HIPAA-regulated entity may request a copy of all PHI data on the site and submit a request to have the information securely and permanently deleted. Wix has published resources on its website to help HIPAA-regulated entities ensure HIPAA compliance when using its services: “Wix Services and HIPAA” and “HIPAA Compliance for Your Wix Site”.

In order to comply with HIPAA, users must ensure that they only use specific services and apps on their website that have been approved for HIPAA use. Wix has curated a collection of apps in the Wix App Market and explicitly designates which apps and services support HIPAA compliance, allowing regulated entities to clearly identify which apps and services may be used to create, receive, maintain, or transmit ePHI.

What this Means for HIPAA Covered Entities and Business Associates

HIPAA-covered entities and business associates can use a website built on Wix to collect non-health information such as names, phone numbers, and email addresses. This is because information of this type is not considered PHI when it is not maintained in the same designated record set as individually identifiable health information.

Provided that forms are limited in the information they collect, that the appointment scheduling software does not reveal the nature of treatment, and that payment systems are just used for payment processing, covered entities and business associates will not be in violation of HIPAA for creating, receiving, maintaining, or transmitting non-health information via the service.

Before a website built on Wix is used to collect PHI, users must configure the options correctly, enter into a BAA with Wix, and only use apps and services that support HIPAA compliance. If those steps are taken, Wix websites are HIPAA compliant. Further, Wix’s HIPAA compliance features align with the international healthcare information security standard ISO 27799, to support healthcare providers in meeting strict data protection and security requirements, such as the EU’s General Data Protection Regulation (GDPR).

It should be noted that while a company can implement all of the necessary measures to support HIPAA-compliance, including signing a business associate agreement, it is up to each regulated entity to ensure that the product or service is used correctly.

The post Is Wix HIPAA Compliant? appeared first on The HIPAA Journal.

HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general for failing to comply with HIPAA regulations. In this article, we provide a detailed explanation of HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules.

You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance.

The Majority Of HIPAA Violation Fines are from Settlements

In the majority of cases, covered entities and business associates accept that there have been potential failures to comply with certain elements of HIPAA Rules, a settlement amount is agreed, and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address the HIPAA failures. HIPAA-covered entities and business associates may disagree with the findings of the investigation and challenge the decision to impose a penalty. In such cases, they are given the opportunity to provide evidence to support a waiver of the penalty. If they are unsuccessful, a civil monetary penalty will be imposed. The civil monetary penalty will be more than the penalty they would pay if they settled the alleged violations. OCR cannot impose a corrective action plan when a civil monetary penalty is imposed.

While OCR issues fines for HIPAA violations, attorneys general often choose to pursue financial penalties against HIPAA-regulated entities under state laws rather than HIPAA. Actions for violations of state laws tend to be easier to win, and the penalty structure at the state level may even allow higher financial penalties to be issued. Only a handful of states have exercised their right under HIPAA/HITECH to file lawsuits to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates, although all states have participated in at least one multi-state action.

Penalty Structure for HIPAA Violations

The penalty amounts are adjusted annually to account for cost-of-living increases. The last update, published in the Federal Register on January 28, 2026, applies to all financial penalties imposed after November 2, 2015. The inflation multiplier for 2025 set by the Office of Management and Budget (OMB) was 1.02598. Although OMB states that the multiplier should be applied no later than January 15, 2025, HHS determined that an exception applies, and it typically applies the annual increases much later; for instance, the 2025 inflation multiplier was not applied for more than a year. The current penalties for HIPAA violations in 2026 are detailed in the table below:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $145 | $73,011 | $2,190,294 |
| Tier 2 | Lack of Oversight | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Neglect – Rectified within 30 days | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Neglect – Not Rectified within 30 days | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026, and includes the cost-of-living adjustment multiplier for 2025 (1.02598).

While the above table shows the official penalty amounts for HIPAA violations, OCR issued a Notice of Enforcement Discretion in April 2019 stating the annual penalty limits in three of the penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The cap on the annual penalty limit was changed to $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3. The maximum annual penalty for Tier 4 remains unchanged at $1,500,000. These caps are also subject to inflation increases. The table below was calculated by the HIPAA Journal, factoring in the annual inflation increases and applying OCR’s Notice of Enforcement Discretion.

The maximum penalty per violation in tier 1 is higher than the annual cap for that tier, as the notice of enforcement discretion only reduced the annual penalty cap, not the maximum penalty for a HIPAA violation. This discrepancy could be addressed when the new reinterpreted penalty structure is formally adopted through future rulemaking; however, the Notice of Enforcement Discretion will remain in effect indefinitely, although it is not legally binding and OCR can choose to rescind that Notice of Enforcement Discretion at any point. Further rulemaking to officially adopt the reinterpreted requirements of the HITECH Act is unlikely, as OCR is pushing to have Congress increase the penalties for HIPAA violations to make them a more effective deterrent.

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $145 | $36,505.50 | $36,505.50 |
| Tier 2 | Reasonable Cause | $1,461 | $73,011 | $146,053 |
| Tier 3 | Willful Neglect | $14,602 | $73,011 | $365,052 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $73,011 | $2,190,294 | $2,190,294 |

*Table last updated on January 28, 2026.

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. These penalties are also subject to annual adjustments for inflation.

Listed below are the HIPAA violation fines and settlements imposed by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law, and enforcement actions by State Attorneys General for violations of the HIPAA Rules and equivalent state laws.

Chart: OCR penalties for HIPAA violations 2009-2025

Chart: Funds raised by OCR enforcement actions (2008-2025)

2026 HIPAA Violation Fines and Settlements

The HHS’ Office for Civil Rights has yet to announce any HIPAA violation penalties in 2026.

2025 HIPAA Violation Fines and Settlements

| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2025 | Concentra Inc. | $112,500 | Settlement | HIPAA Right of Access violation |
| 2025 | Cadia Healthcare Facilities | $182,000 | Settlement | Social media disclosure without authorization and Breach Notification Rule failure |
| 2025 | Syracuse ASC, dba Specialty Surgery Center of Central New York | $250,000 | Settlement | Risk analysis failure; untimely data breach notifications to the HHS Secretary & individuals |
| 2025 | Deer Oaks – The Behavioral Health Solution | $225,000 | Settlement | Risk analysis failure; impermissible disclosure of ePHI |
| 2025 | Comstar LLC | $75,000 | Settlement | Risk analysis failure |
| 2025 | BayCare Health System | $800,000 | Settlement | Information access management (minimum necessary standard), risk management, information system activity review |
| 2025 | Vision Upright MRI | $5,000 | Settlement | HIPAA Risk Analysis violation, HIPAA breach notification violation |
| 2025 | Comprehensive Neurology | $25,000 | Settlement | HIPAA Risk Analysis violation |
| 2025 | PIH Health | $600,000 | Settlement | HIPAA Risk Analysis violation, impermissible disclosure of the ePHI of 189,763 individuals, failure to issue a media breach notice, failure to issue timely breach notifications to the HHS and the affected patients |
| 2025 | Guam Memorial Hospital Authority | $25,000 | Settlement | HIPAA Risk Analysis violation |
| 2025 | Northeast Radiology | $350,000 | Settlement | HIPAA Risk Analysis violation |
| 2025 | Health Fitness Corporation | $227,816 | Settlement | HIPAA Risk Analysis violation |
| 2025 | Oregon Health & Science University | $200,000 | Civil Monetary Penalty | Violation of the HIPAA Right of Access |
| 2025 | Warby Parker, Inc. | $1,500,000 | Civil Monetary Penalty | Violation of the HIPAA Security Rule: risk analysis, risk management, and monitoring activity in information systems containing ePHI |
| 2024 | Northeast Surgical Group | $10,000 | Settlement | Failure to conduct a HIPAA-compliant risk analysis |
| 2024 | Memorial Health System | $60,000 | Settlement | Violation of the HIPAA Right of Access |
| 2024 | Solara Medical Supplies | $3,000,000 | Settlement | Risk analysis failure, risk management failure, breach notification failure, and the impermissible disclosure of the ePHI of 114,007 and 1,531 patients |
| 2024 | USR Holdings | $337,750 | Settlement | Risk analysis failure, failure to record activity in information systems, lack of procedures for creating and maintaining retrievable exact copies of ePHI, and the impermissible disclosure of the ePHI of 2,903 individuals |
| 2024 | Virtual Private Network Solutions | $90,000 | Settlement | Risk analysis failure |
| 2024 | Elgon Information Systems | $80,000 | Settlement | Risk analysis failure |

2024 HIPAA Violation Fines and Settlements

The OCR Director provided an end-of-year update on December 31, 2024, and confirmed that 22 investigations of data breaches and complaints resulted in civil monetary penalties or settlements in 2024, making it one of the busiest years for HIPAA enforcement; however, only 16 of those enforcement actions were announced in 2024. The remaining six were announced by OCR in early January 2025, before the administration change.

| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2024 | Inmediata Health Group | $250,000 | Settlement | Risk analysis failure, failure to monitor activity in information systems, impermissible disclosure of the ePHI of 1,565,338 individuals |
| 2024 | Children’s Hospital Colorado Health System | $548,265 | Civil Monetary Penalty | Failure to provide HIPAA Privacy Rule training to 6,666 workforce members; failure to conduct a thorough and accurate risk analysis; impermissible disclosure of the ePHI of 10,840 individuals |
| 2024 | Holy Redeemer Family Medicine | $35,581 | Settlement | Impermissible disclosure of a patient’s medical records |
| 2024 | Rio Hondo Community Mental Health Center | $100,000 | Civil Monetary Penalty | Failure to provide timely access to medical records (7 months) |
| 2024 | Bryan County Ambulance Authority | $90,000 | Settlement | Never conducted a risk analysis |
| 2024 | Plastic Surgery Associates of South Dakota | $500,000 | Settlement | Risk analysis failure; risk management failure; no analysis of logs of system activity; no policies for dealing with a security incident |
| 2024 | Gums Dental Care | $70,000 | Civil Monetary Penalty | Failure to provide timely access to medical records |
| 2024 | Providence Medical Institute | $240,000 | Civil Monetary Penalty | Failure to only allow authorized persons or software programs access to ePHI; lack of a business associate agreement |
| 2024 | Cascade Eye and Skin Centers | $250,000 | Settlement | Risk analysis failure; failure to review records of system activity |
| 2024 | American Medical Response | $115,200 | Civil Monetary Penalty | Failure to provide timely access to medical records (370 days) |
| 2024 | Heritage Valley Health System | $950,000 | Settlement | Failure to conduct a risk analysis, lack of policies/procedures for responding to an emergency, and a lack of technical policies and procedures for restricting access to systems containing ePHI |
| 2024 | Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) | $100,000 | Civil Monetary Penalty | Failure to provide timely access to medical records |
| 2024 | Phoenix Healthcare | $35,000 | Settlement | Failure to provide timely access to medical records |
| 2024 | Green Ridge Behavioral Health | $40,000 | Settlement | Failure to conduct a comprehensive risk analysis, failure to reduce risks to ePHI, lack of policies and procedures for monitoring activity in information systems containing ePHI, and an impermissible disclosure of the ePHI of 14,000 individuals |
| 2024 | Montefiore Medical Center | $4,750,000 | Settlement | Failure to conduct a comprehensive risk analysis, failure to implement procedures to regularly review records of information system activity, and failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI |

2023 HIPAA Violation Fines and Settlements

| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2023 | Optum Medical Care of New Jersey | $160,000 | Settlement | Failure to provide 6 patients with timely access to their medical records |
| 2023 | Lafourche Medical Group | $480,000 | Settlement | No risk analysis prior to a 2021 security breach, and no procedures to regularly review logs of system activity prior to the breach |
| 2023 | St. Joseph’s Medical Center | $80,000 | Settlement | A reporter was allowed access to 3 patients and their clinical information without first obtaining authorizations from the patients |
| 2023 | Doctors’ Management Services | $100,000 | Settlement | Risk analysis, review of records of system activity, reasonable and appropriate policies/procedures to comply with the HIPAA Security Rule, and an impermissible disclosure of the PHI of 206,695 individuals |
| 2023 | L.A. Care Health Plan | $1,300,000 | Settlement | Risk analysis, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, impermissible disclosure of the ePHI of 1,498 individuals |
| 2023 | UnitedHealthcare | $80,000 | Settlement | HIPAA Right of Access failure |
| 2023 | iHealth Solutions, dba Advantum Health | $75,000 | Settlement | Failure to secure a server, resulting in the theft of ePHI; risk analysis failure and the impermissible disclosure of the ePHI of 267 individuals |
| 2023 | Yakima Valley Memorial Hospital | $240,000 | Settlement | 23 security guards in the emergency department snooped on the medical records of 419 patients; OCR determined there was a lack of HIPAA policies and procedures |
| 2023 | Manasa Health Center, LLC | $30,000 | Settlement | Impermissible disclosure of the PHI of 4 individuals in response to negative Google Reviews; failure to implement HIPAA Privacy and Breach Notification Rule policies and procedures |
| 2023 | MedEvolve Inc. | $350,000 | Settlement | Impermissible disclosure of the PHI of 230,572 individuals; no BAA with a subcontractor; incomplete risk analysis |
| 2023 | David Mente, MA, LPC | $15,000 | Settlement | HIPAA Right of Access failure |
| 2023 | Banner Health | $1,250,000 | Settlement | Risk analysis, reviews of system activity, verification of identity for access to PHI, and lack of technical safeguards |
| 2023 | Life Hope Labs, LLC | $16,500 | Settlement | HIPAA Right of Access failure |

2022 HIPAA Violation Fines and Settlements

| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2022 | Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| 2022 | New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, notice of privacy practices, and releasing PHI on social media |
| 2022 | Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (delay/fee) |
| 2022 | Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| 2022 | B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| 2022 | New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| 2022 | ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2022 | Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Lawrence Bell, Jr., D.D.S. | $5,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Oklahoma State University – Center for Health Sciences | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| 2022 | Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| 2022 | Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| 2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| 2022 | Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

2021 HIPAA Violation Fines and Settlements

| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2021 | Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access failure |
| 2021 | Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2021 | Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Children’s Hospital & Medical Center | $80,000 | Settlement | HIPAA Right of Access failure |
| 2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | Settlement | HIPAA Right of Access failure |
| 2021 | AEON Clinical Laboratories (Peachstate) | $25,000 | Settlement | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures) |
| 2021 | Village Plastic Surgery | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Arbour Hospital | $65,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Sharpe Healthcare | $70,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Renown Health | $75,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Excellus Health Plan | $5,100,000 | Settlement | Multiple violations: risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records |
| 2021 | Banner Health | $200,000 | Settlement | HIPAA Right of Access failure |

2020 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement/CMP | Reason
2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure
2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure
2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure
2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure
2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals
2020 | Aetna | $1,000,000 | Settlement | Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of administrative, technical, and physical safeguards
2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure
2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement | HIPAA Right of Access failure
2020 | Premera Blue Cross | $6,850,000 | Settlement | Risk assessment failure, risk management failure, insufficient hardware and software controls
2020 | CHSPSC LLC | $2,300,000 | Settlement | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls
2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failure to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training for the workforce
2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure
2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure
2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure
2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure
2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure
2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls, and business associate agreement failures
2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule
2020 | Steven A. Porter, M.D. | $100,000 | Settlement | Risk analysis and risk management failures

2019 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure, no security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures
2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure
2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure
2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device and media controls
2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure, notice of privacy practices, and impermissible PHI disclosure
2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure
2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records
2019 | Touchstone Medical Imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI
2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI
2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations

2018 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards
2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI
2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; no encryption
2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent
2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent
2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent
2018 | Anthem Inc | $16,000,000 | Settlement | Risk analysis failures; insufficient reviews of system activity; failure related to the response to a detected breach; insufficient technical controls to prevent unauthorized ePHI access
2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to a reporter; no sanctions against employees
2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014
2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; no BAA
2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; risk management failure; no BAA

2017 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA violations
2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless handling of PHI
2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized disclosure of PHI
2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a business associate agreement
2017 | Cardionet | $2,500,000 | Settlement | Impermissible disclosure of PHI
2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of a security management process
2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI access controls
2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI
2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible disclosure of ePHI
2017 | Presence Health | $475,000 | Settlement | Delayed breach notifications

2016 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to manage security risks
2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to conduct a risk analysis
2016 | Care New England Health System | $400,000 | Settlement | Lack of a business associate agreement
2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA violations
2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA violations
2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a business associate agreement
2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to safeguard ePHI
2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming patients without authorization
2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a business associate agreement
2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible disclosure of PHI
2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a business associate agreement
2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible disclosure of PHI
2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to safeguard PHI

2015 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2015 | University of Washington Medicine | $750,000 | Settlement | Failure to conduct a risk analysis
2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA violations
2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA violations
2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to conduct a risk analysis
2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA violations
2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper disposal of PHI

2014 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to manage risks to ePHI
2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to safeguard PHI
2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to conduct a risk analysis
2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to safeguard ePHI
2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to safeguard ePHI
2014 | Skagit County, Washington | $215,000 | Settlement | Failure to safeguard ePHI

2013 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to safeguard ePHI
2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to permanently erase ePHI
2013 | WellPoint | $1,700,000 | Settlement | Failure to safeguard ePHI
2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI without patient consent
2013 | Idaho State University | $400,000 | Settlement | Failure to safeguard ePHI

2012 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an unencrypted laptop
2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA violations
2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to perform a risk analysis/risk management failures
2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA safeguards
2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to implement appropriate administrative safeguards

2011 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to restrict access to medical records
2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to safeguard PHI
2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying patients access to medical records

2010 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk analysis failures/insufficient security measures
2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA violations

2009 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA violations

2008 HIPAA Violation Fines and Settlements

Year | Covered Entity | Amount | Settlement/CMP | Reason
2008 | Providence Health & Services | $100,000 | Settlement | Failure to implement appropriate administrative safeguards

State Attorneys General HIPAA Fines and Settlements

State attorneys general have the authority to impose financial penalties for HIPAA violations, but often, even where HIPAA has been violated, the fine is imposed for violations of state laws. The list below includes civil monetary penalties and settlements that have been imposed for HIPAA violations and/or violations of equivalent state laws.

Cases have been included if there have been potential violations of HIPAA Rules, even if the financial penalty was issued for violations of state laws.

Year | State | Entity | Amount | Individuals affected | Reason
2026 | Massachusetts & Connecticut | Comstar LLC | $515,000 | 585,621 (326,426 Massachusetts residents & 22,829 Connecticut residents) | Violations of the HIPAA Security Rule and the Massachusetts Data Security Regulations
2025 | New York | Orthopedics NY LLP | $500,000 | 656,086 | Violations of the HIPAA Security Rule and state healthcare privacy and security laws
2024 | Indiana | Westend Dental | $350,000 | Unknown | Violations of the HIPAA Privacy, Security & Breach Notification Rules; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act
2024 | New York | HealthAlliance | $1,400,000 ($850,000 suspended) | 242,641 | Violations of New York Business and Executive Law
2024 | New York | Albany ENT & Allergy Services | $1,000,000 ($500,000 suspended); $2.24M investment in cybersecurity | 213,935 | Violations of New York Business and Executive Law
2024 | New York, New Jersey, Connecticut | Enzo Biochem/Enzo Clinical Labs | $4,500,000 | 2,400,000 | Violations of 12 provisions of the HIPAA Security Rule and a violation of New York General Business Law
2024 | Washington | Allure Esthetic | $5,000,000 | 21,000 | Falsification of online reviews, illegal non-disclosure agreements, and forcing patients to give up HIPAA rights
2024 | California | Adventist Health Hanford | $10,000 | 2 | Alleged unlawful disclosures of patient information to law enforcement
2024 | California | Blackbaud | $6,750,000 | 5,500,000 | Failure to implement appropriate safeguards to ensure data security and breach response failures – violations of the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
2024 | California | Quest Diagnostics | $5,000,000 and an investment of $1.2 million in cybersecurity | Unconfirmed | Illegal disposal of hazardous waste, medical waste, and patients’ personal health information
2024 | New York | Refuah Health Center Inc. | $450,000 and an investment of $1.2 million in cybersecurity | 260,740 | Multiple violations of the HIPAA Security Rule, violation of the HIPAA Breach Notification Rule, and violations of New York Business Law
2023 | New York | New York Presbyterian Hospital | $300,000 | 54,396 | Violation of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels and other website tracking tools that disclosed PHI to third parties
2023 | New York | Healthplex | $400,000 | 89,955 (62,922 New York residents) | Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
2023 | Indiana | CarePointe ENT | $120,000 | 48,742 | Failure to address known vulnerabilities and a business associate agreement failure
2023 | New York | U.S. Radiology Specialists | $450,000 | 198,260 (92,540 New York residents) | Failure to upgrade hardware to address a known vulnerability in a reasonable time frame
2023 | New York | Personal Touch Holding Corp | $350,000 | 753,107 (316,845 New York residents) | Only an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
2023 | Multistate (32 states and PR) | Inmediata | $1.4 million | 1,565,338 | Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws
2023 | Multistate (49 states and DC) | Blackbaud | $49.5 million | 5,500,000 | Violations of HIPAA and state consumer protection laws: lack of adequate safeguards for protecting sensitive information, and breach response/notification failures
2023 | Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended) | 677 | Violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices
2023 | Indiana | Schneck Medical Center | $250,000 | 89,707 | Violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act
2023 | California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | 7,700 | Violations of the HIPAA Rules, California Hazardous Waste Control Law, Medical Waste Management Act, California Confidentiality of Medical Information Act, California Customer Records Law, and California Unfair Competition Law
2023 | California | Kaiser Permanente | $450,000 | 167,095 | Impermissible disclosure of PHI and negligent maintenance or disposal of PHI in violation of the California Confidentiality of Medical Information Act (CMIA)
2023 | New York | Professional Business Systems Inc (dba Practicefirst Medical Management Solutions and PBS Medcode Corp) | $550,000 | 1,200,000 | Data security failures: patch management, data encryption, vulnerability scans, and penetration tests
2023 | Oregon, New Jersey, Florida, Pennsylvania | EyeMed Vision Care | $2,500,000 | 2,100,000 | Data security failures, including access controls
2023 | New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | 61,438 | Violation of 17 HIPAA Privacy and Security Rule provisions
2023 | Pennsylvania/Ohio | DNA Diagnostics Center | $400,000 | 2,100,000 | Lack of safeguards, failure to update asset inventory, and failure to disable/remove assets not used for business purposes
2022 | Oregon/Utah | Avalon Healthcare | $200,000 | 14,500 | Breach notification delay and information security program failures
2022 | Massachusetts | Aveanna Healthcare | $425,000 | 166,000 | Lack of security safeguards to combat phishing, including no multifactor authentication
2022 | New York | EyeMed Vision Care | $600,000 | 2,100,000 | Multiple violations of HIPAA and New York General Business Law
2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program
2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (plus $65,000 suspended) | 55,715 | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, and a failure to review security measures following changes to procedures
2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act
2021 | Multistate | American Medical Collection Agency | $21 million (suspended) | 21,000,000 | Security failures, including the failure to detect a data breach
2020 | Multistate | CHSPSC LLC | $5,000,000 | 6,100,000 | Failure to implement and maintain reasonable security practices
2020 | Multistate | Anthem Inc | $48.2 million | 78,000,000 | Multiple violations of HIPAA and state laws
2019 | Multistate | Premera Blue Cross | $10,000,000 | 10,400,000 | Multiple HIPAA violations
2019 | Multistate | Medical Informatics Engineering | $900,000 | 3,500,000 | Multiple HIPAA violations
2019 | CA | Aetna | $935,000 | 1,991 | 2 mailings exposed PHI (Afib, HIV)
2018 | MA | McLean Hospital | $75,000 | 1,500 | Loss of backup tapes
2018 | NJ | EmblemHealth | $100,000 | 81,000 | Mailing error exposed SSNs
2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Exposure of ePHI via search engines
2018 | CT | Aetna | $99,959 | 13,160 | 2 mailings exposed PHI (Afib, HIV data)
2018 | NJ | Aetna | $365,211.59 | 13,160 | 2 mailings exposed PHI (Afib, HIV data)
2018 | DC | Aetna | $175,000 | 13,160 | 2 mailings exposed PHI (Afib, HIV data)
2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Failure to secure ePHI and multiple breaches
2018 | NY | Arc of Erie County | $200,000 | 3,751 | Failure to secure ePHI
2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Multiple violations of HIPAA Rules
2018 | NY | EmblemHealth | $575,000 | 81,122 | Impermissible disclosure of ePHI
2018 | NY | Aetna | $1,150,000 | 12,000 | 2 mailings exposed PHI (Afib, HIV data)
2017 | CA | Cottage Health System | $2,000,000 | >54,000 | Failure to adequately protect medical records
2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Theft of an unencrypted laptop containing PHI
2017 | NJ | Horizon Healthcare Services Inc. | $1,100,000 | 3,700,000 | Loss of unencrypted laptop computers
2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Spreadsheet indexed by search engines with PHI viewable
2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Delayed breach notification
2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | A list of patients was provided to a nurse who took it to a new employer
2015 | CT | Hartford Hospital/EMC Corporation | $90,000 | 8,883 | Theft of an unencrypted laptop containing PHI
2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Loss of backup tapes containing PHI
2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Loss of a laptop containing PHI
2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Loss of a laptop containing PHI
2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Improper disposal
2012 | MN | Accretive Health | $2,500,000 | 24,000 | Mishandling of PHI
2012 | MA | South Shore Hospital | $750,000 | 800,000 | Loss of backup tapes containing PHI
2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Loss of unencrypted hard drive/delayed breach notifications
2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Failure to report a breach in a reasonable timeframe
2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Loss of unencrypted hard drive/delayed breach notifications

FAQs About HIPAA Violation Fines

Does the above list represent all the HIPAA violation fines issued by OCR?

As of June 2022, despite receiving more than 300,000 complaints and reports of data breaches, the HHS’ Office for Civil Rights had issued fines or agreed settlements in only 110 cases. Most of the other cases – in which a violation of HIPAA is considered to have occurred – have been resolved by technical assistance and/or corrective action plans.

Can OCR also pursue criminal charges for violations of HIPAA?

If the Office for Civil Rights reviews a case and believes there are grounds for a possible criminal conviction, the case is referred to the Department of Justice. The Department of Justice has the authority to pursue criminal charges for violations of HIPAA, and several individuals responsible for violating HIPAA have received jail sentences. These include:

Why are so many of the latest settlements for HIPAA Right of Access failures?

Since 2019, the Office for Civil Rights has been running a Right of Access enforcement initiative to address the increasing number of complaints from patients who have experienced obstacles or delays in accessing copies of PHI. This does not mean OCR is turning a blind eye to other types of HIPAA violations, and the agency continues to investigate other violations and data breaches.

Why are some HIPAA violation fines more than the annual penalty limit?

The annual penalty limit applies per violation type. Therefore, if a covered entity is found non-compliant in (for example) four areas, the non-compliant covered entity could receive four fines, each up to the maximum penalty per violation or annual penalty limit (per violation), depending on their level of culpability.

What do the four penalty/level of culpability tiers represent?

Tier 1: A violation that a Covered Entity or Business Associate was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA.

Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care to comply with HIPAA.

Tier 3: A violation suffered as a direct result of “willful neglect” in cases where a Covered Entity or Business Associate has made an attempt to correct the violation.

Tier 4: A violation of HIPAA attributable to willful neglect, where no attempt has been made to correct the violation by a Covered Entity or Business Associate.

The post HIPAA Violation Fines appeared first on The HIPAA Journal.

Is Saying Someone Died a HIPAA Violation?

The answer to the question “Is saying someone died a HIPAA violation?” depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.

Among other purposes, the HIPAA Privacy Rule protects the privacy of individually identifiable health information relating to the past, present, or future health condition of an individual. Organizations subject to the HIPAA Privacy Rule – and their workforces – must comply with this requirement with respect to a deceased individual “for a period of 50 years following the death of the individual”.

However, not all organizations are subject to the HIPAA Privacy Rule. If, for example, an employee of a private nursing home that does not qualify as a HIPAA “covered entity” reveals that somebody has died, it is not a HIPAA violation, because the nursing home is not required to protect the privacy of individually identifiable health information. (Note: although this might not be a violation of HIPAA, disclosing private information of this nature may violate state privacy laws in some circumstances.)

Even when an organization is subject to the HIPAA Privacy Rule, it is not automatically the case that saying someone died is a HIPAA violation. “Covered entities” are permitted to disclose individually identifiable health information to specific people, subject to the disclosure being limited to the minimum necessary to achieve the purpose of the disclosure, and subject to any prior expressed wish of the deceased relating to what information can be disclosed. Healthcare providers should receive HIPAA training on permitted disclosures of this nature.

Who Can Be Told Someone Has Died Under HIPAA?

The HIPAA Privacy Rule stipulates who can be told when someone has died in sections §164.510(b) and §164.512(g). The first section allows covered entities to disclose information about deceased individuals to family members, other relatives, close personal friends, or any other individual identified by the deceased individual while they were alive. All disclosures to people in this group are subject to the verification requirements of §164.514(h).

Persons or entities that were involved in the deceased person’s care or payment for health care can also be told the patient has died under §164.510(b), while §164.512(g) permits covered entities to disclose individually identifiable health information to a coroner or medical examiner to identify the deceased person, determine the cause of death, or perform other duties authorized by law. Under this section, covered entities can also tell funeral directors that somebody has died.

In all permitted circumstances, the information disclosed must be the minimum necessary to achieve the purpose of the disclosure, and must respect any wishes known by the covered entity prior to the patient’s death. If a patient died (say) due to injuries sustained in a road accident, but also suffered from a lung condition, covered entities are not permitted to disclose the lung condition or any other related treatment or payment for the treatment.

When is Saying Someone Died a HIPAA Violation?

There are not many circumstances in which saying someone died is a HIPAA violation, and violations of this nature usually occur only when a member of a covered entity’s workforce:

  • Discloses information to somebody not permitted by the HIPAA Privacy Rule,
  • Discloses more than the minimum necessary information about the deceased, or
  • Discloses information it is known the deceased did not want disclosed.

However, it is important to note the HIPAA Privacy Rule generally applies to a deceased person’s health information in the same way as a living person’s health information. In the same way as an individual’s “personal representative” can authorize disclosures of health information not permitted by the HIPAA Privacy Rule on the individual’s behalf when they are alive, a personal representative can do the same when the individual is deceased.

In most states, a deceased individual’s “personal representative” is the next of kin. If the next of kin authorizes a disclosure to somebody not permitted by the HIPAA Privacy Rule, a disclosure of more than the minimum necessary information, or a disclosure of information the deceased did not want disclosed, these events are no longer HIPAA compliance violations. If you are still uncertain about when saying someone died is a HIPAA violation, you should seek professional compliance advice.

The post Is Saying Someone Died a HIPAA Violation? appeared first on The HIPAA Journal.

HIPAA Risk Assessment

A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat, so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level.

The requirements for covered entities and business associates to conduct a HIPAA risk assessment appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. However, it may be necessary for organizations to conduct risk assessments beyond these requirements.

The first requirement to conduct a HIPAA risk assessment appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). This standard requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”.

The second requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). This standard only applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI (in any format), and a HIPAA risk assessment is necessary to determine whether the event is notifiable to HHS and the affected individual(s).

However, beyond the HIPAA risk assessment requirements of the HIPAA Security and Breach Notification Rules, risks exist to the confidentiality, integrity, and availability of PHI when it is not in electronic format – for example, when unauthorized disclosures are made verbally or when a printed medical report is left unattended in an area of public access.

Because of these risks, it may be necessary to conduct a HIPAA privacy risk assessment which not only takes into account risks to the confidentiality, integrity, and availability of non-electronic PHI, but which also covers individuals’ access rights (to their PHI), Business Associate Agreements, and other Organizational Requirements of HIPAA.

HIPAA Security Risk Assessment

The objective of a HIPAA security risk assessment is outlined in the General Rules (45 CFR § 164.306) that precede the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. These are to:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
  • Ensure compliance with this subpart (the HIPAA Security Rule) by its workforce. Note: This is achieved via security awareness training and the enforcement of a sanctions policy.

With regard to the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, the General Rules allow a “flexibility of approach” in how the standards are implemented. Despite the flexibility of approach clause, all standards must be implemented; an implementation specification may be omitted only if it is not “reasonable and appropriate”, and then an equivalent alternative measure must be implemented in its place. The full list of Administrative, Physical, and Technical implementation specifications is:

(R) = Required, (A) = Addressable

| Standard | Section | Implementation Specifications | Implementation Commentary |
|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R) | Organizations should perform a comprehensive risk analysis to identify potential vulnerabilities to ePHI. Develop and document a risk management strategy that prioritizes remediation activities. Enforce a sanction policy for employees who fail to comply with security policies, and implement tools for reviewing system activity regularly to detect any unauthorized access. |
| Assigned Security Responsibility | 164.308(a)(2) | (R) | Assign a senior-level individual (such as a CISO or Privacy Officer) to be responsible for ensuring the implementation and oversight of security policies and procedures across the organization. This individual should have the authority and resources to enforce HIPAA compliance. |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A) | Establish and document procedures for supervising workforce members who access ePHI. Screen employees before granting access, and ensure prompt deactivation of accounts and access upon termination or role change to prevent unauthorized access. |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R), Access Authorization (A), Access Establishment and Modification (A) | Create controls to isolate systems that manage ePHI, especially if a healthcare clearinghouse is part of a larger organization. Define procedures for granting, modifying, and removing user access based on job roles. Access should be reviewed periodically and updated accordingly. |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A) | Develop a formal training program that includes regular security updates, awareness of phishing and malware threats, instructions for recognizing suspicious activities, and best practices for password management. Training should be documented and mandatory for all employees. |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) | Develop and maintain a written incident response plan that defines how to detect, report, and respond to security incidents. Train staff on recognizing incidents, and test the plan through simulated exercises to improve readiness. |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedure (A), Applications and Data Criticality Analysis (A) | Implement a robust contingency planning framework that includes regular data backups, disaster recovery procedures, and emergency mode operations to ensure continuity of care. Conduct periodic testing and revise plans based on outcomes. Assess and prioritize data and application criticality to focus recovery efforts effectively. |
| Evaluation | 164.308(a)(8) | (R) | Regularly evaluate your security program’s effectiveness through audits, risk assessments, and policy reviews. Document evaluation results and implement improvements as needed to address any weaknesses or evolving threats. |
| Business Associate Contracts | 164.308(b)(1) | Written Contract or Other Arrangement (R) | Enter into Business Associate Agreements (BAAs) with all vendors who handle ePHI on your behalf. Ensure these agreements outline security responsibilities and establish that the associate is subject to the HIPAA Rules. |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A) | Implement procedures to control physical access to facilities where ePHI is stored. This includes locking doors, using ID badges, and ensuring that emergency access is planned. Document maintenance activities and control how visitors and staff are validated before entering sensitive areas. |
| Workstation Use | 164.310(b) | (R) | Define appropriate uses of workstations that access ePHI. Restrict the use of unauthorized software and internet access, and place workstations in secure locations where unauthorized individuals cannot view screen content. |
| Workstation Security | 164.310(c) | (R) | Physically secure workstations by using cable locks, locking office doors, and ensuring terminals are not left unattended when logged in. This helps prevent unauthorized access or tampering. |
| Device and Media Controls | 164.310(d)(1) | Disposal (R), Media Re-use (R), Accountability (A), Data Backup and Storage (A) | Develop policies for securely disposing of media containing ePHI, such as shredding paper records or wiping hard drives. Maintain a media tracking system to ensure accountability, and store backups securely offsite or in the cloud. |
| Access Control | 164.312(a)(1) | Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A) | Assign unique user IDs for tracking access to systems containing ePHI. Ensure emergency access is available when needed. Set automatic logoff policies to reduce risk from unattended terminals, and encrypt data both at rest and in motion where appropriate. |
| Audit Controls | 164.312(b) | (R) | Use software tools that track and log all access to ePHI, including login attempts, file accesses, and modifications. Regularly audit these logs to identify unusual activity and respond to potential breaches. |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) | Use checksums, digital signatures, or similar tools to ensure that ePHI has not been altered or destroyed in an unauthorized manner. Validate these mechanisms regularly to ensure reliability and security. |
| Person or Entity Authentication | 164.312(d) | (R) | Ensure users authenticate themselves before accessing ePHI using secure methods such as strong passwords, biometric verification, or multi-factor authentication. Regularly update and review authentication policies. |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A), Encryption (A) | Encrypt data transmissions such as emails or data sent via APIs to protect ePHI from interception. Implement integrity controls such as message authentication codes to ensure that data is not altered during transmission. |


The final section of the HIPAA Security Rule covers Business Associate Agreements and other Organizational Requirements. This section requires covered entities to ensure their Business Associate Agreements require business associates to comply with the HIPAA Security Rule and to report any security incidents (not just data breaches) to the covered entity. With regard to the Organizational Requirements, the standard in 45 CFR § 164.314 applies to group health plans; but all covered entities in hybrid, affiliated, or OHCA arrangements should review the content of this standard as well.

HIPAA Breach Risk Assessment

The second “required” HIPAA risk assessment is actually optional inasmuch as the HIPAA Breach Notification Rule states that any impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless a low probability of compromise can be demonstrated via a risk assessment that takes at least the following factors into account:

  • The nature and extent of breached PHI including the types of identifiers and the likelihood of reidentification,
  • The unauthorized person (if known) who acquired, accessed, or used the breached PHI or to whom an impermissible disclosure was made,
  • Whether PHI was actually acquired or viewed (read HHS’ guidance on ransomware to establish what constitutes “acquired or viewed” in cyberattacks),
  • The extent to which the risk to PHI has been mitigated.

The reason for the HIPAA breach risk assessment being described as optional is that covered entities and business associates could – if they wish – skip this HIPAA assessment and report every impermissible acquisition, access, use, or disclosure of PHI as a breach. The drawback to this approach is that it may result in business disruption if HHS’ Office for Civil Rights feels your organization is experiencing an above-average number of data breaches and decides to conduct a compliance review.

It can also cause a loss of trust from individuals served by the organization if patients and plan members receive frequent breach notifications – especially if they are advised unnecessarily to take measures to protect themselves against fraud, theft, and loss because the “breached” PHI has not actually been acquired or viewed. Although “optional”, it can be a good idea to conduct a HIPAA breach risk assessment to prevent unnecessary notifications.

[Figure: HIPAA Risk Assessment Workflow (hipaajournal.com)]

HIPAA Privacy Risk Assessment

Due to the requirement to conduct risk assessments being in the HIPAA Security Rule, many covered entities and business associates overlook the necessity to conduct a HIPAA privacy risk assessment. A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.

In order to complete a HIPAA privacy risk assessment, an organization should appoint a Privacy Officer, whose first task is to identify organizational workflows and get a “big picture” view of how the requirements of the HIPAA Privacy Rule impact the organization’s operations. Thereafter, the Privacy Officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis to identify where breaches may occur.

The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy assessment and should be reviewed as new work practices are implemented or new technology is deployed.

As required by 45 CFR § 164.530, it is essential employees are trained on any policies and procedures developed as a result of a HIPAA privacy risk assessment and when material changes to policies and procedures impact employees’ functions. Although covered entities and business associates may comply with this requirement “to tick the box”, better trained staff make fewer HIPAA errors, so training on HIPAA policies and procedures should be embraced as a risk mitigation strategy.

Not Identifying Risks Can be Costly

The severity of fines for non-compliance with HIPAA has historically depended on the number of patients affected by a breach of PHI and the level of negligence involved. Few fines are now issued in the lowest “Did Not Know” HIPAA violation category, because there is little excuse for not knowing a legal requirement exists to protect PHI.

More recently, the majority of fines have been under the “Willful Neglect” HIPAA violation category, where organizations knew – or should have known – they had a responsibility to safeguard PHI. Many of the largest fines – including the $5.5 million fine issued against the Advocate Health Care Network – are attributable to organizations failing to identify where risks to the integrity of PHI exist.

However, since the start of the second round of HIPAA audits, fines have also been issued for potential breaches of PHI. These are where flaws in an organization’s security have not been uncovered by a HIPAA risk assessment, or where no assessment has been conducted at all. In March 2016, North Memorial Health Care of Minnesota paid more than $1.5 million to settle related HIPAA violation charges.

It’s Not Just Large Organizations in the Firing Line

Although the majority of headlines relating to HIPAA violations concern large medical organizations and large fines for non-compliance, a great many small medical practices are also investigated by the Office for Civil Rights (OCR) or subject to HIPAA audits. Since 2003, OCR has received more than 300,000 reports of alleged HIPAA violations. Less than 2% of these relate to data breaches involving 500 individuals or more.

A significant problem for small and medium-sized medical practices is that not all insurance carriers cover the cost of a HIPAA breach. The cost of a HIPAA breach includes not only the fine, but also the cost of hiring IT specialists to investigate the breach, the cost of repairing public confidence, and the cost of providing credit monitoring services for individuals. Insurers may also limit their coverage according to the nature of the HIPAA violation and the level of negligence.

Without insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice. However, this scenario can be mitigated by conducting a HIPAA risk assessment and implementing measures to resolve any uncovered issues. An assessment can be complicated and time-consuming, but the alternative is potentially terminal to small medical practices and their business associates.

Business Associates Must Be Included

Every covered entity that creates, receives, maintains, or transmits PHI has to conduct an accurate and thorough HIPAA risk assessment in order to comply with the Security Management requirements of the HIPAA Security Rule. This condition of HIPAA compliance not only applies to medical facilities and health plans. Business associates, subcontractors, and vendors must also conduct a HIPAA security risk assessment. Similar to covered entities, fines for non-compliance can be issued by OCR against business associates for potential breaches of PHI.

OCR treats these risks seriously. In December 2014, the agency revealed that 40% of all HIPAA breaches involving an exposure of more than 500 patient records are attributable to the negligence of business associates. In June 2016, it issued its first fine against a business associate – the Catholic Health Care Services of the Archdiocese of Philadelphia, which agreed to pay $650,000 following a breach of 450 records. The non-profit organization had failed to conduct a HIPAA risk assessment since 2013.

More recently, the proportion of data breaches attributable to a lack of compliance by business associates may appear to have reduced, but this is not necessarily the case. Under the HIPAA Breach Notification Rule (45 CFR § 164.410), a business associate is required to notify a covered entity when a breach of unsecured PHI occurs. It is then the covered entity’s responsibility to notify HHS and the affected individual(s) – so it may be the case that many data breaches are recorded as being attributable to a covered entity when in fact a business associate is at fault.

Developing a Risk Management Plan and Implementing New Procedures

A HIPAA risk assessment should reveal any areas of an organization’s security that need attention. Organizations then need to compile a risk management plan in order to address the weaknesses and vulnerabilities uncovered by the assessment and implement new procedures and policies where necessary to close the vulnerabilities most likely to result in a breach of PHI.

The risk levels assigned to each vulnerability will give an organization direction on the priority that each vulnerability needs to be given. The organization can then create a remediation plan to tackle the most critical vulnerabilities first. The remediation plan should be complemented with new procedures and policies where necessary, and appropriate workforce training and awareness programs.

It has been noted by OCR that the most frequent reason why covered entities and business associates fail HIPAA audits is a lack of policies and procedures – or inadequate policies and procedures. It is important that the appropriate policies and procedures are implemented in order to enforce changes to the workflow that have been introduced as a result of the HIPAA risk assessment.

Tools to Assist with a HIPAA Risk Assessment

Conducting a HIPAA risk assessment on every aspect of an organization’s operations – no matter what its size – can be complex. This is particularly true for small medical practices with limited resources and no previous experience of complying with HIPAA regulations. To help reduce the complexity of conducting HIPAA risk assessments, in 2014 OCR released a downloadable Security Risk Assessment (SRA) tool that helps small and medium-sized medical practices with the compilation of a HIPAA risk assessment.

The SRA tool is helpful for identifying some locations where weaknesses and vulnerabilities may exist – but not all. In the User Guide accompanying the software, it is stated at the beginning of the document that “the SRA tool is not a guarantee of HIPAA compliance”. This is because, although the tool consists of 156 questions relating to the confidentiality, availability, and integrity of all PHI, there are no suggestions on how to assign risk levels or what policies and procedures to introduce.

Much the same applies to other third-party tools that can be found on the Internet. They may also help organizations identify some weaknesses and vulnerabilities, but not provide a fully compliant HIPAA risk assessment. Indeed, many third-party vendors publish disclaimers in the small print of their terms and conditions similar to that at the beginning of the SRA tool User Guide. The conclusion is that tools to assist with a HIPAA risk assessment can be helpful for identifying issues but are not suitable for providing solutions to all issues.

HIPAA Risk Assessment FAQ

Where are risks most commonly identified?

Where risks are most commonly identified varies according to each organization and the nature of its activities. For example, a small medical practice may be at greater risk of impermissible disclosures through personal interactions, while a large healthcare group may be at greater risk of a data breach due to the misconfiguration of cloud servers.

What is a “reasonably anticipated threat”?

A reasonably anticipated threat is any threat to the privacy of individually identifiable health information or to the confidentiality, integrity, or availability of PHI that is foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment identifies the risks to HIPAA compliance, whereas a risk analysis assigns risk levels for vulnerability and impact combinations. The objective of assigning risk levels to each risk is so that risks with the potential to be most damaging can be addressed as priorities. Most HIPAA risk analyses are conducted using a qualitative risk matrix.

Who is responsible for conducting a HIPAA security risk assessment?

The responsibility for conducting a HIPAA security risk assessment usually lies with a HIPAA Compliance Officer; or, if the responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, the risk assessment and analysis should be conducted by the HIPAA Security Officer with assistance from his or her colleague depending on the nature of risks identified.

Are there different types of risk assessment for covered entities and business associates?

There are not different types of risk assessment for covered entities and business associates. Both covered entities and business associates need to conduct “A-to-Z” risk assessments for any Protected Health Information created, used, or stored. While business associates may experience a lower volume of PHI than a covered entity, the risk assessment has to be just as thorough and just as well documented.

What is a HIPAA risk assessment?

A HIPAA risk assessment is a risk assessment that organizations subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act have to complete in order to be compliant with the “Security Management Process” requirements. Non-compliant organizations have been fined for failing to comply with this requirement of HIPAA.

What is the difference between a HIPAA risk assessment and a HIPAA compliance assessment?

The difference between a HIPAA risk assessment and a HIPAA compliance assessment is that a HIPAA risk assessment identifies potential threats and vulnerabilities so measures can be implemented to mitigate their likelihood. A HIPAA compliance assessment is usually an assessment performed by a third party to assess an organization’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Why can I not find a HIPAA risk assessment template on the Internet?

You will not find a HIPAA risk assessment template on the Internet because covered entities and business associates vary significantly in size, complexity, and capabilities, and there is no “one-size-fits-all” HIPAA risk assessment. Due to the number of variables, there is no such thing as a HIPAA risk assessment template; and, if you do source a template from the Internet, you should treat it with caution as it may not include every potential risk to PHI maintained by your organization.

When is a HIPAA risk assessment necessary?

A HIPAA risk assessment is necessary in two instances. The first instance appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). The second instance occurs under the HIPAA Breach Notification Rule (45 CFR § 164.402), which applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI. However, organizations should conduct risk assessments more often than these requirements, particularly related to non-electronic PHI and organizational requirements.

What is the objective of a HIPAA security risk assessment?

The objective of a HIPAA security risk assessment is to identify risks to the confidentiality, integrity, and availability of all electronic PHI the covered entity or business associate creates, receives, maintains, or transmits. The risk assessment should not only focus on external threats, but also those within the organization attributable to malicious insiders or a lack of security awareness training.

What factors are considered in a HIPAA breach risk assessment?

The factors considered in a HIPAA breach risk assessment include the nature and extent of breached PHI, the types of identifiers and the likelihood of re-identification, the unauthorized person who accessed or used the breached PHI, whether PHI was actually acquired or viewed, and the extent to which the risk to PHI has been mitigated.

What could be the consequence of not identifying risks to PHI in a risk assessment?

The consequences of not identifying risks to PHI in a risk assessment are an increased likelihood of a data breach or impermissible disclosure, and – following on from such an event – a sanction issued by HHS’ Office for Civil Rights for failing to conduct a thorough risk assessment. It is important to be aware there are no excuses for failing to conduct a thorough risk assessment as covered entities and business associates “know or should know” they have a responsibility to safeguard PHI.

Do the HIPAA risk assessment requirements apply to Business Associates?

The HIPAA risk assessment requirements apply to business associates as business associates are required to comply with the HIPAA Security and Breach Notification Rules and the two HIPAA standards relating to HIPAA risk assessments appear in these Rules. Business associates are also advised to conduct HIPAA Privacy Rule risk assessments if the nature of their activities for a covered entity could violate the privacy of individually identifiable health information.

What tools can assist organizations with a HIPAA risk assessment?

The tools that can assist organizations with a HIPAA risk assessment include a downloadable Security Risk Assessment (SRA) tool released by HHS’ Office for Civil Rights in 2014 to help small and medium-sized medical practices with the compilation of a HIPAA risk assessment. There are also many tools available from third party compliance experts that are best used for identifying issues in situations not covered by the Security Risk Assessment Tool (i.e., HIPAA Privacy Rule compliance).

The post HIPAA Risk Assessment appeared first on The HIPAA Journal.

HIPAA Compliance for Business Associates

HIPAA compliance for business associates has acquired greater significance since the publication of proposals to align the HIPAA Security Rule more closely with HHS’ Healthcare Sector Cybersecurity Strategy – among which is a requirement for covered entities to obtain verifications from business associates that they have implemented measures to protect electronic Protected Health Information.

The implication of this requirement – if finalized – is that covered entities will only be permitted to contract services from business associates that can demonstrate compliance with HIPAA. However, demonstrating compliance with HIPAA is not straightforward for many business associates because what HIPAA compliance for business associates consists of can vary considerably depending on the type of service provided to or on behalf of a covered entity.

Despite the variety of compliance requirements, some areas of HIPAA compliance are common to all business associates. Business associates that can demonstrate compliance with these common areas via independent certification are likely to have a competitive advantage against other service providers to the healthcare industry. This article explains what these common areas of compliance are and what business associates need to do to comply with HIPAA.

What is a HIPAA Business Associate?

A HIPAA business associate is an organization, or a person who is not a member of a covered entity’s workforce, that provides services to or on behalf of a covered entity which enable the business associate to have “persistent access” to Protected Health Information (PHI). Examples of HIPAA business associates include medical billing service providers, software providers (including Managed Service Providers), and accreditation organizations with access to PHI.

There are exceptions to this definition of a HIPAA business associate. Some providers of healthcare and payment services, and organizations or persons for whom access to PHI is incidental or transient, do not qualify as HIPAA business associates. Researchers also do not qualify as HIPAA business associates when PHI is disclosed for research because the purpose of the disclosure is not regulated by the HIPAA Administrative Simplification Regulations.

When an organization or person qualifies as a HIPAA business associate, they are required to comply with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations. Each HIPAA business associate must determine which standards, requirements, and implementation specifications are applicable to the service being provided, and implement policies, procedures, and other measures as necessary.

Why HIPAA Compliance for Business Associates is Important

When the HIPAA Privacy Rule was published in 2002, covered entities were required to obtain “satisfactory assurances” HIPAA business associates would only use PHI disclosed to them for the purposes of the service being provided, would safeguard the information from misuse, and would help the covered entity comply with some of their HIPAA Privacy Rule obligations by providing a service that enabled the covered entity to carry out its functions compliantly.

However, until the passage of the HITECH Act in 2009, HIPAA business associates could not be held accountable for the failure to uphold their satisfactory assurances. The HITECH Act made HIPAA business associates and their downstream subcontractors directly liable for compliance with certain requirements of the HIPAA Rules. The direct liability of HIPAA business associates and downstream subcontractors was codified in the HIPAA Omnibus Final Rule in 2013.

“Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.” (§160.102(b))

More recently, The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking in January 2025 which, when finalized, will require covered entities to obtain written verifications from their HIPAA business associates that each HIPAA business associate has deployed and is operating technical safeguards that protect the confidentiality, integrity, and availability of PHI maintained on electronic information systems.

As the Notice of Proposed Rulemaking has the objective of aligning the HIPAA Security Rule with HHS’ Cybersecurity Performance Goals, and as compliance with HHS’ Cybersecurity Performance Goals may also become a condition of participation in Medicare and Medicaid, verifiable HIPAA compliance for business associates may soon become a condition for providing services to or on behalf of covered entities in the healthcare industry.

The Responsibilities of HIPAA Business Associates

The responsibilities of HIPAA business associates are much the same as they were in 2002 – only use PHI for the purposes of the service being provided, safeguard the information from misuse, and support the covered entity’s functions by providing a HIPAA compliant service. HIPAA business associates may use PHI for internal management and administration purposes, but there must be a documented chain of custody if PHI is disclosed to downstream subcontractors.

How HIPAA business associates fulfil their responsibilities depends on their existing status. For example, a software provider that wants to break into the healthcare market may only now be starting their journey to HIPAA compliance, while a Managed Service Provider with existing healthcare clients may already be fulfilling some responsibilities of HIPAA business associates – but not all – and may need to review and revise its operations to achieve full HIPAA compliance.

For the benefit of organizations and persons starting their journeys to HIPAA compliance, this article focuses on the common areas of HIPAA compliance for business associates from start to finish. Existing HIPAA business associates can use this article to identify gaps in compliance activities, while those with additional or uncommon HIPAA compliance responsibilities should seek advice from an independent compliance professional.

The Basics

Do You Qualify as a HIPAA Business Associate?

The first thing to determine is whether the service being provided qualifies you as a HIPAA business associate or subcontractor. If the service does not involve disclosures of PHI by a covered entity or upstream business associate, if disclosures of PHI are incidental or transient, or if the service is exempted under the HIPAA definition of a business associate, it is not necessary to comply with HIPAA (although other privacy and security regulations may apply).

Are disclosures of PHI involved?

Examples of when a service does not involve disclosures of PHI by a covered entity to a third party include when an organization provides email services to a healthcare provider, but the healthcare provider does not use the email service to send, receive, or store PHI. Alternatively, an organization could provide software for an on-premises email server, but the organization does not have access to PHI sent, received, stored, or transmitted by the on-premises email server.

Are disclosures of PHI incidental?

Incidental disclosures of PHI are usually considered to be disclosures secondary to permitted disclosures of PHI that cannot reasonably be prevented. In the context of HIPAA compliance for business associates, incidental disclosures are when a third party whose services do not ordinarily involve uses and disclosures of PHI has unintended access to PHI. An example could be a landscape gardener who recognizes a patient in the garden of a nursing home.

Is access to PHI transient?

Transient disclosures of PHI are disclosures to transmission-only services that do not have repeated or routine access to PHI. Examples of third parties that do not qualify as HIPAA business associates because their access to PHI is transient include the US Postal Service and private couriers such as FedEx, UPS, and DHL. Internet Service Providers also do not qualify as HIPAA business associates when they are used for transmission purposes only.

Is the service exempted?

Several types of service are exempted from qualifying as HIPAA business associates: when the service provided on behalf of a covered entity is for the treatment of a patient (e.g., medical specialists, laboratories, etc.) or for payment processing. However, the exemption for payment processing only applies to financial institutions providing their “normal” services for customers – not to developers and vendors of payment processing applications.

If You Qualify as a HIPAA Business Associate …

If you qualify as a HIPAA business associate, there are several activities you must undertake before providing a service for or on behalf of a covered entity. The first is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. The HIPAA Privacy Officer is responsible for ensuring compliance with all applicable HIPAA Administrative Simplification Requirements, while the HIPAA Security Officer is responsible for implementing the HIPAA Security Rule Safeguards (the Security Rule requires every covered entity and business associate to identify this official under §164.308(a)(2)).

Both roles can be outsourced, designated to existing employees, or – in smaller organizations – designated to the same employee. However, other than in exceptional circumstances, it is important to fill both roles. It is rare that HIPAA compliance for business associates can be accomplished by complying solely with the requirements of the HIPAA Security Rule. In most cases a more holistic approach to HIPAA compliance for business associates is necessary.

Business Associate Agreements

Before any PHI is disclosed to a HIPAA business associate, upstream covered entities must enter into a HIPAA Business Associate Agreement with the business associate. The Agreement establishes the permissible uses and disclosures of PHI by the business associate, how the business associate will respond to patients exercising their HIPAA rights, and responsibility for reporting disclosures of PHI not permitted by the Agreement, security incidents, and data breaches.

If your organization (as a HIPAA business associate) is using a service provided by a third party subcontractor (e.g., Microsoft 365) in the provision of the service to the covered entity, and PHI will be disclosed to the downstream subcontractor, your organization must also enter into a Business Associate Agreement with the downstream subcontractor. Some subcontractors (e.g., Microsoft) have a standard Business Associate Agreement that your organization must agree to.

Why Business Associate Agreements are Important

Determine which standards apply

Determining which standards of HIPAA apply to a service is one of the most complicated areas of HIPAA compliance for business associates. This is because, while most business associates are aware that the service has to comply with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, many overlook the Security Rule’s General Requirements – including the requirement to:

“Protect against any reasonably anticipated uses or disclosures [of PHI] that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).” (§164.306(a)(3))

In addition to being aware of which uses and disclosures of PHI are permitted by the HIPAA Privacy Rule – and in what circumstances – and implementing policies and procedures to prevent violations of the HIPAA Privacy Rule, business associates may also have to prepare for individuals exercising their HIPAA rights and security incident notifications – the responsibility for which may be subject to the terms of upstream and downstream Business Associate Agreements.

Map the flow of PHI in all formats

One of the factors that can affect which standards of HIPAA apply is how PHI is created, received, maintained, or transmitted by the organization. For example, if PHI is received verbally, written down, and then transferred to an electronic system for storage, it will be necessary to have procedures in place to compliantly dispose of the media on which the PHI was written down as well as the final disposition of PHI stored on the electronic system.

Mapping the flow of PHI in all formats will also enable HIPAA business associates to determine when an individual’s consent or authorization is required prior to further disclosing PHI (for example, Substance Use Disorder records), or when an attestation is required from the recipient of PHI that the information will not be used to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.

Conduct Risk Analyses

Determining which HIPAA standards apply and mapping how PHI flows through the organization will help HIPAA business associates better prepare for a risk analysis – a process required by the HIPAA Security Rule, but also potentially necessary for PHI in all formats depending on the nature of the service(s) being provided to a covered entity. HIPAA risk analyses should be based on guidance published by HHS and adjusted as necessary to accommodate uncommon circumstances.

Identify and document potential vulnerabilities and threats to PHI

Business associates are required to identify and document vulnerabilities which, if triggered by a reasonably anticipated threat, would create a risk of unauthorized access to – or disclosure of – PHI. All vulnerabilities and reasonably anticipated threats from both internal and external sources must be documented.

Assess the capabilities of existing policies and security measures

Most organizations will already have some policies and security measures in place to support HIPAA compliance for business associates. However, business associates should assess whether the existing policies and security measures are sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level.

Determine the likelihood and impact of a threat occurrence

It is not possible to eliminate all risks to the confidentiality, integrity, and availability of PHI, but by determining the likelihood and impact of a threat occurrence, HIPAA business associates should be able to prioritize which vulnerabilities should be addressed either by implementing additional technical safeguards or the provision of workforce training.

Determine the level of risk and potential consequences

Determining the level of risk to PHI and the potential consequences of a data breach will help HIPAA business associates with the development of contingency plans, data backup plans, and emergency mode operation plans (as required by the Administrative Safeguards) to ensure the availability of covered entities’ PHI during a HIPAA security incident

Implement additional policies and security measures as required

If existing policies and security measures are not sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level, business associates are required to implement additional policies and security measures as required, and document the reasons for them based on the previous steps in the risk analysis process.

Reassess periodically and in response to a regulatory or operational change

A risk analysis is required every time there is a change in regulations or work practices, and when new technology is implemented. If none of these events occur, HIPAA business associates must still perform a periodic technical and non-technical evaluation to ensure policies and security measures remain effective and in compliance with HIPAA.

Common Safeguards

Because business associates must implement administrative, physical, and technical safeguards based on the outcome of a risk analysis, there is no one-size-fits-all guidance for what safeguards must be implemented in order to accomplish HIPAA compliance for business associates. Nonetheless, there are several common safeguards that must be implemented in order for HIPAA business associates to comply with HIPAA.

Physical security

Secure locations in which PHI in all formats is stored and restrict physical access to systems on which PHI is maintained. It may also be necessary to secure workstations and other devices or media which can access PHI depending on whether PHI is stored locally on the workstations, devices, and media, and what other technical safeguards exist to prevent unauthorized access.

Unique user IDs

Although HIPAA does not stipulate password requirements, business associates are required to assign unique user IDs to all members of the workforce. If user IDs consist of a username and password, it is important to enforce the use of strong passwords and to be aware that the mandatory use of MFA is included in the proposed update to the HIPAA Security Rule.

Minimum Necessary

Other than in exempted circumstances, uses and disclosures of PHI must be limited to the minimum necessary to fulfil the purpose of a use or disclosure. This means assigning different access permissions to systems depending on their functions, and different access permissions to workforce members depending on their roles.

Maintain audit logs

One of the purposes of assigning unique user IDs is to create audit logs that attribute every access to PHI to an identifiable workforce member. For this reason, it is important that workforce members are instructed not to share login credentials with other members of the workforce: a shared credential makes the log useless as evidence of who did what. The audit logs should also record access to PHI by applications and be configured to flag anomalies that could indicate unauthorized access, such as a user reading far more records than their role requires or activity at unusual hours.

Workforce training

A common issue with HIPAA compliance for business associates is that the security awareness training provided by business associates is generic. According to the General Requirements of the HIPAA Security Rule, workforce training must be designed to protect against reasonably anticipated uses or disclosures of PHI not required or permitted by the HIPAA Privacy Rule.

Sanctions Policy

Business associates are required to apply sanctions against workforce members for any violation of the HIPAA Privacy Rule or for any violation of a policy implemented by the business associate to comply with the HIPAA Security Rule. Business associates that do not have, do not explain, or do not enforce a sanctions policy are themselves in violation of HIPAA.

Incident Management Preparation

According to §164.304 of the HIPAA Security Rule, the definition of a HIPAA security incident is any “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The reason that unsuccessful security incidents must be monitored is to identify trends in failed access attempts in order to identify future potential risks to the security of PHI.

System configurations

In order to monitor unsuccessful security incidents, systems should be configured, wherever possible, to automatically detect and log events such as brute force attempts against login credentials, ICMP sweeps, and port scans probing for exposed network services. Anti-virus software and email systems should also be monitored for increasing volumes of detected malware and spam emails, since a rising trend is itself an indicator that the organization is being targeted.
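The following script is an added illustration of the audit-log anomaly flagging and the unsuccessful-incident monitoring described above; it is not code from The HIPAA Journal. It runs four detections over a handful of constructed log lines: bursts of failed logins from one source (keyed by source rather than user ID, so that a password spray of a couple of guesses per account is still caught), PHI record reads that exceed a user’s documented baseline, one user ID active from two network addresses within minutes (an indicator that a “unique” credential is being shared), and PHI access outside working hours. The pipe-delimited log format, the event names, the baseline figures, and every threshold are assumptions; a real deployment needs its own parser and thresholds justified by the risk analysis.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed pipe-delimited format:
# timestamp|event|user_id|source_ip|detail
SAMPLE_LOG = """\
2024-03-04T09:00:01|LOGIN_FAIL|jdoe|203.0.113.7|bad password
2024-03-04T09:00:02|LOGIN_FAIL|jdoe|203.0.113.7|bad password
2024-03-04T09:00:04|LOGIN_FAIL|asmith|203.0.113.7|bad password
2024-03-04T09:00:05|LOGIN_FAIL|asmith|203.0.113.7|bad password
2024-03-04T09:00:07|LOGIN_FAIL|bjones|203.0.113.7|bad password
2024-03-04T09:00:09|LOGIN_OK|bjones|203.0.113.7|ok
2024-03-04T09:15:00|LOGIN_FAIL|ckim|198.51.100.9|bad password
2024-03-04T09:20:00|LOGIN_OK|ckim|198.51.100.9|ok
2024-03-04T10:01:00|PHI_READ|ckim|198.51.100.9|record=MRN-1001
2024-03-04T10:02:00|PHI_READ|ckim|198.51.100.9|record=MRN-1002
2024-03-04T10:03:00|PHI_READ|ckim|198.51.100.9|record=MRN-1003
2024-03-04T10:04:00|PHI_READ|ckim|198.51.100.9|record=MRN-1004
2024-03-04T10:04:30|PHI_READ|ckim|192.0.2.55|record=MRN-1005
2024-03-04T11:00:00|PHI_READ|dlee|198.51.100.10|record=MRN-2001
2024-03-04T23:30:00|PHI_READ|dlee|198.51.100.10|record=MRN-2002
"""

# Assumed per-user daily baseline of PHI record reads, as documented in the
# role-based access review; real values come from the risk analysis.
BASELINE_READS = {"ckim": 1, "dlee": 5}

def parse_log(text):
    """Parse the assumed format into dicts, sorted by time, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source, detail = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "source": source, "detail": detail})
    return sorted(records, key=lambda r: r["ts"])

def detect_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside a sliding window. Keyed by
    source rather than user so a spray of two guesses per account still counts."""
    recent = defaultdict(deque)
    flagged = {}
    for r in records:
        if r["event"] != "LOGIN_FAIL":
            continue
        q = recent[r["source"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[r["source"]] = max(flagged.get(r["source"], 0), len(q))
    return flagged

def detect_excess_phi_access(records, baseline, factor=3):
    """Users whose PHI_READ count exceeds factor x their documented baseline."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "PHI_READ":
            counts[r["user"]] += 1
    return {u: c for u, c in counts.items() if c > factor * baseline.get(u, 1)}

def detect_multi_source_sessions(records, window=timedelta(minutes=10)):
    """User IDs active from more than one source address within the window:
    a common indicator that a supposedly unique user ID is being shared."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["ts"], r["source"]))
    flagged = {}
    for user, events in by_user.items():
        for i, (ts, src) in enumerate(events):
            others = {s for t, s in events[i + 1:] if t - ts <= window and s != src}
            if others:
                flagged[user] = sorted(others | {src})
                break
    return flagged

def detect_after_hours(records, start_hour=7, end_hour=19):
    """PHI reads outside the assumed working day (the hours are tunable)."""
    return [r for r in records
            if r["event"] == "PHI_READ" and not start_hour <= r["ts"].hour < end_hour]

def run_detections(text, baseline=BASELINE_READS):
    """Run every check over one log and return the findings keyed by check name."""
    recs = parse_log(text)
    return {
        "bruteforce_sources": detect_bruteforce(recs),
        "excess_phi_reads": detect_excess_phi_access(recs, baseline),
        "shared_credential_suspects": detect_multi_source_sessions(recs),
        "after_hours_users": sorted({r["user"] for r in detect_after_hours(recs)}),
    }

if __name__ == "__main__":
    for name, finding in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the source 203.0.113.7 is flagged after five failures spread across three accounts, which a per-account lockout threshold would have missed; ckim is flagged both for reading five records against a baseline of one and for appearing from a second address thirty seconds after the first; dlee is flagged only for the 23:30 read. Each finding is a lead for the incident management plan, not a conclusion, and the thresholds should be revisited whenever the periodic review of detected unsuccessful incidents shows a change in trend.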

Reporting procedures

Procedures should also be developed for members of the workforce to report incidents that have evaded detection by security software or that have resulted from their own actions. In some cases, it can be beneficial to implement a system that facilitates anonymous reports to ensure that workforce members report an incident before it develops into a more serious event.

Incident management plan

Business associates must develop an incident management plan that includes incident monitoring, tracking, handling, and response for each type of incident. The plan must be documented and include the procedures for determining whether an incident is notifiable to an upstream covered entity. This can depend on the content of the Business Associate Agreement.

Incident preparedness testing

The incident management plan must be tested periodically for each type of incident and revised as necessary if vulnerabilities are discovered or if an analysis of detected unsuccessful security incidents identifies an increase in a particular incident type. It may also be necessary to test workforce members on their ability to identify and report incidents using a safe or sandboxed environment.

Procedures for receiving notifications

If a HIPAA business associate uses services provided by a downstream subcontractor, and the Business Associate Agreement with the downstream subcontractor specifies that the business associate must be notified of security incidents and data breaches, the business associate must have procedures in place for receiving notifications (e.g., a point of contact, the method of notification, etc.).

Procedures for making notifications

Procedures must also be in place for notifying upstream covered entities when a HIPAA security incident or data breach occurs. Depending on the content of the Business Associate Agreement with the upstream covered entity, it may also be necessary to have procedures in place to notify affected individuals and HHS’ Office for Civil Rights in the event of a data breach.

Documentation and Reviews

One of the most important elements of HIPAA compliance for business associates is documentation. Accurate documentation of how PHI flows through the organization, of risk analyses, and of the policies and procedures that support HIPAA compliance is essential. It is also important that all HIPAA training is documented, as well as any sanctions imposed for violations of HIPAA. Business Associate Agreements and breach notifications must also be documented.

Organized documentation signals operational efficiency, which can help build trust with upstream covered entities. It also makes it easier to keep on top of periodic reviews and evaluations. In addition, although documentation alone will not absolve a business associate from liability in the event of an avoidable HIPAA violation, organized documentation provides visible evidence of a business associate’s good faith effort to be HIPAA compliant.

It is important for certain documents to be reviewed periodically (risk analyses, incident management plans, etc.). However, HIPAA documentation is not the only regulatory requirement business associates may have to comply with, and it is advisable to implement a policy management platform that manages not only HIPAA documentation and reviews but also the documentation required by other federal and state agencies (e.g., OSHA, CMS, etc.).

The Strategic Advantage of HIPAA Compliance for Business Associates

HIPAA compliance is often seen as a legal obligation, but for business associates, it can also serve as a strategic advantage. By embracing HIPAA standards, demonstrating a commitment to safeguarding PHI via independent certification, and aligning HIPAA compliance activities with broader privacy and security frameworks, business associates not only fulfill their HIPAA compliance responsibilities but can also enhance their reputation and unlock growth opportunities.

Demonstrating compliance with applicable HIPAA Administrative Simplification Regulations via white papers, case studies, and independent certifications positions HIPAA business associates as reliable and attractive partners. This can serve as a differentiator in the healthcare industry when a compliance-certified HIPAA business associate is compared to other vendors and service providers – opening doors to business opportunities, contracts, and collaborations.

Business associates that invest in HIPAA compliance are better positioned to adapt to new laws and industry standards. The processes and systems established for HIPAA compliance often lay the groundwork for meeting future regulatory requirements, ensuring long-term sustainability and success. For those willing to embrace the challenges and opportunities of HIPAA compliance for business associates, the rewards extend far beyond meeting regulatory requirements – they lead to lasting business growth and innovation.

The post HIPAA Compliance for Business Associates appeared first on The HIPAA Journal.

HIPAA Rules and Regulations

The HIPAA rules and regulations are the standards and implementation specifications adopted by federal agencies to streamline healthcare transactions and protect the privacy and security of individually identifiable health information. This guide explains why the HIPAA rules and regulations exist, what they consist of, and who they apply to.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) with the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed on to plan members and employers, and that this would negatively impact tax revenues, Congress added a second Title to HIPAA – “Preventing Health Care Fraud and Abuse; Administrative Simplification”.

The measures in Title II were intended to neutralize the cost of the reforms. The measures introduced to prevent health care fraud and abuse gave HHS’ Office of Inspector General more resources to identify fraud and abuse in the healthcare industry, increased the civil and criminal penalties for violations of the Social Security Act, and widened the criteria for exclusion from federal health programs such as Medicare and Medicaid.

The Administrative Simplification measures instructed the Secretary for Health and Human Services to standardize the administration of healthcare transactions, adopt security standards for health information maintained or transmitted electronically, and “make recommendations with respect to the privacy of certain health information.” These instructions evolved into what many consider to be the HIPAA Rules and Regulations.

The HIPAA Administrative Simplification Regulations

The HIPAA Administrative Simplification Regulations occupy Parts 160, 162, and 164 in Title 45 of the Code of Federal Regulations (Public Welfare).

  • Part 164 includes General Provisions (Subpart A), the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E).
  • Part 162 includes further General Provisions (Subpart A), the Identifier Regulations (Subparts D to F), and the Transactions and Code Sets Rules (Subparts I to S).
  • Part 160 also includes General Provisions (Subpart A), the Preemption of State Law provisions (Subpart B), the Enforcement Rule (Subparts C and E), and the process for determining HIPAA Civil Penalties (Subpart D).

The above HIPAA rules and regulations are mostly administered and enforced by HHS’ Office for Civil Rights (Parts 160 and 164) and HHS’ Centers for Medicare & Medicaid Services (Part 162). Other agencies involved in administrative activities include the Internal Revenue Service (which issues Employer Identification Numbers), while the Federal Trade Commission has its own Health Breach Notification Rule for organizations not covered by the HIPAA rules and regulations.

In addition, State Attorneys General can take enforcement action against covered entities and business associates when a breach of unsecured protected health information harms a resident of the state, or when an organization violates a more stringent state privacy or security law that is not preempted by HIPAA. Some states also have Breach Notification Rules with shorter notification periods than HIPAA and/or consumer data protection laws that allow for a private right of action.

The HIPAA Rules and Regulations in Part 164

General Provisions

All three Parts of the HIPAA Rules and Regulations commence with the General Provisions for that Part. General Provisions typically consist of an introduction to the Part, a list of definitions for terms that are only used in the Part, and any unique arrangements that apply to the Part. For example, the General Provisions of Part 164 include a definition of hybrid entities and standards for how the healthcare component(s) of a hybrid entity should operate.

The HIPAA Security Rule

The HIPAA Security Rule contains the standards and implementation specifications considered necessary to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). The Rule applies to all covered entities, business associates, and subcontractors with access to ePHI, who are responsible for ensuring all members of the workforce comply with this Subpart regardless of their access to ePHI.

The HIPAA Security Rule

HIPAA Risk Assessments

HIPAA Rules on Contingency Planning

HIPAA Medical Records Destruction Rules

How to Make Your Email HIPAA Compliant

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule exists to ensure covered entities alert patients and plan members to a data breach in a timely manner so the victims of a breach can take steps to protect themselves against fraud and identity theft. The Rule covers topics such as the burden of proof, non-notifiable disclosures, law enforcement delays, notifications to HHS’ Office for Civil Rights, and – when required – notifications to the media.

The HIPAA Breach Notification Rule

Breach Notification Requirements

Healthcare Data Breach Statistics

Healthcare Data Breaches due to Phishing

How to Respond to a Healthcare Data Breach

The HIPAA Privacy Rule

The HIPAA Privacy Rule has two objectives – to protect the privacy of individually identifiable health information and to increase individuals’ rights over how their health information is used and who it is disclosed to. Individuals also have the right to request copies of their health information, review it for errors, request amendments when errors exist, and transfer their health information to a different provider or health plan.

The HIPAA Privacy Rule

HIPAA Privacy Guidelines

Patient Rights under HIPAA

HIPAA Permitted Disclosures

The HIPAA Photography Rules

HIPAA and Social Media Guidelines

HIPAA Guidelines on Telemedicine

HIPAA Compliance for Home Health Care

HIPAA Rules on Disclosures to Family and Friends

How to Handle a HIPAA Privacy Complaint

The HIPAA Rules and Regulations in Part 162

General Provisions

The HIPAA rules and regulations in Part 162 apply to covered entities that conduct covered transactions in-house, health care clearinghouses, and business associates that conduct covered transactions on behalf of a covered entity. It is also necessary for healthcare providers who outsource covered transactions to monitor business associate compliance with the HIPAA rules and regulations in Part 162 for the reasons given below.

HIPAA Unique Health Identifier Regulations

Unique health identifiers are used to identify employers (EINs) when a plan member is enrolled or disenrolled from a health plan, and to identify healthcare providers (NPIs) in all HIPAA covered transactions. Healthcare providers need to ensure NPIs are used correctly in all covered transactions – regardless of whether they are conducted in–house or subcontracted – to prevent delayed eligibility checks, treatment authorizations, and payments.

HIPAA Unique Identifiers Explained

HIPAA Transactions and Code Sets Rules

The HIPAA transactions and code sets rules determine whether a healthcare provider qualifies as a covered entity or not. If a healthcare provider conducts any transaction electronically for which HHS has adopted a standard, it qualifies as a covered entity. If it does not conduct covered transactions electronically (e.g., it only bills patients directly), it does not qualify as a covered entity and does not have to comply with the HIPAA rules and regulations.

HIPAA Transactions and Code Set Rules

The HIPAA Rules and Regulations in Part 160

General Provisions

The General Provisions in Subpart A of Part 160 and the section relating to the Preemption of State Law in Subpart B are very important in the context of understanding the HIPAA rules and regulations because they clarify when standards and implementation specifications apply to business associates, provide definitions of the most commonly used terms in HIPAA, and explain when a provision of state law is not preempted by HIPAA (for example, because it is more stringent) and therefore continues to apply.

What are Covered Entities?

What is PHI under HIPAA?

Limited Data Sets under HIPAA?

Complying with HIPAA California Law

When Does State Privacy Law Supersede HIPAA?

The HIPAA Enforcement Rule

The Enforcement Rule was originally one Subpart of Part 160 – “Procedures for Investigations, Imposition of Penalties, and Hearings”. As the number of standards increased and the penalty structure was amended by the HITECH Act, the Enforcement Rule was split into separate Subparts: “Investigations” (Subpart C) and “Hearings” (Subpart E). The “Imposition of Penalties” now occupies Subpart D as HIPAA civil penalties are amended annually.

HIPAA Enforcement Rule

Can HIPAA be Waived?

HIPAA Enforcement Discretion

What Happens if You Violate HIPAA?

What Happens after a HIPAA Complaint is Filed?

HIPAA Civil Penalties

The HIPAA Civil Penalties are often a last resort for persistent offenders – HHS agencies preferring to “seek and promote voluntary compliance” with the HIPAA rules and regulations. However, although organizations might not be fined by HHS’ Office for Civil Rights, compliance with the HIPAA rules and regulations may be considered the “standard of care” in State Attorney General civil actions, private lawsuits, and class action lawsuits.

Penalties for HIPAA Violations

HIPAA Violation Fines

Enforcement Trends and Outlook

HIPAA Enforcement by State Attorneys General

MedData Settles Class Action Lawsuit for $7 Million

Who Do The HIPAA Rules and Regulations Apply To?

The HIPAA rules and regulations apply to health plans, health care clearinghouses, and healthcare providers who conduct covered transactions electronically – collectively “covered entities”. An individual or organization that provides a service for or on behalf of a covered entity – other than as a member of the covered entity’s workforce – is a business associate if the service involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI).

Business associates and subcontractors of business associates are required to comply with the Security and Breach Notification Rules, any other Administrative Simplification Regulations that apply to the service being provided, and any specific provisions included in the Business Associate Agreement between the parties. Compliance is required even when a business associate or subcontractor has “no view access” to Protected Health Information.

Workforce members are also required to comply with HIPAA. Workforce compliance is often assumed to be limited to workplace policies and procedures. However, §164.530(e)(1) requires covered entities to apply sanctions against workforce members “who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule]”.

Applicability, Exceptions, and the Flexibility of Approach

In the context of who do the HIPAA rules and regulations apply to, it is important to be aware that covered entities, business associates, and workforce members do not have to comply with every standard and implementation specification – only those that are applicable to their operations. Those that are applicable should be determined by conducting a HIPAA risk assessment to identify where PHI is created, received, stored, or transmitted.

In addition, there are also a number of HIPAA exceptions. These can apply in circumstances where – for example – a more stringent state law applies in place of a HIPAA provision, a patient provides their authorization for an otherwise impermissible disclosure, or when a covered entity conducts a patient safety activity such as a fire drill. Some third party service providers may also not be required to comply with the HIPAA rules and regulations if they are exempted by the HIPAA Conduit Exception Rule.

The flexibility of approach provisions can also affect how a covered entity or business associate complies with HIPAA. The provisions in §164.306(b) allow covered entities and business associates to take into account factors such as complexity, capabilities, and costs when deciding how they will comply with the Security Rule. Any decisions made on the basis of these factors must be justified and documented in case of a subsequent compliance investigation.

Future Changes to the HIPAA Rules and Regulations

In addition to complying with the current HIPAA rules and regulations, it is necessary to be aware of future changes to the HIPAA rules and regulations. This is because, when a new or revised standard is published, there is a limited time between publication, the effective date, and the compliance date. Some organizations may find it difficult to make whatever changes are necessary and provide workforce training on the changes within the time allowed.

When large scale changes occur – such as happened in 2013 with the HIPAA Omnibus Rule – almost every covered entity and business associate is impacted by the changes. This makes it harder to seek appropriate guidance from HHS and raises the likelihood of standards being misinterpreted. Fortunately, the changes since 2013 have been limited in scale (e.g., the NICS amendment to the Privacy Rule) or regular in nature (e.g., HCPCS code updates).

However, there is a growing list of HIPAA updates and changes in the pipeline – ranging from new Part 162 standards for electronic signatures on healthcare transactions, to new Security Rule standards to comply with HHS’ Healthcare Sector Cybersecurity Strategy. Significantly, it has been hinted that a failure to comply with the new Security Standards might not only result in a civil monetary penalty, but also in exclusion from federal health programs such as Medicare.

HIPAA Omnibus Rule

HHS Part 2 Final Rule

Reproductive Health Care Privacy Rule

HIPAA Updates and HIPAA Changes

New HIPAA Regulations

HIPAA Compliance Needs to be Approached Holistically

Because of the wide range of applicable HIPAA rules and regulations, the wide range of covered entities and business associates they apply to, and the potential for exceptions, flexibilities, and changes, compliance with the HIPAA rules and regulations needs to be holistic, rather than piecemeal. Individuals and organizations subject to HIPAA compliance are advised to seek professional compliance advice if assistance is needed adopting a holistic approach to HIPAA compliance.

HIPAA Compliance Checklist

HIPAA Policies and Procedures

HIPAA Data Retention Requirements

HIPAA Business Associate Agreements

Latest HIPAA News

The post HIPAA Rules and Regulations appeared first on The HIPAA Journal.

HIPAA Transactions and Code Sets Rules

The HIPAA transactions and code sets rules have the objective of replacing non-standard descriptions of healthcare activities with standard formats for each type of activity in order to streamline administrative processes, lower operating costs, and improve the quality of data.

During the 1970s and 1980s, an increasing number of organizations in the healthcare and health insurance industries adopted electronic data interchange (EDI) to accelerate manual healthcare processes such as eligibility checks, treatment authorizations, and remittance advices. However, many organizations developed proprietary transaction and code set formats to describe specific healthcare activities based on the formats used for internal operations.

Consequently, prior to the passage of HIPAA, it was estimated that up to 400 proprietary formats were in use. Acknowledging that this would be a barrier to the objectives of the Administrative Simplification Regulations, Congress instructed the Secretary of Health and Human Services (HHS) to adopt standard HIPAA transactions and code sets rules for health plans, health care clearinghouses, and healthcare providers that transmit health information electronically.

HIPAA Transactions and Code Sets Rules Adopted Quickly

At the time, most federal agencies and larger private organizations had already adopted standard code sets such as ICD-9-CM for diagnoses and procedures, together with transaction formats developed by the Accredited Standards Committee X12 insurance subcommittee (ASC X12N) for the data elements exchanged in healthcare transactions. Indeed, many of the code sets and formats that would eventually be adopted under the HIPAA transactions and code sets rules were already mandated for use in some federal and state healthcare programs, including Medicare and Medicaid.

Because the adoption of standard formats was already at an advanced stage, it did not take long for the proposed HIPAA transactions and code sets rules to be published (May 1998) and for the rules to be finalized (August 2000). The rules omitted standards for health claims attachments and first report of injury transactions (which are still “deferred”), but included standards for coordination of benefits transactions. The HIPAA transactions for which standards have been adopted are:

Payment and Remittance Advice and Electronic Funds Transfer.

Health Care Claims Status.

Health Plan Eligibility Benefit Inquiry and Response.

Claim or Equivalent Encounter Information.

Health Plan Enrollment and Disenrollment.

Referral Certification and Authorization.

Health Plan Premium Payments.

Coordination of Benefits.

The Standards for Code Sets are Updated Frequently

While the list of transactions has changed little since 2000 (a standard for Medicaid pharmacy subrogation transactions was added in January 2009, and a standard for electronic funds transfers in 2012), the code sets used in HIPAA transactions are updated frequently. For example, ICD-9-CM code sets were replaced by ICD-10-CM and ICD-10-PCS in October 2015, Healthcare Common Procedure Coding System (HCPCS) code sets are updated quarterly, and the National Drug Code Directory is updated daily.

In addition, health plans have had to comply with the HIPAA Operating Rules required by §1104 of the Patient Protection and Affordable Care Act since January 2013 for eligibility and claim status transactions, and since January 2014 for electronic funds transfers and remittance advices. The HIPAA Operating Rules place additional requirements on health plans to provide quicker, more complete responses when healthcare providers make inquiries about individuals’ eligibility for benefits, claim statuses, fund transfers, and remittance advices.

How Compliance with the Rules is Enforced

Compliance with the HIPAA transactions and code sets rules is enforced by HHS’ Centers for Medicare and Medicaid Services (CMS). CMS has the authority to investigate complaints made by covered entities when another covered entity is using incorrect transaction codes or HIPAA identifiers, or not complying with the HIPAA Operating Rules. Covered entities can test compliance with the HIPAA transactions and code sets rules and file complaints via CMS’ ASETT portal.

If a complaint is investigated and found to be justified, CMS has the same enforcement powers as HHS’ Office for Civil Rights. This means CMS can impose corrective action plans or civil money penalties for compliance failures. In addition, HHS’ Office of Inspector General can exclude healthcare providers from federal healthcare programs if a failure to comply with the HIPAA transactions and code sets rules is attributable to fraud, theft, abuse, neglect, or other unlawful activity.

The post HIPAA Transactions and Code Sets Rules appeared first on The HIPAA Journal.

HIPAA Unique Identifiers Explained

The requirement to adopt HIPAA unique identifiers for individuals, employers, health plans, and healthcare providers was originally included in the text of HIPAA in order to improve the efficiency of healthcare transactions and to reduce administrative costs. However, no standards were ever adopted for individuals, and the standards for health plans were rescinded in 2019.

The requirement for the Secretary of Health and Human Services (HHS) to adopt HIPAA unique identifiers appears in §1173 of HIPAA (42 USC 1320d-2(b)). Referred to as “unique health identifiers” in the text of HIPAA, the standard instructs the Secretary to:

“Adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers”.

The instruction was part of a larger goal to achieve uniform national health data standards that would support the efficient electronic exchange of health information used in HIPAA-covered transactions (the “health care system” mentioned above). However, the instruction was only partly complied with due to the cost and complexity of standardizing HIPAA unique identifiers for individuals and health plans.

The Cost of Adopting Individual HIPAA Identifiers

In 1998, HHS published a white paper containing multiple options for adopting individual HIPAA unique identifiers. The white paper listed 30 criteria for evaluating the options and discussed the pros and cons of each identifier type, the practicalities of adopting specific identifiers, and the cost of implementation. Due to the costs of implementation and of converting existing systems, no standards for individual HIPAA unique identifiers were ever adopted; since fiscal year 1999, annual appropriations acts have also prohibited HHS from spending funds to adopt a unique health identifier for individuals.

The Quick Fix for Employer HIPAA Unique Identifiers

Employer HIPAA unique identifiers are necessary when an employer enrolls or disenrolls an employee in a health plan, or when a health plan needs to keep track of premium payments or contributions from a certain employer for certain types of benefit. As all employers are required by 26 USC 6011(b) to have an IRS-issued Employer Identification Number (EIN), HHS published a Final Rule in May 2002 adopting EINs as employer HIPAA unique identifiers.

The Complexity of Using Four Health Plan Identifiers

Due to the different ways in which health plans function, multiple codes of different lengths and formats were in use by the time HHS published a Final Rule in September 2012. Even then, rather than there being one unique identifier for health plans, the rule defined separate identifiers for controlling health plans and subhealth plans, plus an “other entity” identifier for non-health-plan entities that participate in transactions. Due to the complexity of using the identifiers and the manual processes still required to process HIPAA transactions, the standards were never enforced, and the HIPAA identifiers for health plans were rescinded in 2019.

Healthcare Provider Identifiers Were Already in Use

Prior to the passage of HIPAA, the Health Care Financing Administration (HCFA, now known as CMS) had been working on a National Provider Identifier (NPI) for use in the Medicare and Medicaid programs. In 1998, HHS proposed that the NPI should be adopted as the standard provider identifier for all HIPAA transactions. The proposal was finalized in January 2004, and the National Plan and Provider Enumeration System (NPPES) was set up to assign NPIs to healthcare providers not yet issued one.

Unique Identifiers Should Not be Confused with PHI Identifiers

Several sources discussing HIPAA identifiers confuse employer and provider identifiers with the PHI identifiers that must be removed from a designated record set before any health information remaining in the record set can be considered de-identified under the safe harbor method of de-identification. It is important to understand the difference between the two types of identifiers to avoid preventable HIPAA violations.

Employer and provider identifiers are identifiers that must be used in healthcare transactions between providers (or their business associates) and health plans. PHI identifiers are individually identifying information that can identify the subject of PHI. Covered entities and business associates who are uncertain about the difference between HIPAA unique identifiers and PHI identifiers are advised to seek HIPAA compliance advice.

The post HIPAA Unique Identifiers Explained appeared first on The HIPAA Journal.