May 19, 2025 HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized. The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes: “Cybersecurity threats affect large and small covered healthcare providers.” Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR. This fine showcases that no practice, big or small, must be followed to keep patient data safe. What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation. The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data. The SRA is critical for a compliant practice and should be completed annually and after any breaches. While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document. In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule. The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring. Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR. Meet with an expert today to learn how to automate your compliance program.
A Dentist’s Guide to OSHA Compliance
May 15, 2025 On a global scale, more than 2 million healthcare workers experience needle-stick injuries on an annual basis. Dentists are at the most at risk, with 59% of dentists studied experiencing needle stick injuries. Dentists are particularly susceptible to OSHA violations due to the daily use of sharps and the increased possible exposure to bloodborne pathogens and saliva when working in patients’ mouths. Protecting your dental team through safety and compliance isn’t just a good idea—it’s essential. Here’s a clear look at the standard preventive measures for OSHA in dentistry. First Line of Defense: Training There are numerous safety precautions to keep staff safe, but the first layer of protection is proper training and procedures. Before working with patients, staff must be thoroughly trained on the possible risks and mitigation techniques. Staff must also be provided a walk-through of the practice, assuring they know where all emergency equipment and exits are located. Training programs must review all possible risks, like sharps, bloodborne pathogens, radiation, etc. Videos and training materials must be easily accessible for staff to review. All relevant policies outlining compliant procedures for various situations must also be accessible to all staff members. Training is the foundation of a compliant practice, and with proper OSHA in dentistry training, your staff can feel confident handling any situation. Always Wear Personal Protective Equipment While it might not always be the most fashionable decision, wearing Personal Protective Equipment (PPE) is imperative to keep staff safe. It is key that staff always wear PPE when working with patients. PPE can be defined as gloves, masks, gowns, face shields, and more. By wearing PPE, your staff have a barrier when working with patients, minimizing the risks of exposure. PPE must be provided to staff free of charge, cultivating a safe environment. Staff must also be appropriately trained to use PPE when working with patients, ensuring all know the necessary steps to protect themselves. PPE minimizes exposure to risks by limiting contact with patients, and is a staple for a safe healthcare practice. Stay Sharp: Handling Needles Carefully Dentists are well aware of the risks associated with working with needles, scalers, and other sharps. Use sharps carefully and utilize devices with safety features when working with sharps. Many sharps have preventative measures, like retractable needles after use, self-sheathing blades, and reinforced containers for sharps. When using sharps, ensure your staff wear gloves and other applicable PPE. Sharps handling, from initial use on a patient to disposal, requires strict adherence to safety protocols to minimize the risk of accidental sticks and the transmission of bloodborne pathogens. Bloodborne Pathogens 101 Working in healthcare, especially dentistry, puts staff at risk for exposure to bloodborne pathogens. Bloodborne pathogens are microorganisms that cause disease, like hepatitis B, C, and HIV. The World Health Organization states that 3 million healthcare workers are exposed to bloodborne diseases through skin puncture injuries each year. With PPE and appropriate sharps equipment, your staff is already significantly mitigating risk. However, if a sharp needle or blade pricks a staff member, it is essential to receive First Aid to protect the wound immediately. The staff member should have their blood tested as soon as possible. Depending on the situation, time is of the essence after a sharps incident. Some diseases, like HIV, can be prevented within 3 days of exposure. While it can be overwhelming, staff must stay calm and follow the proper procedures after an incident, with most sharps incidents not resulting in an infection. Simplifying OSHA Compliance As you can see, handling OSHA compliance in dentistry can be daunting. With the correct compliance program to address numerous risks, your dental staff can feel secure and concentrate on delivering excellent patient care. Intelligent OSHA software offers automatically generated policies, required forms, and training resources in a centralized compliance hub, providing a documented compliance program for your team. Meet with a compliance expert today to learn more about how you can streamline your OSHA compliance program.
Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach
4.24.25 As we head into the middle of the year, it’s safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties being announced weekly. The latest fine showcases that the OCR can and will investigate breaches no matter your organization’s size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprised of over a hundred health practices throughout the state. PIH’s HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization due to a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes. What Happened? In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk. While the phishing attempt occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020. When a breach impacts over 500 patients, time is of the essence. Parties must be notified within 60 days of the breach, including widespread press releases for the media. More issues were brought to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs. This is at the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place. Overall, this successful phishing attempt revealed inadequacies and several HIPAA violations. In addition, the organization’s failure to notify the OCR and patients promptly also contributed to the severity of the fine. Protecting Patient Data The healthcare industry’s sensitive data makes it the prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training to avoid suspicious emails and, in general, risk mitigation techniques. Healthcare practices must always address the breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach’s impact and understand how to monitor their data. No matter the organization’s size, using smart software can help simplify compliance, avoid significant fines, and reduce patient data risk. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to secure patient Protected Health Information (PHI). To learn more about how your practice can streamline common HIPAA violations, schedule a meeting with a compliance expert today.
Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis
April 17, 2025 Let’s make this clear: The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is the proactive assessment of your practices’ physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity protocols, like firewalls, antivirus software, encryption, and other security measures. Lastly, the administrative safeguards are your practice’s actions, such as using visitor IDs, maintaining a sign-in sheet, or even posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement. This focus has remained consistent even during administration transitions. Said best by OCR Acting Director Anthony Archeval, “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.” What Happened? Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging clinical services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients’ Protected Health Information (PHI). The breach, which occurred from April 2019 to January 2020, was caused by unauthorized individuals accessing radiology images of patients due to a compromised server. When the OCR began investigating the practice in March 2020, it was discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP). Completing an SRA NERAD’s HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, addressing problems before patients’ information is at risk is much easier. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA mandates practices to analyze and review existing procedures thoroughly, this process doesn’t need to be overwhelming or costly. With smart solutions, your practice can answer simple questions about your practice while the software intuitively builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.
The HIPAA Audit Wake-Up Call: Is Your Practice Compliant?
April 10, 2025 The HIPAA Audit program is back in business. Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) has been able to audit practices, ensuring they follow HIPAA standards. While the revival of the audit program was announced last May, new information was confirmed at the latest HIPAA Summit, with 50 Covered Entities and Business Associates being selected to be audited. This program was last active from 2016-2017, which highlighted that, unfortunately, noncompliance with HIPAA is far too common in regulated entities. In fact, only 14% of Covered Entities, like medical practices, could produce a compliant Security Risk Analysis (SRA). The healthcare industry is entering a new era of HIPAA compliance in the wake of the largest ever healthcare data breach. New HIPAA legislation is being reviewed and the Office of the Inspector General (OIG) is recommending stricter audit processes. With millions in fines already imposed in 2025, proactive preparation is now critical for healthcare providers and their business partners. What is the Audit Program? The audit program was first introduced when the HITECH Act was enacted in 2009. While the majority of the investigations the OCR conducts are reactive, resulting after a patient complaint or a breach, the audit program is random. The OCR will thoroughly review the selected organization’s documentation and current processes as the audit program resumes. A compliant HIPAA program entails much more than training; it also requires comprehensive, continuous protocols to ensure patient data is being protected. The basis of a compliant practice is being able to present an SRA. As stated earlier, previous audit programs spotlighted the shortcomings of regulated entities completing this. The SRA is a thorough assessment of your practice. This includes reviewing the safeguards your practice currently has in place. Technical, physical, and administrative safeguards all play a role in securing Protected Health Information (PHI). This would include a deep dive into the technology your practice uses, the physical protections your practice might have (like alarms), and the administrative policies your practice follows. Completing this analysis will allow your practice to identify vulnerabilities before a breach occurs. Proactive compliance, addressing issues before they affect patients, is key to a successful practice. In addition to providing an SRA, practices must also prove compliance with other pillars of HIPAA compliance, such as the Right of Access (or sending requested medical records to practices in a timely manner), the Breach Notification Rule, the Privacy Rule, and more. After the rise in ransomware attacks in recent years, with a nearly 300% increase in ransomware-related breaches, regulated entities’ cybersecurity practices will likely be scrutinized, ensuring that those audited are aware of their technology responsibilities. What can I do? Your practice must be aware of HIPAA and implement the appropriate safeguards to be prepared for the possibility of an audit. While this can be a daunting task, it is imperative for your practice to follow HIPAA compliance before a situation occurs. Thankfully, smart software can streamline and simplify HIPAA for your practice, providing a roadmap to compliance. With the right solution, your practice can see exactly what the OCR requires, which will be asked for if ever audited. To learn more about becoming audit-ready, schedule an educational consultation with our team of experts.
Navigating HIPAA in the Digital Age: Patient Communication Essentials
April 2, 2025 When 80% of patients prefer digital communication, exploring this opportunity to better serve your patients is crucial. In the digital world, it’s easier than ever to connect with others and build relationships with others through technology. Connecting with patients via technology is simple, but practices must ensure that all communication, including emails, texts, and calls, adheres to HIPAA regulations. What is HIPAA-Compliant Communication? HIPAA, or the Health Insurance Portability and Accountability Act, is focused on ensuring the security of patients’ Protected Health Information (PHI). PHI includes anything personally identifiable about a patient, including Social Security Numbers, full names, addresses, medical history, and more. When communicating with a patient, it’s vital to implement the proper protocols to keep patient data safe. When patient data isn’t secured through traditional channels, using a regular phone doesn’t cut it. For instance, channels need to be encrypted, providing extra layers of protection. Additionally, it’s important to communicate with patients using the minimum amount of information necessary for a conversation. For example, if a patient texts asking to reschedule an appointment, a practice should offer new times and not go in-depth about a patient’s medical history. Communication should remain brief and focus on justifiable reasons to talk to a patient, like scheduling, post-op instructions, and test results. Patients need to consent to different forms of communication, like texts. The practice is responsible for receiving consent when a patient begins seeing a practice. How can I Implement HIPAA-Compliant Communication? An encrypted communication service is the easiest way to ensure secure communication channels. As communication with patients has become normalized in the healthcare industry, numerous organizations offer HIPAA-compliant communication systems. These systems include compliant and encrypted end-to-end phone calls, texts, and emails. Ensure these companies also do their due diligence and sign a Business Associate Agreement (BAA) with your communications provider. Once a suitable communication system is in place, training staff on communicating effectively and safely with patients electronically is crucial. Staff should be well-versed in the proper procedures for digital patient communication. This includes understanding the Minimum Necessary standard, carefully reviewing messages before sending them to patients (especially to ensure information is being sent to the correct patient), and recognizing phishing scams to verify the authenticity of communications before responding. What’s Next? Communicating with patients leads to a more successful practice, with higher attendance rates and more engaged patients. Digital communication is the future, and with the right tools, you can easily navigate HIPAA-compliant communication. In addition to using digital communication systems, implementing a smart software solution is key to a compliant practice. A centralized compliance hub allows you to easily see your vulnerabilities and organize vital documentation, like BAAs with third-party vendors you may use. Looking to learn more about how you can make your practice more efficient while still following rigorous HIPAA laws? Schedule a meeting with a compliance expert today.
Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine
March 27, 2025 With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI). The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide. After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP). At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities. This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement. This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement. What Happened? In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue. Four breach reports describing this incident were filed from the end of 2018 into early 2019. This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024. The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities. As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years. How to Protect Your Organization When working with PHI, all involved parties must know their responsibilities. For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities. Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.
What is Right of Access?: Understanding the HIPAA Privacy Rule
March 20, 2025 HIPAA is often misunderstood as only addressing the security of medical information. However, it encompasses more than that. The Health Insurance Portability & Accountability Act also defines how medical information must be shared with patients through the Privacy Rule. This highlights another key responsibility healthcare providers must be accountable for. Alongside the Security Rule and the Breach Notification Rule, the Privacy Rule provides patients additional rights regarding how their medical records are handled. The Privacy Rule created the Right of Access, requiring practices to provide patients with their medical records in a timely manner. With the latest fine for HIPAA being a Right of Access violation, it’s vital for practices to be aware of this requirement and how it pertains to the care they provide. What is Right of Access? Right of Access gives practices 30 days to fulfill a patient’s request for their records. In some situations, these thirty days can be extended to an additional 30 days, but that is the longest period of time allowed to provide a patient with their records. This is a federal requirement, but the timeline could be even shorter depending on where the practice is located. For instance, if the practice is in California, staff must provide patients with medical records within 15 days. Your practice can charge for medical records, but it needs to be reasonable. The Office for Civil Rights (OCR) defines this as the average cost of supplies, limited labor, and postage when providing medical records to a patient. However, instead of calculating this cost, the OCR also suggested a flat fee not to exceed $6.50 when handling electronic records. Once again, other guidance can be levied on the state level, like California’s cap on the cost of medical records at 25¢ a page plus a reasonable clerical fee. From the moment a practice receives a request, it must be addressed quickly. Staying on top of these requests is crucial for staying compliant and maintaining patient satisfaction. How to Stay Compliant While this might seem simple, many practices have been fined in the past for violating this right of patients. In 2024 alone, Right of Access fines accounted for nearly $500,000. The OCR introduced a Right of Access Initiative to ensure that these patient requests are taken seriously. Many of these investigations and fines stem from patient complaints, showing the importance of complying with this HIPAA component. Utilizing smart software solutions can assist your team in ensuring that all staff members are aware of their responsibilities when handling PHI, including the responsibility to address patient requests quickly. This empowers your team to take accountability and keep patients happy. To learn more about how to comply with HIPAA Right of Access legislation, meet with our team of compliance experts today.
Inside a HIPAA Investigation: A 4-Part Educational Series
March 17, 2025 Getting a HIPAA investigation letter can be overwhelming, but your practice can successfully navigate the process with the right resources. This series is designed to be your easy-to-read guide, walking you through each step of the process. We’ll break down everything from understanding the initial letter to navigating potential outcomes, providing you with best practices to keep your practice confident and prepared if you ever receive a letter. Blog 1: Is Your Practice Prepared for a HIPAA Breach? A common misconception is that a HIPAA breach causes your practice to be fined. Instead, your practice’s lack of proactive measures and proper response to a breach is what leads to disciplinary action. Although it’s impossible to prevent breaches completely, the proper safeguards can minimize their risk and impact. Learn more about breach mitigation here. Blog 2: Decoding the HIPAA Investigation Letter: What to Expect and How to Respond The official start of an investigation is when your practice receives the data request letter from the Office for Civil Rights (OCR). The letter is thorough, with the OCR inspecting your practice’s safeguards in the wake of a breach or a complaint. Learn more about what your practice can expect if they receive a letter here. Blog 3: Responding to a HIPAA Investigation: A Guide to Document Organization From the second your practice gets a letter from the OCR, it’s time to start organizing documentation. Organizing documentation is vital for streamlining the investigation process. Having organized documentation is the key to passing an investigation and avoiding fines. Learn more here. Blog 4: The Final Verdict: HIPAA Investigation Outcomes After months of investigation, the OCR will send a letter to your practice. Various outcomes can occur, from closing the investigation with no fines to corrective action. Learn more about the outcomes of an investigation here. While we hope your practice never has to experience an investigation, things happen. With the right proactive safeguards in place, your practice can minimize the chance of an investigation and be organized and ready if one occurs. With the right resources, like a compliance software solution, your practice can streamline compliance, take control, and easily identify vulnerabilities before they become serious issues. Want to learn more about how you can protect your practice? Meet with a compliance expert today.
Denied, Delayed, Fined: OHSU’s $200K HIPAA Fine
March 13, 2025 Oregon Health & Science University (OHSU), an academic research institution with public health centers, is the latest Covered Entity to be fined for a HIPAA Right of Access violation. Unfortunately, Right of Access fines are common, usually sparked by a patient complaint. OHSU’s violation was no different, with a patient waiting for records much longer than the 30-day federal requirement. This 53rd Right of Access rule enforcement showcases the critical importance of prioritizing patient requests. What Happened? A patient of OHSU required their medical records, and a medical representative requested records multiple times for years. The representative’s initial written request was on April 24, 2019. At first, OHSU quickly addressed this request, having a Business Associate provide medical records to the representative by April 29, 2019. However, these were partial records, not including all of the vital information the patient needed. The representative sent another request at the beginning of November 2019, which OHSU incorrectly denied due to a missing date. The representative submitted another request at the end of the month, which OHSU once again erroneously denied, this time for invoices. When OHSU again only provided partial records after the representative asked for the records in May 2020, the representative filed a complaint with the Office for Civil Rights (OCR). After another denial of medical records in July, the OCR closed the case in September, providing OHSU technical assistance to properly send medical records. However, the records were still not provided as of January 2021, when the representative submitted a second complaint to the OCR. The OCR notified the university on August 21, 2021. Within the week, OHSU provided the representative with medical records. All medical records were sent to the representative by the end of September. Over two years had passed from the first request in April 2019 to finally receiving the records in late 2021. This request’s drawn-out, back-and-forth nature resulted in OHSU being fined a $200,000 Civil Monetary Penalty. Prioritize Patient Requests Almost half a million patient complaints have been received from the OCR. By prioritizing patient requests for records, your practice can avoid potential investigations, fines, and in general, unhappy patients. When working in healthcare, your goal is to provide the best care for patients. Ignoring patients’ needs will leave them unhappy and dissatisfied, seriously impacting the overall quality of care your practice can provide. Intelligent compliance software solutions allow your practice to proactively identify and address vulnerabilities while educating staff on essential compliance requirements. By streamlining compliance, your staff can be well aware of the importance of prioritizing patient requests, leading to a more successful practice with higher patient satisfaction. To learn more about simplifying compliance, schedule a consultation with a compliance expert.