October 29, 2025

By now, you'd have to be hiding under a rock to miss the headlines surrounding the government shutdown. The impact of this federal funding freeze is hitting nearly every major industry in the United States. While we aren't sure when it will end, it's shaping up to possibly be the longest government shutdown ever. However, lost in the political chess match is news about a vital resource for medical practices: the Health and Human Services Office for Civil Rights (HHS OCR) Security Risk Analysis (SRA) tool has been taken offline.

[Image: The SRA website as of October 29, 2025]

This tool is necessary for healthcare practices to analyze the technical, physical, and administrative safeguards they have in place to secure Protected Health Information (PHI). Without it, practices could be left with serious violations that jeopardize their practice and their patients' confidential information.

While it may not seem like a big deal for a government website to be hit with a "be back soon" message, the SRA is a major resource for healthcare practices looking to implement the most effective and appropriate precautions necessary for compliance. During the last round of audits, only 14% of practices were able to produce compliant documentation, and with the SRA tool unavailable, that number could go even lower. Unfortunately, this isn't the first time the tool has gone down.

So, what do practices do in the meantime? The instability of the government-run SRA highlights the importance of implementing a comprehensive compliance program for every single practice that wants to meet the requirements of federal and state regulations. (Hint: that should be every practice.)

How Compliance Software Can Help Your Practice

Fortunately, there are solutions available that aren't beholden to DC downtime, like Abyde. Abyde's medical compliance software offers an SRA tool that was built using the government's requirements, but presented in a more digestible format. This tool (which is online today!) gives practices the same insight into potential vulnerabilities that could violate compliance and lead to serious consequences. But even better, the software solution dives deeper; after all, the information revealed by the SRA is just the tip of the iceberg.

HIPAA compliance is a thorough and continuous process, and your practice must cultivate a culture of compliance to pass audits, protect patient data, and maintain the integrity of your business. The right software can help you not only spot vulnerabilities but mitigate them with end-to-end training, dynamic policy and procedure generation, BA documentation, and more. It also provides resources like compliance checklists that can shield your practice from common pitfalls and costly fines. Beyond the tangible benefits, thorough compliance software offers expert support to assist with HIPAA compliance questions, complaints, breaches, and audits. The SRA tool is a stepping stone to compliance; a centralized hub lets your practice know exactly where it stands.

Getting Compliant Today

Even amid a shutdown, your HIPAA obligations don't pause. Sooner or later, the two sides will play nice and we'll be back to our regularly scheduled investigations. Don't let your compliance slide in the meantime! A modern platform centralizes your SRA, policies, BAAs, training, and support so you always know what's done, what's due, and what's at risk. Meet with a compliance expert today to learn more about HIPAA compliance in your practice.
How to Stay HIPAA Compliant When Patients Request Their Medical Records
October 27, 2025

Imagine a scenario that's played out at your practice a million times: a patient calls and asks for a copy of their medical records. Simple, right? Believe it or not, what seems like a routine request can quickly become a compliance risk if your employees misunderstand timelines, allowable fees, or who's allowed to access certain information. With over 50 penalties and millions of dollars in fines issued by the Office for Civil Rights due to Right of Access violations, your practice has a responsibility to understand its role when handling patient requests. By acknowledging your practice's duties and properly training your staff, you can empower your team to deliver documents in a timely manner that still protects sensitive data.

Right of Access 101

Right of Access, established in the HIPAA Privacy Rule, gives patients the right to receive their records within 30 days of the initial request. Depending on the state, the number of days your practice has to fulfill requests may be even less. For example, California legislation requires that patient requests be fulfilled within 15 days. This timeline is strict and can only be extended once, for an additional 30 days. So, once you receive a request, it's go time.

Before the staff gathers anything, the first question is: how should these records be sent out? Even if the request comes through a secure portal, your staff must encrypt any Protected Health Information (PHI) sent electronically. Certified mail is recommended for safe and trackable delivery if the patient requests a physical copy.

Now, what can you charge to deliver these records? Patients have a right to their health records, and any associated costs must be minimal to remain HIPAA compliant. According to the OCR, a flat fee of $6.50 may be charged for all requests for copies of PHI maintained electronically. Additionally, ensure that thorough documentation, like a current HIPAA consent form, is in place if the requester is not the patient themselves.

Keeping Your Practice Compliant

So, think back to the scenario we mentioned earlier. Only now, you don't have to stress! Your team is trained and aware of their responsibility to fulfill patients' requests. Your patients get what they want, and even better, your practice avoids thousands of dollars in fines and reputational damage. Quickly and compliantly addressing patient requests also promotes patient satisfaction. The proper software solution centralizes all documentation, policies, forms, and training related to Right of Access. This cloud-based hub provides easy access for everyone in your practice, giving staff the tools they need to be successful. To learn more about Right of Access in your practice, meet with a compliance expert today.
Top 5 HIPAA Myths That Put Your Practice at Risk
October 21, 2025

Running a healthcare practice means juggling patient care, staff, and countless responsibilities. Somewhere in the mix, HIPAA can feel like one more thing on the never-ending list. Understandably, compliance might not always top your priorities. But that's precisely where many practices get caught off guard. Misunderstanding what HIPAA truly requires can lead to costly mistakes. Even the most well-intentioned practices can fall for common HIPAA misconceptions that put them at risk. It's time to debunk the myths and get your practice back on track.

Myth 1: HIPAA only applies to large hospitals

We hate to break it to you, but if your practice handles Protected Health Information (PHI), you must follow HIPAA. It doesn't matter if your practice has five employees or 5,000; it's held to the same standards. HIPAA investigators can and will continue to investigate small practices. In fact, one of the most recent fines was levied on a single-facility healthcare provider for $250,000 after a ransomware attack exposed several HIPAA violations. Smaller practices often don't have the same IT departments, legal teams, or budgets as large hospitals, which makes HIPAA violations even more damaging. A fine or breach can strain finances, disrupt daily operations, and erode patient trust that took years to build.

Myth 2: We do HIPAA training, so we're good!

Full HIPAA compliance is much more than training. Thorough HIPAA training is necessary, but ensuring staff are educated on their responsibilities only scratches the surface of a compliant practice. One of the most commonly missed HIPAA requirements is the Security Risk Analysis (SRA). The SRA is a thorough review of all physical, administrative, and technical safeguards your practice currently has in place. Does your practice have an alarm? If so, does every staff member have an individual code to disarm it? Does your practice deploy antivirus software? Does your staff ensure patients are unable to see computers with PHI? These are all examples of the questions the SRA assesses.

The SRA is a required document that is strongly recommended to be completed annually. Proposed legislation would require this document yearly for all regulated entities, and Business Associates would have to submit their documentation and be certified by a cybersecurity expert. Unfortunately, only 14% of practices could produce a compliant SRA during the last round of HIPAA audits, making this a commonly missed requirement. The Office for Civil Rights (OCR) is investing more resources to ensure all regulated entities know this document is essential. The OCR has introduced a Risk Analysis Initiative, fining practices that lack an SRA and publicizing them as examples. While the SRA is one of the largest requirements of HIPAA, all of its requirements come together like a puzzle. The SRA, training, proper technical safeguards, Business Associate Agreements, documentation, and more all ensure that a practice upholds HIPAA legislation.

Myth 3: My IT company handles HIPAA for me

If only it were that easy. While having an IT company is encouraged to ensure that your technical safeguards are in place to protect PHI, that doesn't necessarily mean they handle all your HIPAA requirements. For example, while your IT company can equip your email systems with compliant email encryption, it cannot prevent a breach if a staff member accidentally emails PHI to the wrong patient. If you are investigated because of this, your IT team can provide technical knowledge, but the OCR will request more information about training, documentation, and other areas not within your IT team's expertise.

The human factor is often the weakest link in data protection. Even the best encryption can't prevent an employee from falling for a phishing scam or leaving a chart open on their desk. That's why consistent staff training and clear procedures are as essential as your technical defenses. While your IT company can assist with the technical side of HIPAA, it's strongly recommended that you utilize a compliance platform for training, documentation, your SRA, and more to address the other requirements. Relying solely on your IT provider can leave your practice vulnerable. HIPAA requires comprehensive compliance: secure technology, thorough documentation, SRAs, training, and ongoing monitoring.

Myth 4: If a patient posts their own info online, I can comment

Even if your patient posts a glowing review of how wonderful their experience was with your practice, you cannot post a personalized reply. Replying to an individual review confirms that the reviewer was a patient at your practice, a big HIPAA no-no. When answering any review, keep it brief and generic. For instance, "Thank you for your kind words. If you have any questions or further feedback, contact 123-456-7891." is a compliant response. If you'd like to use a patient's experience in marketing material, communicate with them through a secure channel and provide a media consent form. If you receive a negative review, take the reviewer offline and provide a secure communication channel, like a phone number or encrypted email. You should never get upset while responding online. Practices have been fined for inappropriate responses, such as leaking PHI to prove a point.

Myth 5: A data breach automatically means a fine

You can take a deep breath, because not every data breach turns into a hefty fine. Even with strong safeguards, no healthcare practice is entirely immune to risk. With ransomware attacks on the rise, cybercriminals are constantly evolving their tactics to exploit the sensitivity of patient data. It's important to remember that HIPAA fines stem from missing or insufficient compliance measures, not the breach itself. That's why proactive compliance is so critical. When your practice maintains proper safeguards and documentation, you significantly reduce your practice's risks. During an investigation, the OCR will ask for documentation or proof that your practice protected patient data before the incident, how your practice handled the breach, and what your practice currently has in place following the incident. If your documentation is compliant, proving your practice takes the proper precautions and promotes a culture of compliance, the OCR can close the investigation, meaning no fine.

What HIPAA Really Means
Abyde Takes the Spotlight: Named One of Florida’s Top 50 Companies to Watch
October 16, 2025

We are incredibly proud to announce that GrowFL has recognized our team at Abyde as one of Florida's Top 50 Companies to Watch! This prestigious, statewide award is a tremendous honor for us and a powerful testament to the impact Abyde has across the medical compliance industry and our local community right here in Florida. As we officially take our spot among Florida's top growing companies, we're reminded that this achievement is built entirely on two things: the dedication and success of our incredible team, and the trust of our amazing customers. This award validates our core commitment to creating an environment where our team can thrive and grow, and our continued mission to simplify HIPAA and OSHA compliance for every practice we serve.

What does this mean for Abyde?

The annual GrowFL Florida Companies to Watch Award is a coveted honor for Florida companies with six to 150 employees. Even being named a nominee is an incredible honor, as it highlights a business's economic performance and organizational growth, outstanding achievements that have significantly impacted Florida's economy. After a thorough judging process involving a competitive pool of Florida-based companies from various industries, Abyde has been named a top 50 finalist! With 500 nominations for this award, we ranked in the top 10 percent of Florida companies during the 15th Annual GrowFL Florida Companies to Watch Awards.

These honorees' impact on Florida's economy is significant. They generated over $700 million in revenue annually and employed nearly 2,250 people as of 2024, and those numbers are projected to reach almost $900 million in revenue and 2,500 employees for 2025.

Want to join our journey as we simplify compliance for healthcare practices? Follow Abyde on LinkedIn for company news and the latest career opportunities!
HIPAA Compliance Officers: Building a Culture of Patient Privacy
October 8, 2025

What happens when a patient calls with a complaint about their medical records? Or when a Business Associate requests access to your data? If you're unsure, it's time to meet with your practice's HIPAA Compliance Officer (HCO). HIPAA requires your practice to have a designated compliance officer (HCO), which is key to building a foundation of HIPAA compliance for your practice. More than just a box to check, having an HCO provides structure and clarity for your practice, ensuring that all the proper safeguards are in place to secure patient data. While the HCO title might seem like a simple administrative label, the duties are anything but. This vital oversight ensures that everyone knows their HIPAA responsibilities and that patients' Protected Health Information (PHI) is kept under lock and key.

Behind the Badge: Responsibilities of an HCO

An HCO wears many hats when it comes to compliance. From safeguarding PHI to managing vendors, these responsibilities form the backbone of a practice's HIPAA program.

First, the HCO needs to complete a Security Risk Analysis (SRA) for the practice. The SRA is a thorough document detailing all physical, technical, and administrative safeguards that keep PHI safe. The HCO should update it annually, and proposed legislation would make this a strict yearly requirement. An SRA can be completed by hiring a third-party consultant, leveraging smart software, or even manually entering the information. HCOs should consider time investment, accuracy, and cost before choosing an approach.

The HCO must ensure that every staff member is adequately trained and aware of their responsibilities before interacting with PHI. This includes showing new staff where compliance documents (policies, procedures, forms, etc.) are and equipping staff with thorough training to handle any situation involving PHI. Additionally, the HCO must ensure all training and documentation are current and in line with the latest legislation.

HCOs must also ensure that any relationship with a vendor is handled correctly and that there's documentation to prove it. The vendors, or Business Associates (BAs), that work alongside healthcare providers and have access to PHI must also be HIPAA compliant. One of the most important documents when working with a BA is the Business Associate Agreement (BAA). This required agreement holds both parties liable and defines their responsibilities. Both BAs and Covered Entities must sign this document before working together. The Office for Civil Rights (OCR) can and has fined practices for missing a BAA after a breach.

This is only a brief overview of the many responsibilities HCOs take on. A good HCO establishes a culture of compliance, ensuring that protecting patient information becomes second nature for the entire practice.

Streamlining HCO Responsibilities

At the end of the day, the HCO is the practice's go-to authority for HIPAA. From handling patient complaints to addressing staff concerns and representing the practice during an investigation, the HCO is the person everyone turns to. While taking on this role might be overwhelming, intelligent solutions can streamline the work and assist HCOs so they're always on top of compliance. You can proactively identify gaps and take control by leveraging the right compliance tools. These tools automate and streamline compliance, allowing HCOs to spend less time buried in paperwork and more time guiding their teams. Meet with a compliance expert today to learn more about HIPAA compliance in your practice.
From Success Stories to HIPAA Violations: Cadia Healthcare’s $182K Lesson
October 6, 2025

Remember: sometimes, it's not your story to tell. While your practice might be excited to share the positive results of quality patient care, it's your patients' right to share their stories. Patients' medical histories and treatment plans are considered Protected Health Information (PHI), and it's your practice's responsibility to safeguard all sensitive patient data.

Cadia Healthcare Facilities is the latest rehabilitation organization caught in the Office for Civil Rights' (OCR) crosshairs after improperly disclosing patient health stories online. Alerted by a patient complaint, the OCR investigated the organization and settled the violation with a $182,000 fine and a two-year Corrective Action Plan (CAP). A major financial and reputational hit, paired with thorough government monitoring, is a lesson learned for the organization. The 20th fine of the year teaches healthcare practices the importance of HIPAA-compliant marketing, website management, and patient consent.

What Happened?

The rehabilitation organization implemented a Success Story section on its site, with 150 patients' stories publicly highlighted on the page. This page had extensive PHI, including a patient's name, image, conditions, treatment, and recovery plans. While Cadia Healthcare Facilities utilized the website with good intentions, these Success Stories quickly turned into HIPAA horrors. The reason why? Missing HIPAA authorization forms for all 150 featured patients. Then, a patient contacted the OCR with concerns about their image being used without permission on the Cadia Healthcare Facilities website. That's when the OCR discovered the rehabilitation organization's noncompliant website and impermissible disclosures. In addition to the fine and government monitoring, the organization must notify all impacted patients that their information was breached on its site, per the Breach Notification Rule.

Share Online Compliantly

Posting your practice's accomplishments online might be exciting, but your practice must handle it carefully. Your practice must obtain a HIPAA authorization form before publicly sharing patients' PHI. This includes before-and-after photos, testimonials, and, in this case, success stories. The forms must be written and specific, and patients can withdraw permission at any time. Your practice's online presence is likely a new patient's first impression, so it's essential to maintain and update your webpage. However, having more likes and views should never outweigh your commitment to compliance and patient protection.

Are you confident your staff understands how HIPAA compliance extends to social media and other forms of marketing? With smart software, your practice can easily train staff and provide them with the required documents for HIPAA-compliant social media use. The right compliance solution will empower your staff to handle HIPAA compliance with ease, allowing them to build an online presence while keeping patient data safe. To learn more about HIPAA compliance for your practice, meet with a compliance expert today.
Likes Without Liability: HIPAA-Safe Ways to Connect with Patients Online
October 1, 2025

Doing a TikTok with a patient might make your practice go viral for all the wrong reasons. In a world of social media, email marketing, and overall digital communication, connecting with your patients online is a no-brainer. However, the moment you step into the world of patient engagement, you run straight into red tape: the Health Insurance Portability and Accountability Act (HIPAA) regulations. While a photo of a patient might not seem like a big deal, your practice needs to safeguard patient data, or Protected Health Information (PHI). Typical forms of PHI include a patient's name, image, Social Security Number, and health records. The internet provides numerous ways to connect with and market to patients; your practice must do this carefully, securely, and compliantly.

Social Media Landmines

The very nature of social media sites like TikTok, Instagram, and Facebook encourages quick, personal sharing of content. That directly conflicts with the strict privacy requirements HIPAA upholds. The good news is, your practice can post with patients if the proper steps are followed to ensure HIPAA marketing compliance.

First, your patient must sign a media consent form if their image is posted. This includes testimonials as well. Even if a patient had a great experience with your practice and wants to share, this documentation must be completed. This form must be specific and written, allowing the patient to withdraw permission easily. A verbal agreement isn't going to cut it.

PHI also can't be shared when responding to Google or Yelp reviews. And yes, acknowledging that a patient attended your practice is considered PHI. Keep all responses brief and respectful. If a patient had a bad experience at your practice, try to take it offline and provide a secure channel to continue communication.

Remember that HIPAA violations are not limited to your official practice accounts. All of your practice's staff are bound by HIPAA legislation. So, train staff and ensure they know their responsibilities to keep PHI secure. No selfies at work!

Safeguarding Your Inbox

Chances are, you're sending emails every day in your practice. Let's make sure your practice is sending emails compliantly. First up: encryption. Patient emails are considered PHI, so ensure all the necessary technical safeguards are in place to protect your inbox. After double-checking that the right patient receives an email, keep it simple and send only the minimum necessary information. A quick appointment reminder doesn't need someone's full health record attached.

Next, consent matters. Your patients might be fine getting reminders or lab results by email, but that doesn't mean they want marketing messages about specials at another location. Respecting their preferences keeps their information safe and your practice out of trouble. Make sure your practice documents this consent, and, like media consent forms, allow your patients to change their permissions at any time.

Posting with Peace of Mind

This is just a quick roadmap for using marketing tools and HIPAA marketing compliance in your practice, but if done correctly, social media and email can be powerful ways to connect with your patients. Staying compliant isn't just about following rules; it helps build trust with your patients, which is far more valuable than any number of Instagram followers. While your IT provider can always offer guidance on technical safeguards, understanding these basics is essential for keeping your practice and patient information safe. Smart, practical solutions can make HIPAA compliance easier for your practice. Connect with a compliance expert today to take the guesswork out of compliance.
Smile Safely: What Dental Practices Need to Know About Patient Photos
September 25, 2025

Smile! Members of your dental practice look at countless images of your patients' pearly whites daily. However, it can be a major HIPAA violation if your practice doesn't handle these images carefully. While X-rays of a patient seem anonymous, X-rays and patient medical imaging are considered Protected Health Information (PHI). PHI is health data that can easily be linked to an individual patient. In fact, X-rays also usually include further information, including a patient's full name and birthday, to ensure they are appropriately assigned and shared with the right patient. The same goes for images of patients' teeth taken with a traditional camera. HIPAA is about keeping patient information safe, protecting healthcare data, and holding everyone accountable. So, your practice's job is to keep patient images from curious eyes peeking where they shouldn't.

No Peeking!

When handling X-rays and other forms of dental photography, ensure that role-based permissions are correctly assigned. In other words, ensure that whoever has access to these images truly needs access. For example, your receptionist most likely doesn't need access to a patient's X-rays, but your head dentist would. Your practice must assign these roles to keep patient data safe and terminate any access once an employee leaves or roles change. A recent HIPAA fine highlights the importance of this: an $800,000 fine after one patient became aware of improper staff access.

Your practice should also routinely monitor access to PHI, ensuring that a) the viewer is authorized to view the specific patient images and b) the timing and duration of their access make sense. For example, your practice's billing staff doesn't need to look at a patient's health records at 3 a.m. Noticing odd access to PHI lets your practice catch issues quickly, including hackers.

Smile for the Camera (and Get an Autograph!)

While it's vital to keep patients' medical images, such as X-rays and traditional photos, under lock and key, with the right documentation you can share these images publicly. Let's say your practice wants to share a patient's orthodontic journey with braces on social media with a before-and-after post. Before posting anything, make sure your patient signs a media consent form. These forms should be thorough and documented by your practice. A patient must be able to revoke consent easily at any time. Even with this consent, keeping any images as anonymous as possible is still best practice. You shouldn't be tagging your patients in social media posts!

Smile with Compliance Confidence

As they say, a picture is worth a thousand words, and in healthcare, those words are PHI that must stay protected. Dental images play a key role in diagnosing and treating patients, which is why your practice needs to keep this form of PHI secure. With the right compliance solution, your practice can simplify HIPAA by managing everything in one centralized hub. Important documents, like media consent forms, are always easy to access. Connect with a HIPAA expert today to learn how to streamline compliance.
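The "No Peeking!" advice above (role-based permissions, terminating access when staff leave, and watching for odd timing or duration) can be turned into a routine audit-log review. The following is an added example, not code from the original post or from Abyde: the log format, the role-to-resource permission matrix, the business hours, the view-time threshold and every user and patient in the sample log are constructed assumptions, and a real practice's HCO would set these values from its own policies and imaging system.

```python
"""Review a PHI image-access audit log for access that a HIPAA Compliance
Officer would want to question. Added example with a hypothetical log format;
all roles, users, patients and thresholds below are constructed assumptions."""
import csv
import io
from datetime import datetime, time

# Assumed role-based permissions: which resource types each role may open.
ROLE_PERMISSIONS = {
    "dentist": {"xray", "photo", "chart"},
    "hygienist": {"xray", "photo"},
    "billing": {"chart"},
    "receptionist": set(),          # front desk needs no access to images
}

# Assumed list of accounts that should still be active; anyone else who
# appears in the log should have had their access terminated.
ACTIVE_USERS = {"dr.lee", "mcarter", "jdoe", "tnguyen"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed practice hours
MAX_VIEW_SECONDS = 20 * 60                   # assumed "unusually long" threshold

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
timestamp,user,role,resource_type,patient_id,seconds_viewed
2025-09-22T09:14:05,dr.lee,dentist,xray,P1001,240
2025-09-22T09:30:12,mcarter,hygienist,photo,P1002,90
2025-09-22T10:02:47,jdoe,receptionist,xray,P1001,35
2025-09-23T03:07:19,tnguyen,billing,chart,P1003,1800
2025-09-23T11:45:00,tnguyen,billing,chart,P1004,300
2025-09-23T12:10:00,rformer,hygienist,photo,P1002,60
"""


def review_access(log_text, permissions=ROLE_PERMISSIONS, active=ACTIVE_USERS,
                  hours=BUSINESS_HOURS, max_seconds=MAX_VIEW_SECONDS):
    """Return one finding per log row that breaks a rule, with the reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        # Rule 1: the viewer's role must be permitted for this resource type.
        # An unknown role maps to the empty set, so it is flagged too.
        if row["resource_type"] not in permissions.get(row["role"], set()):
            reasons.append("role not permitted for resource")
        # Rule 2: the account must still be active (access terminated on exit).
        if row["user"] not in active:
            reasons.append("account should have been terminated")
        # Rule 3: access outside business hours deserves a second look.
        if not (hours[0] <= ts.time() < hours[1]):
            reasons.append("outside business hours")
        # Rule 4: a very long view of one patient's record is unusual.
        if int(row["seconds_viewed"]) > max_seconds:
            reasons.append("unusually long view")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user": row["user"],
                             "patient_id": row["patient_id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f["timestamp"], f["user"], f["patient_id"], "; ".join(f["reasons"]))
```

Run against the constructed log, the review flags the receptionist opening an X-ray, the billing account reading a chart at 3 a.m. for half an hour, and a former hygienist's account that is still being used. The rules are deliberately simple so they can be explained to an investigator; the value comes from running them on a schedule and keeping the findings, since the OCR asks for proof that access was monitored, not just that a policy existed.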
Introducing Abyde’s Security Risk Analysis for Covered Entities
September 23, 2025

At the foundation of every HIPAA-compliant practice is a Security Risk Analysis (SRA). The SRA is a thorough assessment of all administrative, physical, and technical safeguards your practice has in place to secure Protected Health Information (PHI). The comprehensive SRA needs to include everything your practice does, from using a sign-in sheet to alarms in the practice to how your computer systems are handled. This documentation must be updated annually and completed for every location of a practice. It is also required for MIPS.

This analysis allows your practice to identify vulnerabilities before an issue occurs. If your SRA shows a server running an outdated version, fix it now; don't wait for it to become a breach.

A missing SRA is one of the most common HIPAA violations discovered by the Office for Civil Rights (OCR). In fact, during the last round of audits, 86% of Covered Entities, or practices, couldn't produce a compliant SRA. The OCR has also introduced the Risk Analysis Initiative, focusing on this document when investigating practices. Since the end of 2024, there have been 10 enforcements under this initiative, totaling over a million dollars in fines. During any investigation, the OCR can and will ask you to provide proof of this document. This document sets the groundwork for compliance in your practice and is key to proving proactive compliance if a situation arises.

However, completing an SRA is easier said than done. With intricate complexities and the different areas of your practice that must be reviewed, it's tough to figure out where to start. Manually completing an SRA takes time and is prone to mistakes. Hiring a third-party consultant can get expensive, and you could lose patient time if they need to close your practice while completing the documentation.

Streamlining the SRA

There is a better way. Abyde has released its Security Risk Analysis for Covered Entities solution to simplify completing this documentation. While this feature is included in the full HIPAA for Covered Entities product, alongside training, dynamic policy and procedure documentation generation, Business Associate Agreements, event logs, live support, and more, Abyde has created this standalone product to assist practices in taking their first step toward compliance.

The Security Risk Analysis for Covered Entities solution is crafted for healthcare practices and streamlines the SRA into an intuitive questionnaire. Instead of closing your practice for the day, complete this questionnaire within an hour with cloud-based software. After completion, the Security Risk Analysis software for healthcare will generate a Scorecard report, highlighting any recommendations for your practice to achieve compliance. The full SRA only needs to be completed once. After that, the software prompts you with ongoing questions whenever updates are required. For example, if your practice isn't encrypting emails, it will flag this as a high risk and remind you on a monthly basis until your practice takes the proper precautions.

Enjoy the SRA? You can easily upgrade the Security Risk Analysis software for healthcare to Abyde's full HIPAA for Covered Entities product and maintain your SRA.

Get Compliant Today

A Security Risk Analysis doesn't have to be complicated or time-consuming. With Abyde's Security Risk Analysis for Covered Entities software, your practice can complete a thorough, compliant SRA quickly and accurately, without disrupting patient care. Ready to streamline your SRA? Meet with a compliance consultant today.
HIPAA and the Cloud: Is Your Patients’ Data Safe or at Risk?
September 18, 2025

Sure, your dog pics and selfies are safe in the cloud... but what about your patients' data? When technology advances, your practice evolves too. As a healthcare provider, your job is to keep your patients and their data safe. The Health Insurance Portability and Accountability Act (HIPAA) covers protecting this data, especially how it is stored. For example, what if a bad storm floods your practice and ruins an internal server? With cloud storage, this isn't an issue. Cloud storage is hosted elsewhere and accessed through an internet connection, keeping your practice's Protected Health Information (PHI) safe. Cloud storage and computing are encouraged, but it's up to your practice to utilize them compliantly.

Best Tips for Using Cloud Storage

It's time to do research before working with any cloud service provider. Some good questions to ask include:

Does this organization highlight its HIPAA policy on its site?
Is it clear what safeguards they have in place to protect your data?
Will they encrypt the PHI?
Are the servers where PHI is stored located within the United States? While this is not a HIPAA requirement, it's considered more secure than other nations.
Most importantly, is this cloud service provider aware of the extent of its HIPAA responsibilities?

Cloud service providers are considered Business Associates (BAs) under HIPAA. While BAs might not deal with patients directly, they handle patient data and are required to follow HIPAA legislation. Cloud service providers are considered BAs whether or not they can access the encrypted data, simply because they store it. BAs must complete a Security Risk Analysis (SRA), train staff, maintain up-to-date documentation, and more, like any healthcare practice.

Before working with a BA, it is essential to complete a Business Associate Agreement (BAA). BAAs are legal contracts with BAs that ensure both parties are aware of their responsibilities when handling PHI and define the course of action if a breach occurs. A BA and Covered Entity (or healthcare practice) must complete a BAA before entering a business relationship. Your practice should also avoid working with BAs who do not want to be held legally responsible for handling PHI. Not having a BAA with your cloud storage provider can get you into hot water with HIPAA. In fact, a university was fined nearly 3 million dollars by the Office for Civil Rights (OCR). After a breach of student health data, the OCR discovered that the BA and the college had never signed a BAA.

Storing PHI Compliantly

While choosing the right cloud service provider can take effort, it will significantly benefit your practice. In fact, 83 percent of small healthcare practices surveyed named cloud-based EHR implementations the most meaningful business decisions they had made in the last few years. By doing your due diligence, working alongside your IT team, completing a BAA, and continuing to ensure the proper safeguards are in place, your patients' PHI can be stored safely in the cloud. As your practice adopts more innovative data management methods, your HIPAA compliance should keep pace. With the right compliance software, your practice can easily streamline requirements like the BAA. Meet with an expert today to learn more about HIPAA compliance in your practice.