July 28, 2025 Healthcare’s cybercrime nightmare just got more expensive. With over half a million dollars in fines and the second HIPAA ransomware fine issued this month alone, it’s time to acknowledge the serious threat cybercrimes pose to healthcare. The Office for Civil Rights (OCR) just announced its latest HIPAA fine, following a ransomware attack affecting a surgery center in New York, totalling $250,000 and placing the practice under a two-year Corrective Action Plan (CAP). The two-year period includes constant government monitoring, ensuring the healthcare provider has taken action to mitigate risks and secure Protected Health Information (PHI). Here’s where things get interesting. Upon further inspection, the exact ransomware variant, PYSA, explicitly targets the healthcare industry. Think about it: cybercriminals know the absolute treasure trove of sensitive patient data a healthcare organization holds. As malicious actors know the importance of patient health records, your practice must be extra vigilant when handling PHI. What Happened? In March 2021, an unauthorized actor gained access to the networks of Specialty Surgery Center of Central New York (also known as Syracuse ASC, LLC). The hacker deployed ransomware in the organization’s networks for over two weeks. This ransomware exposed nearly 25,000 patient records, with access to Social Security numbers, addresses, health histories, and more. Syracuse ASC, LLC, notified the OCR of this breach in October 2021, over six months after the initial intrusion. This wait violated the HIPAA Breach Notification Rule. Given the massive breach, the healthcare provider had to notify the OCR, patients, media, and potentially the State Attorney General within 60 days of discovery. Notifying these parties allows patients to take control and explore options for protecting and monitoring their data post-breach. Additionally, it could have expedited the OCR and State officials’ investigations into the extent of the ransomware attack. During the investigation process, the OCR made another startling discovery: no Security Risk Analysis (SRA) was in place. A thorough SRA is required to maintain your practice’s security. By examining existing safeguards, you can identify and address vulnerabilities proactively before they cause problems. This practice learned the hard way about a common HIPAA pitfall: missing an SRA. Due to this, a hacker infiltrated and exploited the vulnerability of an insecure network, leading to a quarter-million-dollar fine. Protecting Your Practice Against Ransomware Hackers have discovered a gold mine with medical records costing upwards of $1000 on the dark web, compared to the average credit card number fetching 25¢. When hackers directly target healthcare practices, your compliance program and safeguards must be in order. Proactive compliance is key to the security of PHI. Your practice can mitigate and minimize ransomware threats by using the right compliance solutions and robust IT assistance. With the right software, it’s easy to streamline pillars of HIPAA compliance, like the SRA, identifying issues early to avoid risking your patients. Meet with our team of experts to learn more about how you can simplify HIPAA compliance for your practice.
Strong Passwords, Secure Patients: Protecting PHI in Healthcare
July 23, 2025 While Password123 might be easy to remember, it might not be the best password. In our current healthcare landscape, intertwined with technology, from EHR systems to patient communication, it’s time to upgrade password security. A strong password and other layers of protection are key to keeping your practice’s logins secure and, ultimately, patient Protected Health Information (PHI). Thorough password management might be the deciding factor in stopping a major breach. Just look at the Change Healthcare debacle. Billions of dollars lost, systems crashed, insurance claims in limbo, and over 100 million patients exposed. At the root of this? Missing multi-factor authentication (MFA). After major breaches caused by poor password management, it’s time to prioritize your passwords and adhere to best practices. Ditch the Default Password Let’s face it. It’s tempting to use passwords everywhere. However, it’s a password security red flag. When it comes to passwords, we recommend at least eight characters with several unique characters, including a number, an uppercase letter, a lowercase letter, and a symbol. This enhanced security makes unauthorized account access more challenging. Also, if one account is compromised, the breach can be more easily contained than if all logins shared the same password. On that note, ensure all staff have their own logins. This isn’t just about stopping password sharing; it’s about giving your practice the power to keep a close eye on who’s accessing Protected Health Information (PHI) and quickly spotting anything out of the ordinary. When in Doubt, Change it Out We also recommend changing passwords at least three times a year, keeping account access current, and making unauthorized users’ access more difficult. Regular password changes help mitigate risk if an older password is exposed in a data breach, and make it harder for hackers to brute-force guess your password. They also ensure that anyone who has lost access to your accounts, such as offboarded staff, cannot continue to access systems. By consistently making password changes a part of your security routine, you create a dynamic defense that significantly reduces the risk of unauthorized access. Your Password’s Best Friend: Multi-factor Authentication On top of having a secure and current password, having MFA enabled on all your accounts is key to keeping PHI safe. Just like peanut butter and jelly, passwords and MFA are a perfect pair. MFA is that crucial next step, providing an extra layer of security that makes a major difference in keeping your information safe. Common MFA examples include a text, a random code generated, or even through an automated call. That extra protection ensures that the person logging in is authorized and authenticated. This extra level of protection ensures that when someone tries to log into your accounts, it’s truly you. It’s all about verifying and authenticating that the person accessing the account is authorized. With MFA enabled, a hacker won’t be able to log in without that unique code sent to your phone, an app, or even your email. This significantly increases the difficulty for unauthorized access, giving you peace of mind that your PHI remains secure. Securing your Compliance Program The sheer volume of tasks can make managing compliance feel like a full-time job, from multi-factor authentication to complex password policies and regular access reviews. While it’s easy to feel overwhelmed, your practice can streamline this with the right solution. Smart software simplifies compliance for your practice by sending out compliance reminders, such as when it’s time to change your password, providing best tips and practices, and automating policies and procedures for your practice. Meet with an expert today to see how you can streamline compliance for your practice.
The Bite of HIPAA: True Stories of Dental HIPAA Fines
July 15, 2025 Running your dental practice comes with its unique set of challenges. You’re wearing multiple hats, and it’s a stressful fashion statement. While OSHA is always on your radar, just from the nature of dentistry, forgetting about HIPAA can be costly. While you think your practice would never be in the hot seat, small dental practices, you’d be mistaken. See how to avoid these common pitfalls in your dental practice, allowing you to continue running it effectively. Time is of the Essence: Right of Access Under the HIPAA Privacy Rule, HIPAA not only defines how Protected Health Information (PHI) needs to be secured but also how it needs to be shared with authorized parties. Right of Access is a part of this rule. This rule requires healthcare providers to deliver requested patient records within 30 days of the patient’s request. Gums Dental Care, a small Maryland dental practice, was fined for violating this HIPAA requirement. The patient initially requested their records in April 2019. The practice did not provide records until May 2022. The patient alerted the Office for Civil Rights, which started a long, overwhelming journey for Gums Dental. The OCR intervened countless times, requiring the practice to provide the patient with their records. The dental practice continued to refuse to provide the patient with records, leading to more legal battles, money, and time wasted. The grand finale? Over three years from the date of the first request, and countless interventions from the OCR, the practice was fined $70,000. Less is More As the saying goes, “If you can’t say anything nice, don’t say anything at all.” This rule applies to all forms of communication and also works to avoid HIPAA violations. While social media brings people together, you must tread a fine line when handling PHI and posting online. One part of this is responding to patient reviews. You cannot confirm or deny that a patient attended your practice, even if the patient is talking positively about their experience there. If you’d like to use someone’s story for marketing materials, like a before-and-after photo of their smile, ensure they sign a consent form. If someone leaves a negative review, you cannot defend your practice by sharing information about the patient. For example, if a patient consistently posts bad reviews but fails to mention that they are always late, you should not call them out publicly online. Instead, address the issue privately and communicate with them securely. Dentists have been fined for social media violations. Dr. U. Phillip Igbinadolor, a dentist in North Carolina, lost his temper after a patient left a negative review on the practice’s Google page. After the dentist posted PHI in response, ridiculing the patient, the patient reported him to the OCR. As a result, the OCR fined the practice $50,000, showing that the price of failing to simply “keep your words to yourself” can be extraordinarily steep. Coming Clean is Key With cybercrimes in healthcare skyrocketing and large data breaches due to ransomware attacks increasing by 264%, having the proper safeguards in place is crucial. While no practice can be completely immune from a breach, the right barriers in place can mitigate risk and minimize impact. However, if your practice is breached, you must notify the OCR and patients quickly. Under the HIPAA Breach Notification Rule, patients must always be notified within 60 days, regardless of the size of the breach. If the breach affects fewer than 500, your practice must inform the OCR within 60 days after the calendar year in which the event occurred. If a breach affects more than 500, the OCR, and depending on the state, the Attorney General, must be notified within 60 days as well. The Indiana Attorney General recently fined Westend Dental, a multi-location dental practice in Indiana, for its response to a ransomware attack. While the breach occurred in October 2020, the practice did not alert the required parties until October 2022, two years after the initial attack. The Attorney General began investigating this attack after a patient complaint, and it was then discovered that the practice attempted to cover up a ransomware attack. The investigation discovered that, in addition to violating the HIPAA Breach Notification Rule, Westend Dental had improper training, unprotected servers, no Security Risk Analysis (SRA), missing policies, and more. The outcome? A $350,000 fine from the Attorney General, highlighting the importance of proactive compliance and properly notifying affected parties after a healthcare breach. How to Protect Your Dental Practice While compliance for your dental practice might feel overwhelming, the right solutions can streamline your compliance program. Smart software solutions can pinpoint vulnerabilities and provide actionable insights to avoid common pitfalls dental practices face. The right compliance software can also provide a comprehensive hub for everything HIPAA-related for your practice, including right of Access training, social media guidelines, and the SRA. Meet with a compliance expert today to learn more about streamlining compliance for your dental practice.
Double Trouble, Major Fine: How Two Breaches Cost Deer Oaks $225,000
July 9, 2025 Handling a HIPAA investigation is stressful enough. Add a ransomware attack in the mix? A HIPAA nightmare. The Office for Civil Rights (OCR) announced its first fine under the latest Director, Paula M. Stannard—a behavioral health organization fined $225,000 and placed under a two-year Corrective Action Plan (CAP). This fine culminated several violations, but at its core, it was the lack of a Security Risk Analysis (SRA). This latest enforcement highlights the OCR’s ongoing heightened enforcement and the importance of a thorough, proactive compliance program before issues occur. What Happened? The behavioral health provider, Deer Oaks, a Texas-based Covered Entity, was first investigated in May 2023 following a patient complaint. It was discovered that following a pilot program for an online patient portal wasn’t properly coded, publicly disclosing 35 patients’ Protected Health Information (PHI). This PHI included sensitive discharge paperwork and medical assessments that were easily accessible online. Unfortunately, this was only the beginning of the investigation for Deer Oaks. The OCR expanded its investigation when the behavioral health provider faced a ransomware attack in August 2023. A malicious actor used a compromised account and held over 170,000 patients’ information for ransom. While there is no confirmation if the provider paid the ransom, improper account security led to this massive breach. With two major HIPAA breaches within three months, the OCR didn’t have to dig deep to find the common thread: the missing SRA. The SRA is a thorough assessment of potential vulnerabilities a practice might face. In this situation, an SRA could have identified the employee portal or account password management as a concern. This would allow the practice to address these issues proactively. From the initial investigation triggered by a patient complaint in May 2023 to the ransomware breach in August, the OCR fined the practice nearly a quarter of a million dollars and mandated two years of government oversight. These costly few months served as a valuable lesson in proactive compliance. Protecting Your Practice A lapse in compliance, no matter how short, can lead to serious consequences. That’s why proactive compliance is essential. Need a wake-up call? Over $7 million in fines have been levied since the beginning of 2025. The OCR has heightened its enforcement, already eclipsing the number of penalties from last year. As the OCR continues enforcing HIPAA legislation, a robust compliance program is vital for your practice’s success. With the right solution, your practice can streamline HIPAA compliance and easily complete requirements, like the SRA, without disrupting your practice’s workflow. Meet with a compliance expert today to learn more about streamlining HIPAA compliance for your practice.
Small Practices, Big Fines: Understanding HIPAA Penalties
July 7, 2025 Did you know that over half of physicians work in small medical practices with 10 or fewer physicians? You likely wear many hats when working in or even running your small practice, from taking care of patients to clerical work, and of course, HIPAA compliance. Although other priorities may push HIPAA compliance to the side, being compliant is essential for the success of your practice. It’s a common misconception that since a practice is small, the Office for Civil Rights (OCR) will not investigate it if an issue occurs. The OCR has fined several small practices recently, with ramped-up enforcement, nearing $10 million within the year’s first half. Here are some of the most recent fines imposed on small medical practices and how your practice can avoid them. The SRA Superpower Comprehensive Neurology, PC, a small neurology practice in New York, was recently fined $25,000 after a ransomware attack exposed the practice’s insufficient protections for securing Protected Health Information (PHI). Specifically, the practice did not have a Security Risk Analysis (SRA). The SRA is an annual assessment of your practice’s administrative, technical, and physical safeguards, reviewing potential vulnerabilities. When handled properly, the SRA allows you to mitigate risks before a situation occurs. While commonly missed, the SRA is the foundation of a successful practice. To combat this, the OCR has recently enacted the Risk Analysis Initiative, which has brought increased scrutiny and led to nearly a million dollars in fines since its implementation late last year. Completing an SRA is paramount to protect your small medical practice from similar initiatives. The SRA is a crucial protective barrier, proactively preventing issues before they escalate into significant problems. For instance, if the practice completed an SRA, they could have seen any technological shortcomings that led to the severity of the ransomware attack. Alert the Press! Vision Upright MRI, a small California healthcare provider focused on medical imaging, was fined $5,000 in May. In addition to missing an SRA following a breach, the small practice from California did not adequately inform patients. As part of the Breach Notification Rule, relevant parties, like impacted patients, the OCR, and, depending on the size of the breach, the media, and more, must all be notified following a breach. Patients can decide how to secure their information by being informed, and the practice should pay for credit monitoring. With over 21,000 patients’ PHI compromised, the practice needed to notify several parties quickly. Regardless of the breach’s size, a practice must inform all affected patients within 60 days of discovery. However, given that this breach affected over 500 patients, the OCR, media, and some states (like California), the state attorney general also required notification within that time frame. Once you have mitigated the situation and understood the full scope, it’s time to alert all necessary parties. If the breach impacts fewer than 500 patients, while patients still need to be notified within 60 days, the practice must notify the OCR within 60 days of the calendar year in which it occurred. Deliver Records Swiftly Gums Dental Care LLC, a small dental practice in Maryland, was fined $70,000 after refusing to provide a patient’s medical records. Under the HIPAA Privacy Rule, patients must receive their medical records within 30 days of request. This requirement, known as the Right of Access, is one of the most common violations. In this situation, Gums Dental Care provided records three years after the initial request. To avoid similar penalties, ensure all staff are trained efficiently to provide patient records. Quickly addressing patient requests prioritizes their needs, secures your practice, and builds patient trust. Simplifying Compliance for Your Small Practice While following the complexities of HIPAA might feel overwhelming, with the right solution, it doesn’t have to be. Intelligent software can streamline compliance for your practice, alleviating the responsibility and freeing time to spend with patients. Smart solutions also encompass HIPAA’s requirements, including the SRA, breach logs, and staff training. Schedule a consultation today to learn more about simplifying compliance for your small practice.
HIPAA for Chiropractors: What You Need to Know
July 3, 2025 In chiropractic healthcare, staying aligned with regulations is key. While some might consider Chiropractic medicine an alternative healthcare option, the Health Insurance Portability and Accountability Act (HIPAA) covers the field. That means your practice must secure all patient data transmitted to and from a chiropractic office. Protected Health Information (PHI) encompasses all personally identifiable data, such as names, birth dates, and treatment details, and must be securely maintained. For chiropractic offices, this commonly includes comprehensive treatment plans and spinal X-rays. For chiropractic offices, no matter the size, HIPAA for chiropractors isn’t just a recommendation—it’s required whenever patient data is involved. What does this mean for your chiropractic practice? With the right barriers, you can continue to adjust patients while ensuring the safety of Protected Health Information (PHI), promoting patient trust and transparency in protecting their data. What’s Required for HIPAA for Chiropractors? While solely a yearly training might be what your practice expects, HIPAA for chiropractors requires a much more comprehensive approach. HIPAA has three pillars: the Security Rule, the Privacy Rule, and the Breach Notification Rule. The Security Rule is focused on the administrative, technical, and physical safeguards your practice must have to secure patient data. Under this rule, your practice must complete a Security Risk Analysis (SRA) annually. The SRA is an extensive review of your current practices in your chiropractic office. Everything must be documented, from how your practice checks in patients to how your staff electronically sends patient data. By reviewing this every year, your practice can identify vulnerabilities before they become compliance issues. While this annual review might seem simple, unfortunately, it is a frequent pitfall for practices. When randomly audited, only 14% of healthcare practices could produce a compliant SRA. A missing SRA is one of the most common reasons for HIPAA fines, with over $150 million levied to healthcare practices across America. Your chiropractic practice must ensure that the proper safeguards are in place and that PHI is shared carefully. That’s where the Privacy Rule comes into play. According to the Privacy Rule, health information should be shared as little as possible and only when absolutely necessary. For instance, while you may want to share patient stories, all health information must stay confidential. This rule also mandates that patients provide their health records to those who request them within 30 days of the initial request. This rule requires thorough training with staff, making sure all are aware of the responsibility they must uphold when handling patient data. Lastly, the Breach Notification Rule establishes a required course of action after a breach. Even with the proper safeguards and minimum health information shared, breaches can happen. If patient data is breached, chiropractors must notify impacted patients within 60 days of discovery, regardless of the size of the breach. Depending on the number of patients impacted, the Office for Civil Rights (OCR) must also be notified. Did you accidentally print out and provide someone else’s information to a patient? This must be reported to the OCR by 60 days after the end of the calendar year. A major ransomware attack exposed the information of over 500 patients? The OCR must be informed within 60 days. This also depends on what state your chiropractic office is in, so make sure to check state law and see if your state attorney general must also be notified. Adjusting Your Compliance Program While this might feel overwhelming for your chiropractic office to handle, your organization can easily achieve compliance with the right compliance solutions. Due to HIPAA’s complexity, smart software solutions can walk your chiropractic practice through every step of the process. Software can easily streamline annual requirements, like the SRA, asking intuitive questions to identify compliance gaps proactively. Other requirements, like training, policies, and procedures, can also be found in a centralized hub. By simplifying compliance, your chiropractic office can commit to what it does best: adjusting patients to improve their well-being and quality of life. Meet with a compliance expert today to learn more about HIPAA for chiropractors.
Protecting Every Layer: HIPAA Essentials for Your Dermatology Practice
July 1, 2025 HIPAA violations are not skin-deep. Dermatology practices, like all healthcare practices, are subject to HIPAA legislation. Common HIPAA violations erode reputation and patient trust, potentially costing your practice significant legal fees and fines. Dermatology practices have unique data, like photos of skin ailments and reports of skin biopsies, which must be securely handled. Sharing a picture of an abnormal mole without proper documentation, even if it looks harmless, is a HIPAA violation. Why? This is because the image includes identifiable health information about your patient. The good news? Frequent HIPAA pitfalls can easily be prevented with the proper safeguards and education. Being aware and implementing the right proactive safeguards secures your practice. Social Media 101 Before-and-after patient photos can be a powerful marketing tool on social media, but mishandling them could attract unwanted attention from the Office for Civil Rights (OCR). It’s totally normal to be proud of the great results you achieve for your patients. However, if you plan to share how your treatment helped a patient publicly, you must have that patient sign a media consent form. This form explicitly grants permission to share their healthcare procedures or results online. Beyond that, your practice must have a well-defined multimedia policy outlining how social media is handled. This ensures your entire staff is equipped and aware of their responsibilities regarding sharing information online, keeping everyone compliant, and protecting patient privacy. It’s also important to regulate your dermatology staff’s communication with patients on social media. While a patient may leave a positive review about how a chemical peel treatment made them look younger, you cannot confirm or deny whether that patient visited your practice. If you want to use a favorable review in your social media marketing, make sure the patient has signed the media consent form. Even a negative review can lead to a HIPAA violation if you’re not careful. While it’s tempting to defend your practice publicly, the cost of a violation far exceeds the initial frustration. For instance, one practice faced a $10,000 fine for disclosing Protected Health Information (PHI) on Yelp. The right move would have been to move the conversation offline and communicate with the patient privately through a secure channel. Staying Ahead: Security Risk Analysis One of the most common fines is missing a vital piece of proactive compliance. The Security Risk Analysis (SRA) is a thorough assessment of all the safeguards your practice has in place to secure PHI. The minimum annual SRA must be completed before and after a HIPAA breach, showcasing your practice is aware of vulnerabilities and documenting how they are addressed. This isn’t an isolated issue; it’s a widespread compliance gap, with only 14% of healthcare practices able to produce a compliant SRA during random audits. The recent case of a dermatology organization that faced an investigation after a substantial ransomware breach. The incomplete SRA discovered during the investigation led to a hefty $250,000 fine for the practice. It’s a common misconception that fines are solely a consequence of ransomware attacks. However, the true underlying reason for a fine is the failure to implement appropriate preventative safeguards. While ransomware attacks and cybercrimes can certainly occur despite even the most robust safeguards, a practice’s preventative and reactive response and ability to mitigate risk swiftly determine whether a fine is levied. Improper Paper Trails The entire lifecycle of PHI, from generation to deletion, needs to be handled securely. This includes properly shredding and disposing of records. Any image of a patient’s skin, old samples, etc., must be disposed of securely. First, records need to be kept for at least six years, but once disposed of, they cannot be traced to patients and must be destroyed entirely. Simply putting records in the trash isn’t going to cut it. In fact, Business Associates can handle data destruction for your practice. A dermatology practice was fined for improper disposal. Empty specimen containers, with PHI on the label, such as patient names, dates of birth, and more, were thrown in unsecured trash. After discovering that this disposal was typical for the dermatology organization for years, the practice was fined over $300,000. How to Avoid Common Dermatology HIPAA Violations The right HIPAA compliance program can avoid these common missteps. Proactive compliance, including thorough training and a maintained SRA, is key to the success of your dermatology practice. While handling your practice’s compliance program might feel overwhelming, compliance solutions can streamline this process. Intelligent software can easily pinpoint and address common violations in a centralized compliance hub. By maintaining control and proactively addressing compliance gaps, your practice can achieve peace of mind. Meet with a compliance expert today to learn more about simplifying HIPAA compliance for your dermatology practice.
Mid-Year Check-Up: Are You Up-to-Date on Healthcare Compliance?
June 26, 2025 Healthcare compliance is an ever-evolving landscape, with new initiatives and updates announced to better protect patients and staff. As the year progresses to its midpoint, it’s crucial to seize this opportunity to stay informed on the latest developments in the field. HIPAA and OSHA both have new significant updates that will directly impact practices. New HIPAA Security Rule Legislation In December 2024, the Office for Civil Rights (OCR) released proposed updates to the HIPAA Security Rule. One of the pillars of the Health Information Portability and Accountability Act, the Security Rule focuses on the safeguards that must be deployed to keep Protected Health Information (PHI) secure. In response to the rise of large breach ransomware attacks, which have nearly tripled in the last several years, the OCR is increasing cybersecurity requirements when handling patient PHI. For instance, under this new legislation, some new requirements include an asset log, network segmentation, and multi-factor authentication. These requirements are all heightened precautions when protecting patient data. Under this new legislation, the vendors your practice works with will also experience increased scrutiny. For example, under this proposed rule, Business Associates (BAs) now must have their compliance practices verified by a cybersecurity expert annually. BAs must also alert Covered Entities within 24 hours after a breach with a contingency plan. These soon-to-be added responsibilities demonstrate the vital role BAs play in protecting patients. The comment period for these updates wrapped up in March, and the OCR is reviewing all 4,000 comments before a final rule is announced. Workplace Violence Prevention Legislation When healthcare workers are five times as likely to experience workplace violence, federal legislation is soon to follow. While Workplace Violence Prevention currently falls under the General Duty Clause of OSHA, or the basic requirement of providing a safe workplace for employees, state-level legislation focused on this continues to go into effect. State legislation regarding this vastly differs. Nearly every state has heightened charges for attacking a healthcare worker, being classified as a felony rather than a misdemeanor. Still, now many are requiring specialized training and reporting requirements specifically addressing violence in healthcare workplaces. For example, California, Texas, and Virginia all have comprehensive healthcare workplace violence plans. California even requires near misses and threats to be logged for the state. While federal legislation has not been released yet, a Notice of Proposed Rulemaking (NPRM) will likely be announced this year. HIPAA Audit Program & Risk Analysis Initiative The OCR has reintroduced the HIPAA Audit Program, randomly selecting HIPAA-regulated entities and reviewing their current HIPAA programs. The last time this program was in effect was in 2017. The last round of audits found that 86% of Covered Entities could not produce a compliant Security Risk Analysis (SRA) when prompted by the OCR. The SRA is a thorough assessment of the safeguards and routines currently in place to secure PHI. Practices frequently overlook the Security Risk Analysis (SRA), yet it’s a primary defense, proactively addressing concerns. In fact, the OCR’s October 2024 Risk Analysis Initiative specifically targets practices that fail to complete an SRA, and this initiative has already resulted in nearly a million dollars in fines. Right of Access Fines Improper patient records release continue to be a common pitfall for practices. Records must be provided to patients within 30 days of a request. With over 50 enforcements of the Right of Access Initiative, millions of dollars have been paid by practices. This easily preventable fine highlights the significant impact of patient complaints (the leading cause for investigations) and the OCR’s diligence in addressing Right of Access violations. Getting Prepared for the Rest of the Year While it feels like new initiatives are frequently being announced by the OCR, it is your practice’s responsibility to implement new updates. With the right HIPAA compliance program, smart software can ensure your practice will always be prepared, with new legislation instantly updating in the software. To learn more about what’s next in HIPAA, watch our latest webinar regarding current events in HIPAA here.
OSHA’s Rapid Response: Why Every Practice Needs a Safety Culture
June 19, 2025 The success of your practice hinges on the safety of your staff. When staff feel unsafe, OSHA quickly demonstrates its commitment to staff protection. A recent healthcare OSHA fine highlights how efficiently OSHA complaints are handled. Opulent Pediatrics faced expedited penalties following a staff complaint, just months after the initial complaint. From the case opening in March to its resolution in June, OSHA underscored the severity and importance it places on staff complaints. Complaints are also the most common way HIPAA investigations are initiated. This rapid response showcases the need for practices to provide a safe work environment and foster a culture of compliance, empowering staff members to communicate needs and concerns. What Happened? In March 2025, a staff member of Opulent Pediatrics sent a formal complaint to OSHA due to unsafe working conditions. The Roanoke regional office investigated the pediatric practice unannounced, not providing time for the practice to address any concerns. Following their investigation, it was discovered that the practice violated several safety requirements, such as bloodborne pathogen safety, improper medical services, or missing first aid unavailable to staff, improper handling of wiring and equipment, and insufficient hazard communication documentation. After the investigation, by April, OSHA noted seven citations and issued an initial penalty of over $14,000. It’s inferred that the practice was willing and cooperative, with the final fine totalling over $2,000 by the abatement date in May. Protecting Staff in Healthcare While Opulent Pediatrics dodged a more significant fine, this enforcement action demonstrates OSHA’s swift investigative response to complaints. From the initial investigation to its conclusion, the case only took three months. OSHA can and will investigate without notice, so ensure your OSHA program documentation is readily available. With the right tools, ensuring staff safety can be simplified. In this case, training and proper documentation could have avoided these fines. Consider how an intelligent OSHA software solution centralizes training, such as for bloodborne pathogens, hazard communication, and all other OSHA documentation, making it easily accessible to every staff member within a compliance hub. Moreover, by prioritizing safety in your practice, staff can feel empowered to communicate concerns. To learn more about streamlining OSHA compliance in your healthcare practice, schedule a consultation with an expert today.
OSHA in Dermatology: Best Practices to Achieve Compliance
June 12, 2025 While working in a dermatology office might have you focused on taking care of your patients’ skin, your health should be the first priority. It’s easy to incorrectly assume a dermatology office is a relatively “safe” healthcare environment. After all, we’re not typically dealing with the same acute emergencies as an ER. Dermatology presents many challenges when working with patients, such as lasers, sharp instruments, chemicals, potential exposure to bloodborne pathogens, and more. With these unique challenges, your practice must be aware of the safeguards the Occupational Safety and Health Administration (OSHA) requires. More than Skin Deep: Facility Risk Assessment An annual Facility Risk Assessment (FRA) is the foundation of your OSHA compliance program. The FRA is a thorough assessment of the healthcare hazards your practice might face. This assessment spans from your staff is trained, to unique equipment you might use, how situations are prevented, and even how management handles workplace safety. Since this is an annual requirement, this assessment must be kept current. If your practice introduces anything new that might heighten risk, this needs to be documented. For instance, if your practice begins offering laser treatments, this must be mentioned in the FRA and also staff must be trained on how to use it safely. By reviewing and addressing potential vulnerabilities in your practice, you can mitigate risks and ultimately keep patients safe. Personal Protective Equipment (PPE) in Dermatology: Your First Line of Defense While you advise patients on sun protection, remember that your staff’s skin needs protection, too. Always ensure that it remains covered with Personal Protective Equipment (PPE). PPE, like gloves and masks, are essential barriers that keep your team safe. Your practice must supply this PPE and provide comprehensive training on how to use it correctly. For instance, when a staff member is with a patient, a new set of gloves is always required. From putting them on to how they must be disposed of, these are all critical ways to keep staff members safe. Depending on the treatment, your staff may also need eye protection. As a result, it’s essential to review all available forms of PPE with staff before they start working with patients. Dermatology Laser Safety When it comes to lasers in your dermatology practice, preparation is paramount. It’s not enough to just have the equipment; you need to ensure every team member is properly trained and fully aware of the risks associated with these powerful devices. Once again, proper PPE is vital, such as eyewear and gloves. Additionally, the room where the laser is being used must adhere to safety guidelines, including not having any reflective surfaces for the laser to shine off. Your practice should designate a Laser Safety Officer to oversee and enforce compliance. This staff member is likely already your OSHA Safety Officer, or OSO. This Laser Safety Officer needs to ensure staff is routinely trained on lasers, especially if new equipment is being used. For staff safety, the laser device must be off when not in use. While laser treatments offer dermatologists innovative possibilities, proper staff training always remains crucial. Keeping Your Dermatology Practice Safe Ensuring the safety of your dermatology practice is not just about compliance; it’s about fostering a secure environment for both your dedicated staff and your valued patients. Your practice can proactively address potential hazards by diligently conducting annual facility risk assessments, consistently utilizing appropriate personal protective equipment, and prioritizing comprehensive training. With the right solution, your practice can streamline these requirements. Smart software can utilize the answers from your FRA and provide thorough policies and procedures and recommended training. A safe practice is a successful practice. To see how you can streamline compliance for your practice, schedule a meeting with a compliance expert today.