Abyde News

Business Associate Ransomware Fine
Abyde News, Fines, HIPAA

Ransomware Reality Check: Business Associate Pays Big HIPAA Fine

June 2, 2025 No comments yet

6/2/2025   Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities?  Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons.  A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities.   This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA.    What Happened? In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data.  While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years.  This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative.    Streamlining the SRA with Software When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI.  With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI.  To learn more about how your organization can easily complete the SRA, meet with a compliance expert today. 

Abyde Updates 2024-2025
Abyde News

Ahead of the Curve: Abyde’s Latest Updates Keep You Covered

May 29, 2025 No comments yet

May 29, 2025   It’s been a pivotal year for healthcare compliance. The largest ever healthcare data breach occurred at the beginning of 2024, and now the HHS Office for Civil Rights is reviewing and soon implementing new HIPAA legislation.  Don’t worry; as an Abyde customer, we’ve got you covered. Our cloud-based software is rapidly updated with features to address the latest legislation.  To help you keep up with all the compliance changes, Abyde is committed to providing an adaptable software platform to maintain compliance within an ever-changing regulatory environment. We’ve compiled a quick rundown of the most significant Abyde updates from the past year. These updates assist your practice in automating, simplifying, and streamlining compliance.    Business Associate Accountability Abyde expanded our ecosystem with a new product, HIPAA for Business Associates, to serve the vendors of Covered Entities. Even if they don’t directly care for patients, they still play an essential role in keeping that information safe.  Like your Abyde experience, Business Associates (BAs) now have a centralized hub for HIPAA responsibilities. With the Abyde for Business Associates solution, your BAs can take control of their compliance program. Your practice can also have peace of mind that the businesses you work with take compliance seriously.  We’ve also made it easier to manage Business Associate Agreements (BAAs) within our Covered Entities software. Now, BAAs are dynamically updated to be location-specific. BAs can be assigned to one or more locations within multi-location accounts. This helps everyone stay accurate and accountable when handling PHI.  Additionally, when completing your Security Risk Analysis (SRA), your BAs can now assist in answering questions with the new SRA Contributor feature. With the SRA Contributor, BAs or fellow staff can help answer questions you may be unsure of, allowing your practice to receive and review answers while completing the SRA. This enables your BA to provide support with technical questions and permits your practice to complete the SRA more quickly and accurately.  Staying Ahead of the Latest Legislation  Abyde is committed to proactively updating our software to maintain your practice’s compliance with evolving healthcare regulations.  We’ve kept this commitment with our Compliance Task Force team, a team of our experts dedicated to thoroughly addressing new legislation. Our Compliance Task Force reviews and researches new legislation in advance, ensuring Abyde’s software remains compliant with the latest laws.  One example is recent legislation on workplace violence. As healthcare staff is five times as likely to experience workplace violence compared to other workers, federal OSHA legislation is incoming. Abyde quickly updated its platform to reflect Cal/OSHA’s new Workplace Violence Prevention legislation, which requires substantial changes to compliance programs, such as new logs and training. Because Cal/OSHA’s rules frequently become federal standards, Abyde users gain the advantage of early compliance, ensuring they’re ready for future national mandates. In addition, we provided a webinar about these new requirements, ensuring all were aware of their responsibilities.  Another major recent legislative change was introducing a reproductive healthcare attestation form. Initiated by the Biden administration, reproductive healthcare is handled separately, requiring additional paperwork to share PHI. While this update has been contested, practices are prepared with the additional paperwork in the Forms section of the Policies & Procedures module. Abyde software is tailored to federal and state laws. For example, we recently adjusted the New York Breach Notification Policy based on recent state regulations.  Overall, Abyde’s software is equipped to deliver necessary updates promptly in response to new legislation. With new incoming legislation, like the updated Security Rule, it’s vital to use software that makes change easy.    Training Tailored to Your Schedule We understand your time is valuable, so we’ve made managing your team’s HIPAA training easier than ever.  Abyde’s training overhaul in the HIPAA solutions allows HCOs to schedule training. Training for the entire subscription year is now available up front, allowing HCOs to schedule it at their earliest convenience. If you prefer Abyde’s automated scheduling, worry not! The original cadence remains in place as a default.  The new updates, tailored to your practice, also allow for training to be resent. For example, after a breach, reviewing training is key, as is ensuring staff are retrained on best practices to mitigate future risk.  New training has also been revolutionized into three bite-sized pieces, making it more palatable for viewers to retain the information. The update also included structuring insights into three tabs in the training section in both HIPAA solutions to organize the videos easily. Abyde’s streamlined and simplified training process provides flexibility for your practice, empowering your team to create a training schedule that fits your availability.    Reduce Risk for Your Practice Your practice was likely affected by the Change Healthcare Breach in the past year. This massive breach was a wake-up call for everyone in the healthcare industry. The fundamental security oversight was the absence of multi-factor authentication.  As a result of this discovery, Abyde implemented MFA to access our solutions, following best practices. Now, a unique code will be sent when attempting to log into Abyde’s software.  While this update might add a few seconds to your login routine, this extra layer of protection keeps your account secure. It also serves as a great reminder to review passwords and add MFA when possible. This additional cybersecurity measure will also likely become required as part of the new Security Rule updates.    Making Abyde Even Easier If you ever need a quick refresher on the Abyde HIPAA for Covered Entities solution, we’ve recently implemented in-app explainer videos.  These videos can be found throughout the software, providing a short video on each module. Get the answers you need instantly, right where you need them. These short clips ensure everyone feels confident navigating the solution, which means less time searching and more time focused on patient care. And remember, if you ever need any compliance assistance, the subscription includes access to our compliance experts.    Abyde Updates – Protecting your Practice  It’s been a busy year for HIPAA, with legislation updates,

BayCare HIPAA Fine
Abyde News, Fines, HIPAA

BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access

May 29, 2025 No comments yet

May 29, 2025   A successful practice is built upon a strong foundation of well-trained and aware staff.  Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine.  Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”   What Happened? In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well.  This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later.  After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access.  This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.  Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose.  Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review.  While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences.    Training and Monitoring Staff with Abyde Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error.  Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI.  With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice. 

Small Healthcare Practice HIPAA Fine
Abyde News, Fines, HIPAA

Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers

May 19, 2025 No comments yet

May 19, 2025   HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized.  The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes:  “Cybersecurity threats affect large and small covered healthcare providers.”  Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR.  This fine showcases that no practice, big or small, must be followed to keep patient data safe.     What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation.  The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data.  The SRA is critical for a compliant practice and should be completed annually and after any breaches.  While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document.  In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule.  The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring.    Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR.  Meet with an expert today to learn how to automate your compliance program.   

OSHA in Dentistry
Abyde News, Best Practices, OSHA

A Dentist’s Guide to OSHA Compliance

May 15, 2025 No comments yet

May 15, 2025   On a global scale, more than 2 million healthcare workers experience needle-stick injuries on an annual basis. Dentists are at the most at risk, with 59% of dentists studied experiencing needle stick injuries.  Dentists are particularly susceptible to OSHA violations due to the daily use of sharps and the increased possible exposure to bloodborne pathogens and saliva when working in patients’ mouths. Protecting your dental team through safety and compliance isn’t just a good idea—it’s essential. Here’s a clear look at the standard preventive measures for OSHA in dentistry.    First Line of Defense: Training There are numerous safety precautions to keep staff safe, but the first layer of protection is proper training and procedures. Before working with patients, staff must be thoroughly trained on the possible risks and mitigation techniques. Staff must also be provided a walk-through of the practice, assuring they know where all emergency equipment and exits are located.  Training programs must review all possible risks, like sharps, bloodborne pathogens, radiation, etc. Videos and training materials must be easily accessible for staff to review. All relevant policies outlining compliant procedures for various situations must also be accessible to all staff members. Training is the foundation of a compliant practice, and with proper OSHA in dentistry training, your staff can feel confident handling any situation.    Always Wear Personal Protective Equipment  While it might not always be the most fashionable decision, wearing Personal Protective Equipment (PPE) is imperative to keep staff safe.  It is key that staff always wear PPE when working with patients. PPE can be defined as gloves, masks, gowns, face shields, and more. By wearing PPE, your staff have a barrier when working with patients, minimizing the risks of exposure.  PPE must be provided to staff free of charge, cultivating a safe environment. Staff must also be appropriately trained to use PPE when working with patients, ensuring all know the necessary steps to protect themselves. PPE minimizes exposure to risks by limiting contact with patients, and is a staple for a safe healthcare practice.    Stay Sharp: Handling Needles Carefully  Dentists are well aware of the risks associated with working with needles, scalers, and other sharps.  Use sharps carefully and utilize devices with safety features when working with sharps. Many sharps have preventative measures, like retractable needles after use, self-sheathing blades, and reinforced containers for sharps.  When using sharps, ensure your staff wear gloves and other applicable PPE. Sharps handling, from initial use on a patient to disposal, requires strict adherence to safety protocols to minimize the risk of accidental sticks and the transmission of bloodborne pathogens.   Bloodborne Pathogens 101  Working in healthcare, especially dentistry, puts staff at risk for exposure to bloodborne pathogens. Bloodborne pathogens are microorganisms that cause disease, like hepatitis B, C, and HIV. The World Health Organization states that 3 million healthcare workers are exposed to bloodborne diseases through skin puncture injuries each year. With PPE and appropriate sharps equipment, your staff is already significantly mitigating risk.  However, if a sharp needle or blade pricks a staff member, it is essential to receive First Aid to protect the wound immediately. The staff member should have their blood tested as soon as possible. Depending on the situation, time is of the essence after a sharps incident. Some diseases, like HIV, can be prevented within 3 days of exposure.  While it can be overwhelming, staff must stay calm and follow the proper procedures after an incident, with most sharps incidents not resulting in an infection.    Simplifying OSHA Compliance As you can see, handling OSHA compliance in dentistry can be daunting. With the correct compliance program to address numerous risks, your dental staff can feel secure and concentrate on delivering excellent patient care. Intelligent OSHA software offers automatically generated policies, required forms, and training resources in a centralized compliance hub, providing a documented compliance program for your team. Meet with a compliance expert today to learn more about how you can streamline your OSHA compliance program. 

PIH HIPAA Phishing Fine
Abyde News, Fines, HIPAA

Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach

April 24, 2025 No comments yet

4.24.25 As we head into the middle of the year, it’s safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties being announced weekly.  The latest fine showcases that the OCR can and will investigate breaches no matter your organization’s size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprised of over a hundred health practices throughout the state.  PIH’s HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization due to a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes.  What Happened?  In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk.  While the phishing attempt occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020.  When a breach impacts over 500 patients, time is of the essence. Parties must be notified within 60 days of the breach, including widespread press releases for the media.  More issues were brought to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs.  This is at the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place.  Overall, this successful phishing attempt revealed inadequacies and several HIPAA violations. In addition, the organization’s failure to notify the OCR and patients promptly also contributed to the severity of the fine. Protecting Patient Data The healthcare industry’s sensitive data makes it the prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training to avoid suspicious emails and, in general, risk mitigation techniques.  Healthcare practices must always address the breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach’s impact and understand how to monitor their data. No matter the organization’s size, using smart software can help simplify compliance, avoid significant fines, and reduce patient data risk. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to secure patient Protected Health Information (PHI).  To learn more about how your practice can streamline common HIPAA violations, schedule a meeting with a compliance expert today.

Risk Analysis Initiative HIPAA Fine
Abyde News, Fines, HIPAA

Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis

April 17, 2025 No comments yet

April 17, 2025 Let’s make this clear: The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is the proactive assessment of your practices’ physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity protocols, like firewalls, antivirus software, encryption, and other security measures. Lastly, the administrative safeguards are your practice’s actions, such as using visitor IDs, maintaining a sign-in sheet, or even posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement. This focus has remained consistent even during administration transitions. Said best by OCR Acting Director Anthony Archeval, “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”   What Happened?  Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging clinical services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients’ Protected Health Information (PHI). The breach, which occurred from April 2019 to January 2020, was caused by unauthorized individuals accessing radiology images of patients due to a compromised server. When the OCR began investigating the practice in March 2020, it was discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP).   Completing an SRA NERAD’s HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, addressing problems before patients’ information is at risk is much easier. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA mandates practices to analyze and review existing procedures thoroughly, this process doesn’t need to be overwhelming or costly. With smart solutions, your practice can answer simple questions about your practice while the software intuitively builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.

HIPAA Audit Program
Abyde News, Audits, HIPAA

The HIPAA Audit Wake-Up Call: Is Your Practice Compliant?

April 10, 2025 No comments yet

April 10, 2025   The HIPAA Audit program is back in business.  Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) has been able to audit practices, ensuring they follow HIPAA standards.  While the revival of the audit program was announced last May, new information was confirmed at the latest HIPAA Summit, with 50 Covered Entities and Business Associates being selected to be audited. This program was last active from 2016-2017, which highlighted that, unfortunately, noncompliance with HIPAA is far too common in regulated entities. In fact, only 14% of Covered Entities, like medical practices, could produce a compliant Security Risk Analysis (SRA).  The healthcare industry is entering a new era of HIPAA compliance in the wake of the largest ever healthcare data breach. New HIPAA legislation is being reviewed and the Office of the Inspector General (OIG) is recommending stricter audit processes. With millions in fines already imposed in 2025, proactive preparation is now critical for healthcare providers and their business partners.   What is the Audit Program?  The audit program was first introduced when the HITECH Act was enacted in 2009. While the majority of the investigations the OCR conducts are reactive, resulting after a patient complaint or a breach, the audit program is random.  The OCR will thoroughly review the selected organization’s documentation and current processes as the audit program resumes. A compliant HIPAA program entails much more than training; it also requires comprehensive, continuous protocols to ensure patient data is being protected.  The basis of a compliant practice is being able to present an SRA. As stated earlier, previous audit programs spotlighted the shortcomings of regulated entities completing this.  The SRA is a thorough assessment of your practice. This includes reviewing the safeguards your practice currently has in place. Technical, physical, and administrative safeguards all play a role in securing Protected Health Information (PHI).  This would include a deep dive into the technology your practice uses, the physical protections your practice might have (like alarms), and the administrative policies your practice follows.  Completing this analysis will allow your practice to identify vulnerabilities before a breach occurs. Proactive compliance, addressing issues before they affect patients, is key to a successful practice.  In addition to providing an SRA, practices must also prove compliance with other pillars of HIPAA compliance, such as the Right of Access (or sending requested medical records to practices in a timely manner), the Breach Notification Rule, the Privacy Rule, and more.  After the rise in ransomware attacks in recent years, with a nearly 300% increase in ransomware-related breaches, regulated entities’ cybersecurity practices will likely be scrutinized, ensuring that those audited are aware of their technology responsibilities.    What can I do?  Your practice must be aware of HIPAA and implement the appropriate safeguards to be prepared for the possibility of an audit. While this can be a daunting task, it is imperative for your practice to follow HIPAA compliance before a situation occurs. Thankfully, smart software can streamline and simplify HIPAA for your practice, providing a roadmap to compliance. With the right solution, your practice can see exactly what the OCR requires, which will be asked for if ever audited.  To learn more about becoming audit-ready, schedule an educational consultation with our team of experts.

HIPAA Compliant Communication
Abyde News, Best Practices, HIPAA

Navigating HIPAA in the Digital Age: Patient Communication Essentials

April 2, 2025 No comments yet

April 2, 2025   When 80% of patients prefer digital communication, exploring this opportunity to better serve your patients is crucial. In the digital world, it’s easier than ever to connect with others and build relationships with others through technology. Connecting with patients via technology is simple, but practices must ensure that all communication, including emails, texts, and calls, adheres to HIPAA regulations.   What is HIPAA-Compliant Communication? HIPAA, or the Health Insurance Portability and Accountability Act, is focused on ensuring the security of patients’ Protected Health Information (PHI). PHI includes anything personally identifiable about a patient, including Social Security Numbers, full names, addresses, medical history, and more.  When communicating with a patient, it’s vital to implement the proper protocols to keep patient data safe. When patient data isn’t secured through traditional channels, using a regular phone doesn’t cut it. For instance, channels need to be encrypted, providing extra layers of protection.  Additionally, it’s important to communicate with patients using the minimum amount of information necessary for a conversation. For example, if a patient texts asking to reschedule an appointment, a practice should offer new times and not go in-depth about a patient’s medical history. Communication should remain brief and focus on justifiable reasons to talk to a patient, like scheduling, post-op instructions, and test results.  Patients need to consent to different forms of communication, like texts. The practice is responsible for receiving consent when a patient begins seeing a practice.    How can I Implement HIPAA-Compliant Communication?  An encrypted communication service is the easiest way to ensure secure communication channels. As communication with patients has become normalized in the healthcare industry, numerous organizations offer HIPAA-compliant communication systems. These systems include compliant and encrypted end-to-end phone calls, texts, and emails. Ensure these companies also do their due diligence and sign a Business Associate Agreement (BAA) with your communications provider.  Once a suitable communication system is in place, training staff on communicating effectively and safely with patients electronically is crucial. Staff should be well-versed in the proper procedures for digital patient communication. This includes understanding the Minimum Necessary standard, carefully reviewing messages before sending them to patients (especially to ensure information is being sent to the correct patient), and recognizing phishing scams to verify the authenticity of communications before responding.   What’s Next? Communicating with patients leads to a more successful practice, with higher attendance rates and more engaged patients. Digital communication is the future, and with the right tools, you can easily navigate HIPAA-compliant communication.  In addition to using digital communication systems, implementing a smart software solution is key to a compliant practice. A centralized compliance hub allows you to easily see your vulnerabilities and organize vital documentation, like BAAs with third-party vendors you may use.  Looking to learn more about how you can make your practice more efficient while still following rigorous HIPAA laws? Schedule a meeting with a compliance expert today. 

Business Associate Risk Analysis Initiative Fine
Abyde News, Business Associates, Fines, HIPAA

Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine

March 27, 2025 No comments yet

March 27, 2025   With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI).  The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide.  After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP).  At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities.  This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement.  This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement.    What Happened?  In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue.  Four breach reports describing this incident were filed from the end of 2018 into early 2019.  This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024.  The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities.  As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.    How to Protect Your Organization  When working with PHI, all involved parties must know their responsibilities.  For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities.  Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.

How does AI impact your practice? Join our next webinar to learn the latest.

REGISTER NOW
X

Are you ready for an audit? Use our new HIPAA Audit Checklist to get prepared.

DOWNLOAD NOW
X