HIPAA

HIPAA for Dermatology
Abyde News, HIPAA

Dermatology’s Hidden Layer: Unpacking HIPAA Compliance

June 5, 2025 No comments yet

June 5, 2025   When ensuring your patients have clear, healthy skin, you might not realize the thorough administrative requirements your practice needs to follow.  HIPAA, or the Health Insurance Portability and Accountability Act, must be upheld by all Healthcare providers and their Business Associates (BAs) who handle and transmit Protected Health Information (PHI). PHI is sensitive information about a patient, such as their Social Security Number, birthdate, medical records, and more. If PHI ends up in the wrong hands, the information could easily be misused, making healthcare a prime target for hackers.  For dermatologists, every piece of information related to a patient’s skin condition – from their name and date of birth to their diagnosis, treatment plan, and even before-and-after photos – falls under HIPAA’s umbrella. Following HIPAA laws doesn’t just protect your practice from fines – it also keeps your patients safe and builds trust.  What is Required for Dermatologists? There’s a lot more required than just yearly training.  Dermatologists must follow the three HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule to be HIPAA compliant.  The Privacy Rule dictates how PHI can be shared, specifically the minimum amount of information necessary to handle transactions. Information should only be shared with staff who actually need access to it. Staff access to PHI must be monitored and removed when staff leave the practice. The Privacy Rule also details patients’ Right of Access, requiring practices to provide health records to a patient within 30 days.  The Security Rule focuses on the technical, physical, and administrative safeguards that must be in place in your dermatology practice and includes the required Security Risk Analysis (SRA).  The SRA is an extensive annual review of your practice’s protective barriers in case a situation were to occur. SRA questions include information about physical alarms and locks your practice might have, and how email is handled in your practice. By addressing any vulnerabilities before a breach occurs, your practice can more easily mitigate risk.  Leaving this document incomplete can have severe consequences. For instance, a dermatology organization without a compliant SRA was fined $250,000 following a breach. The Office for Civil Rights (OCR), which enforces HIPAA, also enacted the Risk Analysis Initiative. This new initiative focuses on and fines practices missing an SRA after being alerted of a breach.  In addition to the SRA, dermatologists must complete Disaster Recovery Plans for their practices. The Disaster Recovery Plan builds a contingency plan in case a natural or man-made disaster, such as flooding or a cyber-attack, occurs.  These documents lead to the policies and procedures your practice must have that are easily accessible to staff. With policies and procedures, everyone in your practice will know what is expected and unacceptable in your organization, mitigating risk and providing a guide for every situation. In addition to this, training is also required under the rule for all new employees and yearly.  Expect an update to the Security Rule soon, and you can find the new details here.  The last rule of HIPAA is the Breach Notification Rule. This rule is observed after a breach, ensuring that all involved parties are properly informed following a breach of PHI.  After a breach of any size, affected individuals must be notified within 60 days of the breach’s discovery. If it is a small breach, the OCR must also be informed by the end of the year.  However, the breach is considered large if more than 500 patients are affected. For large breaches, while patients must be notified within 60 days, the OCR also does. The media must also be notified, with a press release going out. Depending on the state, the Attorney General must be made aware of this, too, so it is vital to review state law as well when facing a breach.  Streamlining Compliance in Your Dermatology Practice Given the ever-changing nature of the HIPAA landscape, the brief overview of requirements provided here is just a starting point. While it might feel overwhelming, it’s critical to maintain a compliant dermatology practice.  There are options to simplify HIPAA compliance. Smart software can efficiently assist in compliance management. The pillars of HIPAA compliance, such as the SRA, Disaster Recovery Plan, training, documentation, and more, can all be resolved with the right software platform. By using a smart solution, you can proactively pinpoint gaps and stay on top of your compliance management, freeing you up to focus on caring for patients’ skin.  To see how your dermatology practice can streamline HIPAA for your practice, meet with a compliance expert today.

Abyde News, HIPAA

Introducing SRA Contributor: Master Your HIPAA Risk Analysis

June 3, 2025 No comments yet

June 3, 2025 Have you ever been stumped by a HIPAA Security Risk Analysis (SRA) question because you didn’t know the answer? Even the most seasoned HIPAA Compliance Officers encounter administrative and technical security questions outside their area of expertise, and that’s completely normal. Remember, you’re not expected to have all the answers. So, how are you supposed to get the right answers for the questions you don’t know from those who do? Abyde’s latest update, SRA Contributor, helps you get the necessary answers. This feature allows you to send questions internally to other Abyde users (at your practice) or externally to trusted contacts of your Business Associates (BAs), allowing you to complete your SRA confidently.  The Users section has now been updated to include both Users and Contributors. Once in this section, click the SRA Contributor tab to add external individuals, such as your IT partner, who can assist in answering SRA questions.   Then, complete the SRA. We encourage users to mark uncertain questions with ‘Don’t Know’. Once the SRA is complete, Abyde users can access the SRA Contributor feature from their Scorecard module and securely send any questions as needed. Hit the Abyde Flag icon to the right of any question on your Scorecard to activate the SRA Contributor pop-up and select your Contributors. As a reminder, you can add a note to any question for your Contributors.   Once flagged, the question(s) are batched and ready to be sent. Abyde recommends reviewing any and all questions for Contributors and sending them in one batch to reduce the number of emails. After all questions are flagged, send them together by hitting the send icon on the Contributor line below the question or from the global SEND button at the top of the Scorecard module.  Once sent, your SRA Contributors (and other Abyde users) will receive an email to the secure SRA Contributor Portal. The Contributor Portal includes all flagged questions. Your Contributors can answer your questions, add notes, and send their responses to you once they complete the portal.  From there, you will receive an email notification that your question has been answered and is ready for review. Then, you can either reject or approve an SRA Contributor’s answers. If approved, their answer and note (if present) replace your initial response on the SRA. If rejected, you can send the question again to other contributors or manually change the answer yourself. SRA Contributors’ answers and Contributor Portal links (if they never answered the question) can also be deleted from the Scorecard by clicking the Trash Can icon.  Why This Matters A thorough and accurate Security Risk Analysis (SRA) is paramount for safeguarding patient data and ensuring compliance. It is the foundation of a compliant practice.  The SRA Contributor enables you to complete the SRA more efficiently and confidently, enhancing collaboration with your business associates and other Contributors who manage the more technical aspects of your practice.  This ensures that the required SRA is completed accurately and thoroughly, giving you confidence in the integrity and completeness of your answers.  To learn more, contact our support team at support@abyde.com, or call 1.877.816.1620. 

Business Associate Ransomware Fine
Abyde News, Fines, HIPAA

Ransomware Reality Check: Business Associate Pays Big HIPAA Fine

June 2, 2025 No comments yet

6/2/2025   Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities?  Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons.  A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities.   This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA.    What Happened? In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data.  While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years.  This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative.    Streamlining the SRA with Software When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI.  With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI.  To learn more about how your organization can easily complete the SRA, meet with a compliance expert today. 

BayCare HIPAA Fine
Abyde News, Fines, HIPAA

BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access

May 29, 2025 No comments yet

May 29, 2025   A successful practice is built upon a strong foundation of well-trained and aware staff.  Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine.  Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”   What Happened? In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well.  This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later.  After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access.  This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.  Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose.  Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review.  While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences.    Training and Monitoring Staff with Abyde Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error.  Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI.  With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice. 

Small Healthcare Practice HIPAA Fine
Abyde News, Fines, HIPAA

Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers

May 19, 2025 No comments yet

May 19, 2025   HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized.  The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes:  “Cybersecurity threats affect large and small covered healthcare providers.”  Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR.  This fine showcases that no practice, big or small, must be followed to keep patient data safe.     What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation.  The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data.  The SRA is critical for a compliant practice and should be completed annually and after any breaches.  While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document.  In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule.  The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring.    Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR.  Meet with an expert today to learn how to automate your compliance program.   

PIH HIPAA Phishing Fine
Abyde News, Fines, HIPAA

Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach

April 24, 2025 No comments yet

4.24.25 As we head into the middle of the year, it’s safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties being announced weekly.  The latest fine showcases that the OCR can and will investigate breaches no matter your organization’s size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprised of over a hundred health practices throughout the state.  PIH’s HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization due to a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes.  What Happened?  In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk.  While the phishing attempt occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020.  When a breach impacts over 500 patients, time is of the essence. Parties must be notified within 60 days of the breach, including widespread press releases for the media.  More issues were brought to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs.  This is at the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place.  Overall, this successful phishing attempt revealed inadequacies and several HIPAA violations. In addition, the organization’s failure to notify the OCR and patients promptly also contributed to the severity of the fine. Protecting Patient Data The healthcare industry’s sensitive data makes it the prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training to avoid suspicious emails and, in general, risk mitigation techniques.  Healthcare practices must always address the breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach’s impact and understand how to monitor their data. No matter the organization’s size, using smart software can help simplify compliance, avoid significant fines, and reduce patient data risk. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to secure patient Protected Health Information (PHI).  To learn more about how your practice can streamline common HIPAA violations, schedule a meeting with a compliance expert today.

Risk Analysis Initiative HIPAA Fine
Abyde News, Fines, HIPAA

Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis

April 17, 2025 No comments yet

April 17, 2025 Let’s make this clear: The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is the proactive assessment of your practices’ physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity protocols, like firewalls, antivirus software, encryption, and other security measures. Lastly, the administrative safeguards are your practice’s actions, such as using visitor IDs, maintaining a sign-in sheet, or even posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement. This focus has remained consistent even during administration transitions. Said best by OCR Acting Director Anthony Archeval, “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”   What Happened?  Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging clinical services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients’ Protected Health Information (PHI). The breach, which occurred from April 2019 to January 2020, was caused by unauthorized individuals accessing radiology images of patients due to a compromised server. When the OCR began investigating the practice in March 2020, it was discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP).   Completing an SRA NERAD’s HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, addressing problems before patients’ information is at risk is much easier. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA mandates practices to analyze and review existing procedures thoroughly, this process doesn’t need to be overwhelming or costly. With smart solutions, your practice can answer simple questions about your practice while the software intuitively builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.

HIPAA Audit Program
Abyde News, Audits, HIPAA

The HIPAA Audit Wake-Up Call: Is Your Practice Compliant?

April 10, 2025 No comments yet

April 10, 2025   The HIPAA Audit program is back in business.  Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) has been able to audit practices, ensuring they follow HIPAA standards.  While the revival of the audit program was announced last May, new information was confirmed at the latest HIPAA Summit, with 50 Covered Entities and Business Associates being selected to be audited. This program was last active from 2016-2017, which highlighted that, unfortunately, noncompliance with HIPAA is far too common in regulated entities. In fact, only 14% of Covered Entities, like medical practices, could produce a compliant Security Risk Analysis (SRA).  The healthcare industry is entering a new era of HIPAA compliance in the wake of the largest ever healthcare data breach. New HIPAA legislation is being reviewed and the Office of the Inspector General (OIG) is recommending stricter audit processes. With millions in fines already imposed in 2025, proactive preparation is now critical for healthcare providers and their business partners.   What is the Audit Program?  The audit program was first introduced when the HITECH Act was enacted in 2009. While the majority of the investigations the OCR conducts are reactive, resulting after a patient complaint or a breach, the audit program is random.  The OCR will thoroughly review the selected organization’s documentation and current processes as the audit program resumes. A compliant HIPAA program entails much more than training; it also requires comprehensive, continuous protocols to ensure patient data is being protected.  The basis of a compliant practice is being able to present an SRA. As stated earlier, previous audit programs spotlighted the shortcomings of regulated entities completing this.  The SRA is a thorough assessment of your practice. This includes reviewing the safeguards your practice currently has in place. Technical, physical, and administrative safeguards all play a role in securing Protected Health Information (PHI).  This would include a deep dive into the technology your practice uses, the physical protections your practice might have (like alarms), and the administrative policies your practice follows.  Completing this analysis will allow your practice to identify vulnerabilities before a breach occurs. Proactive compliance, addressing issues before they affect patients, is key to a successful practice.  In addition to providing an SRA, practices must also prove compliance with other pillars of HIPAA compliance, such as the Right of Access (or sending requested medical records to practices in a timely manner), the Breach Notification Rule, the Privacy Rule, and more.  After the rise in ransomware attacks in recent years, with a nearly 300% increase in ransomware-related breaches, regulated entities’ cybersecurity practices will likely be scrutinized, ensuring that those audited are aware of their technology responsibilities.    What can I do?  Your practice must be aware of HIPAA and implement the appropriate safeguards to be prepared for the possibility of an audit. While this can be a daunting task, it is imperative for your practice to follow HIPAA compliance before a situation occurs. Thankfully, smart software can streamline and simplify HIPAA for your practice, providing a roadmap to compliance. With the right solution, your practice can see exactly what the OCR requires, which will be asked for if ever audited.  To learn more about becoming audit-ready, schedule an educational consultation with our team of experts.

HIPAA Compliant Communication
Abyde News, Best Practices, HIPAA

Navigating HIPAA in the Digital Age: Patient Communication Essentials

April 2, 2025 No comments yet

April 2, 2025   When 80% of patients prefer digital communication, exploring this opportunity to better serve your patients is crucial. In the digital world, it’s easier than ever to connect with others and build relationships with others through technology. Connecting with patients via technology is simple, but practices must ensure that all communication, including emails, texts, and calls, adheres to HIPAA regulations.   What is HIPAA-Compliant Communication? HIPAA, or the Health Insurance Portability and Accountability Act, is focused on ensuring the security of patients’ Protected Health Information (PHI). PHI includes anything personally identifiable about a patient, including Social Security Numbers, full names, addresses, medical history, and more.  When communicating with a patient, it’s vital to implement the proper protocols to keep patient data safe. When patient data isn’t secured through traditional channels, using a regular phone doesn’t cut it. For instance, channels need to be encrypted, providing extra layers of protection.  Additionally, it’s important to communicate with patients using the minimum amount of information necessary for a conversation. For example, if a patient texts asking to reschedule an appointment, a practice should offer new times and not go in-depth about a patient’s medical history. Communication should remain brief and focus on justifiable reasons to talk to a patient, like scheduling, post-op instructions, and test results.  Patients need to consent to different forms of communication, like texts. The practice is responsible for receiving consent when a patient begins seeing a practice.    How can I Implement HIPAA-Compliant Communication?  An encrypted communication service is the easiest way to ensure secure communication channels. As communication with patients has become normalized in the healthcare industry, numerous organizations offer HIPAA-compliant communication systems. These systems include compliant and encrypted end-to-end phone calls, texts, and emails. Ensure these companies also do their due diligence and sign a Business Associate Agreement (BAA) with your communications provider.  Once a suitable communication system is in place, training staff on communicating effectively and safely with patients electronically is crucial. Staff should be well-versed in the proper procedures for digital patient communication. This includes understanding the Minimum Necessary standard, carefully reviewing messages before sending them to patients (especially to ensure information is being sent to the correct patient), and recognizing phishing scams to verify the authenticity of communications before responding.   What’s Next? Communicating with patients leads to a more successful practice, with higher attendance rates and more engaged patients. Digital communication is the future, and with the right tools, you can easily navigate HIPAA-compliant communication.  In addition to using digital communication systems, implementing a smart software solution is key to a compliant practice. A centralized compliance hub allows you to easily see your vulnerabilities and organize vital documentation, like BAAs with third-party vendors you may use.  Looking to learn more about how you can make your practice more efficient while still following rigorous HIPAA laws? Schedule a meeting with a compliance expert today. 

Business Associate Risk Analysis Initiative Fine
Abyde News, Business Associates, Fines, HIPAA

Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine

March 27, 2025 No comments yet

March 27, 2025   With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI).  The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide.  After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP).  At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities.  This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement.  This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement.    What Happened?  In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue.  Four breach reports describing this incident were filed from the end of 2018 into early 2019.  This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024.  The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities.  As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.    How to Protect Your Organization  When working with PHI, all involved parties must know their responsibilities.  For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities.  Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.

What's coming next in HIPAA? Join our June webinar to stay up to date.

REGISTER NOW
X