HIPAA

HIPAA Settlement Patient Right of Access
Fines, HIPAA

OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center

October 7, 2020 Comments Off on OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center

October 7, 2020 The Office for Civil Rights (OCR) has officially kept their foot on the gas heading into October, announcing their 8th HIPAA right of access fine and adding to a string of nine total HIPAA fines announced since September 15th. Five of those recent fines also centered on providing patients appropriate access to their records, an initiative the OCR pledged to enforce in 2019. The latest practice left in the OCR’s dust is St. Joseph’s Hospital and Medical Center (SJHMC), an acute care hospital with several hospital-based clinics providing a variety of health services out of Phoenix, Arizona. SJHMC was slapped with a $160,000 fine, along with a 2-year corrective action plan to settle their potential HIPAA violation.  Continuing the patient right of access violation trend, SJHMC failed to provide patient records requested by a patient’s personal representative within any sort of a reasonable timeframe, and certainly not within HIPAA-mandated and state-specific deadlines. OCR involvement began in April 2018, when a complaint was received from an SJHMC patient’s mother stating that since January of 2018 she made various requests for a copy of her son’s medical records that SJHMC had failed to fulfill. While the hospital provided partial records, they failed to produce the full records requested despite follow-ups made by the mother in March, April, and May of 2018. The records were only provided a long 22 months later, in December 2019, after the OCR got involved to investigate the complaint. The deadline to provide patient records after a request in Arizona is 30 days.   If you haven’t realized the enforcement trend yet, the OCR made it pretty clear in their statement announcing the fine. “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino stated, “OCR has many rights of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”  Not only did OCR Director Roger Severino call out practices who aren’t actively focusing on their HIPAA compliance program, he emphasized that there is more to come related to patient right of access. This fine, along with the many others announced in recent weeks, emphasizes just how important a HIPAA compliance program is and having the right policies in place to fulfill all aspects of HIPAA compliance – including meeting patient’s access requests.    

Business Associate Exposes 6 Million Records
Business Associates, Fines, HIPAA

OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 Comments Off on OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 The Office for Civil Rights has been dropping fines left and right in the last week, releasing their 7th (and largest) HIPAA settlement earlier today and bringing their running total to seven fines in just 8 days. The latest violation came with a hefty payout of $2.3 million as well as an extensive 2-year corrective action plan – and not to mention a whole lot of apology letters to write.  The lucky winner of the latest HIPAA settlement is CHSPSC LLC, a business associate who serves a number of hospitals and clinics owned by Community Health Systems, Inc out of Tennessee. You may be thinking, “well no biggie, I’m a covered entity not a business associate so that wouldn’t be me,” but the 6 million+ patients affected and the reasons the OCR gave for levying a fine would beg to differ. Just like any covered entity might be, this business associate was the victim of a cyberattack that even after alarms were raised went unmitigated for months. As if that wasn’t enough, the OCR investigation discovered long standing non-compliance with the HIPAA Security Rule ultimately landing the business associate at the top of the most expensive 2020 fines list. On April 10, 2014, CHSPSC’s information system was infiltrated by a threat group that went unnoticed until the company was notified by the FBI 8 days later. The hackers continued to have a field-day, accessing the sensitive data for 4 months after the initial attack. CHSPSC’s continued disregard for implementing the necessary security protections required by HIPAA even AFTER receiving federal notice was described by OCR Director, Roger Severino, as “inexcusable”. The cyberattack affected 237 different covered entities served by CHSPSC and withdrew the PHI of 6,121,158 individuals including everything from names and birthdays to emergency contact information and social security numbers.  As if over 6 million patients records being taken wasn’t bad enough, an OCR investigation into the business associate found several gaps in their compliance program including:  It doesn’t matter whether you’re a healthcare provider, business associate, or just the average joe – falling victim to a cyberattack is fair game. Because business associates require the same HIPAA safeguard requirements as covered entities, no matter who gets hacked the OCR is looking for the same requirements and can hand out the same fines for either type of health related entity.  For providers especially, entrusting your patients sensitive data to your business associates comes with added risks. In this case, 237 covered entities had to find that out the hard way. While there’s no way to be 100% in the clear from things like cyber attacks, having the proper business associate agreements in place at least takes the liability of an incident off your practice’s hands. If you had been one of those 237 entities affected here, lack of an agreement could have put your practice on the same chopping block as CHSPSC. 

$1.5 million HIPAA Fine
Cybersecurity, Fines, HIPAA

OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 Comments Off on OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement of a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia. Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially required technical safeguards, that led to the breach incident.   On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker was able to gain access through a vendor’s credentials on June 14, 2016, and the hacker continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected. The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing: Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way to avoid being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.

Requesting Access to Medical Records and HIPAA
Best Practices, HIPAA

Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 Comments Off on Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access: Access is just for the patient, right? We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient. A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if: How must access be requested? Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request. Do I need to verify the requester is authorized? Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request. What form must records be provided in? We’re long past the days of keeping everything on paper, and most practice’s manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead. How quickly do records need to be provided? The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30 day extension period.  Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years.    Can I charge patients for copies of their records? Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests. This fee can include:  There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.

5 HIPAA Settlements at Once
Fines, HIPAA

OCR Announces Historic 5 HIPAA Settlements at Once

September 15, 2020 Comments Off on OCR Announces Historic 5 HIPAA Settlements at Once

September 15, 2020 Earlier today the Office for Civil Rights (OCR) announced five HIPAA settlements (yes, you heard that right, five) breaking the record for total HIPAA settlements in one day.  Since 2019 the OCR has honed in on their HIPAA Right of Access Initiative, prioritizing patient’s ability to access their medical records in a timely manner. These five settlements bring the total to seven access related enforcement actions – so if you need any hints on what to make sure your practice is looking out for, this is it.    1. Housing Works Inc. This $38,000 fine resulted from a complaint received by the OCR last July alleging that Housing Works Inc., a New York City based non-profit organization, failed to provide the complainant with a copy of their medical records. The OCR received a second complaint a month later stating that the practice still hadn’t provided the patient with record access (strike number two) which ultimately led to a hefty fine along with a corrective action plan.   2. All Inclusive Medical Service, Inc. This Carmichael, CA based medical practice agreed to a $15,000 fine and corrective action plan after the OCR received a complaint in April 2018 that the practice had denied patient access to inspect and receive a copy of her records in January 2018. Only after the OCR’s investigation was the patient given access to her records – 32 months (almost three years) after she had initially requested.   3. Beth Israel Lahey Health Behavioral Services (BILHBS) This whopping $70,000 HIPAA settlement came from a complaint alleging that the behavioral health corporation failed to respond to a request from a personal representative seeking access to her father’s medical records in February 2019. The OCR investigation found that BILHBS failed to complete the request which meant a costly violation of HIPAA Right of Access.  4. Wise Psychiatry, PC This Psychiatry Practice based in Colorado agreed to a $10,000 settlement along with a corrective action plan after the OCR received a patient right of access complaint related to not providing a personal representative with access to their minor son’s medical records in February of 2018. The OCR provided the practice with technical assistance and closed the complaint just a few months later, but Wise Psychiatry found themselves back on the OCR’s radar in October 2018 when a second complaint from the same individual was filed noting records still had not been received. It wasn’t until May 2019 that the patient records were finally provided.  5. King MD Last but not least (actually, we take that back, this is the smallest HIPAA fine to date), Patricia King MD & Associates – a psychiatric care provider in Chesapeake, Virginia – agreed to pay a $3,500 fine along with adopting a corrective action plan to settle a potential HIPAA right of access violation. In October of 2018, the OCR received a complaint that the practice had failed to respond to an individual’s request to record access in August 2018. After the OCR provided them with technical assistance the complaint was closed. However, in February 2019, the OCR received a second complaint stating that King MD had still failed to provide the same patient with proper access and as a result, the practice was hit with a violation.   The main takeaways? Well if it isn’t already obvious, providing patients with timely access to their medical records is extremely important and is something that is commonly missed by practices. While Patient Right of Access is an enforcement priority for the OCR, that doesn’t mean it’s the only thing you have to watch out for. OCR Director Roger Severino emphasized in the announcement that, “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”  If you needed any more reason to get HIPAA compliance to the top of your priority list – 5 violation settlements announced all in one day should do the trick.      

What is a HIPAA Corrective Action Plan?
Audits, Fines, HIPAA

What is a ‘Corrective Action Plan’?

September 9, 2020 Comments Off on What is a ‘Corrective Action Plan’?

September 9, 2020 HIPAA Settlements are more than just $$$ If you’re like most practices, you might just see $$$ when a HIPAA fine makes the news. And yeah – million dollar fines are no joke. But a HIPAA violation settlement is more than just a dollar sign, and often includes something called a ‘corrective action plan’.  This corrective action plan, or CAP, is basically equivalent to ‘you messed up, here’s two years of administrative paperwork to fix your issues and think about what you’ve done.’ Yeah, you read that right – two years. If you thought paying a fine and putting it behind you was the extent of the bad news, we’re here to tell you why a CAP is just as important if slapped with a HIPAA violation. ALL the Paperwork The goal of a CAP is to correct the issues that caused the HIPAA violation in the first place. However, CAP requirements aren’t just a simple ‘do this next time’ and involve quite a bit of paperwork. Over the course of the designated time frame, one to typically two years, practices are required to: Lets face it, no one likes paperwork (even hearing that word makes us cringe). Having to complete what’s required in a CAP is often far more paperwork than maintaining a regular HIPAA compliance program would be – another reason to be compliant before an incident occurs. Even More Consequences Failing to complete a corrective action plan within the designated time frame can void the initial settlement and can leave a practice open to additional fines and penalties – yikes. It may just be paperwork, but the OCR takes it seriously, and leaves practice’s having to juggle a CAP on top of their already full plate of patient care, regular operations, and reputation management after landing in the news for a HIPAA violation.  So, who doesn’t want to be stuck with a mound of paperwork and the OCR breathing down your neck? (We’re raising our hand – both hands actually.) Getting ahead of violations by completing the SRA and HIPAA program requirements before a breach, complaint or audit will save your practice the pain of a CAP and help avoid a violation in the first place. After all, if you have all the right policies, SRA, and risk management plan in place before a breach you’ve already got OCR requirements down – but with less time spent, on your own schedule, and without the OCR looking over your shoulder.

Top 4 HIPAA Violations
Fines, HIPAA

Top 4 HIPAA Violations Your Practice Should Avoid

September 4, 2020 Comments Off on Top 4 HIPAA Violations Your Practice Should Avoid

September 4, 2020 Even with everything else going on in the world today, HIPAA violations are still making headlines. While these news stories reinforce that the Office for Civil Rights (OCR) hasn’t let up on HIPAA enforcement, they also provide great examples of what not to do when it comes to your own practice. Based on these violations and recent OCR investigation data, we’ve compiled the top four types of violations investigated by the OCR:  1. Impermissible Uses & Disclosures The reigning champion of HIPAA violations over the past 5 years – impermissible uses or disclosures – covers any access, use, or sharing of protected health information (PHI) that is done in a manner not permitted under HIPAA and compromises the security or privacy of a patient’s sensitive information. Common culprits include: Having the right policies in place outlining the proper ways staff may use and disclose PHI is key to ensuring your practice doesn’t join the growing list of improper use violators.  2. Missing Physical, Technical and Administrative Safeguards HIPAA law requires practices to implement safeguards to ensure PHI is protected and secured. These safeguards include:  Failing to implement key safeguards is what gets practice’s into trouble, which is why it is essential to perform in-depth as well as ongoing Security Risk Analyses in order to properly identify which safeguards are missing  3. Improper Access Your data library shouldn’t be fair game to every employee regardless of their role. Even if just glancing at a patient’s information, any access to patient information that is not necessary to complete a specific job function is a violation of HIPAA. With remote work becoming more and more common, we can expect improper access violations to rise as employees use data in less secure environments and with less supervision than there would be in a typical practice setting. Appropriate access is featured heavily in HIPAA, and it’s important to limit and document your access roles. It’s not just internal access to PHI that can get your practice into trouble. There are specific guidelines for providing patients with medical records as well, and while this may seem straightforward 51% of providers fail to comply with HIPAA Right of Access laws. Understanding what Patient Right of Access laws entail is important to keeping your patients happy and avoiding a problem with the OCR.  4. Violations of Minimum Necessary Requirement Less is more when it comes to sensitive health information. Only the minimum information necessary should be provided when PHI is requested, accessed, or disclosed. Violations of this requirement could include providing additional information such as previous medical conditions that may not pertain to the actual purpose of the task at hand. Having proper training and documented policies in place that define what information is considered necessary is an essential piece to protecting your patient’s information and steering clear of a HIPAA violation.   A Violation is Just a Slap on the Wrist, Right? While a violation in any of these areas could be minor, a HIPAA violation fine ranges anywhere from a few hundred to a million dollars based on various factors such as:  The biggest fine so far? $16 million in a single settlement. Monetary fines aren’t the only thing you have to worry about if you find yourself facing a HIPAA violation. Jail time and extensive corrective action plans involving extra oversight and administrative work are real possibilities if a violation is found. So How Can You Best Avoid a HIPAA Violation? Many HIPAA violations can be attributed to a lack of employee education on what’s required under federal law. Violations aren’t usually intentional or malicious, which is why it’s so important to create a culture of compliance within your organization and promote good habits. Keeping up with your HIPAA compliance program and staying updated on any changes to federal regulations is the best way to keep your patients’ information secure and avoid ending up as another HIPAA headline. 

HIPAA Compliant PHI Disposal
Best Practices, HIPAA

Disposing of PHI: Why, What and How

August 27, 2020 Comments Off on Disposing of PHI: Why, What and How

August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of?  Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network).    RELATED: So You Have PHI to Dispose of – Now What?  What is considered proper digital data disposal?  Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored.  Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.

Asset Log HIPAA
Best Practices, Cybersecurity, HIPAA

OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Comments Off on OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements.  What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information:  Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations.  No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.  

Properly Encrypting ePHI
Best Practices, Cybersecurity, HIPAA

Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Comments Off on Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption?  Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again.  What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include:  Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place.  With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.

Is your practice prepared for a HIPAA investigation? Get educated with our new eBook.

DOWNLOAD NOW
X