HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Law Enforcement


The battle between individuals’ privacy rights and the needs of law enforcement has raged for centuries in one form or another. When the HIPAA Privacy Rule was implemented, its authors tried, as it were, to appease both sides.


The resulting “compromise” is that protected health information (PHI), the information the HIPAA Privacy Rule affords some protection from disclosure, can be disclosed when law enforcement needs it.


There are limits, however, on how, where, when, and why law enforcement may obtain this information.


The HIPAA law enforcement exception to the general rule restricting use and disclosure of PHI (unless an exception permits or requires it) is discussed below.

What is the HIPAA Law Enforcement Exception?

The HIPAA law enforcement exception is found in the text of the HIPAA Privacy Rule.

The Privacy Rule provision that addresses whether PHI can be disclosed to law enforcement is 45 CFR § 164.512, entitled “Uses and disclosures for which an authorization or opportunity to agree or object is not required.”


The provision then lists circumstances under which PHI may be used or disclosed despite the general rule. Circumstances allowing use or disclosure of PHI without written authorization (or an opportunity to agree or object) include, among others:


  • A specific state or federal law requires the disclosure of PHI.
  • Public health activities, which include (among other things):
    • Reporting of disease or injury
    • Reporting vital events such as birth or death
    • Conducting public health surveillance
    • Conducting public health investigations
    • Conducting public health interventions
  • When a covered entity reasonably believes an individual is a victim of abuse, neglect, or domestic violence.
  • When a health oversight agency seeks to conduct health oversight activities authorized by law. These activities include:
    • Inspections
    • Licensure or disciplinary actions
    • Civil, administrative, or criminal proceedings or actions
    • Other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and of:
      • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
      • Entities subject to civil rights laws for which health information is necessary for determining compliance.
  • Disclosures for judicial and administrative proceedings.
  • Law enforcement purposes.

The HIPAA Law Enforcement Exception: What Does it Cover?

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances (subject to certain conditions):

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
  • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004


What is a HIPAA Violation? What Are The Fines /Penalties? 


Signed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding medical information. Essentially, if you are handling, transmitting, in possession of, or responsible for any health records, you need to be in compliance with HIPAA.


Regulation around HIPAA is strict and specific. But what happens if HIPAA guidelines are not followed to the letter?

For the sake of the personal data you hold, it is important to know what constitutes a HIPAA violation.


Did you know that there are stiff penalties and fines for a violation? A breach could also destroy your business and your credibility within the healthcare community.

HIPAA Penalty & Fine Structure

What are the consequences of violating HIPAA?

There are four tiers of HIPAA violations:


    • Tier 1. Lack of awareness where a covered entity or individual was unaware that the act in question was a violation. Fines start at $100 and go up to $50,000 per violation, topping out at $1.5 million each year.
    • Tier 2. Reasonable cause to believe the individual or entity knew about the rule or regulation. Issues at this tier are considered a lack of due diligence. The fines range from $1,000 to $50,000 per violation. The maximum fine is $1.5 million per year.
    • Tier 3. The HIPAA violation was performed with willful neglect. The party then corrected the violation within the required time period of 30 days after discovery. Fines at this tier start at $10,000 and go to $50,000. The maximum penalty is $1.5 million per year.
    • Tier 4. At this tier, the violation was made with willful neglect of HIPAA Rules. Further, the entity made no effort to correct the violation. There is a standard $50,000 fine per violation at this tier with a maximum fine of $1.5 million each year.


There are also criminal penalties for HIPAA violations and potential jail sentences:

    • Unknowingly or with Reasonable Cause. The person may receive a jail sentence of up to one year.
    • False Pretenses may result in a five years’ maximum jail sentence and a fine increase to $100,000 per violation.
    • Personal Reasons or to Commit Fraud or a Crime. Malicious intent such as data breaches may lead to a jail sentence of up to 10 years and a fine up to $250,000 per violation.


As the tiers above show, the penalty structure for violations can act as a strong deterrent for healthcare organizations.


Recent HIPAA violation cases reported by federal law enforcement include:

    • Memorial Healthcare System received a fine of $5,500,000 in 2017
    • Children’s Medical Center of Dallas incurred a penalty of $3,200,000 in 2017
    • Advocate Health Care Network’s violation warranted a $5,500,000 fine in 2016

Why You Should Follow HIPAA Compliance For The Success Of Your Dental Practice


In 2018, ten companies had to pay $28.7 million in HIPAA fines. United States law requires all covered entities to comply with HIPAA. Covered entities, in this case, are health care providers such as hospitals, dental clinics, and pharmacies.


The American Dental Association conducted research indicating a significant increase in dental practices, both in size and in number.


Statistics show that the number of US citizens with access to dental care rose to 248 million in 2016, from 170 million in 2006.


The growth of dental practices across the States makes them an increasingly attractive target for hacking.


This is where HIPAA comes in. For dentists, HIPAA consists of:


• The Security Rule
• The Privacy Rule
• The Breach Notification Rule




HIPAA compliance refers to the process through which covered entities and business associates adhere to the rules that protect Protected Health Information (PHI).


In simple terms, it seeks to ensure that a patient’s healthcare data remains private. Protected Health Information is anyone’s healthcare data. The Privacy and Security Rules control what healthcare professionals such as dentists can and cannot do with your PHI.




HIPAA was initially introduced in 1996 to address insurance coverage for people working two jobs. It also sought to avoid health care fraud, and protect patients’ health information.


For your practice, HIPAA compliance will:

• Greatly help you transition from manual to electronic health records.
• Streamline your administrative healthcare functions.
• Protect your clients’ health information.
• Set boundaries on using and releasing health records.
• Boost the efficiency of your clinic.
• Hold violators answerable if they violate a patient’s rights, through both criminal and civil penalties.


For your patients, HIPAA will:

• Safeguard their personal and sensitive health information.
• Give them control over who gets access to their information.
• Give them the right to obtain and review their health records, and to request corrections when necessary.

Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.

The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.

Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.

OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."

"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:

  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.

Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."

The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.

The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."

Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."

The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to insecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.

The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.

But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.

"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.
