
Frequently Asked Questions

Is HIPAA compliance required for you?

Yes, if you are a health care provider and transmit any information in electronic form in connection with insurance claims, encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals, authorizations, coordination of benefits, etc.

How big are HIPAA fines?

The penalties for HIPAA noncompliance incurred within the last 6 years are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year.

What Can Cause a Fine for HIPAA Noncompliance?

  1. HIPAA Complaints
    • 17,684 complaints submitted in 2015
    • Over 20,000 complaints in 2016
    • Number of complaints increasing year to year
  2. Breach of Protected Health Information (PHI)
    • 1694 breaches that impacted 500 individuals or more
  3. HIPAA Audit
    • Phase 2 Audit by OCR will include 200-250 entities in 2016/2017


What Can Cause a HIPAA Complaint?

  • A perception by patients or their representatives that the HIPAA rules are not being properly followed
    • E.g., a patient receiving an unprotected e-mail containing PHI
  • Processes used by the healthcare organization are not consistent with HIPAA requirements, or lack basic safeguards
    • E.g., using out-of-date computers or software, or lost/unrecoverable PHI records
  • The staff is not properly trained on Patient Rights established by HIPAA
    • E.g., refusing treatment because of insurance limitations


What Can Cause a Breach of PHI?

  • Ransomware attacks, key-loggers and malicious software
  • E-mail, files or computers getting hacked
  • Lost or stolen devices with PHI content or access to PHI
  • Inadequate disposal of PHI (paper records, media, devices, etc.)
  • Breaches by partners or Business Associates


What Can Cause a HIPAA Audit?

Any breach, regardless of size, will automatically trigger an investigation by the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS), which may result in an audit.

In addition, OCR launched Phase 2 of the HIPAA Audit Program. Covered Entities (CE) are selected through a randomized process. Responses must contain the specified documentation: adopted HIPAA policies and procedures, and evidence of implementation, including risk analysis and risk management. The CE must respond within 10 business days after the initial contact by OCR.

If a CE does not have the requested documentation, an explanation for the deficiency must be included in the response. A CE may be selected for a comprehensive onsite audit.

Is there official HIPAA Certification?

No. Currently there is no official HIPAA certification recognized by the authorities or by the healthcare industry. Different companies offer ‘private’ certifications. However, none of these certifications will be accepted by the Office for Civil Rights of the HHS.

Are there any HIPAA procedures that can be adopted and followed out of the box?

No. The HIPAA Security and Privacy Rules set out key requirements, but they are not defined prescriptively enough for a healthcare organization to follow them out of the box. HIPAA is designed with the intent that each practice figures out how to apply the HIPAA rules to its own processes, which is not trivial. As a result, there are no one-size-fits-all HIPAA policies and procedures available. For example, the American Dental Association offers a guidance kit that a dental practice would need to review, understand, and then figure out how to use and apply. Some HIPAA training companies offer their own customized templates; however, somebody will still need to interpret and customize them to the specific structure, size and environment of their healthcare organization, and then implement HIPAA-compliant IT capabilities and business processes to be able to maintain HIPAA compliance.

What differentiates our services?

There are a number of different service providers currently available to help with HIPAA compliance:

  • HIPAA compliant e-mail
  • HIPAA training
  • HIPAA risk assessment
  • HIPAA log monitoring
  • HIPAA backup & recovery
  • and many more…

Our goal was to address each of the HIPAA requirements with a complete end-to-end service that requires minimum involvement from the healthcare practice, minimizes the impact on the staff’s day-to-day activities, automates the capture of records required for HIPAA compliance whenever possible, and keeps the patient experience as friendly as possible.
