Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.
Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.
She has spoken at numerous conferences and functions, and she continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.
Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?
All 50 states now have their own privacy laws, and a state Attorney General may also investigate privacy violations!
Under the federal HIPAA law there is no private right of action, meaning a patient cannot directly sue a medical provider for a HIPAA violation. However, most state privacy laws do permit class action lawsuits. While a federal HIPAA violation itself doesn’t open the organization to class-action lawsuits by patients, a breach or non-compliance often triggers state (consumer law) class actions, regulatory enforcement, substantial financial risk, and reputational damage.
For example, Florida law fills the “no private HIPAA lawsuit” gap. While HIPAA itself doesn’t permit a private right of action, Florida’s own privacy and consumer protection laws allow individuals to sue when their medical or personal information is mishandled. Common bases for class actions include:
Examples of HIPAA style class actions
Akumin Operating Corp. (Florida-based outpatient radiology/oncology provider) 2023 breach; class action consolidated 2024-25. Ransomware attack, $1.5 million settlement.
Gastroenterology Associates of Central Florida, P.A. (d/b/a Center for Digestive Health / Center for Digestive Endoscopy) Discovered April 11, 2024; class action filed 2025. Network intrusion, settlement has been determined but not released.
HCA Healthcare, Inc. data breach (July 2023) HCA Healthcare agreed to a multi-million-dollar settlement after a breach of data affecting some 11.27 million patients across 20 states. Settlement between $9-10M.
Tampa General Hospital (2023) Subject to class-action claims after a data breach impacted over 1.2 million patients. Allegations included failure to use reasonable cybersecurity measures and delay in notification, invoking both FIPA (the Florida Information Protection Act) and FDUTPA (the Florida Deceptive and Unfair Trade Practices Act). Settlement $6.8M.
Lakeland Regional Health (2022) Data breach leads to litigation under FIPA and negligence, settlement $4M.
UF Health Central Florida (2021) Data breach leads to litigation under FIPA and negligence.
Anthem, Inc. breach (2015) Anthem reported a breach affecting tens of millions of individuals; in 2017 they settled class-action litigation for $115 million.
Visionworks of America, Inc., a retail/optical chain, faces a proposed class action after a data breach affecting 40,000 customers.
Imagine a breach of your patient portal where PHI is exposed, then a class-action law firm sues you for negligent safeguarding of data. All the while the OCR fines you for the breach. We help you avoid both scenarios.
At Aris Medical Solutions, our HIPAA Keeper™ system highlights that strong vendor management, business associate agreements (BAAs), cybersecurity controls, timely breach notification, and record-access compliance (e.g., right of access) are critical to reducing the risk of class actions.
A HIPAA violation occurs when PHI data that identifies an individual and relates to their health status, treatment, or payment is improperly accessed, used, or disclosed. When it comes to patient privacy, ignorance isn’t bliss… it’s expensive. Every healthcare provider, business associate, and third-party vendor that handles protected health information (PHI) is required by law to comply with the Health Insurance Portability and Accountability Act (HIPAA). Yet, year after year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to issue fines for HIPAA violations that can be avoided with proper policies, training, and security safeguards. Even small practices face enforcement actions for these violations, and “I didn’t know” is not a valid defense under HIPAA.
Common HIPAA violations include:
Sending PHI to the wrong recipient
Failing to encrypt emails or devices that store ePHI
Losing laptops, smartphones, or USB drives containing patient data
Discussing patient details in public areas
Sharing login credentials or failing to log off workstations
Posting patient photos or information on social media without authorization
Not performing an annual risk analysis or updating policies and procedures
Financial and Legal Risks
HIPAA penalties are tiered based on the level of negligence and can range from $141 to over $71,000 per violation — with an annual maximum of $2 million per identical provision (as adjusted for inflation in 2025). OCR considers factors such as the organization’s size, history of compliance, and willingness to correct the issue when determining penalties.
Beyond monetary fines, violations can lead to:
Civil lawsuits: Patients can sue under state privacy laws.
Corrective action plans: Mandatory, multi-year compliance monitoring by HHS.
Reputation damage: Lost patient trust and public exposure of the breach.
Criminal charges: Willful misuse of PHI can lead to imprisonment.
Operational and Reputational Risks
The real cost of a HIPAA violation goes beyond fines. Breaches disrupt operations, divert staff resources, and erode the confidence of patients and business partners. Once trust is lost, it’s difficult — and expensive — to rebuild.
For example, when a ransomware attack locks down medical records, patient care slows, billing stops, and the organization may spend months recovering. Even worse, news of the breach spreads fast, often drawing negative attention from both patients and regulators.
How to Avoid HIPAA Violations
The best defense is a proactive compliance program. Every covered entity and business associate should:
Conduct an annual risk analysis to identify and mitigate vulnerabilities.
Implement and maintain written policies and procedures that align with the Privacy, Security, and Breach Notification Rules.
Train employees annually and document completion.
Secure all devices and networks — use encryption, strong passwords, and access controls.
Review business associate agreements (BAAs) to ensure vendors are also compliant.
Document everything — if it’s not documented, it didn’t happen.
Protect Your Organization Before It’s Too Late
HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit-ready.
Protect your practice — and your patients. Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.
Online tracking technology has caused a lot of speculation on what is acceptable or not. Here is a recap in case you missed the ruling last year.
Background & Baseline: HIPAA and Online Tracking
The OCR cautioned that certain online tracking technologies (ads, analytics tools, pixels) could collect or disclose individually identifiable health information, which is a violation of HIPAA.
In July 2023, the OCR and the Federal Trade Commission (FTC) sent letters to hospitals and telehealth organizations, warning of the risk that third-party trackers (Google Analytics, Meta Pixel) might be sharing “sensitive health information” outside what HIPAA permits.
The core concern: even data collected “passively” (IP addresses, page paths, query strings, referrers) may, in some scenarios, become linked (or inferred) to health conditions or services, thereby turning into PHI (protected health information).
The 2024 OCR “Online Tracking Technologies” Bulletin & Its Revision
In March 2024, OCR clarified how covered entities and business associates should consider HIPAA when using online tracking technologies.
Key elements of the revised guidance include:
Entities may use online tracking technologies only when such use does not lead to impermissible disclosures of PHI. If sharing PHI with a tracking vendor is necessary, it must occur under a valid Business Associate Agreement (BAA) or through patient authorization, and it must comply fully with HIPAA requirements.
If a vendor is unwilling or unable to sign a BAA, one option is to de-identify or aggregate the data before sharing it, ensuring it no longer qualifies as PHI.
The updated guidance recognizes the complexities of tracking activities on unauthenticated pages (those that do not require a login) and offers greater nuance on when such tracking may involve PHI.
Court Vacates Part of the OCR Guidance
In June 2024, a federal court in the Northern District of Texas vacated part of OCR’s “Use of Online Tracking Technologies” guidance. The court determined that OCR exceeded its statutory authority by applying HIPAA to metadata—such as IP addresses—associated with user visits to unauthenticated webpages and by interpreting “individually identifiable health information (IIHI)” too broadly.
Specifically, the court invalidated the section of OCR’s guidance that presumed a combination of (1) a user’s IP address and (2) a visit to a public healthcare-related webpage automatically constituted IIHI or PHI, without considering additional context.
However, the court did not strike down the entire guidance; provisions related to authenticated user interactions, such as patient portal logins, remain in effect.
Following the ruling, HHS voluntarily withdrew its appeal in August 2024. As a result, the court’s decision remains in effect, restricting OCR’s authority in this area.
In practical terms, the ruling relaxes some of the overbroad constraints that the OCR attempted to impose on tracking in public (unauthenticated) settings but does not eliminate HIPAA obligations or the risk from misuse of tracking tools.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.
For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.
An annual HIPAA risk analysis is necessary because it’s the foundation of an effective compliance program — and it’s required by law. Here’s why it matters:
It’s a Legal Requirement
Under the HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Office for Civil Rights (OCR) repeatedly enforces this requirement, and failure to perform or update a risk analysis is one of the most common causes of HIPAA fines.
Threats and Technology Change Constantly
Healthcare organizations face evolving cybersecurity threats: ransomware, phishing, insider misuse, and software vulnerabilities. An annual risk analysis ensures you’re identifying new threats and changes in your environment, such as:
Updated systems or software
New staff or vendors
Relocated offices or added telehealth operations
Cloud service or EHR changes
Without regular reviews, unnoticed gaps could leave patient data exposed.
It Protects Against Fines and Breaches
Most OCR enforcement actions begin with the finding that the organization failed to conduct an updated risk analysis. By performing one each year (and after significant changes), you demonstrate due diligence. This shows regulators that you are actively identifying, documenting, and mitigating risks, which can reduce penalties if a breach occurs and protects your organization’s reputation.
It Drives Continuous Improvement
A risk analysis isn’t just about compliance — it’s a management tool. It helps you:
Prioritize security investments
Strengthen policies and procedures
Train employees based on real vulnerabilities
Build a strong compliance record
An annual HIPAA risk analysis keeps your organization compliant, secure, and prepared for evolving risks. It’s not a one-time task — it’s an ongoing process that proves your commitment to protecting patient data and maintaining trust.
Why It’s Important to Replace Windows 10 Pro Computers with Windows 11 Pro
Technology moves quickly, and operating systems are no exception. While Windows 10 Pro has been a reliable workhorse for many businesses, its time in the spotlight is coming to an end. Microsoft has officially announced that support for Windows 10 will end on October 14, 2025. This date marks a significant turning point for any organization still relying on Windows 10 Pro devices—and the clock is ticking.
1. End of Support Means End of Security Updates
Once support ends, Microsoft will no longer release security patches for Windows 10. That means any new vulnerabilities discovered after October 2025 will remain unpatched, leaving systems exposed to cyberattacks, ransomware, and data breaches. For businesses, especially those handling sensitive or regulated information, this creates serious compliance risks and potential legal liabilities.
2. Windows 11 Pro Delivers Enhanced Security
Windows 11 Pro is designed with modern threats in mind, incorporating advanced protections that go beyond what Windows 10 offers. These include:
Hardware-based encryption through TPM 2.0
Secure Boot to block unauthorized code at startup
Windows Hello for Business for stronger authentication
Microsoft Pluton Security Processor (on supported devices) for chip-to-cloud protection
These features help safeguard against today’s sophisticated cyberattacks and meet the stricter compliance requirements many industries now face.
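As an added example (not code from Aris Medical Solutions or Microsoft), the following PowerShell script checks a single machine against the points above: current build, TPM 2.0 presence and readiness, UEFI firmware and Secure Boot state, and the days remaining before the October 14, 2025 end-of-support date. It assumes an elevated prompt on Windows 10/11, since Get-Tpm and Confirm-SecureBootUEFI require administrator rights; the Action field is a hypothetical triage label, not a Microsoft classification.

```powershell
# Added example: read-only Windows 11 readiness report for one machine.
# Assumes an elevated PowerShell session on Windows 10 or 11.

function Get-Win11ReadinessReport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # TPM: Get-Tpm reports presence/readiness; the WMI class reports the
    # spec version string (e.g. "2.0, 0, 1.38"). Both fail on machines
    # without a TPM, so guard them and treat failure as "no TPM".
    $tpmPresent = $false; $tpmReady = $false; $tpmSpec = 'n/a'
    try {
        $tpm        = Get-Tpm
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        if ($wmiTpm) { $tpmSpec = [string]$wmiTpm.SpecVersion }
    } catch { }
    $tpm20 = $tpmPresent -and ($tpmSpec -like '2.0*')

    # Firmware type comes from the environment; Secure Boot needs a UEFI
    # system and admin rights, so a failure here is reported as "unknown".
    $uefi = ($env:firmware_type -eq 'UEFI')
    $secureBoot = $null
    if ($uefi) {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $null }
    }

    # Windows 11 still reports major version 10; builds 22000+ are Windows 11.
    $build   = [int]$os.BuildNumber
    $isWin11 = $build -ge 22000

    # Days until Windows 10 end of support (negative once the date has passed).
    $eos      = Get-Date -Date '2025-10-14'
    $daysLeft = [int][math]::Floor(($eos - (Get-Date).Date).TotalDays)

    # Hypothetical triage label: TPM 2.0 and UEFI are the hard prerequisites
    # checked here; Secure Boot can be enabled later in firmware settings.
    if ($isWin11)            { $action = 'Already on Windows 11' }
    elseif ($tpm20 -and $uefi) { $action = 'Upgrade in place before end of support' }
    else                     { $action = 'Replace hardware before end of support' }

    [pscustomobject]@{
        ComputerName   = $cs.Name
        Edition        = $os.Caption
        Build          = $build
        IsWindows11    = $isWin11
        Tpm20Present   = $tpm20
        TpmReady       = $tpmReady
        UefiFirmware   = $uefi
        SecureBootOn   = $secureBoot      # $null = could not be determined
        DaysToWin10EOS = $daysLeft
        Action         = $action
    }
}

Get-Win11ReadinessReport | Format-List
```

Run it across a fleet with Invoke-Command and export the objects to CSV to build the phased replacement budget the section recommends.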
3. Performance and Productivity Gains
Windows 11 Pro isn’t just more secure—it’s faster and more efficient. It’s optimized for hybrid work, with better resource management, improved window snapping layouts, and integrated collaboration tools like Microsoft Teams Chat. These improvements can streamline workflows, reduce downtime, and help teams work more efficiently.
4. Compatibility with Modern Software and Hardware
As time passes, more software vendors will stop supporting Windows 10. New applications, updates, and drivers will increasingly be built with Windows 11 in mind, meaning Windows 10 systems could run into compatibility issues. Hardware manufacturers are already prioritizing Windows 11 drivers and firmware, ensuring better performance and stability on new devices.
5. Avoiding Costly “Last-Minute” Upgrades
Waiting until the deadline is risky: supplies of Windows 11 Pro-ready hardware could tighten as more organizations rush to upgrade. By planning now, you can budget for a phased replacement, avoid inflated prices, and ensure your team transitions smoothly without interruptions.
Windows 11 Home – Designed for everyday consumers, home users, and personal devices.
Windows 11 Pro – Built for business, professionals, and power users who need advanced security, networking, and management tools.
Summary:
Replacing Windows 10 Pro computers with Windows 11 Pro machines isn’t just about keeping up with technology—it’s about protecting your business from security threats, staying compliant, and giving your team the tools to work more effectively. With the end-of-support deadline approaching, the sooner you act, the safer and more prepared your organization will be.
As today’s healthcare organizations work to streamline operations and control administrative costs, outsourcing medical billing has emerged as a smart and efficient solution. However, while outsourcing medical billing can improve performance, it does not absolve you of your responsibility to protect patient data.
When third-party vendors handle patient information, ensuring HIPAA compliance becomes even more critical.
Whether you’re considering outsourcing for the first time or re-evaluating your current vendor, understanding how HIPAA impacts third-party billing is essential. In this post, we’ll break down what compliance really means, common risks to watch out for, and how choosing the right partner can make all the difference.
What Is HIPAA—and Why Does It Apply to Your Billing Vendor?
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patients’ medical information and ensure that it’s used and stored securely. Any person or organization that handles protected health information (PHI)—including third-party billing companies—is legally obligated to follow HIPAA rules.
Here’s the catch: Just because you outsource billing doesn’t mean you outsource responsibility.
If your vendor mishandles PHI, your organization can still face the consequences—ranging from steep fines to lawsuits and reputational harm.
How HIPAA Applies to Outsourced Medical Billing
Under HIPAA, billing vendors are considered Business Associates. That means they must implement the same level of data privacy and security protections as healthcare providers.
To stay compliant, your billing partner should:
Sign a Business Associate Agreement (BAA) with your organization
Encrypt patient data during storage and transmission
Monitor and restrict employee access to PHI
Provide regular HIPAA training to all staff
HIPAA compliance isn’t just a box to check—it’s a shared responsibility that protects both your practice and your patients.
Common HIPAA Pitfalls in Outsourced Billing
Even experienced practices can run into trouble if the billing partner isn’t on top of compliance. Some common red flags include:
Sending PHI over unsecured email or messaging platforms
Poor handling or storage of patient information
Staff who haven’t been trained on HIPAA guidelines
Delayed reporting of potential data breaches
Your vendor should be able to clearly explain how they protect PHI—and provide documentation to back it up.
How to Choose a HIPAA-Compliant Billing Partner
When you’re evaluating a medical billing partner, cost and turnaround time matter—but HIPAA compliance should be non-negotiable.
Look for a billing provider that offers:
Secure systems with two-factor authentication
Routine internal audits and risk assessments
A signed and current Business Associate Agreement (BAA)
HIPAA-trained staff who understand billing complexities
Clear, written policies for PHI access, storage, and disposal
Why It Pays to Work with a HIPAA-Compliant Vendor
Beyond just staying legal, partnering with a HIPAA-compliant billing company offers real business benefits:
Lower risk of data breaches and penalties
Fewer denied claims thanks to accurate submissions
Faster reimbursements and stronger cash flow
Peace of mind during audits or compliance reviews
Enhanced patient trust in your organization’s professionalism
How Emerald Health Keeps Your Practice Compliant
At Emerald Health Medical Billing, HIPAA compliance isn’t an afterthought—it’s the foundation of everything we do.
From insurance verification to payment posting, every process is built with data protection in mind. Here’s how we help safeguard your patients’ information:
End-to-end encryption of all communications
Role-based access controls and detailed audit logs
HIPAA-certified staff across every department
Real-time transparency through client dashboards
Zero-tolerance policy for non-compliance
Whether you’re a small clinic or a multi-location practice, our solutions are designed to support your growth and your peace of mind.
Final Thoughts
As the healthcare industry becomes more digital and regulated, the stakes around data privacy have never been higher.
When you outsource your billing, you’re not just hiring a vendor—you’re choosing a guardian for your patients’ most sensitive data.
Dr. Arun Rajan, President & CEO of Emerald Health and a board-certified neurologist, leads our team with a deep understanding of clinical care and operational excellence. Our goal is simple: help practices run more efficiently—without compromising on compliance. https://emeraldhealthllc.com/
Avoid common misconceptions about HIPAA compliance. Learn the critical steps needed to avoid Chiropractor HIPAA violations and fines. Many chiropractor practices think the Government SRA tool is all they need for their HIPAA risk assessment. Keep in mind, it does not include policies and procedures, therefore you must create your own. Also, many chiropractic practices are members of a group that supply a “HIPAA Binder”. Again, most of these groups do not include policies and procedures. Without proper documentation, a chiropractic practice can be assessed with HIPAA violations and fines.
Another common misconception is that small practices believe they are too small to attract attention from the Office for Civil Rights (OCR). In reality, it takes just one patient complaint, a dissatisfied employee, or a data breach to initiate an audit. Remember, once an investigation begins, the OCR will examine your entire HIPAA compliance program — not just the specific incident in question.
Lastly, many organizations think HIPAA can be a once and done process. This can cost you $$$$$$ in fines! HIPAA requires every organization that is involved with patient data to document their ongoing compliance efforts.
Here are a few examples of Chiropractic practices and some multi-specialty practices that have been fined:
Arkansas Chiropractic Clinics — $321,000 fine Two chiropractic clinics in Arkansas were fined a total of $321,000 after improperly disposing of patient records by dumping them in a public park, violating HIPAA’s privacy and secure disposal requirements.
Illinois Chiropractic Offices — Ransomware and data breach incidents Several chiropractic practices in Illinois experienced ransomware attacks, with ransom demands reaching up to $10,000. While specific OCR fines were not disclosed, these events highlight serious security lapses and the risk of significant penalties.
Stolen devices containing ePHI — $150,000 fine In a case not exclusive to chiropractic, a healthcare provider failed to update and secure outdated systems, leading to a malware breach and resulting in a $150,000 fine from the OCR.
Missing risk analysis — $50,000 fine Another provider, a clinic using mobile devices like tablets or iPads, was fined $50,000 for failing to conduct a risk analysis and implement appropriate security controls on mobile devices, a critical requirement for chiropractic offices using digital tools.
Privacy & Unauthorized Access Stories
Receptionist displaying PHI on a tablet At a chiropractic office, an iPad used for patient check-in accidentally showed other patients’ names and birthdates, resulting in a HIPAA privacy violation.
Chiropractor misusing patient address to send flowers In Colorado, a chiropractor accessed a patient’s medical record to obtain her address and sent her unsolicited flowers. This was widely viewed as a serious breach of patient privacy and another type of violation of the HIPAA privacy rule.
Ask yourself: How much of your hard-earned revenue are you willing to risk?
Remember, it only takes a single patient complaint or one disgruntled employee to prompt an investigation by the Office for Civil Rights (OCR). Once that happens, every aspect of your compliance program will come under scrutiny.
Ask yourself: Are you confident your documentation can stand up to that level of review? Most practices lack the required policies and documentation.
Are you ready to protect your practice? We are here to help you avoid common misconceptions about HIPAA compliance. Do you have the critical steps needed to avoid Chiropractor HIPAA violations and fines? Our online HIPAA Keeper™ includes all policies and procedures required under HIPAA. We also include patient and HIPAA documentation. When HIPAA rules are updated or added, we update our system to keep you up to date. Also, we are always improving our system to make sure users are aware of new threats and how to protect their organization.
Still not sure? Check out our video that explains our 7-Steps in the HIPAA Keeper™ or schedule a live demonstration to see for yourself how easy maintaining HIPAA compliance can be!
PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).
The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.
“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”
Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:
Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
Training its workforce members who have access to PHI on its HIPAA policies and procedures.
Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.
Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.
In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.
Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.
What to Do to Prevent a Breach
Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patient and organizational data.
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Integrate risk analysis and risk management into business processes regularly.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
In 2025 and beyond there are many HIPAA updates occurring in the healthcare arena. Staff education and patient privacy are front and center for the OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to the HIPAA Privacy Rule and the Security Rule.
Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
Reproductive healthcare and how you protect privacy (this may change).
Substance Abuse and Mental Health Services Administration updates.
A Patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major problem with complaints resulting in fines from $3,500 to over $250K.
New patient authorization attestation requirements.
The posting of estimated fee schedules may be required.
Information blocking guidelines, including a patient’s request for their records in the format of their choice.
Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
Language assistance notice (and staff training on the tools utilized).
Conscience rights notice.
Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.
The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.
Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:
understanding how to identify phishing attempts,
using strong passwords, and
using multi-factor authentication wherever it is offered.
Data security proposed changes:
Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes written procedures for restoring electronic information systems and data within 72 hours, and specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify, at least annually, that their BAs have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind, every entity that handles ePHI, including subcontractors of BAs, must already comply with the HIPAA Security Rule; what is new here is the required yearly review and verification.
Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure, and to maintain an asset inventory and a network map that illustrates how ePHI moves through the organization’s environment. Knowing where ePHI lives and flows is already expected under the HIPAA Security Rule, but the proposed rule would require the inventory and map to be kept current on an ongoing basis, or at least once a year. Providers would also need to review their Security Incident Response Plans and document how employees are to report suspected or known security incidents and how the entity will respond.
Medical practices would need to run anti-malware/anti-virus protection on all systems, including those used by remote users, perform vulnerability scanning at least every six months, and conduct penetration testing at least once a year.
Healthcare providers would need to update legacy systems, since outdated, unsupported software is seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software.
ePHI would need to be encrypted both at rest and in transit, multi-factor authentication (MFA) would be required, and continuous network monitoring would be needed to detect threats in real time.
Keep in mind, cyber-security is essential for patient privacy and safety.
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.
Although these proposed changes are still being negotiated, the best practice for every entity that handles patient data is to conduct a system-wide risk analysis and review how data flows in and out of your network. Once that is known, you can address cyber-security for your particular network. There is no one size that fits all. This is where you need a partner that specializes in data security, not an average IT company. It sounds like a lot of work, but not when you have the right partners in place.
Summary
Our HIPAA Keeper™ online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!
“Simplifying HIPAA through Automation, Education, and Support”
Feel free to share this blog with your colleagues. We want to educate as many practices as we can, since HIPAA violations can be expensive.
In today’s digital age, scams and hackers have become increasingly sophisticated, targeting individuals and businesses alike with tactics that are harder to detect and easier to fall for. From phishing emails and fake websites to ransomware attacks and identity theft, the threats are constantly evolving. As our reliance on technology grows, so does the importance of understanding how these cybercriminals operate and what steps we can take to protect ourselves. This article dives into the world of online scams and hackers, uncovering their methods, motivations, and most importantly, how to stay one step ahead.
Facebook Scammer
One of the recent disruptors is when your Facebook account is hijacked, you are locked out of it, and you can’t remove the scammer’s post. This has happened to more than one of my friends. This is what it sounds like:
They state they need to sell personal items for a family member who is going into a care facility or has a medical condition. They list SEVERAL valuable items at very low prices and ask for a “REFUNDABLE” deposit to hold an item until they “return” and you have a chance to inspect it. They state they will be out of town for a couple of weeks and are sad to have to clear out the home of this beloved person. They restrict comments so you can’t warn anyone about the scam. They ask interested people to contact them through Messenger, where they give you a Zelle account. Keep in mind, a Zelle payment CANNOT be reversed, so you are at the mercy of a scammer to return your deposit, which they WILL NOT. Think about this: the people “purchasing” these items believe they are buying from YOU.
For those who are looking to buy from Facebook (or any other online platform) always remember, if a price is too good to be true, it probably is! NEVER Zelle or Venmo anyone you do not know, or for something like this. Insist on going to look at the items in person BEFORE any transaction is made. If they refuse, it is a scam.
Since the major data breach involving roughly 4 billion records, this information has been sold on the dark web. It includes EVERYTHING needed to impersonate another person. We already sent this warning out last year, but feel the need to repeat it:
Change passwords
Change answers to security questions
Enable multi-factor authentication on every account that offers this
Make sure the cell phone or email account used to receive the second factor is itself secured with multi-factor authentication. Otherwise, if an attacker takes over that account, they will receive the “second” authentication code instead of you.
Bank / Credit Card Scams
Scammers can spoof your bank’s phone number so the call appears to come from the bank. When they call, they will say there has been a suspicious charge on your account. They will already have your card number, your address, everything EXCEPT the security code on the back of your card. If they ask you to read them that code to “verify” your identity, they are a scammer.
If you receive a text message or email from your “bank” describing the same situation or asking you to verify your account, do not click on any links in it. Call your bank using the number you already have, or log in by typing the bank’s address into your browser yourself.
Never say “Yes”
When a person calls you and asks, “Can you hear me?”, never say yes. They may be recording you so they can make false purchases. Instead, reply, “Why are you asking?” If they ask, “Is this Sally Smith?”, ask them, “Why are you asking?” This happened to me a couple of weeks ago. They said, “We are offering a free subscription for your type of industry. Would you like a free subscription?” I asked what kind of industry they were offering. They said they have many different industries. I replied, “BUT you said you had a subscription in MY industry.” They hung up!
Jury Duty / Arrest Warrant
These scammers threaten you with arrest if you do not pay the “fee” for missing jury duty or an outstanding ticket. They typically ask for a gift card, but with all the new scammers using Zelle, I am sure that will be next.
Investment Scams
With all the talk about crypto being the next big thing, scammers are trying to capitalize on it. These scams usually start with someone on social media offering to show you how to invest in cryptocurrencies. Again, if something sounds too good to be true, it probably is. Warning signs include guaranteed big returns, “no risk,” and requests for money to be wired or sent through Zelle or a similar app.
Renewal / Update Payment Scams
We see many of these emails and text messages targeting consumers, impersonating commonly used stores and banks. They use the store or bank logo and add some sort of subscription ID or the last four digits of a credit card. Check your own renewal date and credit card information; they are betting you won’t check and will just click. The link in the email or text may download malware or lead to a fake URL designed to capture your login credentials. They also include an “unsubscribe” link at the bottom to make the message look real. Sometimes a link really does go to the store; other times it takes you to a “fake” site and asks for your login credentials.
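The link check described above can be automated for an email body. The following Python is an added example, not code from this post or from Aris Medical Solutions. It assumes a short list of domains the real store or bank actually uses (the placeholder names examplestore.com and examplebank.com) and a constructed sample email; it extracts each link, compares the real destination against that list, flags brand names buried inside an unrelated domain, and flags links whose visible text shows a different address than where the link really goes.

```python
"""Flag likely credential-phishing links in a 'renewal notice' email."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the real store/bank uses. Placeholder names.
LEGIT_DOMAINS = {"examplestore.com", "examplebank.com"}

# Constructed sample email: one real link, two lures, one real unsubscribe.
SAMPLE_EMAIL = """
<p>Your ExampleStore renewal failed for the card ending in 4242.</p>
<a href="https://examplestore.com/account">Manage subscription</a>
<a href="https://examplestore.com-billing-update.net/login">https://examplestore.com/billing</a>
<a href="http://secure-examplebank.verify-account.top/signin">Verify your card</a>
<a href="https://examplestore.com/unsubscribe">Unsubscribe</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Naive: last two labels. Assumption: ignores multi-part TLDs (co.uk).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text, legit_domains=LEGIT_DOMAINS):
    """Return the reasons a link looks like a lure; empty list means clean."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return ["not an http(s) link"]  # javascript:, data:, mailto:, etc.
    rdom = registered_domain(host)
    if rdom in legit_domains:
        return []
    reasons = [f"destination domain {rdom} is not a known domain"]
    # Brand name used as a subdomain or hyphenated label of a stranger's domain,
    # e.g. examplestore.com-billing-update.net or secure-examplebank.x.top
    brand_words = {d.split(".")[0] for d in legit_domains}
    labels = host.lower().replace("-", ".").split(".")
    for brand in brand_words:
        if brand in labels and brand != rdom.split(".")[0]:
            reasons.append(f"brand name '{brand}' appears in {host} "
                           f"but the registered domain is {rdom}")
    # Visible text shows an address that differs from the real destination
    shown = text.lower().strip()
    if shown.startswith(("http://", "https://", "www.")):
        shown_url = shown if "://" in shown else "https://" + shown
        shown_host = urlparse(shown_url).hostname or ""
        if shown_host and registered_domain(shown_host) != rdom:
            reasons.append(f"visible text says {shown_host} but link goes to {host}")
    if parsed.scheme == "http":
        reasons.append("plain http link asking for a login")
    return reasons


def scan_email(html_body):
    """Map each suspicious href in the body to its list of reasons."""
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    flagged = {}
    for href, text in extractor.links:
        reasons = assess_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The registered-domain check is the one that matters most: a lure like examplestore.com-billing-update.net contains the real brand and even the string "examplestore.com", yet the domain that actually answers the request is com-billing-update.net. Hovering over a link, or pasting it into a tool like this, shows the real destination that the logo and subscription ID in the message are meant to distract you from.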
Job Posting Scams
This is common during the holidays when people are looking for extra money, but it can happen at any time. Scammers post jobs on social media sites, or contact you via email or text message, often opening by referring to an ad you supposedly answered. They may use a fake company or impersonate a well-known firm. They offer great pay, or state that the compensation will be far more lucrative than it really is. Sometimes they offer free gifts if you become a “mystery shopper.” Keep in mind, there are legitimate companies offering jobs; however, never pay for upfront training, interviews, lists of job openings, or mystery shopping opportunities.
Also, never accept a deposit from a company that then asks you to send back a portion of it.
Remember, legitimate companies do not ask for money from potential employees or salespeople.
What can you do?
If you encounter a scam, report it to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov. Although the FTC will not update you on the progress of your report, it shares this information with law enforcement to help with investigations. Together, we can help stop this criminal activity and warn others!
Feel free to share this with others. The world wide web (WWW) is the new wild wild west!
Stay safe and alert out there.