Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.
Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.
She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.
Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?
All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
Why It’s Important to Replace Windows 10 Pro Computers with Windows 11 Pro
Technology moves quickly, and operating systems are no exception. While Windows 10 Pro has been a reliable workhorse for many businesses, its time in the spotlight is coming to an end. Microsoft has officially announced that support for Windows 10 will end on October 14, 2025. This date marks a significant turning point for any organization still relying on Windows 10 Pro devices—and the clock is ticking.
1. End of Support Means End of Security Updates
Once support ends, Microsoft will no longer release security patches for Windows 10. That means any new vulnerabilities discovered after October 2025 will remain unpatched, leaving systems exposed to cyberattacks, ransomware, and data breaches. For businesses, especially those handling sensitive or regulated information, this creates serious compliance risks and potential legal liabilities.
2. Windows 11 Pro Delivers Enhanced Security
Windows 11 Pro is designed with modern threats in mind, incorporating advanced protections that go beyond what Windows 10 offers. These include:
Hardware-based encryption through TPM 2.0
Secure Boot to block unauthorized code at startup
Windows Hello for Business for stronger authentication
Microsoft Pluton Security Processor (on supported devices) for chip-to-cloud protection
These features help safeguard against today’s sophisticated cyberattacks and meet the stricter compliance requirements many industries now face.
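As an added example (not code from the original post), the following PowerShell script checks a Windows endpoint for the items listed above: Windows version and build, Pro versus Home edition, TPM 2.0 presence and Secure Boot state, and the days left until the October 14, 2025 end of support. It assumes it is run elevated on each machine and that the output CSV path is acceptable; it does not replace Microsoft's full compatibility check (CPU and memory requirements are not inspected).

```powershell
# Added example: Windows 10 -> Windows 11 Pro readiness check for one endpoint.
# Run as Administrator; Get-Tpm and Confirm-SecureBootUEFI require elevation.
$EndOfSupport = Get-Date '2025-10-14'   # Windows 10 end-of-support date from Microsoft

# Operating system: Windows 11 builds start at 22000.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$isWin11 = [int]$os.BuildNumber -ge 22000

# Edition: the point of the post is Pro, so flag Home ("Core") editions as well.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

# TPM: Get-Tpm reports presence/readiness; the WMI class exposes the spec version
# as a string such as "2.0, 0, 1.38". No TPM -> $null -> not TPM 2.0.
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
$tpm20   = [bool]$tpm.TpmPresent -and ($tpmSpec -like '2.0*')

# Secure Boot: the cmdlet throws on legacy BIOS machines, so treat that as "off".
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $false }

# Classify the machine for the phased replacement plan.
$action = if ($isWin11) { 'OK: already on Windows 11' }
          elseif ($tpm20 -and $secureBoot) { 'Candidate for in-place upgrade to Windows 11 Pro' }
          else { 'Replace hardware before end of support (no TPM 2.0 and/or Secure Boot)' }

$result = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    Build          = $os.BuildNumber
    Edition        = $edition
    IsWindows11    = $isWin11
    TpmPresent     = [bool]$tpm.TpmPresent
    TpmReady       = [bool]$tpm.TpmReady
    TpmSpecVersion = $tpmSpec
    Tpm20          = $tpm20
    SecureBoot     = [bool]$secureBoot
    DaysToEOS      = ($EndOfSupport - (Get-Date)).Days
    Action         = $action
}

$result | Format-List
# Append to a shared inventory file (path is an assumption; adjust for your environment).
$result | Export-Csv -Path "$env:TEMP\win11-readiness.csv" -NoTypeInformation -Append
```

Collecting the CSV from every endpoint gives the inventory needed to budget the phased replacement the post recommends.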
3. Performance and Productivity Gains
Windows 11 Pro isn’t just more secure—it’s faster and more efficient. It’s optimized for hybrid work, with better resource management, improved window snapping layouts, and integrated collaboration tools like Microsoft Teams Chat. These improvements can streamline workflows, reduce downtime, and help teams work more efficiently.
4. Compatibility with Modern Software and Hardware
As time passes, more software vendors will stop supporting Windows 10. New applications, updates, and drivers will increasingly be built with Windows 11 in mind, meaning Windows 10 systems could run into compatibility issues. Hardware manufacturers are already prioritizing Windows 11 drivers and firmware, ensuring better performance and stability on new devices.
5. Avoiding Costly “Last-Minute” Upgrades
Waiting until the deadline is risky: supplies of Windows 11 Pro-ready hardware could tighten as more organizations rush to upgrade. By planning now, you can budget for a phased replacement, avoid inflated prices, and ensure your team transitions smoothly without interruptions.
Windows 11 Home – Designed for everyday consumers, home users, and personal devices.
Windows 11 Pro – Built for business, professionals, and power users who need advanced security, networking, and management tools.
Summary:
Replacing Windows 10 Pro computers with Windows 11 Pro machines isn’t just about keeping up with technology—it’s about protecting your business from security threats, staying compliant, and giving your team the tools to work more effectively. With the end-of-support deadline approaching, the sooner you act, the safer and more prepared your organization will be.
As today’s healthcare organizations work to streamline operations and control administrative costs, outsourcing medical billing has emerged as a smart and efficient solution. However, while outsourcing medical billing can improve performance, it does not absolve you of your responsibility to protect patient data.
When third-party vendors handle patient information, ensuring HIPAA compliance becomes even more critical.
Whether you’re considering outsourcing for the first time or re-evaluating your current vendor, understanding how HIPAA impacts third-party billing is essential. In this post, we’ll break down what compliance really means, common risks to watch out for, and how choosing the right partner can make all the difference.
What Is HIPAA—and Why Does It Apply to Your Billing Vendor?
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patients’ medical information and ensure that it’s used and stored securely. Any person or organization that handles protected health information (PHI)—including third-party billing companies—is legally obligated to follow HIPAA rules.
Here’s the catch: Just because you outsource billing doesn’t mean you outsource responsibility.
If your vendor mishandles PHI, your organization can still face the consequences—ranging from steep fines to lawsuits and reputational harm.
How HIPAA Applies to Outsourced Medical Billing
Under HIPAA, billing vendors are considered Business Associates. That means they must implement the same level of data privacy and security protections as healthcare providers.
To stay compliant, your billing partner should:
Sign a Business Associate Agreement (BAA) with your organization
Encrypt patient data during storage and transmission
Monitor and restrict employee access to PHI
Provide regular HIPAA training to all staff
HIPAA compliance isn’t just a box to check—it’s a shared responsibility that protects both your practice and your patients.
Common HIPAA Pitfalls in Outsourced Billing
Even experienced practices can run into trouble if the billing partner isn’t on top of compliance. Some common red flags include:
Sending PHI over unsecured email or messaging platforms
Poor handling or storage of patient information
Staff who haven’t been trained on HIPAA guidelines
Delayed reporting of potential data breaches
Your vendor should be able to clearly explain how they protect PHI—and provide documentation to back it up.
How to Choose a HIPAA-Compliant Billing Partner
When you’re evaluating a medical billing partner, cost and turnaround time matter—but HIPAA compliance should be non-negotiable.
Look for a billing provider that offers:
Secure systems with two-factor authentication
Routine internal audits and risk assessments
A signed and current Business Associate Agreement (BAA)
HIPAA-trained staff who understand billing complexities
Clear, written policies for PHI access, storage, and disposal
Why It Pays to Work with a HIPAA-Compliant Vendor
Beyond just staying legal, partnering with a HIPAA-compliant billing company offers real business benefits:
Lower risk of data breaches and penalties
Fewer denied claims thanks to accurate submissions
Faster reimbursements and stronger cash flow
Peace of mind during audits or compliance reviews
Enhanced patient trust in your organization’s professionalism
How Emerald Health Keeps Your Practice Compliant
At Emerald Health Medical Billing, HIPAA compliance isn’t an afterthought—it’s the foundation of everything we do.
From insurance verification to payment posting, every process is built with data protection in mind. Here’s how we help safeguard your patients’ information:
End-to-end encryption of all communications
Role-based access controls and detailed audit logs
HIPAA-certified staff across every department
Real-time transparency through client dashboards
Zero-tolerance policy for non-compliance
Whether you’re a small clinic or a multi-location practice, our solutions are designed to support your growth and your peace of mind.
Final Thoughts
As the healthcare industry becomes more digital and regulated, the stakes around data privacy have never been higher.
When you outsource your billing, you’re not just hiring a vendor—you’re choosing a guardian for your patients’ most sensitive data.
Dr. Arun Rajan, President & CEO of Emerald Health and a board-certified neurologist, leads our team with a deep understanding of clinical care and operational excellence. Our goal is simple: help practices run more efficiently—without compromising on compliance. https://emeraldhealthllc.com/
Avoid common misconceptions about HIPAA compliance. Learn the critical steps needed to avoid Chiropractor HIPAA violations and fines. Many chiropractor practices think the Government SRA tool is all they need for their HIPAA risk assessment. Keep in mind, it does not include policies and procedures, therefore you must create your own. Also, many chiropractic practices are members of a group that supply a “HIPAA Binder”. Again, most of these groups do not include policies and procedures. Without proper documentation, a chiropractic practice can be assessed with HIPAA violations and fines.
Another common misconception is that small practices believe they are too small to attract attention from the Office for Civil Rights (OCR). In reality, it takes just one patient complaint, a dissatisfied employee, or a data breach to initiate an audit. Remember, once an investigation begins, the OCR will examine your entire HIPAA compliance program — not just the specific incident in question.
Lastly, many organizations think HIPAA can be a once and done process. This can cost you $$$$$$ in fines! HIPAA requires every organization that is involved with patient data to document their ongoing compliance efforts.
Here are a few examples of Chiropractic practices and some multi-specialty practices that have been fined:
Arkansas Chiropractic Clinics — $321,000 fine Two chiropractic clinics in Arkansas were fined a total of $321,000 after improperly disposing of patient records by dumping them in a public park, violating HIPAA’s privacy and secure disposal requirements.
Illinois Chiropractic Offices — Ransomware and data breach incidents Several chiropractic practices in Illinois experienced ransomware attacks, with ransom demands reaching up to $10,000. While specific OCR fines were not disclosed, these events highlight serious security lapses and the risk of significant penalties.
Stolen devices containing ePHI — $150,000 fine In a case not exclusive to chiropractic, a healthcare provider failed to update and secure outdated systems, leading to a malware breach and resulting in the fine from the OCR.
Missing risk analysis — $50,000 fine Another provider, a clinic using mobile devices like tablets or iPads, was fined $50,000 for failing to conduct a risk analysis and implement appropriate security controls on mobile devices. This is a critical requirement for chiropractic offices using digital tools.
Privacy & Unauthorized Access Stories
Receptionist displaying PHI on a tablet At a chiropractic office, an iPad used for patient check-in accidentally showed other patients’ names and birthdates, resulting in a HIPAA privacy violation.
Chiropractor misusing patient address to send flowers In Colorado, a chiropractor accessed a patient’s medical record to obtain her address and sent her unsolicited flowers. This was widely viewed as a serious breach of patient privacy and another type of violation of the HIPAA privacy rule.
Ask yourself: How much of your hard-earned revenue are you willing to risk?
Remember, it only takes a single patient complaint or one disgruntled employee to prompt an investigation by the Office for Civil Rights (OCR). Once that happens, every aspect of your compliance program will come under scrutiny.
Ask yourself: Are you confident your documentation can stand up to that level of review? Most practices lack the required policies and documentation.
Are you ready to protect your practice? We are here to help you avoid common misconceptions about HIPAA compliance. Do you have the critical steps needed to avoid Chiropractor HIPAA violations and fines? Our online HIPAA Keeper™ includes all policies and procedures required under HIPAA. We also include patient and HIPAA documentation. When HIPAA rules are updated or added, we update our system to keep you up to date. Also, we are always improving our system to make sure users are aware of new threats and how to protect their organization.
Still not sure? Check out our video that explains our 7-Steps in the HIPAA Keeper™ or Schedule a live demonstration to see for yourself how easy maintaining HIPAA compliance can be!
PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).
The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.
“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”
Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan, which OCR will monitor for two years, and has paid a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:
Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
Training its workforce members who have access to PHI on its HIPAA policies and procedures.
Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.
Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.
In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.
Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.
What can you do to prevent a breach?
Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patient and organizational data.
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Integrate risk analysis and risk management into business processes regularly.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to the organization and job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.
In 2025 and beyond there are many HIPAA updates that are occurring in the healthcare arena. Staff education and patient privacy are front and center of the OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to the HIPAA privacy rule and the security rule.
Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
Reproductive healthcare and how you protect privacy (this may change).
Substance Abuse and Mental Health Services Administration updates.
A Patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major problem with complaints resulting in fines from $3,500 to over $250K.
New patient authorization attestation requirements.
The posting of estimated fee schedules may be required.
Information blocking guidelines, including a patient’s request for their records in the format of their choice.
Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
Language assistance notice (and staff training on the tools utilized).
Conscience rights notice.
Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.
The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.
Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:
understanding how to identify phishing attempts,
using strong passwords, and
implementing multi-factor authentication.
Data security proposed changes:
Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes requiring written procedures for restoring electronic information systems and data within 72 hours, and adding specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify that their BAs have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind, all entities involved with ePHI must comply with the HIPAA Security Rule, including subcontractors of BAs; this enhancement refers to reviewing/auditing every year.
Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure, and to maintain an asset inventory and a network map that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA Security Rule, but the proposed rule would require it to be updated on an ongoing basis, or at least once a year. They would also need to review their Security Incident Response Plans and document how employees are to report suspected or known security incidents and how the entity will respond.
Medical practices would need to utilize anti-malware/anti-virus systems, including for remote users, and would be required to perform vulnerability scanning every 6 months and penetration testing once a year.
Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software.
ePHI would require higher levels of encryption both at rest and in transit and multi-factor authentication (MFA) will need to be utilized, along with continuous network monitoring to detect threats in real time.
Keep in mind, cyber-security is essential for patient privacy and safety.
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.
Although these proposed changes are being negotiated, the best practice is for all entities involved with patient data to conduct a system-wide risk analysis and review how data flows in and out of the network. Once this has been determined, you can address cyber-security for your particular network. This is not one size fits all. This is where you need a partner that specializes in data security and not an average IT company. This sounds like a lot of work, but not when you have the right partners in place.
Summary
Our HIPAA Keeper™ online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!
“Simplifying HIPAA through Automation, Education, and Support”
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since HIPAA violations can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.
In today’s digital age, scams and hackers have become increasingly sophisticated, targeting individuals and businesses alike with tactics that are harder to detect and easier to fall for. From phishing emails and fake websites to ransomware attacks and identity theft, the threats are constantly evolving. As our reliance on technology grows, so does the importance of understanding how these cybercriminals operate and what steps we can take to protect ourselves. This article dives into the world of online scams and hackers, uncovering their methods, motivations, and most importantly, how to stay one step ahead.
Facebook Scammer
One of the recent disruptors is when your Facebook account is hijacked, you are locked out of your account, and you can’t remove the post. This has happened to more than one of my friends. This is what it sounds like:
They state they need to sell personal items for a family member due to the family member going to a care facility or having a medical condition. They list SEVERAL valuable items at very low cost, and ask for a “REFUNDABLE” deposit, to hold until they “return” and you have a chance to inspect the item. They state they will be out of town for a couple of weeks and are sad to have to clear out the home of this beloved person. They restrict comments, so you can’t warn anyone about this scam. They ask interested people to contact them through Messenger, where they will give you a Zelle account. Keep in mind, this transaction CANNOT be reversed, and you are at the mercy of a scammer to return your deposit, which they WILL NOT. Think about this: the people who are “purchasing” these items think they are buying from YOU.
For those who are looking to buy from Facebook (or any other online platform) always remember, if a price is too good to be true, it probably is! NEVER Zelle or Venmo anyone you do not know, or for something like this. Insist on going to look at the items in person BEFORE any transaction is made. If they refuse, it is a scam.
Since the major data breach of 4 billion people, this information has been sold on the dark web. This information includes EVERYTHING needed to impersonate another person. We already sent this warning out last year, but feel the need to repeat…
Change passwords
Change answers to security questions
Enable multi-factor authentication on every account that offers this
Make sure your cell phone or email account that is used for the second authentication is secured with multi-factor authentication. Otherwise, if they hack this account, they will receive the “second” authentication instead of you!
Bank / Credit Card Scams
Scammers can spoof your bank’s phone number. When they call, they will say there has been a suspicious charge on your account. They will have your card number, your address, everything EXCEPT the security code on the back of your card. If they ask you to read them that code to “verify” your identity, they are a scammer.
If you receive a text message or email from your “bank” referring to the same situation or asking you to verify your account, do not click on any links in it. Call your bank at the number you already have, or log in from your browser.
Never say “Yes”
When a person calls you and asks, “Can you hear me?”, never say yes. They may be recording you so they can make false purchases. Instead, reply, “Why are you asking?” If they ask, “Is this Sally Smith?”, ask them, “Why are you asking?” This happened to me a couple of weeks ago. They said, “We are offering a free subscription for your type of industry, would you like a free subscription?” I asked, “What kind of industry are you offering?” They said, “We have many different industries.” I replied, “BUT you said you had a subscription in MY industry.” They hung up!
Jury Duty / Arrest Warrant
These scammers threaten you with arrest if you do not pay the “fee” for missing jury duty or an outstanding ticket. They typically ask for a gift card, but with all the new scammers using Zelle, I am sure that will be next.
Investment Scams
With all the talk about crypto being the next big thing, scammers are trying to capitalize on this. These scams usually start off with someone on social media offering to show you how to invest in cryptocurrencies. Again, if something sounds too good to be true, it probably is. Warning signs include guaranteed big returns, no risk, and a request for money to be wired or sent through a Zelle-type system.
Renewal / Update Payment Scams
We see many of these emails and text messages targeting consumers, impersonating commonly used stores and banks. They use the store/bank logo and add some sort of subscription ID or the last 4 digits of a credit card. Check your own renewal date and credit card information. They are betting you won’t check and will just click. When you click on the link within the email/text, it could deliver a virus or lead to a fake URL designed to capture your login credentials. They also include an “unsubscribe” link at the bottom to make the message look real. Sometimes the link really is connected to the store; other times it will take you to a “fake” site and ask for your login credentials.
Job Posting Scams
This is common during the holidays when people are looking for some extra money, but it can happen at any time. They post jobs on social media sites, or sometimes they will contact you via email or a text message. The message usually starts off by referring to an ad you answered. They may use a fake company or impersonate a well-known firm. These scammers offer great pay or state the compensation will be much more lucrative than it really is. Sometimes they offer free gifts if you are a mystery shopper. Keep in mind, there are legitimate companies offering jobs; however, never pay for upfront training, interviews, lists of job openings, or mystery shopping opportunities.
Also, never accept a deposit from a company when they ask you to send back a portion of it.
Remember, legitimate companies do not ask for money from potential employees or salespeople.
What can you do?
If you receive a scam, report it to the FTC (Federal Trade Commission). Although they will not update you on the progress of your report, they share this information with law enforcement to help with investigations. Together, we can help stop this criminal activity and warn others!
Feel free to share this with others. The world wide web (WWW) is the new wild wild west!
Stay safe and alert out there.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.
The Health Insurance Portability and Accountability Act (HIPAA) has long served as a cornerstone in protecting the privacy and security of individuals’ health information. As digital technology continues to evolve, so do the ways in which health data can be collected, shared, and potentially exposed. Recently, there have been significant updates concerning the use of online tracking technologies—such as cookies, web beacons, and pixels—particularly when used by HIPAA-covered entities and their business associates. These updates clarify how existing HIPAA regulations apply in the digital landscape, emphasizing the need for transparency, patient consent, and robust safeguards when handling protected health information (PHI) online.
These updates may be good news for healthcare
A federal judge in Texas ruled that HHS guidance treating the use of third-party online tracking technologies on hospitals’ public-facing web pages as unlawful exceeded the agency’s authority. District Judge Mark Pittman sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System, finding that the Department of Health and Human Services overstepped its authority with the 2022 guidance.
The lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority. Also, it calls for the portion of OCR’s guidance addressing unauthenticated web pages to be invalidated.
This past March, HHS updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for protected health information (PHI) disclosures. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in his ruling.
Keep in mind that this milestone verdict was won by hospitals and larger entities, which have more financial strength than small to medium-sized practices.
HHS / OCR backtracks and updates guidance
On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released updated guidance on the use of online tracking technologies by HIPAA-covered entities and their business associates. This update clarifies how HIPAA applies to tools like cookies, pixels, and web beacons used on websites and mobile apps.
Key Points from the Updated Guidance:
Definition of PHI in Online Tracking: OCR emphasizes that individually identifiable health information (IIHI) collected through tracking technologies is considered protected health information (PHI) under HIPAA. This includes data such as IP addresses, device identifiers, and browsing behavior when linked to an individual’s health care or payment for health care. Even if the individual does not have an existing relationship with the entity, such information is still regarded as PHI.
Use on Authenticated and Unauthenticated Webpages: The guidance distinguishes between authenticated webpages (requiring user login) and unauthenticated webpages. For authenticated pages, any tracking technology that collects PHI must comply with HIPAA regulations. For unauthenticated pages, if the information collected can be linked to an individual’s health care or payment, it is also considered PHI.
Business Associate Agreements (BAAs): Disclosing PHI to third-party tracking technology vendors without a valid HIPAA authorization or a business associate agreement (BAA) is considered a HIPAA violation. Entities must ensure that any sharing of PHI complies with HIPAA’s Privacy Rule requirements.
Enforcement and Compliance: OCR has indicated that it will prioritize compliance with the HIPAA Security Rule in investigations related to online tracking technologies. Covered entities are advised to conduct thorough risk assessments, train staff, and implement appropriate technical safeguards to ensure compliance.
This updated guidance underscores the importance of safeguarding PHI in the digital realm. HIPAA-regulated entities must carefully assess their use of online tracking technologies, ensuring compliance with privacy regulations to protect patient information.
Google Analytics
Removing Protected Health Information (PHI) from Google Analytics is a critical step for HIPAA-covered entities to ensure compliance with privacy regulations. Since Google Analytics is not a HIPAA-compliant service and does not sign Business Associate Agreements (BAAs), any transmission of PHI through its platform constitutes a HIPAA violation. To avoid this, organizations must take proactive measures to prevent PHI—such as names, IP addresses, medical conditions, appointment details, or any data that can be tied to an individual’s health—from being captured by tracking scripts. This often involves disabling data collection on sensitive pages, using robust filtering techniques to scrub URLs of identifiable information, and configuring analytics tools to anonymize IP addresses and exclude user-specific identifiers.
By auditing their tracking implementations and employing privacy-centric alternatives, healthcare organizations can maintain valuable analytics insights without compromising patient privacy.
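The measures above (skipping sensitive pages, scrubbing URLs, never reporting user-level identifiers) can be enforced at the page before any tag runs. The following is an added example written for this post, not the author's code and not Google's API; the path patterns, the sample URLs and the tag URL are constructed placeholders.

```javascript
// Added example (not the author's code and not a vendor API): a page-side guard
// that decides whether an analytics tag may load at all and, if so, which page
// path it may report. Patterns and sample values are constructed.

// Constructed: areas of a practice site where the visit itself reveals
// health-related intent (portal, scheduler, billing, condition pages).
const SENSITIVE_PATH_PATTERNS = [
  /^\/patient-portal(\/|$)/i,
  /^\/appointments?(\/|$)/i,
  /^\/schedule(\/|$)/i,
  /^\/billing(\/|$)/i,
  /^\/conditions\//i,
];

// Path segments that look like a record number, an email address, or a UUID.
const IDENTIFIER_SEGMENT =
  /^(\d{4,}|[^/]*@[^/]*|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

function isSensitivePage(pathname) {
  return SENSITIVE_PATH_PATTERNS.some((re) => re.test(pathname));
}

// Returns a path that is safe to report: the query string and fragment are
// dropped entirely (they frequently carry names, emails and appointment ids)
// and identifier-like path segments are replaced with a placeholder.
function scrubPath(urlString) {
  const url = new URL(urlString);
  return url.pathname
    .split('/')
    .map((seg) => (IDENTIFIER_SEGMENT.test(seg) ? '[redacted]' : seg))
    .join('/');
}

// Central decision: either no tag at all, or a tag fed only the scrubbed path.
// IP anonymisation and the removal of user-level identifiers are tag-side
// settings (see your vendor's documentation); this guard only controls what
// the page hands over.
function decideTracking(urlString) {
  const url = new URL(urlString);
  if (isSensitivePage(url.pathname)) {
    return { load: false, reason: 'sensitive page: no tracking tag loaded' };
  }
  return { load: true, pagePath: scrubPath(urlString) };
}

// Browser wiring (assumed pattern, not a vendor API): inject the tag script
// only when allowed, and expose the scrubbed path for the tag to report in
// place of window.location. Skipped when not running in a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const decision = decideTracking(window.location.href);
  if (decision.load) {
    window.reportedPagePath = decision.pagePath; // hand this to the tag's page-path setting
    const tag = document.createElement('script');
    tag.async = true;
    tag.src = 'https://example.invalid/tag.js'; // placeholder for your vendor's tag URL
    document.head.appendChild(tag);
  }
}
```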
Analytics Alternatives
There are some Google Analytics alternatives, but not all of them publish prices. When searching for these services, be very careful. Nefarious characters will try to trick you with a service that sounds too good to be true. Criminals are looking for new ways to gain access to patient data.
Let us know if you would like us to review any particular service or if you have any questions. We are here to help!
Feel free to share this article with your colleagues. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Most people in healthcare have been affected by the Change Healthcare cyberattack. Scams have hit a new level, and you must be more diligent than ever before. Scams can be spotted, but you must look closely, and a scam can quickly turn into a data breach. I recently conducted a HIPAA security officer training and reminded the attendees of some of the threats that can destroy your computer systems, both at work and at home. I watched “The Beekeeper” over the weekend, and it made me change our Security Notification for this month. If you like action-packed, good-guy-gets-even movies, this is a great one. It is about an email scam and revenge. If you are a Jason Statham fan, you will like it!
Here is the scenario:
Your computer displays a huge alert saying it is locked, you have been hacked, and your email, bank accounts, passwords, etc. have been compromised. It gives you a phone number for the “help desk”. You call the number, and they “help” themselves by emptying your bank account. Don’t call the number they give you; look it up yourself. DO NOT use a customer service or help desk number from a sponsored ad: some scammers pay for an ad to get to the top of Google. Most times you just need to reboot to clear the screen. DON’T click on anything in the warning. It is best to contact your IT company first. If you are at home and can’t get in touch with someone, you may need to use Ctrl, Alt, Delete to shut your computer down, then run a virus scan when you boot back up. Whatever you do, do not pay anyone anything until you verify the validity of the situation!
Scams in text messages:
There are many versions of this scam; they also come as text messages and voice mails. Scams are hitting new levels every day. Some want you to click on a link, others want you to call the number they provide. Never click on a link or call the number listed in the text until you verify the text is valid.
Other email scams:
We have been saying for years: DO NOT CLICK ON LINKS. When you receive an email from your bank, the IRS, the post office, FedEx, etc., look closely at the “from” email address. Many times you can spot the fake address; it could be something as simple as an extra “.” in the address. Also check who it is addressed to; sometimes it is someone else. They do this so you will reply to let them know they have the wrong person. Again, this is a tactic scammers use to see if you will answer. If there is a link they want you to click on, hover over it instead. It may take you to a completely different site. This could infect your computer, or it could look like the site you expected, only to lure you into entering your login credentials.
Phone call scams:
Scammers can spoof legitimate agencies like the power company, IRS, and even the police department. Never pay for any “immediate” requirements. This includes the threat of your power being shut off, IRS payment due, or paying a penalty for missing jury duty. These are just SOME of the examples these criminals are using.
Online marketplaces:
Scammers also target people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding their lost pet.
These scammers contact you and say they want to buy the item you’re selling — or that they found your pet. However, before they commit to buying, or returning your pet, they typically say they’ve heard about fake online listings and want to verify that you’re a real person. Or they might say they want to verify that you’re the pet’s true owner.
They send you a text message with a Google Voice verification code and ask you for that code. If you give them the verification code, they’ll try to use it to create a Google Voice number linked to your phone number. (Google Voice gives you a phone number that you can use to make calls or send text messages from a web browser or a mobile device.) The scammer might use that number to rip off other people and conceal their identity.
Sometimes these scammers are after a Google Voice verification code and other information about you. If they get enough of your information, they could pretend to be you to access your accounts or open new accounts in your name.
No matter what the story is, don’t share your Google Voice verification code — or any verification code — with someone if you didn’t contact them first. That’s a scam, every time. Report it at ReportFraud.ftc.gov.
What can you do?
When you receive a scam email, text, or phone call, call your bank or the company being impersonated to advise them of what happened. If they are doing this to you, they are doing it to MANY others. You can also report it to the Federal Trade Commission (FTC). The FTC does not resolve individual reports, but your report will be entered in the FTC’s Consumer Sentinel database and will be available to federal, state, and local law enforcement across the country.
If someone has clicked a link or opened an attachment that downloaded harmful software:
Contact your IT department to update your computer’s security software.
They will run a scan and delete anything it identifies as a problem.
If you think a scammer has your information, like your Social Security, credit card, or bank account number:
Go to identitytheft.gov for steps you can take based on what kind of information was lost or exposed.
If you gave your username and password to a scammer:
Change your password right away. If you use the same password for other accounts or sites, change it there, too.
If someone calls and offers to “help” you recover money you have already lost:
Don’t give them money or personal information. You are probably dealing with a fake refund scam.
Scammers are getting bolder and more brazen. It is up to us to stay diligent and to stay safe.
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.
Hacking/IT incidents remain the largest category, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals, at 58% of reported large breaches.
Many of these start with an unsuspecting employee who clicks on a link or shares information before it has been verified. Most attacks begin with a phishing email, a text, or a visit to a website. Once this occurs, many times you are infected with a virus, malware, or ransomware. When this happens, your systems may be frozen, and a DOS (denial of service) begins. Let’s review how to prevent a data breach:
Emails:
What might a fake email look like? First, they are going to look “real” until you take a closer look. Pay attention to the “from” email address; this is the most common place to start. Most email addresses will have a name you are familiar with, but the domain will be different. For example: sally@email.bankofamerica.com. So, look for anything that is “slightly” different. Then, if they want you to click on a link, hover over the link to see if it really goes where they are proposing. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list, and I hovered over the link. It was to a completely different website. I reviewed the message details and looked up the IP address; it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.
Text Messages:
Text messages are somewhat the same. Look at the top of the message and review who it is from. Most of these will be from a phone number or an email address that does not belong to the actual company. NEVER click on any link or call the number in the message. If you receive a message about a purchase and it states you must click to decline, DON’T! Call your bank or credit card company to verify. You must be very diligent with these messages; they try to spoof your bank or card company’s email address by adding something like this: stop@fraud.bankofamerica.com.
Websites:
Websites can be infected with malware, a virus, or redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to comprehend since we all like to “surf” the web. Many recipe sites have been known to have malware since people do not maintain security on older sites. If you are going to surf, you MUST have very good anti-virus / anti malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!
Man-in-the-middle:
Another type of threat is when information is intercepted without a person’s knowledge; this is commonly referred to as a “man in the middle” attack. When a person uses a public wi-fi system, a nefarious character can spoof a legitimate connection and steal information. Depending on the type of activity, a virus or malware could be placed on the device and brought back into the office. This could in turn infect your network.
Zero-day attacks:
Then, there are zero-day exploits that happen when hackers uncover a vulnerability in a system and attack. These are usually widespread and can be all over the world. Developers must work fast to create a patch to correct this deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network.
Ransomware attacks are a real problem, and not just for healthcare but for everyone. They have gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.
The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.
“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”
The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:
OCR received 30,435 new complaints alleging violations of the HIPAA Rules
OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Common online tracking technology that could lead to a HIPAA violation should be at the top of every healthcare provider’s “must know” list.
I probably sound like a broken record by now, however, this is a VERY important topic! Many states are implementing their own set of privacy rules and using online tracking is dangerous in healthcare.
Here is a refresher on what online tracking technology is. Tracking technology collects data from website visitors and, many times, follows that visitor around the internet. It serves an important purpose for the website owner: it can give them useful information about what a visitor is looking for, how long they stay on a page, and where they go after they leave your site. In the business world, that sounds harmless; marketers are just trying to make websites more appealing and increase revenue. In the healthcare field, it can be considered a HIPAA violation. Most medical practices do not even know these trackers are on their website. It is extremely important to audit your website and make sure the company you use for maintaining your website, marketing, and hosting understands HIPAA.
There are dozens of trackers, but we will cover the most common that we have encountered:
Google
Google Analytics
Google Ads
Google Maps
HotJar
HubSpot
YouTube
Vimeo
LinkedIn
TheTradeDesk
The most common of all trackers is Google. They have a few different “versions”, like Google Analytics, Google Ads, and Google Maps. You need to understand how these work, because all of them can lead to problems: these trackers are not HIPAA compliant. Google Analytics collects personal identifiers about your website visitors by default. Google Ads follows visitors around the internet. If you find “doubleclick” in any part of a URL, that is also related to Google Ads! There are others, but this is the most common one marketers use to track sales conversions. Google Maps, of course, tracks where the visitor is located in order to route them to your location. This could be a violation if it is located on the same page as a scheduler or portal. You may be in the clear if there isn’t any other health information located on that page, but caution should be used with Google Maps. Many practices simply write out directions from common intersections or nearby towns.
Please note that even if the individual visiting your website is NOT a patient, the OCR considers them a potential patient who may become a patient at some point in the future, and therefore their data could be considered PHI. The OCR and the FTC have specifically stated that Google Analytics and Google Ads can cause HIPAA violations. You will need to remove the information that is collected BEFORE it is shared with Google, or you must use a third party to prevent Google from having access.
Hotjar is a Google competitor and states it is easier to use. It offers two types of analytics tools: heatmaps and session recordings. It offers a “free” version, but remember that when a service is free, you are usually the item for sale. Although Hotjar promotes that it does not collect IP addresses and emails, it is unclear whether it collects any other personal data. It advises new users to log in to their Google account to get started, so that is a red flag for us.
HubSpot is popular because it is a CRM that is linked to your website. They state they have robust security in place, but they will not sign a BA agreement; therefore, they are not HIPAA compliant. Their terms of service state that healthcare entities should NOT use HubSpot. We have read that it can be made HIPAA compliant, but this would still put you on notice with the OCR and FTC.
Since Google owns YouTube, this is another platform that sets off alarm bells. Many practices use video on their website that is hosted on YouTube. The video could contain PHI, and then YouTube would have access to personal identifiers. Unfortunately, this also means you are sharing PHI with Google. Again, this is a HIPAA violation. You may be able to have the patient sign an authorization that details what information is going to be shared, and explain that, even if they later decide they want it removed, the original information may be retained online indefinitely. This is a slippery slope, though.
Speaking of videos, this brings me to Vimeo, another video hosting platform. They have several “versions”, so just be aware of any URL that has Vimeo in it. Keep in mind that these embedded videos collect user information, just as YouTube does, and share it with Vimeo. The same precautions must be applied.
If you must use videos, it is recommended to find an alternative hosting platform that will sign a BA agreement. I know this could be a long process, but you need to be sure patient data is not being shared!
Facebook is another one we have seen a lot on medical websites. It is another entity known to share information across multiple platforms. Meta, the parent company of Facebook, uses a pixel as its tracking device. The “Meta Pixel” is a small piece of code used to track information across Facebook, Instagram, and any other systems they choose. Have you ever been on one platform, only to see ads on another about something you watched or read? Meta pixels track visitor actions, and this helps put ads in front of similar visitors to improve advertising conversions. The OCR and FTC have also named Meta/Facebook as being non-compliant.
LinkedIn has been known as a professional platform, and many healthcare providers have chosen to have a presence on LinkedIn over Facebook. They too use a tracker; this one is called the “Insight Tag”. They have several different URLs, but they all use trackers. This tracker has the ability to follow LinkedIn users on your website and monitor what pages are viewed and whether any actions are taken. Originally, this was intended for visitors looking for a job. If it is placed properly, and no health information is located on that page, the risk of a violation is low. Make sure this tracker is not installed across your entire website. It works like the rest of the social media trackers and puts you at risk of violations if not installed properly.
The TheTradeDesk tracker is difficult to spot since some of their URLs do not use this name. Watch for adsrvr in the URL. They call their tracker the “Universal Pixel” since it allows advertisers to target users on digital platforms, streaming devices, and podcasts. This platform collects a lot of data from your website, including demographics, browsing history, and even conversion stats. All of this can lead to PHI being shared with them. It is not recommended to use this platform if you are a healthcare provider, since they can load other ad pixels randomly on your website. This puts your practice at even greater risk of a HIPAA violation.
None of these platforms will sign a Business Associate Agreement (BAA). I have heard of a company that can help with all of this, but they are not affordable for many providers. If you would like information about them, please contact us. I will continue to search for alternatives so you can still market your practice without fear of HIPAA violations. Until then, we recommend removing all trackers.
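Auditing a site for the trackers named above can be started with a static check of each page’s HTML. The following is an added example written for this post, not the author’s tooling; the signature list is built from the services named above plus hostnames those services are known to serve from, and the three sample pages are constructed.

```javascript
// Added example (not the author's tooling): a static audit of one HTML page that
// lists the third-party trackers it loads and flags pages that also carry
// health-related content, where the post says the exposure is worst.
// Signatures: services named in the post plus hostnames they are known to use;
// extend the list for your own site. Sample pages below are constructed.

const TRACKER_SIGNATURES = [
  { name: 'Google Analytics / Tag Manager', re: /google-analytics\.com|googletagmanager\.com/i },
  { name: 'Google Ads (DoubleClick)', re: /doubleclick|googleadservices\.com/i },
  { name: 'Google Maps embed', re: /google\.com\/maps|maps\.googleapis\.com/i },
  { name: 'Hotjar', re: /hotjar\.com/i },
  { name: 'HubSpot', re: /hubspot\.com|hs-scripts\.com|hsforms\.net/i },
  { name: 'YouTube embed', re: /youtube(-nocookie)?\.com\/embed|youtube\.com\/iframe_api/i },
  { name: 'Vimeo embed', re: /vimeo\.com/i },
  { name: 'LinkedIn Insight Tag', re: /licdn\.com|linkedin\.com\/px/i },
  { name: 'Meta Pixel', re: /connect\.facebook\.net|facebook\.com\/tr/i },
  { name: 'TheTradeDesk Universal Pixel', re: /adsrvr/i },
];

// Words suggesting the page itself reveals something about a visitor's care
// (scheduler, portal, condition pages). Constructed list; tune for your site.
const SENSITIVE_CONTENT =
  /appointment|schedul|patient portal|prescription|symptom|diagnos|treatment|\bcondition/i;

// Resource-loading tags fetch from the third party on every visit. Plain
// <a href> links do not fire until clicked and are deliberately not counted.
const LOADING_TAG = /<(script|iframe|img|link)\b([^>]*)>/gi;
const SRC_ATTR = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i;
const INLINE_SCRIPT = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const URL_IN_TEXT = /(?:https?:)?\/\/[^\s"'<>()]+/g;

function collectResourceUrls(html) {
  const found = [];
  for (const m of html.matchAll(LOADING_TAG)) {
    const attr = SRC_ATTR.exec(m[2]);
    if (attr) found.push({ tag: m[1].toLowerCase(), url: attr[1] });
  }
  // Loader snippets often build the tracker URL inside inline JavaScript.
  for (const m of html.matchAll(INLINE_SCRIPT)) {
    for (const u of m[1].match(URL_IN_TEXT) || []) found.push({ tag: 'inline-script', url: u });
  }
  return found;
}

// Returns the trackers found, whether the page carries health-related text,
// and a risk label: 'high' (tracker on a sensitive page), 'review' (tracker on
// an ordinary page), or 'none'.
function auditPage(html) {
  const trackers = [];
  for (const ref of collectResourceUrls(html)) {
    const sig = TRACKER_SIGNATURES.find((s) => s.re.test(ref.url));
    if (sig) trackers.push({ name: sig.name, tag: ref.tag, url: ref.url });
  }
  const text = html.replace(INLINE_SCRIPT, ' ').replace(/<[^>]+>/g, ' ');
  const sensitive = SENSITIVE_CONTENT.test(text);
  const risk = trackers.length === 0 ? 'none' : sensitive ? 'high' : 'review';
  return { trackers, sensitive, risk };
}

// Constructed sample pages (ids and map parameters are placeholders).
const LOCATION_PAGE = `<html><body><h1>Main Street Clinic</h1>
<p>Schedule an appointment online or call us.</p>
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER" width="400"></iframe>
<form action="/appointments/new"><button>Book now</button></form></body></html>`;

const ABOUT_PAGE = `<html><head><link rel="stylesheet" href="/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-PLACEHOLDER');</script></head>
<body><h1>About our practice</h1><p>Our team has served the community for twenty years.</p>
<a href="https://www.youtube.com/@placeholder-channel">Watch our channel</a></body></html>`;

const DIRECTIONS_PAGE = `<html><body><h1>Directions</h1>
<p>From the Main Street exit, turn left at the library; we are the second building on the right.</p>
<img src="/images/front-entrance.jpg" alt="Front entrance"></body></html>`;

for (const [name, html] of Object.entries({ LOCATION_PAGE, ABOUT_PAGE, DIRECTIONS_PAGE })) {
  const r = auditPage(html);
  console.log(`${name}: risk=${r.risk}; trackers=${r.trackers.map((t) => t.name).join(', ') || 'none'}`);
}
```

Run it against your real pages (saved HTML) and treat every 'high' result as a page to fix first; a 'review' result still needs a BAA or removal, per the post.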
Let us know if you would like us to check your website. Feel free to share this information with your colleagues. We want to help as many practices as we can since the fines can be devastating. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”