
Good Faith Compliance is No Longer Enough

HIPAA requirements are now stricter and more explicit, and enforcement expectations are tightening with them. This is changing how medical practices and business associates operate day to day. The big shift is that “good faith” compliance is no longer enough: regulators now expect documented and continuously maintained compliance.

Compliance Must Be Documented, Not Assumed

Organizations can no longer rely on informal policies, verbal training, or “we’ve always done it this way.”

Written risk analyses, risk management plans, and policies have always been required, but regulators are now checking closely that they are kept up to date. Documents must be current, not created once and forgotten.

If it is not documented, the Office for Civil Rights treats it as if it does not exist.

Impact: More time spent maintaining documentation, but far less exposure during an audit or complaint.

Risk Analysis Is the Foundation of Everything

The Office for Civil Rights (OCR) has made it crystal clear that risk analysis drives compliance decisions. Security controls must align with identified risks, and a documented risk management plan must outline how each risk will be mitigated. “Addressable” safeguards were never optional: if one is not implemented, the reason and the equivalent alternative measure must be justified in writing. Generic or copied risk analyses are being rejected.

Impact: Organizations must understand their systems, vendors, workflows, and vulnerabilities – not someone else’s.

Cybersecurity Expectations Are Higher

HIPAA now expects organizations to adopt modern security practices, not outdated basics.

  • Multi-factor authentication (MFA)
  • Encryption of data at rest and in transit
  • Regular patching and system hardening
  • Monitoring for suspicious activity

Failing to implement common-sense safeguards is increasingly viewed as willful neglect.

Impact: Greater reliance on IT partners, but also more oversight and accountability.

Vendors and Business Associates Are Under a Microscope

Practices are responsible for whom they share PHI with. Business Associate Agreements (BAAs) must be current, and business associates must in turn have current agreements with their subcontractors. Vendors must be able to demonstrate their own security practices and comply with the HIPAA rules. “We trusted our vendor” is no longer a defense: covered entities are responsible for ensuring their vendors are compliant.

Impact: More vendor vetting, more paperwork, fewer risky shortcuts.

Training Must Be Ongoing

Annual, generic HIPAA training doesn’t cut it anymore. Training must address phishing, ransomware, and real-world threats. Training must be tracked and documented.

Impact: Better-informed staff equals fewer costly human-error breaches.

Faster Response and Accountability After Incidents

HIPAA enforcement now scrutinizes how quickly and effectively a practice responds to incidents. Incident response plans must exist before an event occurs; delays or confusion during a breach increase penalties. Internal security incident investigations must be documented.

Impact: Organizations need clear procedures, not panic, when something goes wrong.

Small Practices Are No Longer “Too Small to Enforce”

Enforcement actions increasingly involve:

  • Small and solo practices
  • Dental offices
  • Specialty clinics
  • Business associates

Complaints, not breaches, often trigger investigations.

Impact: Every organization is expected to meet the same baseline standards, regardless of size.

Summary

HIPAA’s stricter requirements mean organizations must shift from reactive compliance to ongoing risk management.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk, step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

AI scribe and when an authorization is required

There has been some confusion about when a patient authorization is required for an AI scribe or any other recording of a patient encounter.

HIPAA permits providers to use and disclose PHI for treatment, payment, and healthcare operations (TPO). If the provider records the encounter solely to create clinical documentation, a separate patient authorization is not required under HIPAA.

Keep in mind that you must have a signed business associate agreement (BAA) with the scribe vendor, the recording must be secured with encryption and proper safeguards, and the recording must be disclosed to the patient.

HOWEVER, it is recommended to obtain a patient authorization anyway, since many states, including Florida, require consent from BOTH parties to record an audio conversation.

AI Scribe Used for Treatment Documentation

If the provider records the encounter solely to create clinical documentation for treatment, payment, or healthcare operations purposes, HIPAA generally does not require a separate patient authorization.

Medical Provider Requirements

The AI vendor must sign a Business Associate Agreement (BAA). The recording must be secured using encryption and proper technical safeguards.

When Authorization May Be Required

A separate written authorization may be required if the recording is used for marketing, shared outside of treatment purposes, or used for training outside the HIPAA-regulated entities.

Some state laws require two-party consent for audio recording (Florida, for example).

State wiretapping laws may require patient consent even where HIPAA does not.

AI scribing tools typically record audio of patient encounters, transcribe and process the PHI, and sometimes store or analyze the recordings. That triggers BOTH sets of law at the same time.

Additional Risk Considerations

Even if HIPAA does not require authorization, patients should be clearly informed that the visit is being recorded. Transparency reduces complaints and scrutiny. Even some malpractice carriers recommend a written acknowledgment.

Practical Best Practice

Providers should update their intake paperwork to include this disclosure and add signage in the exam rooms.


New Rule for Health Care Claims Attachments and Electronic Signatures

CMS, on behalf of HHS, is notifying stakeholders of the CMS-0053-F Final Rule, published in the Federal Register on March 24, 2026.

This final rule establishes the first HIPAA standards for health care claims attachments. It allows secure electronic submission of supporting clinical documentation. Examples include medical records, imaging, clinical notes, telemedicine documentation, and lab results.

The rule implements requirements under HIPAA Administrative Simplification. It also follows provisions of the Affordable Care Act and the Health Care and Education Reconciliation Act of 2010.

The rule introduces new standards to streamline administrative transactions. This reduces manual processes and improves efficiency and patient care.

The rule adopts standards for secure electronic submission of claim attachments such as medical records, imaging, and clinical notes, and it establishes electronic signature standards for attachment transactions. The signatures ensure document integrity and verify the signer’s identity using HL7 guidance. These updates reduce faxing and mailing, save time and resources for providers and payers, and improve administrative efficiency and patient care.

Compliance Timeline:

Stakeholders must meet all rule requirements within 24 months of the effective date. This period allows covered entities to adopt new standards and transition from current processes.

For more information on the final rule, please visit: https://www.federalregister.gov/d/2026-05676


Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records

Landmark Enforcement Program for Substance Use Disorder (SUD) Records

The U.S. Department of Health and Human Services Office for Civil Rights announced a new enforcement program. This program protects the confidentiality of substance use disorder patient records. OCR will enforce statutory and regulatory requirements under federal law.

This program introduces civil enforcement for covered substance use disorder programs for the first time. HHS will enforce safeguards to protect substance use disorder patient records. Patients deserve treatment without sacrificing privacy or legal protections.

The program enforces confidentiality provisions under section 3221 of the CARES Act. The regulation appears at 42 CFR Part 2.
Covered entities must comply with all requirements beginning February 16, 2026.

  • OCR may investigate entities that fail to protect substance use disorder patient records.
  • Penalties applied will be consistent with HIPAA Privacy, Security, and Breach Notification Rules.
  • Resolution agreements may be implemented to resolve violations.
  • Civil monetary penalties for noncompliance may be applied.
  • Corrective action commitments may also be applied.
  • HIPAA Notice of Privacy Practices may need to be updated.

Compliance will improve care coordination among providers and strengthen patient confidence in substance use disorder treatment providers.

Beginning February 16, 2026, OCR will accept complaints alleging confidentiality violations. Entities may access resources at the HHS OCR Part 2 webpage.

This program supports national policy objectives under Executive Order 14379.
The initiative addresses addiction through treatment, recovery, and self-sufficiency.

Section 3221 of the CARES Act aligns substance use disorder privacy standards more closely with the HIPAA and HITECH Act standards. The resulting rule updated the confidentiality protections under 42 CFR Part 2, improves coordination among treating providers, strengthens confidentiality protections through civil enforcement, and supports better integration of behavioral health information and improved patient health outcomes.


HIPAA Binder vs OCR Reality

What Medical Practices Think They Have vs. What OCR Actually Requires

HIPAA binders have been used for years, but they usually lack the documentation that is actually required.

What Practices Often Rely On:

“We have a HIPAA binder.”

  • HIPAA binder purchased (often never opened, and plastic not removed)
  • Policies printed once (often not completed)
  • Annual training sign-in sheets (sometimes, these are lost)
  • Generic risk analysis template (if they have even conducted a risk analysis)
  • Business Associate Agreements (many of these are missing, or lack compliance documentation)
  • Someone assigned as “HIPAA Officer” (most compliance officers have other responsibilities, and HIPAA never seems to be documented)

This shows intent, but intent is not proof.

What OCR Looks for During an Investigation:

“Show us your documentation.”

OCR does not ask if you tried.
They ask what you can produce, immediately.

  • A current, systemwide risk analysis tied to your systems (not one that is copied from another practice)
  • Evidence of ongoing risk management, not a one-time exercise
  • Training records for each workforce member
  • Signed BAAs with vendors that access ePHI
  • Policies that match actual safeguards in place
  • Proof documentation is maintained, reviewed, and updated

The Reality Gap (Where Most Practices Get Stuck):

Binder mindset vs OCR reality:

  • Binder: “HIPAA is done.” OCR: HIPAA is ongoing.
  • Binder: “We purchased policies.” OCR: purchased policies are usually incomplete.
  • Binder: “Staff are trained.” OCR: training must be current and documented.
  • Binder: “Risk analysis completed once.” OCR: the risk analysis must be accurate and kept updated.
  • Binder: “We’re too small.” OCR: organizations of all sizes are fined.

Why Binders Fail During Audits:

  • Documents become outdated quickly
  • No audit trail showing updates or reviews
  • Training proof is incomplete or missing
  • Risk analysis is generic, not practice-specific
  • BAAs are unsigned, expired, or missing
  • Hard to produce documentation on demand

If it can’t be produced, OCR treats it as if it never existed.

The Question Every Practice Should Ask:

If OCR contacted us tomorrow, could we confidently produce everything they would request?

If the answer isn’t a clear yes, it may be time to rethink how compliance is managed.

How our HIPAA Keeper™ Closes the Gap

Guided, step-by-step HIPAA compliance process
Built-in risk analysis & risk management tools
Centralized storage for policies, BAAs, and training records
Documentation that aligns with OCR expectations
Ongoing maintenance instead of “set-and-forget” compliance

Binders show effort. The HIPAA Keeper™ shows proof.


Why Medical Practices Delay HIPAA Compliance

(And Why That Delay Is Riskier Than They Think)

Most medical practices don’t ignore HIPAA because they don’t care.
They delay it because they’re busy, understaffed, and overwhelmed – and HIPAA feels confusing, technical, and unforgiving.

HIPAA Binders

When we discuss HIPAA compliance, we hear “we’ve always done it this way” or “we are good, we have a HIPAA binder.” Practices rely on old HIPAA binders with policies created years ago. Those worked at one point, but HIPAA expectations and enforcement have changed, and the binders often lack HIPAA training documentation and procedures updated for changes in technology. Many of these binders still have the plastic wrapping on or are covered in dust!

HIPAA is no longer a one-time task. It’s an ongoing process, and static binders simply don’t keep up.

HIPAA Is Seen as a Cost, Not Protection

HIPAA does not generate revenue, so it often falls behind. Most HIPAA compliance officers have many other responsibilities: staffing, billing, or patient care. Organizations weigh the cost of compliance against nothing having gone wrong, so far. Unfortunately, one small mistake can end up being very costly. One click of a mouse, one patient complaint, or one disgruntled employee is all it takes to trigger an OCR investigation.

Major Misconception

One of the most common and costly misconceptions is “we are too small to be a target.” Smaller organizations assume hackers and enforcement focus on hospitals, and they have a false sense of security because they have never had a breach. The fact is that some organizations have had a breach and simply have not discovered it YET: depending on the malicious code that has invaded their systems, the attackers may be waiting for the “right” time to reveal themselves. Because many small to mid-size organizations lack the security needed to protect their data, they are often an easier target than hospitals. OCR investigates organizations of ALL SIZES; no one is immune.

Fear of Technology

Online compliance systems can feel intimidating: yet another password, unfamiliar terminology, and the HIPAA requirements themselves. Organizations worry that technology will make HIPAA harder, not easier. This is rarely said out loud, but it is very real: many organizations are concerned that an online system will expose their weaknesses, reveal that they are not compliant, and that the lack of documentation will create liability. The truth is that gaps do not create risk; undocumented gaps do. OCR requires organizations to identify risks and document the procedures they use to mitigate those vulnerabilities in their own environment.

Confusion About What HIPAA Actually Requires

HIPAA language is complex and guidance is often confusing. Many organizations ask, “Is this really required?”, “Are we doing enough?”, and “What does OCR really expect?” Then they delay facing the elephant in the room. Documentation becomes outdated, training records go missing, risk analyses are not updated, and business associate agreements are not signed.

When an incident occurs, then everyone scrambles, and even more mistakes are made. How well do you trust your compliance efforts? Remember, when the OCR investigates an incident, they review ALL your compliance records, not just the one incident.

A Better Way Forward

If someone asked for your HIPAA documentation tomorrow, would you feel confident—or stressed?

If the answer is stress, that’s not a failure – it’s a sign it’s time for support.

HIPAA compliance doesn’t have to be overwhelming, technical, judgmental, or confusing. An online system should be easy to navigate and increase your productivity. If it is too cumbersome, or you are still using a binder, it may be time to look at a better solution. We are here to help!


Cybersecurity and the HIPAA Rules

The Office for Civil Rights released its January 2026 OCR Cybersecurity Newsletter. We have condensed it here to educate regulated entities on what is necessary under the HIPAA rules. Many organizations try to manage data security on their own or rely on IT vendors that may not be well versed in data security and the HIPAA rules.

We hope this will help you to understand how cybersecurity and the HIPAA rules intersect. In the end, this is how to protect patient data and your organization. Remember, HIPAA is not optional, and it is more involved than ever before.

System Hardening and Protection of ePHI

System hardening requires installing, enabling, and properly configuring security measures across all systems. Organizations should enable built-in security features within devices, operating systems, and applications. They should also deploy third-party security tools such as anti-malware, EDR, and SIEM solutions when appropriate.

These safeguards support HIPAA Security Rule technical requirements, including access controls, encryption, audit logging, and authentication. Risk analysis and risk management decisions should guide which security measures an organization implements. Organizations may need third-party solutions, such as multi-factor authentication, when native options are unavailable. Establishing standardized security baselines helps ensure consistent protection and reduces risk to ePHI.

Patching Known Vulnerabilities

Applying patches protects electronic protected health information by reducing known security vulnerabilities. Organizations must keep operating systems, applications, and device firmware, including network equipment, up to date. Maintaining an accurate IT asset inventory helps identify systems that require patching.

The HIPAA Security Rule requires organizations to identify and manage risks to ePHI, including unpatched software. Patching is an ongoing process because new vulnerabilities emerge over time. When patches are unavailable, organizations must implement alternative security measures to reduce risk to an appropriate level.
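The newsletter ties patching to two things practices often lack: an inventory that is actually complete, and a recorded decision for every system that cannot be patched. The following is an added example (my code, not the OCR newsletter’s and not from any vendor tool) of a report that starts from the inventory rather than from the patch tool: it joins assets to advisories by product and version, emits a patch action where a fix exists, a compensating-control action where the vendor has none, and lists hosts seen on the network that the inventory never recorded. The inventory, the advisory identifiers, the product names and the hostnames are all constructed placeholders.

```python
"""Asset-inventory-driven patch gap report.

Added example (not from the OCR newsletter or the original page). The
inventory, the advisories and the hostnames seen on the network are all
constructed sample data; the product names and advisory IDs are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str          # operating system, application or firmware line
    version: str          # dotted version string as reported by the device
    stores_ephi: bool     # drives priority: ePHI systems are remediated first


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: Optional[str]   # None means the vendor has no fix (for example, end of support)
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '12.3.5' into (12, 3, 5) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory: what the practice believes it owns.
INVENTORY = [
    Asset("fw-edge-01", "EdgeOS", "4.1.2", stores_ephi=True),
    Asset("imaging-ws-03", "ImagingSuite", "9.8.0", stores_ephi=True),
    Asset("ehr-app-01", "EHRServer", "12.3.5", stores_ephi=True),
    Asset("kiosk-lobby", "KioskOS", "2.0.1", stores_ephi=False),
]

# Constructed advisories: in practice these come from vendor bulletins or a scanner.
ADVISORIES = [
    Advisory("ADV-2026-0001", "EdgeOS", fixed_in="4.1.3", severity="critical"),
    Advisory("ADV-2026-0002", "ImagingSuite", fixed_in=None, severity="high"),
    Advisory("ADV-2026-0003", "EHRServer", fixed_in="12.3.4", severity="high"),
]


def patch_gap_report(inventory, advisories):
    """One finding per asset that is still exposed to an advisory.

    An asset is exposed when it runs the affected product and its version is
    older than fixed_in, or when no fix exists at all. Assets with no fix get a
    compensating-control action instead of a patch action, which is what the
    Security Rule expects when a patch is unavailable.
    """
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if adv.fixed_in is not None and parse_version(asset.version) >= parse_version(adv.fixed_in):
                continue  # already at or past the fixed version
            if adv.fixed_in is not None:
                action = f"apply patch: upgrade to {adv.fixed_in} or later"
            else:
                action = ("no patch available: document compensating controls "
                          "(network isolation, restricted access, extra monitoring) "
                          "in the risk management plan")
            findings.append({
                "hostname": asset.hostname,
                "advisory": adv.advisory_id,
                "installed": asset.version,
                "priority": "high" if asset.stores_ephi else "normal",
                "action": action,
            })
    return findings


def unmanaged_hosts(seen_on_network, inventory):
    """Hosts that answered on the network but are missing from the inventory.

    These cannot be patched by a process that starts from the inventory, so the
    inventory, not the patch tool, is what needs fixing first.
    """
    known = {asset.hostname for asset in inventory}
    return sorted(set(seen_on_network) - known)


if __name__ == "__main__":
    for finding in patch_gap_report(INVENTORY, ADVISORIES):
        print(finding)
    # Constructed scan result: one laptop nobody recorded.
    print(unmanaged_hosts(["fw-edge-01", "imaging-ws-03", "ehr-app-01",
                           "kiosk-lobby", "unknown-laptop-7"], INVENTORY))
```

The report deliberately refuses to treat “no patch exists” as “nothing to do”: the imaging workstation with no vendor fix comes out as a high-priority finding whose action is to document compensating controls, which is the entry an OCR investigator will look for in the risk management plan. The unmanaged-host check is the other half of the newsletter’s point about inventories: a device that is not in the inventory is never patched by an inventory-driven process, no matter how good the patch tooling is.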

Removing or Disabling Unneeded Software and Services

Many systems include unused or preinstalled software that increases security risk by expanding the system’s attack surface. This software may include games, social media applications, messaging tools, duplicate utilities, or insecure system services. Organizations should regularly review installed software and disable or remove anything not required for business operations. Unneeded software may create default or service accounts with elevated privileges and weak or known passwords. Attackers can exploit these accounts if organizations do not manage them properly.

Organizations must change default credentials, remove unused accounts, and delete accounts created by uninstalled software. Removing unnecessary software strengthens system security, especially when patches are unavailable. Organizations should test and document changes to ensure continued protection of ePHI under the HIPAA Security Rule.


Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.


Schedule a free HIPAA checkup today at Aris Medical Solutions.

Phishing Prevention for Healthcare

Healthcare is one of the most targeted industries for phishing because attackers know the environment is fast-paced, staff are busy, and ePHI is extremely valuable. One click on a malicious email can shut down your systems, expose patient data, and put your practice in OCR’s crosshairs.

Phishing is the entry point for many of the ransomware incidents reported to OCR, and a number of recent enforcement actions stemmed from preventable, basic phishing mistakes. With proper training, employees can stop most phishing attempts before they turn into a security incident.

Below are the top phishing tactics used against medical and dental practices, followed by practical prevention steps aligned with HIPAA Security Rule requirements.

1. Email Spoofing & Look-Alike Domains

What it looks like

  • Fake emails appear to come from a doctor, CEO, billing manager, or IT vendor.
  • Domains slightly change (e.g., mayoclinic.com vs mayoclinic.net).
  • “Urgent request” messages: invoice approvals, password resets, or wire transfer requests.

Why it works

Healthcare staff often trust internal names and don’t closely examine sender details.

How to prevent it

  • Publish SPF, DKIM, and DMARC records for your email domain, and move the DMARC policy from p=none to quarantine or reject once your legitimate mail flows are passing.
  • Require multi-factor authentication (MFA) for all email access.
  • Train staff to check the actual sender address (not just the display name) and to hover over links before opening attachments.
  • Implement role-based access controls so fewer people can approve financial or patient-record changes.
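“Enable DMARC, DKIM, and SPF” only helps if the published records are actually enforcing; a DMARC record with p=none and an SPF record ending in ?all are both technically “enabled” and stop nothing. The following is an added example (my code, not from the original page or any mail provider) that assesses SPF and DMARC record strings for those weak settings. It takes the TXT strings as input, so it runs offline; the records in the usage and tests, and the domain ourpractice.example, are constructed. DKIM is left out because a DKIM key record lives under a selector name that the domain itself does not reveal.

```python
"""Assess SPF and DMARC records for spoofing resistance.

Added example, not from the original page. It works on the TXT record
strings you would fetch with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`;
the records used with it are constructed samples, and ourpractice.example is a
placeholder domain. DKIM is not checked here because a DKIM key record
lives under a selector name that the record itself does not reveal.
"""
import re

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses found; an empty list means the record is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers have no policy for mail that fails SPF/DKIM alignment"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: the record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails alignment is still delivered")
    subdomain_policy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports of who is spoofing you")
    return findings


def assess_spf(record: str) -> list:
    """Return the weaknesses found in an SPF record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot tell which servers may send for this domain"]
    findings = []
    lookups = 0
    all_term = None
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]   # 'include:x' -> 'include', 'a/24' -> 'a'
        if name == "all":
            all_term = term
        elif name in DNS_LOOKUP_MECHANISMS:
            lookups += 1
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("+all authorizes every host on the internet to send as you")
    elif all_term == "?all":
        findings.append("?all is neutral: SPF provides no protection")
    elif all_term == "~all":
        findings.append("~all softfail: only acts if the DMARC policy is quarantine or reject")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms[1:]):
        findings.append("ptr mechanism is deprecated and slow; replace it with ip4/ip6 or include")
    return findings


if __name__ == "__main__":
    # Constructed records: a monitoring-only pair and an enforcing pair.
    print(assess_spf("v=spf1 include:spf.protection.outlook.example ?all"))
    print(assess_dmarc("v=DMARC1; p=none"))
    print(assess_spf("v=spf1 include:spf.protection.outlook.example -all"))
    print(assess_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@ourpractice.example"))
```

Fetch the live records with dig TXT ourpractice.example and dig TXT _dmarc.ourpractice.example and pass them in. The usual path to an enforcing record is p=none with rua reporting for a few weeks, then p=quarantine, then p=reject once every legitimate sender (EHR notifications, fax-to-email, billing, the practice’s own MFA provider) is passing alignment; the lookup count matters because an SPF record that exceeds ten lookups returns a permanent error and protects nothing.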

2. Malicious Attachments (PDF, Fax, Lab Result, eRx Notice)

What it looks like

  • “Incoming fax” from eFax, RingCentral, or RightFax
  • “New lab results attached”
  • “Updated referral forms – review immediately”

Attachments often contain ransomware droppers or credential-stealing malware.

Why it works

Clinicians and staff open attachments quickly due to workflow pressure.

How to prevent it

  • Deploy attachment sandboxing (detonating attachments in an isolated environment before delivery).
  • Block macros and executable attachments at the mail gateway.
  • Require staff to verify unexpected clinical attachments by calling the sender at a known number.
  • Maintain current endpoint detection and response (EDR) software on every workstation.

3. Credential Harvesting / Fake Login Pages

What it looks like

  • Fake Microsoft 365, Google Workspace, EHR, or billing portal login prompts.
  • Emails claim “Your mailbox is full—log in to restore access,” or “Your password needs to be reset.”

Why it works

Providers often keep multiple portals open and may not notice small differences.

How to prevent it

  • Enforce MFA, which stops most credential-theft logins; prefer phishing-resistant methods (FIDO2 security keys or passkeys), because adversary-in-the-middle phishing kits can relay one-time codes and push approvals in real time.
  • Train employees not to click links within the email; go to the portal directly instead.
  • Train employees to check the URL before entering credentials.
  • Use a password manager; it auto-fills only on the domain the credential was saved for, so a look-alike site gets nothing.
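Sections 1 and 3 both come down to the same check: is the domain in the sender address, or in the link a user is about to type a password into, really the trusted one, or a look-alike? The following is an added example (my code, not from the original page or any mail filter) of that check against a trusted-domain list. It catches the four common tricks: a swapped top-level domain (mayoclinic.net for mayoclinic.com, the page’s own illustration), homoglyph spelling (rnayoclinic), one- or two-character typosquats, and the trusted name buried inside another domain (mayoclinic-login.com, mayoclinic.com.evil.example). TRUSTED_DOMAINS and every host below are constructed; ourpractice.example and m365.example are placeholders.

```python
"""Flag look-alike sender domains and login URLs against a trusted-domain list.

Added example, not from the original page. TRUSTED_DOMAINS and every sample
host are constructed; mayoclinic.com appears only because the page uses it as
its illustration, and the other names are placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist: domains the practice legitimately exchanges mail with.
# A tuple (not a set) so that the checks run in a fixed order.
TRUSTED_DOMAINS = ("mayoclinic.com", "ourpractice.example", "m365.example")

# Substitutions attackers use because they look alike on screen
# (Cyrillic letters for Latin ones, digits for letters, 'rn' for 'm').
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "ı": "i",
               "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label


def classify_host(host: str):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = host.lower().rstrip(".")
    if "." not in host:
        return "unknown", "not a fully qualified domain name"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", f"exact match or subdomain of {trusted}"
    # Registrable part: 'evil.example' for 'mayoclinic.com.evil.example'.
    # (Real code would consult the public suffix list; two labels suffice here.)
    name, tld = host.split(".")[-2:]
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = trusted.rsplit(".", 1)
        if name == t_name and tld != t_tld:
            return "suspicious", f"top-level domain swapped: .{tld} instead of .{t_tld} for {t_name}"
        if name != t_name and fold_confusables(name) == t_name:
            return "suspicious", f"homoglyph spelling of {trusted}"
        if name != t_name and edit_distance(name, t_name) <= 2:
            return "suspicious", f"typosquat of {trusted} (edit distance {edit_distance(name, t_name)})"
        if t_name in name and name != t_name:
            return "suspicious", f"trusted name {t_name} embedded in {name}"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            return "suspicious", f"trusted domain {trusted} used as a subdomain of {name}.{tld}"
    return "unknown", "not on the trusted list; verify out of band before acting"


def check_sender(address: str):
    """Classify the domain of an email address; display names are ignored on purpose."""
    if "@" not in address:
        return "suspicious", "no @ in address"
    return classify_host(address.rsplit("@", 1)[1])


def check_login_url(url: str):
    """Classify where a login link really goes before credentials are typed into it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "suspicious", f"login page is not served over https (scheme: {parts.scheme or 'none'})"
    # urlsplit().hostname drops a 'user@' prefix, so
    # https://mayoclinic.com@evil.example resolves to evil.example here.
    return classify_host(host)


if __name__ == "__main__":
    for sample in ("drsmith@mayoclinic.net", "it-helpdesk@rnayoclinic.com", "billing@ourpractice.example"):
        print(sample, check_sender(sample))
    for sample in ("https://portal.ourpractice.example/login", "http://mayoclinic-login.com/reset",
                   "https://mayoclinic.com@evil.example/reset"):
        print(sample, check_login_url(sample))
```

The same function serves both the mail gateway (tag or quarantine messages whose sender domain classifies as suspicious) and user training material (show staff exactly what the URL bar must read before they sign in). The edit-distance threshold of 2 is a judgment call: raise it for long trusted names, lower it for short ones like m365, or false positives climb. Note that the display name is never consulted; it is attacker-controlled text and is precisely what the “Dr. Smith” impersonation relies on.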

4. Vendor Impersonation (EHR, Imaging, Billing, Clearinghouses)

What it looks like

  • Fake messages from Athena, eClinicalWorks, Change Healthcare, Kareo, etc.
  • “Urgent update required to prevent claim rejections.”
  • “Your portal access will be disabled unless you verify your account.”

Why it works

Healthcare providers rely heavily on third-party systems and trust vendor branding.

How to prevent it

  • Verify updates by logging in directly and never through email links.
  • Maintain a Vendor Verification Checklist under your HIPAA Security Rule documentation.
  • Require IT department to approve all vendor-related system changes.

5. Business Email Compromise (BEC)

What it looks like

  • A hacked internal account sends messages to other employees.
  • Requests for W-2s, bank changes, ACH updates, or large transfers.
  • Email rules silently forwarding messages to attackers.

Why it works

It comes from a real account and staff trust it.

How to prevent it

  • Require MFA on all accounts.
  • Set alerts for email forwarding rule creation.
  • Use conditional access and login-location alerts.
  • Review account audit logs regularly.
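The forwarding-rule alert above is the single highest-value BEC detection a small practice can run, because attackers almost always create one in the first minutes after taking over a mailbox, and they pair it with delete or mark-as-read so the victim never sees the replies. The following is an added example (my code, not Microsoft’s and not from the original page) of that detection run over constructed records shaped like Exchange Online entries in the Microsoft 365 unified audit log (an Operation, a UserId, a ClientIP and a Parameters list of Name/Value pairs). ourpractice.example and every address and IP in the sample log are placeholders; in production the records come from Search-UnifiedAuditLog or the Office 365 Management Activity API rather than an inline string.

```python
"""Flag mailbox forwarding rules that send mail outside the organization.

Added example, not from the original page. The records are constructed to
match the shape of Exchange Online entries in the Microsoft 365 unified audit
log; ourpractice.example and every address and IP below are placeholders.
"""
import json

ORG_DOMAINS = {"ourpractice.example"}   # constructed: the domains you own

# Parameters that send a copy of the mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters attackers combine with forwarding so the victim never sees the replies.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule", "Set-Mailbox"}


def addresses_in(value: str) -> list:
    """Extract SMTP addresses from the ways the audit log encodes them:
    'x@y', 'smtp:x@y', '["x@y"]' or 'x@y;z@y'."""
    cleaned = value.replace("[", "").replace("]", "").replace('"', "").replace("'", "")
    found = []
    for part in cleaned.replace(";", ",").split(","):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            found.append(part.lower())
    return found


def analyze_record(record: dict):
    """Return an alert dict for an external-forwarding change, else None."""
    if record.get("Operation") not in RULE_OPS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    external = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for addr in addresses_in(params[name]):
            if addr.rsplit("@", 1)[1] not in ORG_DOMAINS:
                external.append(addr)
    if not external:
        return None
    hides = sorted(HIDE_PARAMS.intersection(params))
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "client_ip": record.get("ClientIP"),
        "external_targets": external,
        "hides_evidence": hides,
        # forwarding plus delete/move is the classic BEC pattern, so it ranks higher
        "severity": "high" if hides else "medium",
    }


def scan(ndjson: str) -> list:
    """Run analyze_record over newline-delimited JSON and return the alerts."""
    alerts = []
    for line in ndjson.splitlines():
        if line.strip():
            alert = analyze_record(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: four rule changes and one unrelated sign-in event.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2026-02-03T14:02:11", "Operation": "New-InboxRule",
     "UserId": "bob@ourpractice.example", "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "[\"finance-updates@mail-drop.example\"]"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-02-03T15:20:40", "Operation": "New-InboxRule",
     "UserId": "carol@ourpractice.example", "ClientIP": "198.51.100.20", "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2026-02-03T16:05:02", "Operation": "Set-Mailbox",
     "UserId": "admin@ourpractice.example", "ClientIP": "198.51.100.20", "Parameters": [
         {"Name": "Identity", "Value": "dave"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.home@webmail.example"}]},
    {"CreationTime": "2026-02-03T16:30:00", "Operation": "Set-InboxRule",
     "UserId": "erin@ourpractice.example", "ClientIP": "198.51.100.21", "Parameters": [
         {"Name": "ForwardTo", "Value": "billing@ourpractice.example"}]},
    {"CreationTime": "2026-02-03T16:31:00", "Operation": "UserLoggedIn",
     "UserId": "erin@ourpractice.example", "ClientIP": "198.51.100.21"},
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two of the five records produce alerts: Bob’s rule (external forward plus delete and mark-as-read, from an IP outside the practice’s range) is the textbook takeover and ranks high, and the admin-level Set-Mailbox forward to a personal webmail address ranks medium because it may be legitimate but must be verified with the admin who made it. Carol’s move-to-folder rule and Erin’s internal forward are normal and stay quiet. The rule name “.” in the first record is worth its own detection in a real deployment; attackers use single characters so the rule is hard to spot in the Outlook rules list. Tenant-wide, the better control is to block external forwarding outright in the outbound spam policy and alert on any attempt, with this kind of log review as the backstop.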

6. “Patient Refund” or “Billing Issue” Scams

What it looks like

  • Fake patient messages: “I was overcharged, please open the attached statement.”
  • Calls followed by phishing emails requesting account verification.

Why it works

Front-desk and billing teams want to resolve patient issues quickly.

How to prevent it

  • Never open unknown attachments claiming to be patient documentation.
  • Require all inbound patient documents to be sent via HIPAA-secure channels only.
  • Train non-clinical staff (front desk, billing, schedulers) since they are the most targeted.

7. Ransomware Delivery via Phishing

What it looks like

  • Fake faxes, statements, or shipping notifications.
  • Attachments disguised as scanned documents.

Why it works

One click can deploy ransomware that halts clinical operations.

How to prevent it

  • Maintain image-based backups (not just data backups), with at least one copy kept offline or immutable so ransomware cannot encrypt it too.
  • Test your contingency plan (data backup, disaster recovery, and emergency mode operation procedures) quarterly, including an actual restore.
  • Ensure all devices are patched and running updated security tools.

8. Social Engineering Phone + Email Combination (“Hybrid Attacks”)

What it looks like

  • A phone call claiming to be from IT followed by an email link.
  • Attackers pretending to be from a lab, insurer, or specialist office.

Why it works

Healthcare workflow relies on phone + fax + email and attackers exploit the mix.

How to prevent it

  • Create a verification protocol for anyone asking for access or information.
  • Maintain a list of trusted numbers for labs, hospitals, and vendors.
  • Train staff never to act on unsolicited “IT support” messages.

Protect your practice and your patients.

Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Class Action Lawsuits VS Federal HIPAA Laws

Under the federal HIPAA law there is no private right of action, meaning a patient cannot directly sue a medical provider for a HIPAA violation. However, most state privacy laws do permit class action lawsuits.
While a federal HIPAA violation itself does not open the organization to class action lawsuits by patients, a breach or non-compliance often triggers state (consumer) law class actions, regulatory enforcement, and substantial financial risk and reputational damage.

For example, Florida law fills the “no private HIPAA lawsuit” gap.
While HIPAA itself does not permit a private right of action, Florida’s own privacy and consumer protection laws allow individuals to sue when their medical or personal information is mishandled. Common bases for class actions include:


Examples of HIPAA-style class actions

  • Akumin Operating Corp. (Florida-based outpatient radiology/oncology provider): 2023 ransomware attack; class action consolidated 2024-25; $1.5 million settlement.
  • Gastroenterology Associates of Central Florida, P.A. (d/b/a Center for Digestive Health / Center for Digestive Endoscopy): network intrusion discovered April 11, 2024; class action filed 2025; a settlement has been reached but its terms have not been released.
  • HCA Healthcare, Inc. (July 2023): breach affecting some 11.27 million patients across 20 states; settlement between $9 million and $10 million.
  • Tampa General Hospital (2023): breach impacting over 1.2 million patients; allegations included failure to use reasonable cybersecurity measures and delayed notification, invoking both FIPA and FDUTPA; $6.8 million settlement.
  • Lakeland Regional Health (2022): litigation under FIPA and negligence; $4 million settlement.
  • UF Health Central Florida (2021): litigation under FIPA and negligence.
  • Anthem, Inc. (2015): breach affecting tens of millions of individuals; class action litigation settled in 2017 for $115 million.
  • Visionworks of America, Inc. (retail optical chain): proposed class action after a breach affecting 40,000 customers.
 
Imagine a breach of your patient portal where PHI is exposed, then a class-action law firm sues you for negligent safeguarding of data. All the while the OCR fines you for the breach. We help you avoid both scenarios.


At Aris Medical Solutions, our HIPAA Keeper™ system highlights that strong vendor management, business associate agreements (BAAs), cybersecurity controls, timely breach notification, and record-access compliance (e.g., the right of access) are critical to reducing the risk of class actions.

Don’t leave patient data exposed.
Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.


What counts as a HIPAA Violation?

A HIPAA violation occurs when protected health information (PHI), that is, data that identifies an individual and relates to their health status, treatment, or payment, is improperly accessed, used, or disclosed. When it comes to patient privacy, ignorance isn’t bliss… it’s expensive. Every healthcare provider, business associate, and third-party vendor that handles PHI is required by law to comply with the Health Insurance Portability and Accountability Act (HIPAA). Yet, year after year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to issue fines for HIPAA violations that could have been avoided with proper policies, training, and security safeguards. Even small practices face enforcement actions for these violations, and “I didn’t know” is not a valid defense under HIPAA.

Common HIPAA violations include:

  • Sending PHI to the wrong recipient
  • Failing to encrypt emails or devices that store ePHI
  • Losing laptops, smartphones, or USB drives containing patient data
  • Discussing patient details in public areas
  • Sharing login credentials or failing to log off workstations
  • Posting patient photos or information on social media without authorization
  • Not performing an annual risk analysis or updating policies and procedures

Financial and Legal Risks

HIPAA penalties are tiered based on the level of negligence and can range from $141 to over $71,000 per violation — with an annual maximum of $2 million per identical provision (as adjusted for inflation in 2025). OCR considers factors such as the organization’s size, history of compliance, and willingness to correct the issue when determining penalties.

Beyond monetary fines, violations can lead to:

  • Civil lawsuits: Patients can sue under state privacy laws.
  • Corrective action plans: Mandatory, multi-year compliance monitoring by HHS.
  • Reputation damage: Lost patient trust and public exposure of the breach.
  • Criminal charges: Willful misuse of PHI can lead to imprisonment.

Operational and Reputational Risks

The real cost of a HIPAA violation goes beyond fines. Breaches disrupt operations, divert staff resources, and erode the confidence of patients and business partners. Once trust is lost, it’s difficult — and expensive — to rebuild.

For example, when a ransomware attack locks down medical records, patient care slows, billing stops, and the organization may spend months recovering. Even worse, news of the breach spreads fast, often drawing negative attention from both patients and regulators.

How to Avoid HIPAA Violations

The best defense is a proactive compliance program. Every covered entity and business associate should:

  1. Conduct an annual risk analysis to identify and mitigate vulnerabilities.
  2. Implement and maintain written policies and procedures that align with the Privacy, Security, and Breach Notification Rules.
  3. Train employees annually and document completion.
  4. Secure all devices and networks — use encryption, strong passwords, and access controls.
  5. Review business associate agreements (BAAs) to ensure vendors are also compliant.
  6. Document everything — if it’s not documented, it didn’t happen.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit-ready.

Protect your practice — and your patients.
Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved