HIPAA Compliance News Archives

Phishing Prevention for Healthcare

Suze Shaffer December 1, 2025December 1, 2025

Healthcare is one of the most targeted industries for phishing because attackers know the environment is fast-paced, staff are busy, and ePHI is extremely valuable. All it takes is one click on a malicious email to shut down your systems, expose patient data, and put your practice in OCR’s crosshairs.

Phishing is behind most ransomware incidents reported to OCR, and many recent enforcement actions stemmed from preventable, basic phishing mistakes. With proper training, employees can stop the majority of Security Rule violations before they happen.

Below is the top phishing tactics used against medical and dental practices, followed by practical prevention steps aligned with HIPAA Compliance and Security Rule requirements.

1. Email Spoofing & Look-Alike Domains

What it looks like

Fake emails appear to come from a doctor, CEO, billing manager, or IT vendor.
Domains slightly change (e.g., mayoclinic.com vs mayoclinic.net).
“Urgent request” messages: invoice approvals, password resets, or wire transfer requests.

Why it works

Healthcare staff often trust internal names and don’t closely examine sender details.

How to prevent it

Enable DMARC, DKIM, and SPF on your email domain.
Require multi-factor authentication (MFA) for all email access.
Train staff to hover over the sender address before opening attachments.
Implement Role-Based Access Controls so fewer people can approve financial or patient-record changes.

2. Malicious Attachments (PDF, Fax, Lab Result, eRx Notice)

What it looks like

“Incoming fax” from eFax, RingCentral, or RightFax
“New lab results attached”
“Updated referral forms – review immediately”

Attachments often contain ransomware droppers or credential-stealing malware.

Why it works

Clinicians and staff open attachments quickly due to workflow pressure.

How to prevent it

Deploy email sandboxing (advanced email scanning).
Block macros and executable files.
Require staff to verify unexpected clinical attachments by calling the sender directly.
Maintain current endpoint detection & response (EDR) software.

3. Credential Harvesting / Fake Login Pages

What it looks like

Fake Microsoft 365, Google Workspace, EHR, or billing portal login prompts.
Emails claim “Your mailbox is full—log in to restore access,” or “Your password needs to be reset.”

Why it works

Providers often keep multiple portals open and may not notice small differences.

How to prevent it

Enforce MFA, which stops most credential-theft logins.
Train employees not to click on the links within the email.
Train employees to check the URL before entering credentials.
Use password managers that auto-fill only on real sites.

4. Vendor Impersonation (EHR, Imaging, Billing, Clearinghouses)

What it looks like

Fake messages from Athena, eClinicalWorks, Change Healthcare, Kareo, etc.
“Urgent update required to prevent claim rejections.”
“Your portal access will be disabled unless you verify your account.”

Why it works

Healthcare providers rely heavily on third-party systems and trust vendor branding.

How to prevent it

Verify updates by logging in directly and never through email links.
Maintain a Vendor Verification Checklist under your HIPAA Security Rule documentation.
Require IT department to approve all vendor-related system changes.

5. Business Email Compromise (BEC)

What it looks like

A hacked internal account sends messages to other employees.
Requests for W-2s, bank changes, ACH updates, or large transfers.
Email rules silently forwarding messages to attackers.

Why it works

It comes from a real account and staff trust it.

How to prevent it

Require MFA on all accounts.
Set alerts for email forwarding rule creation.
Use conditional access and login-location alerts.
Review account audit logs regularly.

6. “Patient Refund” or “Billing Issue” Scams

What it looks like

Fake patient messages: “I was overcharged, please open the attached statement.”
Calls followed by phishing emails requesting account verification.

Why it works

Front-desk and billing teams want to resolve patient issues quickly.

How to prevent it

Never open unknown attachments claiming to be patient documentation.
Require all inbound patient documents to be sent via HIPAA-secure channels only.
Train non-clinical staff (front desk, billing, schedulers) since they are the most targeted.

7. Ransomware Delivery via Phishing

What it looks like

Fake faxes, statements, or shipping notifications.
Attachments disguised as scanned documents.

Why it works

One click can deploy ransomware that halts clinical operations.

How to prevent it

Maintain image-based backups (not just data backups).
Test your Contingency Disaster Recovery & Emergency Mode Operations Plan quarterly.
Ensure all devices are patched and running updated security tools.

8. Social Engineering Phone + Email Combination (“Hybrid Attacks”)

What it looks like

A phone call claiming to be from IT followed by an email link.
Attackers pretending to be from a lab, insurer, or specialist office.

Why it works

Healthcare workflow relies on phone + fax + email and attackers exploit the mix.

How to prevent it

Create a verification protocol for anyone asking for access or information.
Maintain a list of trusted numbers for labs, hospitals, and vendors.
Train staff never to act on unsolicited “IT support” messages.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.

Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Class Action Lawsuits VS Federal HIPAA Laws

Suze Shaffer November 1, 2025November 8, 2025

Under the Federal HIPAA law, there is no private right of action. Meaning, a patient cannot directly sue a medical provider for a HIPAA violation. However, most state privacy laws do permit class action lawsuits.
While a federal HIPAA violation itself doesn’t open the organization to class-action lawsuits by patients, a breach or non-compliance often triggers state law (consumer law) class actions, regulatory enforcement, and substantial financial risk and reputational damage.

For example, Florida law fills the “no private HIPAA lawsuit” gap
While HIPAA itself doesn’t permit a private right of action, Florida’s own privacy and consumer protection laws allow individuals to sue when their medical or personal information is mishandled. Common bases for class actions include:

Examples of HIPAA style class actions

Akumin Operating Corp. (Florida-based outpatient radiology/oncology provider)
2023 breach; class action consolidated 2024-25. Ransomware attack, $1.5 million settlement.

Gastroenterology Associates of Central Florida, P.A. (d/b/a Center for Digestive Health / Center for Digestive Endoscopy)
Discovered April 11, 2024; class action filed 2025. Network intrusion, settlement has been determined but not released.

HCA Healthcare, Inc. data breach (July 2023)
HCA Healthcare agreed to a multi-million-dollar settlement after a breach of data affecting some 11.27 million patients across 20 states. Settlement between $9-10M.

Tampa General Hospital (2023)
Subject to class-action claims after a data breach impacted over 1.2 million patients. Allegations included failure to use reasonable cybersecurity measures and delay in notification, invoking both FIPA and FDUTPA. Settlement $6.8M.

Lakeland Regional Health (2022)
Data breach leads to litigation under FIPA and negligence, settlement $4M.

UF Health Central Florida (2021)
Data breach leads to litigation under FIPA and negligence.

Anthem, Inc. breach (2015)
Anthem reported a breach affecting tens of millions of individuals; in 2017 they settled class‐action litigation for $115 million.

Visionworks of America, Inc., a retail/optical chain, faces a proposed class action after a data breach affecting 40,000 customers.

Imagine a breach of your patient portal where PHI is exposed, then a class-action law firm sues you for negligent safeguarding of data. All the while the OCR fines you for the breach. We help you avoid both scenarios.

At Aris Medical Solutions, our HIPAA Keeper™ system highlights that strong vendor management, business associate agreements (BAAs), cybersecurity controls, timely breach notification, record-access compliance (e.g., right of access) are critical to reduce the risk of class actions..

Don’t leave patient data exposed.
Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

What counts as a HIPAA Violation?

Suze Shaffer October 29, 2025December 1, 2025

A HIPAA violation occurs when PHI data that identifies an individual and relates to their health status, treatment, or payment is improperly accessed, used, or disclosed. When it comes to patient privacy, ignorance isn’t bliss… it’s expensive. Every healthcare provider, business associate, and third-party vendor that handles protected health information (PHI) is required by law to comply with the Health Insurance Portability and Accountability Act (HIPAA). Yet, year after year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to issue fines for HIPAA violations that can be avoided with proper policies, training, and security safeguards. Even small practices face enforcement actions for these violations, and “I didn’t know” is not a valid defense under HIPAA.

Common HIPAA violations include:

Sending PHI to the wrong recipient
Failing to encrypt emails or devices that store ePHI
Losing laptops, smartphones, or USB drives containing patient data
Discussing patient details in public areas
Sharing login credentials or failing to log off workstations
Posting patient photos or information on social media without authorization
Not performing an annual risk analysis or updating policies and procedures

Financial and Legal Risks

HIPAA penalties are tiered based on the level of negligence and can range from $141 to over $71,000 per violation — with an annual maximum of $2 million per identical provision (as adjusted for inflation in 2025). OCR considers factors such as the organization’s size, history of compliance, and willingness to correct the issue when determining penalties.

Beyond monetary fines, violations can lead to:

Civil lawsuits: Patients can sue under state privacy laws.
Corrective action plans: Mandatory, multi-year compliance monitoring by HHS.
Reputation damage: Lost patient trust and public exposure of the breach.
Criminal charges: Willful misuse of PHI can lead to imprisonment.

Operational and Reputational Risks

The real cost of a HIPAA violation goes beyond fines. Breaches disrupt operations, divert staff resources, and erode the confidence of patients and business partners. Once trust is lost, it’s difficult — and expensive — to rebuild.

For example, when a ransomware attack locks down medical records, patient care slows, billing stops, and the organization may spend months recovering. Even worse, news of the breach spreads fast, often drawing negative attention from both patients and regulators.

How to Avoid HIPAA Violations

The best defense is a proactive compliance program. Every covered entity and business associate should:

Conduct an annual risk analysis to identify and mitigate vulnerabilities.
Implement and maintain written policies and procedures that align with the Privacy, Security, and Breach Notification Rules.
Train employees annually and document completion.
Secure all devices and networks — use encryption, strong passwords, and access controls.
Review business associate agreements (BAAs) to ensure vendors are also compliant.
Document everything — if it’s not documented, it didn’t happen.

Protect Your Organization Before It’s Too Late

Protect your practice — and your patients.
Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Online Tracking Technology – Clarified

Suze Shaffer October 8, 2025October 8, 2025

Online tracking technology has caused a lot of speculation on what is acceptable or not. Here is a recap in case you missed the ruling last year.

Background & Baseline: HIPAA and Online Tracking

The OCR cautioned that certain online tracking technologies (ads, analytical tools, pixels) could potentially collect or disclose personal identifiable health information which is a violation of HIPAA.
The OCR and the Federal Trade Commission (FTC) in July 2023 sent letters to hospitals and telehealth organizations, warning of risks where third-party trackers (Google Analytics, Meta Pixel) might be sharing “sensitive health information” outside permitted guidelines of HIPAA.

The core concern: even data collected “passively” (IP addresses, page paths, query strings, referrers) may, in some scenarios, become linked (or inferred) to health conditions or services, thereby turning into PHI (protected health information).

The 2024 OCR “Online Tracking Technologies” Bulletin & Its Revision

In March 2024, OCR clarified how covered entities and business associates should consider HIPAA when using online tracking technologies.
Key elements of the revised guidance include:
1. Entities may use online tracking technologies only when such use does not lead to impermissible disclosures of PHI. If sharing PHI with a tracking vendor is necessary, it must occur under a valid Business Associate Agreement (BAA) or through patient authorization, and it must comply fully with HIPAA requirements.
2. If a vendor is unwilling or unable to sign a BAA, one option is to de-identify or aggregate the data before sharing it, ensuring it no longer qualifies as PHI.
3. The updated guidance recognizes the complexities of tracking activities on unauthenticated pages (those that do not require a login) and offers greater nuance on when such tracking may involve PHI.

Court Vacates Part of the OCR Guidance

In June 2024, a federal court in the Northern Texas removed part of OCR’s “Use of Online Tracking Technologies” guidance. The court determined that OCR exceeded its statutory authority by applying HIPAA to metadata—such as IP addresses—associated with user visits to unauthenticated webpages and by interpreting “individually identifiable health information (IIHI)” too broadly.
Specifically, the court invalidated the section of OCR’s guidance that presumed a combination of (1) a user’s IP address and (2) a visit to a public healthcare-related webpage automatically constituted IIHI or PHI, without considering additional context.
However, the court did not strike down the entire guidance; provisions related to authenticated user interactions. Such as patient portal logins remain in effect.
Following the ruling, HHS voluntarily withdrew its appeal in August 2024. As a result, the court’s decision remains in effect, restricting OCR’s authority in this area.

In practical terms, the ruling relaxes some of the overbroad constraints that the OCR attempted to impose on tracking in public (unauthenticated) settings but does not eliminate HIPAA obligations or the risk from misuse of tracking tools.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

Are annual HIPAA risk assessments necessary?

Suze Shaffer October 1, 2025October 7, 2025

An annual HIPAA risk analysis is necessary because it’s the foundation of an effective compliance program — and it’s required by law. Here’s why it matters:

It’s a Legal Requirement

Under the HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The Office for Civil Rights (OCR) repeatedly enforces this requirement, and failure to perform or update a risk analysis is one of the most common causes of HIPAA fines.

Threats and Technology Change Constantly

Healthcare organizations face evolving cybersecurity threats. Ransomware, phishing, insider misuse, and software vulnerabilities.
An annual risk analysis ensures you’re identifying new threats and changes in your environment, such as:

Updated systems or software
New staff or vendors
Relocated offices or added telehealth operations
Cloud service or EHR changes

Without regular reviews, unnoticed gaps could leave patient data exposed.

It Protects Against Fines and Breaches

Most OCR enforcement actions begin with the finding that the organization failed to conduct an updated risk analysis.
By performing one each year (and after significant changes), you demonstrate due diligence. This shows regulators, you are actively identifying, documenting, and mitigating risks. This can reduce penalties if a breach occurs and protects your organization’s reputation.

It Drives Continuous Improvement

A risk analysis isn’t just about compliance — it’s a management tool. It helps you:

Prioritize security investments
Strengthen policies and procedures
Train employees based on real vulnerabilities
Build a strong compliance record

An annual HIPAA risk analysis keeps your organization compliant, secure, and prepared for evolving risks. It’s not a one-time task — it’s an ongoing process that proves your commitment to protecting patient data and maintaining trust.

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

Time to replace Windows 10 computers

Suze Shaffer September 4, 2025September 4, 2025

Why It’s Important to Replace Windows 10 Pro Computers with Windows 11 Pro

Technology moves quickly, and operating systems are no exception. While Windows 10 Pro has been a reliable workhorse for many businesses, its time in the spotlight is coming to an end. Microsoft has officially announced that support for Windows 10 will end on October 14, 2025. This date marks a significant turning point for any organization still relying on Windows 10 Pro devices—and the clock is ticking.

1. End of Support Means End of Security Updates

Once support ends, Microsoft will no longer release security patches for Windows 10. That means any new vulnerabilities discovered after October 2025 will remain unpatched, leaving systems exposed to cyberattacks, ransomware, and data breaches. For businesses, especially those handling sensitive or regulated information, this creates serious compliance risks and potential legal liabilities.

2. Windows 11 Pro Delivers Enhanced Security

Windows 11 Pro is designed with modern threats in mind, incorporating advanced protections that go beyond what Windows 10 offers. These include:

Hardware-based encryption through TPM 2.0
Secure Boot to block unauthorized code at startup
Windows Hello for Business for stronger authentication
Microsoft Pluton Security Processor (on supported devices) for chip-to-cloud protection
These features help safeguard against today’s sophisticated cyberattacks and meet the stricter compliance requirements many industries now face.

3. Performance and Productivity Gains

Windows 11 Pro isn’t just more secure—it’s faster and more efficient. It’s optimized for hybrid work, with better resource management, improved window snapping layouts, and integrated collaboration tools like Microsoft Teams Chat. These improvements can streamline workflows, reduce downtime, and help teams work more efficiently.

4. Compatibility with Modern Software and Hardware

As time passes, more software vendors will stop supporting Windows 10. New applications, updates, and drivers will increasingly be built with Windows 11 in mind, meaning Windows 10 systems could run into compatibility issues. Hardware manufacturers are already prioritizing Windows 11 drivers and firmware, ensuring better performance and stability on new devices.

5. Avoiding Costly “Last-Minute” Upgrades

Waiting until the deadline is risky, supplies of Windows 11 Pro-ready hardware could tighten as more organizations rush to upgrade. By planning now, you can budget for a phased replacement, avoid inflated prices, and ensure your team transitions smoothly without interruptions.

Windows 11 Home – Designed for everyday consumers, home users, and personal devices.
Windows 11 Pro – Built for business, professionals, and power users who need advanced security, networking, and management tools.

Summary:

Replacing Windows 10 Pro computers with Windows 11 Pro machines isn’t just about keeping up with technology—it’s about protecting your business from security threats, staying compliant, and giving your team the tools to work more effectively. With the end-of-support deadline approaching, the sooner you act, the safer and more prepared your organization will be.

IT Administrative Rights and Requirements

Suze Shaffer August 15, 2025September 4, 2025

This case illustrates why a HIPAA Security Officer must have administrative rights access to their organization’s IT infrastructure. Although the compliance officer may not know what to do with this access, it is required so you have control over your network. Should the need arise to replace your IT administrator or IT vendor, you won’t be held hostage. Also, this demonstrates the necessity to check references and BEFORE you terminate someone, be sure their access has been removed.

In the incident below, a fired IT administrator used his elevated access to disable firewalls, delete company data, remove email security filters, and block the business from its own systems—crippling operations. If only a single IT employee holds full administrative control, the organization becomes vulnerable to sabotage, insider threats, and operational paralysis if that person is unavailable, leaves unexpectedly, or acts maliciously.

For HIPAA-regulated entities, losing access to security systems or audit logs can also prevent breach detection and reporting, creating compliance violations and potential fines. A HIPAA Security Officer with administrative rights ensures independent oversight, immediate access to critical systems, and the ability to secure PHI systems without relying solely on IT staff—safeguarding both security and compliance.

If you need assistance with IT services, we work with some of the best in the industry. Use the Contact Us page and we will send our recommendations.

5 Felony Charges for Palm Coast IT Administrator Accused of Launching Cyber Attack on His Company After He’s Fired

Taken from Flagler Live

A 41-year-old resident of Palm Coast was arrested on five felony charges following a Florida Department of Law Enforcement investigation that found him to have allegedly carried out a cyber-attack on his company’s computer infrastructure in retaliation for the company firing him. The attack crippled some of the company’s functions.

“Dude I think I got my company in a choke hold,” the father of two young children, is alleged to have written in a message to someone after the cyber-attack.

The Spice and Tea Exchange, an online and in-store retailer originally founded in St. Augustine and based in Palm Harbor, hired an IT System Administrator in mid-October 2024. (The FDLE refers to it as The Spice and Tea Company.) He was fired last Jan. 14. “Within minutes, the company’s firewall, E-mail, and physical security was infiltrated,” FDLE’s warrant states, resulting “in completed deletion of company data.”

A human resources executive at the company told the FDLE investigator that while his position was being eliminated, he had “displayed very concerning behaviors while employed,” such as having a short fuse. The day of the firing he was working from home. The HR executive called him at noon to let him know he was fired. The conversation lasted just under 10 minutes.

According to the warrant, he “made several threatening statements prior to terminating the call. For one, [he] had stated ‘your company is not prepared for what is coming your way.’”

Almost as soon as he was fired the company would have disconnected him from its firewall and restricted access. That was to be done while the HR executive was still on the phone with him. But in what appeared to have been a movie-like race between IT employees, he was a step ahead of his ex-IT colleague at the Spice and Tea Exchange. He’d logged into the system at the same time that his colleague was racing to restrict access. He “overtook” him and the entirety of the business’ email access. The company “immediately lost access to the company firewall and emails,” the warrant states. He removed the firewall and obstructed business “continuity.”

He’d left one of his company laptops at the office. His colleague opened it–there was no expectation of privacy with a company laptop–and noticed that had his logon to his Chrome and Gmail accounts was automatic, and that it was syncing his other devices with his work computer, a violation of company policy. Within an hour or so of his firing, his history showed he had searched for “Florida Unemployment” and “Palm Coast Lawyers.”

The colleague also discovered that an email filtering service blocking spam and malware had been removed, requiring 3,800 emails to be manually approved. The company was no longer able to log into its own firewall and eventually learned from the Sisco Meraki Company, which provided the firewall data for the Exchange, that the company was deleted from Meraki’s database. So, there were no logs of the attack he allegedly orchestrated.

FDLE confirmed that the last user to make changes to the account had a username of his first initial and last name. FDLE also subpoenaed information from Google and was informed by Charter Communications of further data that led to his house in Palm Coast. Circuit Judge Chris France signed a search warrant, which was served on April 25.

He acknowledged his role when he was IT administrator but denied accessing the firewall.

France signed the FDLE warrant for his arrest on July 7. On Wednesday, he was driving his vehicle on State Road 11 in Flagler County when he was pulled over by a Flagler County Sheriff’s deputy, arrested, and taken to jail, where he was booked and soon released on $25,000 bond.

He faces three charges of computer fraud, a charge of tampering with computer intellectual property and a charge of unlawful use of a two-way communication device. Four of the charges are third-degree felonies, each with a maximum penalty of five years in prison. One of the charges is a second-degree felony, with a 15-year maximum if convicted.

New I-9 Requirements

Suze Shaffer August 1, 2025August 15, 2025

Although this is not a HIPAA requirement, it does affect every business.

Here are the highlights:

Updated Form I‑9

Business should use the new form dated January 20, 2025, with an expiration date of May 31, 2027, if you are not doing so already.
Prior editions from August 1, 2023 will remain valid until their respective expiration dates—either May 31, 2027 or July 31, 2026.
Employers using electronic I‑9 systems must update to reflect the form version with the May 31, 2027 expiration by July 31, 2026.

Key Form Changes

Section 1 terminology

The fourth citizenship attestation box now reads “An alien authorized to work”, replacing the former phrase “A noncitizen authorized to work.”

List B document descriptions

Minor updates include replacing the term “gender” with “sex” in two acceptable documents (e.g. driver’s license), for improved clarity.

Instructions and DHS Privacy Notice

Newly added statutory language and updated Department of Homeland Security Privacy Notice appear in the guidance section of the new form.

E-Verify & E‑Verify+ Updates (Effective April 3, 2025)

The citizenship status selection in E‑Verify and E‑Verify+ now displays “An alien authorized to work” for consistency. Even if the legacy form still shows “A noncitizen authorized to work.”
For E‑Verify Web Services submissions, back‑end systems automatically convert the older phrasing to the updated version. Developers should ensure platforms transmit “An alien authorized to work” to maintain compliance.

Employer Responsibilities & Compliance Tips

Adopt the 01/20/2025 edition as soon as possible—especially for newly hired employees.
Continue using valid older editions until their expiration, but update your electronic systems by July 31, 2026 to the correct version expiration date.
Train HR and hiring staff on the updated language, document descriptions, and instruction changes.
Ensure E-Verify users select “An alien authorized to work” regardless of what appears on older I‑9 forms during data entry.

Summary

The new I-9 form adoption deadline for electronic systems is July 2026, but manual use of the updated form is recommended immediately.
Terminology and document description are minor—but important for alignment with federal law.
HR and compliance teams should confirm systems, forms, and procedures are updated to avoid inconsistencies or audit risks.

The new form and instructions can be found here: https://www.uscis.gov/i-9

Why HIPAA Compliance Matters When Outsourcing Your Medical Billing

Suze Shaffer July 24, 2025July 24, 2025

As today’s healthcare organizations work to streamline operations and control administrative costs, outsourcing medical billing has emerged as a smart and efficient solution. However, while outsourcing medical billing can improve performance, it does not absolve you of your responsibility to protect patient data.

When third-party vendors handle patient information, ensuring HIPAA compliance becomes even more critical.

Whether you’re considering outsourcing for the first time or re-evaluating your current vendor, understanding how HIPAA impacts third-party billing is essential. In this post, we’ll break down what compliance really means, common risks to watch out for, and how choosing the right partner can make all the difference.

What Is HIPAA—and Why Does It Apply to Your Billing Vendor?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patients’ medical information and ensure that it’s used and stored securely. Any person or organization that handles protected health information (PHI)—including third-party billing companies—is legally obligated to follow HIPAA rules.

Here’s the catch: Just because you outsource billing doesn’t mean you outsource responsibility.

If your vendor mishandles PHI, your organization can still face the consequences—ranging from steep fines to lawsuits and reputational harm.

How HIPAA Applies to Outsourced Medical Billing

Under HIPAA, billing vendors are considered Business Associates. That means they must implement the same level of data privacy and security protections as healthcare providers.

To stay compliant, your billing partner should:

Sign a Business Associate Agreement (BAA) with your organization
Encrypt patient data during storage and transmission
Monitor and restrict employee access to PHI
Provide regular HIPAA training to all staff

HIPAA compliance isn’t just a box to check—it’s a shared responsibility that protects both your practice and your patients.

Common HIPAA Pitfalls in Outsourced Billing

Even experienced practices can run into trouble if the billing partner isn’t on top of compliance. Some common red flags include:

Sending PHI over unsecured email or messaging platforms
Poor handling or storage of patient information
Staff who haven’t been trained on HIPAA guidelines
Delayed reporting of potential data breaches

Your vendor should be able to clearly explain how they protect PHI—and provide documentation to back it up.

How to Choose a HIPAA-Compliant Billing Partner

When you’re evaluating a medical billing partner, cost and turnaround time matter—but HIPAA compliance should be non-negotiable.

Look for a billing provider that offers:

Secure systems with two-factor authentication
Routine internal audits and risk assessments
A signed and current Business Associate Agreement (BAA)
HIPAA-trained staff who understand billing complexities
Clear, written policies for PHI access, storage, and disposal

Why It Pays to Work with a HIPAA-Compliant Vendor

Beyond just staying legal, partnering with a HIPAA-compliant billing company offers real business benefits:

Lower risk of data breaches and penalties
Fewer denied claims thanks to accurate submissions
Faster reimbursements and stronger cash flow
Peace of mind during audits or compliance reviews
Enhanced patient trust in your organization’s professionalism

How Emerald Health Keeps Your Practice Compliant

At Emerald Health Medical Billing, HIPAA compliance isn’t an afterthought—it’s the foundation of everything we do.

From insurance verification to payment posting, every process is built with data protection in mind. Here’s how we help safeguard your patients’ information:

End-to-end encryption of all communications
Role-based access controls and detailed audit logs
HIPAA-certified staff across every department
Real-time transparency through client dashboards
Zero-tolerance policy for non-compliance

Whether you’re a small clinic or a multi-location practice, our solutions are designed to support your growth and your peace of mind.

Final Thoughts

As the healthcare industry becomes more digital and regulated, the stakes around data privacy have never been higher.

When you outsource your billing, you’re not just hiring a vendor—you’re choosing a guardian for your patients’ most sensitive data.

Dr. Arun Rajan, President & CEO of Emerald Health and a board-certified neurologist, leads our team with a deep understanding of clinical care and operational excellence. Our goal is simple: help practices run more efficiently—without compromising on compliance. https://emeraldhealthllc.com/

Chiropractor HIPAA Violations and Fines

Suze Shaffer July 15, 2025July 15, 2025

Avoid common misconceptions about HIPAA compliance. Learn the critical steps needed to avoid Chiropractor HIPAA violations and fines. Many chiropractor practices think the Government SRA tool is all they need for their HIPAA risk assessment. Keep in mind, it does not include policies and procedures, therefore you must create your own. Also, many chiropractic practices are members of a group that supply a “HIPAA Binder”. Again, most of these groups do not include policies and procedures. Without proper documentation, a chiropractic practice can be assessed with HIPAA violations and fines.

Another common misconception is that small practices believe they are too small to attract attention from the Office for Civil Rights (OCR). In reality, it takes just one patient complaint, a dissatisfied employee, or a data breach to initiate an audit. Remember, once an investigation begins, the OCR will examine your entire HIPAA compliance program — not just the specific incident in question.

Lastly, many organizations think HIPAA can be a once and done process. This can cost you $$$$$$ in fines! HIPAA requires every organization that is involved with patient data to document their ongoing compliance efforts.

Here are a few examples of Chiropractic practices and some multi-specialty practices that have been fined:

Arkansas Chiropractic Clinics — $321,000 fine
Two chiropractic clinics in Arkansas were fined a total of $321,000 after improperly disposing of patient records by dumping them in a public park, violating HIPAA’s privacy and secure disposal requirements.
Illinois Chiropractic Offices — Ransomware and data breach incidents
Several chiropractic practices in Illinois experienced ransomware attacks, with ransom demands reaching up to $10,000. While specific OCR fines were not disclosed, these events highlight serious security lapses and the risk of significant penalties.
Stolen devices containing ePHI — $150,000 fine
In a case not exclusive to chiropractic, a healthcare provider failed to update and secure outdated systems, leading to a malware breach and resulting in a the fine from the OCR.
Missing risk analysis — $50,000 fine
Another provider, a clinic using mobile devices like tablets or iPads, was fined $50,000 for failing to conduct a risk analysis and implement appropriate security controls on mobile devices. A critical requirement for chiropractic offices using digital tools.

Privacy & Unauthorized Access Stories

Receptionist displaying PHI on a tablet
At a chiropractic office, an iPad used for patient check-in accidentally showed other patients’ names and birthdates, resulting in a HIPAA privacy violation.
Chiropractor misusing patient address to send flowers
In Colorado, a chiropractor accessed a patient’s medical record to obtain her address and sent her unsolicited flowers. This was widely viewed as a serious breach of patient privacy and another type of violation of the HIPAA privacy rule.

Ask yourself: How much of your hard-earned revenue are you willing to risk?

Remember, it only takes a single patient complaint or one disgruntled employee to prompt an investigation by the Office for Civil Rights (OCR). Once that happens, every aspect of your compliance program will come under scrutiny.

Ask yourself: Are you confident your documentation can stand up to that level of review? Most practices lack the required policies and documentation.

Are you ready to protect your practice? We are here to help you avoid common misconceptions about HIPAA compliance. Do you have the critical steps needed to avoid Chiropractor HIPAA violations and fines? Our online HIPAA Keeper™ includes all policies and procedures required under HIPAA. We also include patient and HIPAA documentation. When HIPAA rules are updated or added, we update our system to keep you up to date. Also, we are always improving our system to make sure users are aware of new threats and how to protect their organization.

Still not sure? Check out our video that explains our 7-Steps in the HIPAA Keeper™ or Schedule a live demonstration to see for yourself how easy maintaining HIPAA compliance can be!