Call Us Today! 877-659-2467

Google Reviews on Medical Websites: HIPAA Compliance Risks

Patients trust online reviews. A strong Google rating can influence where someone chooses to receive care. As a result, many medical practices display Google reviews directly on their websites to build credibility and attract new patients.

While this may seem harmless, healthcare organizations should carefully evaluate the HIPAA implications before embedding or displaying patient reviews. What appears to be a simple marketing strategy can create privacy and compliance risks.

Can Medical Practices Display Google Reviews on Their Website Without Violating HIPAA?

Patients may voluntarily post reviews about their own healthcare experiences on Google. HIPAA does not prevent patients from sharing their own health information publicly.

The compliance issue arises when a healthcare provider republishes those reviews on its own website.

Republishing a patient’s review may be viewed as using or disclosing protected health information (PHI) for marketing or promotional purposes. Even though the patient made the information public, HIPAA does not automatically grant the provider permission to reuse it.

The fact that information is publicly available does not eliminate a covered entity’s HIPAA obligations.

Does a Google Review Contain PHI?

Protected Health Information is individually identifiable health information that relates to an individual’s past, present, or future health, healthcare, or payment for healthcare.

Many patient reviews include statements such as:

  • “Dr. Smith treated my diabetes.”
  • “The staff helped me through chemotherapy.”
  • “I had cataract surgery here.”
  • “My child received ADHD treatment.”

When a healthcare provider republishes these reviews, the practice is associating an identified individual with healthcare services it provided. That combination may constitute PHI.

What If Only Initials Are Used?

Some practices believe replacing the patient’s full name with initials eliminates the HIPAA concern.

Unfortunately, it may not.

Initials often do not fully de-identify an individual. Combined with other information, such as the provider’s specialty, procedure performed, date of service, location, or the original review still available on Google, the individual may remain identifiable.

HIPAA’s de-identification standard requires that there be no reasonable basis to identify the individual. Simply changing “John Smith” to “J.S.” rarely satisfies that standard.

No.

Posting a review on Google demonstrates that the patient chose to share information with the public. It does not necessarily authorize the healthcare provider to reuse that information for its own marketing.

HIPAA authorizations have specific regulatory requirements. They generally must:

  • Clearly describe the information being used or disclosed.
  • Identify who may use the information.
  • Identify who may receive it.
  • Explain the purpose of the disclosure.
  • Include an expiration date or event.
  • Inform the individual of their right to revoke the authorization.
  • Be signed by the patient or personal representative.

A Google review does not meet these requirements.

Embedded Google Reviews May Create Additional Privacy Risks

Many practices use Google review widgets that automatically pull reviews onto their websites.

These widgets may introduce additional privacy concerns beyond the review itself.

Depending on how the widget functions, it may:

  • Load content directly from Google servers.
  • Place cookies on visitors’ browsers.
  • Collect IP addresses or device identifiers.
  • Share website activity with third parties.
  • Trigger analytics or advertising technologies.

If review widgets operate alongside analytics, advertising pixels, or other tracking technologies, practices should carefully evaluate whether protected health information could be disclosed to third parties.

Healthcare organizations should inventory all third-party technologies operating on their websites and determine whether appropriate safeguards, contracts, and configurations are in place.

OCR Has Increased Scrutiny of Website Tracking

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has repeatedly emphasized that healthcare organizations are responsible for understanding how third-party technologies collect and transmit information from their websites.

Authenticated patient portals, appointment scheduling systems, online bill payment pages, and other areas where visitors interact with healthcare services require particular attention.

Even public-facing websites deserve careful review when technologies collect information that could become individually identifiable in a healthcare context.

Best Practices for Medical Practices

If your practice wants to highlight positive patient experiences, consider these recommendations:

  • Obtain a HIPAA-compliant authorization before republishing identifiable patient testimonials.
  • Avoid copying reviews directly from Google without authorization.
  • Do not assume publicly posted information removes HIPAA obligations.
  • Evaluate whether review widgets transmit visitor information to third parties.
  • Conduct periodic website privacy and security reviews.
  • Review all analytics, advertising pixels, chat tools, and embedded third-party content.
  • Work with legal counsel or your HIPAA compliance team before implementing new marketing technologies.

Another Approach

Consider asking satisfied patients to provide a separate written testimonial using a HIPAA-compliant authorization form designed specifically for marketing purposes.

This approach provides clear documentation that the patient understands how the testimonial will be used and protects both the patient and the practice.

The Bottom Line

Google reviews are valuable marketing tools, but healthcare providers must approach them differently than most businesses.

A patient may choose to publicly discuss their healthcare experience, but that does not automatically give the provider permission to republish that information on its own website. In addition, embedded review technologies may introduce separate privacy risks that require careful evaluation.

HIPAA compliance extends beyond policies and training. It includes understanding how everyday marketing decisions can affect patient privacy.

Before displaying patient reviews on your website, make sure your practice has evaluated both the HIPAA authorization requirements and the privacy implications of the technology used to display them.

Disclaimer: This article is intended for educational purposes and does not constitute legal advice.

Protect Your Organization Before It’s Too Late

At Aris Medical Solutions, our HIPAA Keeper cloud-based platform makes HIPAA compliance simple. It guides your organization through every requirement with a clear, step-by-step process. From risk analyses and policies to employee training and required documentation, you’ll have everything needed to remain compliant, protected, and audit-ready. Best of all, your HIPAA Compliance Officer is never on their own. Every client has access to a Certified HIPAA Security Analyst who provides expert guidance, answers questions, and helps ensure your compliance program is implemented correctly.

Protect your practice — and your patients.

Schedule a free HIPAA checkup today at Aris Medical Solutions.

HIPAA Checklist vs True Compliance

Distinction That Matters:

Many practitioners view HIPAA as a compliance checklist. They sign forms, complete training, and check boxes. This mindset weakens compliance and patient protection. HIPAA reflects the privacy and security principles that support quality patient care. These principles matter whether the law requires them or not. HIPAA compliance goes beyond checking off a list. Strong compliance creates a culture of privacy, security, and accountability. Organizations should strengthen their security programs now. Do not wait for stricter Security Rule requirements to be finalized before taking action. Patients entrust you to protect their privacy.

Patient Protection:

Trust as a prerequisite. Patients who fear disclosure often withhold important health information. This includes mental health, substance use, sexual health, and HIV status. Incomplete information can lead to inaccurate diagnoses and treatment decisions. Strong privacy protections build trust and encourage honest communication. Better communication leads to better clinical outcomes.

Preventing downstream harm. Cybersecurity is now viewed as a patient safety issue, not just an IT responsibility. PHI exposure doesn’t merely embarrass, it causes measurable injury: loss of employment, insurance discrimination, damaged relationships, domestic violence risk (particularly relevant when an abuser shares a health plan), and in some cases physical danger. Healthcare providers protect patients by securing their information and handling it responsibly.

Continuity of the relationship. Unauthorized disclosures can permanently damage patient trust. Even well-intentioned disclosures can weaken the patient-provider relationship. Patients who lose trust often delay or avoid needed care. Strong privacy protections support lasting relationships and better patient outcomes.

Practice Protection:

Breach costs are severe and compounding. OCR penalties range from $145 to $73,011 per violation, with annual caps reaching over $2 million per violation category. More damaging is the breach notification requirements, mandatory corrective action plans, and reputational exposure that affects patient volume and referral networks. A single ransomware incident or misdirected fax can trigger all of these simultaneously.

Breach exposure expands with data failures. A breach that causes patient harm creates dual liability, regulatory and civil. HIPAA does not offer a patient right of action; however, plaintiffs’ attorneys increasingly treat PHI mishandling as evidence of systemic negligence, not merely a technical violation. It colors how a jury perceives the entire standard of care and imposes high settlements during a class action lawsuit.

Third-party relationships. Business Associate Agreements exist because your liability extends through your vendors. A practice that doesn’t rigorously manage BAAs inherits risk from EHR vendors, billing services, and cloud storage providers. Ignorance of a downstream breach is not a defense. Business associates are increasingly being held to the same security expectations as covered entities.

Ethical Compliance Frameworks Often Miss:

HIPAA did not create patient confidentiality. It established enforceable standards for an existing ethical duty. The Hippocratic Oath, AMA ethics, and medical ethics frameworks all recognize confidentiality as a core responsibility.

HIPAA transforms that responsibility into specific, measurable, and auditable requirements. Many organizations treat HIPAA compliance as the finish line instead of the starting point. This approach creates unnecessary compliance and ethical risks. The Minimum Necessary Standard reflects more than a legal requirement. It requires staff to access only the information needed for legitimate purposes. This standard supports both patient privacy and ethical decision-making.

Practices that embrace this principle build stronger compliance programs. They also earn greater patient trust than organizations that simply check compliance boxes.

The Practical Mixture:

A practice that treats HIPAA as necessary and not merely required will:

  • Build patient relationships capable of supporting honest clinical communication
  • Reduce liability exposure across both regulatory and civil channels
  • Establish vendor and staff accountability structures that prevent the most common breaches (insider access, phishing, improper disposal)
  • Operate with a defensible standard of care in the event of litigation

The law exists. But the reasons to comply existed before it, and they matter more.

For organizations following HIPAA closely, the message from regulators and industry experts is clear: maintaining a written, well-documented compliance program with strong cybersecurity controls is becoming the baseline expectation, not a best practice. One of the main enforcement requirements is that of a Risk analysis as a starting point. Then must be updated as technology and staff changes.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project; it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

HIPAA vs State Privacy Laws

Many cash practices have the misconception that HIPAA does not apply to them. Well, that maybe true in some aspects, BUT… state privacy laws may actually be more stringent. In the coming years, more states will implement privacy laws to protect consumers from privacy and security failures due to the rise in cybercrime.

So, when practices compare HIPAA vs State Privacy laws, HIPAA sets a federal floor for covered entities. Cash practices escape HIPAA’s reach but land directly in a patchwork of state laws that can be equally or more demanding. The absence of HIPAA liability is not the absence of privacy liability.

What is HIPAA and Who Must Comply?

HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities. This includes health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions (like billing insurance).

If you never bill insurance and never transmit health information electronically for covered transactions, you are likely not a HIPAA covered entity.

Cash-Only or Direct-Pay Practices and HIPAA

Although a cash only or direct pay practice may not fall under the HIPAA rule guidelines there are other laws they must follow and still have significant legal obligations to protect patient information.

Specialized Federal Privacy Laws

Depending on the services provided, additional federal laws may apply, such as:

  • 42 CFR Part 2 for certain substance use disorder treatment records.
  • Federal protections for certain research records.
  • Privacy requirements related to employment or occupational health records.

Federal Trade Commission (FTC) Health Breach Notification Rule

The FTC Health Breach Notification Rule may apply to certain health apps, telehealth providers, and businesses that are not covered by HIPAA if they experience a breach of individually identifiable health information

Federal Trade Commission (FTC) Act

The Federal Trade Commission can investigate businesses that:

  • Misrepresent their privacy practices.
  • Fail to safeguard consumer information after promising to do so (this includes posting a HIPAA Compliant Seal on a website).
  • Engage in unfair or deceptive acts involving personal information.

State Privacy Laws Fill the Gap

  • Govern how long records must be retained (varies: 5–10+ years by state)
  • Define patient rights to access and amend their records
  • Authorized disclosures
  • Apply to all providers regardless of insurance billing status
  • Civil penalties for unauthorized disclosures
  • Protection of electronic health records

These laws often apply regardless of whether the provider accepts insurance.

State Medical or Dental Practice Licensing Boards
State licensing boards generally require licensed healthcare providers to:

  • Maintain confidential patient records.
  • Secure electronic records.
  • Maintain complete and accurate documentation.
  • Retain records for the required period.
  • Protect patient information from unauthorized access.

Failure to do so can result in disciplinary action, including license suspension or revocation.

State Consumer Health Privacy Laws
Several states have enacted broader health privacy laws that apply beyond HIPAA. Examples include:

  • California (CMIA) – California Confidentiality of Medical Information Act applies broadly, including to providers not covered by HIPAA. California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
  • Colorado – Outlines five key rights for Colorado consumers, right to access, right to correction, right to delete, right to data portability, right to opt out.
  • Connecticut – The Connecticut Data Privacy Act (CTDPA) includes stronger data protections for children.
  • Florida, Texas, New York – each have specific statutes governing patient records, breach notification, and consent requirements.
  • Washington My Health MY Data Act (2023) – extends beyond HIPAA to cover consumer health data broadly.

Most states have implemented similar state privacy laws, some are more stringent, while others apply to larger entities. Keep in mind, these laws may apply even when HIPAA does not.

State Data Breach Notification Laws
All 50 states have breach notification laws. If an EHR containing patient information is accessed, stolen, or compromised, the provider may have to notify:

  • Affected patients.
  • The state attorney general (in some states).
  • Consumer reporting agencies (for large breaches).

The notification requirements vary by state.

Contracts with the EHR Vendor
Nearly every EHR agreement requires the practice to:

  • Maintain account security.
  • Control user access.
  • Protect passwords.
  • Report security incidents.
  • Use the software appropriately.

Violating these contractual obligations can create liability.

Does using an EHR create security obligations?

Even if HIPAA does not apply, using an EHR means the practice should implement reasonable safeguards such as:

  • Unique user accounts
  • Strong passwords or passkeys
  • Multi-factor authentication, when available
  • Encryption of devices and backups
  • Automatic screen locking
  • Audit logs
  • Routine software updates
  • Staff confidentiality training
  • Procedures for responding to security incidents

These measures are often considered evidence of reasonable care if a privacy dispute or data breach occurs.

Class Action Lawsuits

Medical data breaches carry significant class action lawsuit risk, as a single incident can expose personal health information. Plaintiffs’ attorneys have increasingly targeted healthcare providers, insurers, and their vendors following breaches, alleging failures to implement reasonable and appropriate security measures, violations of state privacy statutes, and in some cases HIPAA-adjacent state law claims. Even cash-pay practices that fall outside HIPAA’s reach are not immune: state consumer protection laws, medical records statutes, and common law negligence theories can all support class action claims when patient data is compromised. Courts have become more receptive to standing arguments in data breach cases, and the cost of defending, let alone settling a class action, can be devastating for a and size of practice. Inadequate data security is not just a regulatory risk; it’s a litigation risk that no practice can afford to ignore.

Smart practice even if not required:
Many cash-pay providers voluntarily adopt HIPAA-like privacy practices because:

  • It builds patient trust.
  • It provides a defensible compliance standard.
  • State laws often parallel HIPAA requirements anyway.
  • It simplifies operations if the practice ever accepts insurance later.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project, it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Class Action Lawsuits and Healthcare Providers

HIPAA itself does not provide individuals with a “private right of action,” meaning patients generally cannot sue a Covered Entity or Business Associate directly under HIPAA for a violation. Enforcement authority belongs to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which investigates complaints and may impose corrective actions, settlements, or civil monetary penalties.

Class Action vs HIPAA

However, while patients may not sue “under HIPAA,” class action lawsuits are becoming more prevalent following healthcare data breaches or privacy incidents. Plaintiffs’ attorneys often use alleged HIPAA failures as evidence of negligence, inadequate security practices, breach of fiduciary duty, or violations of state consumer protection and privacy laws. In many cases, lawsuits focus on claims such as emotional distress, identity theft risk, financial harm, or failure to properly safeguard sensitive information. As healthcare breaches continue to increase and state privacy laws expand, organizations are facing growing litigation exposure even when OCR does not issue a HIPAA fine.

Class Action Lawsuits

For example, American Multispecialty Group, which does business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Following the incident, Esse Health became the target of multiple class action lawsuits related to the breach. Those lawsuits were later consolidated, and the organization recently agreed to a $2,525,000 settlement to resolve the claims.

Other class action lawsuits include Ascension, BJC Healthcare, HCA Healthcare, Hypertension Nephology Associates, and Shields Heath Care Group that settled for $15,300,000.

These lawsuits commonly allege:

  • Failure to conduct an accurate and thorough risk analysis
  • Failure to implement reasonable security safeguards
  • Negligent cybersecurity practices
  • Delayed breach notification
  • Failure to properly monitor systems
  • Increased risk of identity theft and medical fraud

This trend demonstrates that even though HIPAA itself does not create a private right of action, plaintiffs are increasingly using state negligence laws, consumer protection laws, breach of implied contract claims, and privacy torts to pursue class action litigation after healthcare data breaches.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project, it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Good Faith Compliance is No Longer Enough

HIPAA now has stricter and more explicit requirements. Especially as enforcement expectations tighten. This is changing how medical practices and business associates operate day to day. The big shift is that “good faith” compliance is no longer enough. Regulators now expect documented and continuously maintained compliance.

Compliance Must Be Documented, Not Assumed

Organizations can no longer rely on informal policies, verbal training, or “we’ve always done it this way.”

Written risk analyses, risk management plans, and policies have always been required. But now, regulators are closely reviewing for updates. Documents must be current, not created once and forgotten.

If it’s not documented, Office for Civil Rights treats it as if it doesn’t exist.

Impact: More time spent maintaining documentation, but far less exposure during an audit or complaint.

Risk Analysis Is the Foundation of Everything

The Office for Civil Rights (OCR) has made it crystal clear that risk analysis drives compliance decisions. Security controls must align with identified risks. Then a documented risk management plan that outlines the mitigation process must be created. “Addressable” safeguards must be justified if not implemented, this was never meant to be optional! Generic or copied risk analyses are being rejected.

Impact: Organizations must understand their systems, vendors, workflows, and vulnerabilities – not someone else’s.

Cybersecurity Expectations Are Higher

HIPAA now expects organizations to adopt modern security practices, not outdated basics.

  • Multi-factor authentication (MFA)
  • Encryption of data at rest and in transit
  • Regular patching and system hardening
  • Monitoring for suspicious activity

Failing to implement common-sense safeguards is increasingly viewed as willful neglect.

Impact: Greater reliance on IT partners, but also more oversight and accountability.

Vendors and Business Associates Are Under a Microscope

Practices are responsible for who they share PHI with. Business Associate Agreements (BAAs) must be current. Business associates must have current subcontractor agreements in place as well. Vendors must demonstrate their own security practices and comply with the HIPAA rules. “We trusted our vendor” is no longer a defense. Covered entities are responsible for ensuring their vendors are compliant.

Impact: More vendor vetting, more paperwork, fewer risky shortcuts.

Training Must Be Ongoing

Annual, generic HIPAA training doesn’t cut it anymore. Training must address phishing, ransomware, and real-world threats. Training must be tracked and documented.

Impact: Better-informed staff equals fewer costly human-error breaches.

Faster Response and Accountability After Incidents

HIPAA enforcement now scrutinizes how quickly and effectively a practice responds to incidents. Incident response plans must exist before an event occurs. Delays or confusion during a breach increases penalties. Internal security incident investigations must be documented.

Impact: Organizations need clear procedures, not panic, when something goes wrong.

Small Practices Are No Longer “Too Small to Enforce”

Enforcement actions increasingly involve:

  • Small and solo practices
  • Dental offices
  • Specialty clinics
  • Business associates

Complaints, not breaches often trigger investigations.

Impact: Every organization is expected to meet the same baseline standards, regardless of size.

Summary

HIPAA’s stricter requirements mean organizations must shift from reactive compliance to ongoing risk management.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk- step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

AI scribe and when an authorization is required

There has been some confusion about when a patient authorization is required when using AI scribe or the recording of a patient encounter.

HIPAA permits providers to use and disclose PHI for the Treatment, Payment, and Healthcare operations (TPO). If the provider records the encounter solely to create clinical documentation, then a separate patient authorization is required.

Keep in mind, you must have a signed business associate agreement (BAA). The recording must be secure, and encryption and proper safeguards are in place. Also, this must be disclosed to the patient.

HOWEVER, it is recommended to obtain a patient authorization since many states, including Florida require an authorization from BOTH parties to record audio conversations.

AI Scribe Used for Treatment Documentation

If the provider records the encounter solely to create clinical documentation for treatment, payment, or healthcare operations purposes, HIPAA generally does not require a separate patient authorization.

Medical Provider Requirements

The AI vendor must sign a Business Associate Agreement (BAA). The recording must be secured using encryption and proper technical safeguards.

When Authorization May Be Required

A separate written authorization may be required if the recording is used for marketing, shared outside of treatment purposes, or training outside HIPAA regulated entities.

Some state law requires two-party consent for audio recording (such as Florida).

State wiretapping laws may require patient consent even if HIPAA does not.

AI scribing tools typically record audio of patient encounters, transcribe and process PHI, sometimes store or analyze recordings. That triggers BOTH laws at the same time.

Additional Risk Considerations

Even if HIPAA does not require authorization, patients should be clearly informed that the visit is being recorded. Transparency reduces complaints and scrutiny. Even some malpractice carriers recommend a written acknowledgment.

Practical Best Practice

Providers should be updating their intake paperwork to include this disclosure and adding signage in the exam rooms.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you step by step.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

New Rule for Health Care Claims Attachments and Electronic Signatures 

CMS, on behalf of HHS, is notifying shareholders of the CMS-0053-F Final Rule. It was published in the Federal Register on March 24, 2026.

This final rule establishes the first HIPAA standards for health care claims attachments. It allows secure electronic submission of supporting clinical documentation. Examples include medical records, imaging, clinical notes, telemedicine documentation, and lab results.

The rule implements requirements under HIPAA Administrative Simplification. It also follows provisions from the Affordable Care Act and 2010 reconciliation law.

The rule introduces new standards to streamline administrative transactions. This reduces manual processes and improves efficiency and patient care.

The rule adopts standards for secure electronic submission of claim attachments.
These attachments include medical records, imaging, and clinical notes. The rule establishes secure electronic signatures for attachment transactions. These signatures ensure document integrity and verify identity using HL7 guidance. These updates reduce faxing and mailing. They will save time and resources for providers and payers. They improve administrative efficiency and support better patient care.

Compliance Timeline: 

Stakeholders must meet all rule requirements within 24 months of the effective date. This period allows covered entities to adopt new standards and transition from current processes.

For more information on the final rule, please visit: https://www.federalregister.gov/d/2026-05676

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk- step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records

Landmark Enforcement Program for Substance Use Disorder (SUD) Records

The U.S. Department of Health and Human Services Office for Civil Rights announced a new enforcement program. This program protects the confidentiality of substance use disorder patient records. OCR will enforce statutory and regulatory requirements under federal law.

This program introduces civil enforcement for covered substance use disorder programs for the first time. HHS will enforce safeguards to protect substance use disorder patient records. Patients deserve treatment without sacrificing privacy or legal protections.

The program enforces confidentiality provisions under section 3221 of the CARES Act. The regulation appears at 42 CFR Part 2.
Covered entities must comply with all requirements beginning February 16, 2026.

  • OCR may investigate entities that fail to protect substance use disorder patient records.
  • Penalties applied will be consistent with HIPAA Privacy, Security, and Breach Notification Rules.
  • Resolution agreements may be implemented to resolve violations.
  • Civil monetary penalties for noncompliance may be applied.
  • Corrective action commitments may also be applied.
  • HIPAA Notice of Privacy Practices may need to be updated.

Compliance will improve care coordination among providers and strengthen patient confidence in substance use disorder treatment providers.

Beginning February 16, 2026, OCR will accept complaints alleging confidentiality violations. Entities may access resources at the HHS OCR Part 2 webpage.

This program supports national policy objectives under Executive Order 14379.
The initiative addresses addiction through treatment, recovery, and self-sufficiency.

Section 3221 of the CARES Act aligns substance use disorder privacy standards with HIPAA standards.
It also aligns standards with the HITECH Act. This rule updated confidentiality protections under 42 CFR Part 2. This rule improves coordination among treating providers. Strengthens confidentiality protections through civil enforcement.
It also improves integration of behavioral health information and improved patient health outcomes.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk – step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

HIPAA Binder vs OCR Reality

What Medical Practices Think They Have vs. What OCR Actually Requires

HIPAA binders have been used in the past, but usually lack proper documentation that is required.

What Practices Often Rely On:

“We have a HIPAA binder.”

  • HIPAA binder purchased (often never opened, and plastic not removed)
  • Policies printed once (often not completed)
  • Annual training sign-in sheets (sometimes, these are lost)
  • Generic risk analysis template (if they have even conducted a risk analysis)
  • Business Associate Agreements (many of these are missing, or lack compliance documentation)
  • Someone assigned as “HIPAA Officer” (most compliance officers have other responsibilities, and HIPAA never seems to be documented)

This shows intent, but intent is not proof.

What OCR Looks for During an Investigation:

“Show us your documentation.”

OCR does not ask if you tried.
They ask what you can produce, immediately.

  • A current, systemwide risk analysis tied to your systems (not one that is copied from another practice)
  • Evidence of ongoing risk management, not a one-time exercise
  • Training records for each workforce member
  • Signed BAAs with vendors that access ePHI
  • Policies that match actual safeguards in place
  • Proof documentation is maintained, reviewed, and updated

The Reality Gap (Where Most Practices Get Stuck):

Binder Mindset vs OCR Reality:

HIPAA is done  – HIPAA is ongoing

Purchased policies   – Policies are incomplete

Staff trained  – Training must be current and documented

Risk analysis completed once  – Risk Analysis must be accurate and updated

We’re too small  – All sizes are fined

Why Binders Fail During Audits:

  • Documents become outdated quickly
  • No audit trail showing updates or reviews
  • Training proof is incomplete or missing
  • Risk analysis is generic, not practice-specific
  • BAAs are unsigned, expired, or missing
  • Hard to produce documentation on demand

If it can’t be produced, OCR treats it as if it never existed.

The Question Every Practice Should Ask:

If the OCR contacted us tomorrow, could we confidently produce everything they would request?

If the answer isn’t a clear yes, it may be time to rethink how compliance is managed.

How our HIPAA Keeper™ Closes the Gap

Guided, step-by-step HIPAA compliance process
Built-in risk analysis & risk management tools
Centralized storage for policies, BAAs, and training records
Documentation that aligns with OCR expectations
Ongoing maintenance instead of “set-and-forget” compliance

Binders show effort. The HIPAA Keeper™ shows proof.

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

Why Medical Practices Delay HIPAA Compliance

(And Why That Delay Is Riskier Than They Think)

Most medical practices don’t ignore HIPAA because they don’t care.
They delay it because they’re busy, understaffed, and overwhelmed – and HIPAA feels confusing, technical, and unforgiving.

HIPAA Binders

When we discuss HIPAA compliance we hear “we’ve always done it this way”. “we are good, we have a HIPAA binder”. They rely on these old HIPAA binders that include policies created years ago. These worked at one point, but HIPAA expectations and enforcement have changed. They often lack HIPAA training documentation and updated procedures as technology has changed. Many of these binders still have plastic wrapping or are covered in dust!

HIPAA is no longer a one-time task. It’s an ongoing process, and static binders simply don’t keep up.

HIPAA Is Seen as a Cost, Not Protection

HIPAA doesn’t generate revenue, so it often falls behind. Most HIPAA compliance officers have many other responsibilities, staffing, billing, or patient care. Organizations compare the cost of compliance to nothing going wrong—so far. Unfortunately, this could end up being very costly due to one small mistake. One click of a mouse, one patient complaint, or even one disgruntled employee is all it takes to trigger an investigation from the OCR.

Major Misconception

One of the most common and costly misconceptions is “we are too small to be a target”. Smaller organizations assume hackers and enforcement focuses on hospitals. They have a false sense of security thinking… we have never had a breach. The fact is some organizations have had a breach and have not discovered it YET! Depending on the type of malicious code that may have invaded your systems, they could be waiting for the “right” time to reveal themselves. Since many small to mid-size organizations lack the security required to protect their data, they are often a larger target than hospitals. The OCR enforcement investigates ALL SIZES of organizations, no one is immune.

Fear of Technology

Online compliance systems can feel intimidating. Requiring yet another password, concerns about not understanding the terminology, and the HIPAA requirements. Organizations worry that technology will make HIPAA harder, not easier. This is rarely said out loud, but it’s very real… many organizations are concerned that an online system will expose their weaknesses, discover they are not compliant, and the lack of documentation will create liability. The truth is that gaps do not create risk, undocumented gaps do! The OCR requires organizations to identify risks and document their procedures to mitigate those vulnerabilities based on their environment.

Confusion About What HIPAA Actually Requires

HIPAA language is complex and guidance is often confusing. Many organizations ask, “is this really required”, “are we doing enough”, and “what does the OCR really expect”. Then they delay facing the Elephant in the room. Documentation becomes outdated, training records go missing, risk analyses are not updated, and business associate agreements are not signed.

When an incident occurs, then everyone scrambles, and even more mistakes are made. How well do you trust your compliance efforts? Remember, when the OCR investigates an incident, they review ALL your compliance records, not just the one incident.

A Better Way Forward

If someone asked for your HIPAA documentation tomorrow, would you feel confident—or stressed?

If the answer is stress, that’s not a failure – it’s a sign it’s time for support.

HIPAA compliance doesn’t have to be overwhelming, technical, judgmental, or confusing. An online system should be easy to navigate and increase your productivity. If it is too cumbersome, or you are still using a binder, it may be time to look at a better solution. We are here to help!

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk- step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC