Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.
Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper™ System!
Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.
iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.
Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:
Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.
Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!
Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”
To read about other actual fines, click on our Education tab!
The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include but are not limited to Google Analytics, Meta Pixel, Cookies, and QR codes.
Cover entities regularly share electronic protected health information (ePHI) with some of these tracking vendors. Some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate utilizes a technology partner to analyze interactions or to disclose tracking information as part of their health care operations, the HIPAA rules will apply when the information that is collected contains protected health information (PHI). If your organization collects sensitive information with an online tracking vendor, such sharing may be considered impermissible disclosures. Another example of a HIPAA violation would be disclosures of PHI to a tracking company for marketing purposes without a patient’s authorization.
Tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. Then it is analyzed by owners of the website or mobile app. Some third parties may also be used to analyze the data to create insights about users’ online activities. These insights could be used in beneficial ways. Such as to help improve care or the patient experience. However, this tracking information could also be misused and cause identity theft, stalking, and harassment.
Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app. Including individually identifiable health information (IIHI) that the individual provides when they use websites or mobile apps. This information could include a patient’s medical record number, home or email address, or dates of services, as well as an individual’s IP address or geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.
Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. Hence, why it is so important to only work with website companies that are familiar with the HIPAA rules.
Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.
Cover entities may also have webpages that do not require users to log in before the patient can access the information on a webpage, these are considered unauthenticated webpages. This may include general information about the practice or business like their location, services they provide, or their policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI. Then a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages have access to PHI, then the HIPAA Rules apply.
Examples of unauthenticated webpages where the HIPAA Rules apply include:
The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collects an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.
Mobile apps that help patients manage their health information or pay bills collect a variety of information that is provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables. Such as heartrate monitoring or menstrual cycle, body temperature, etc.
Patients that voluntarily download or enter their information into mobile apps that are not developed or offered by regulated entities, regardless of where the information came from do not have to follow the HIPAA Rules. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.
Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA rules include the HIPAA Privacy, Security, and Breach Notification requirements. Ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.
Websites may advise the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology does not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patients’ authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendors without a patient authorization.
A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
We have talked in the past about the Office for Civil Rights conducting a minimum of a 12 month look back for data security/ HIPAA compliance efforts. If an organization suffers a breach, with proper documentation fines may be waived. This is known as “Recognized Security Practices”. Every organization will have different documentation based on their network configuration and how data flows in and out of your information systems. This isn’t really anything new since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and they are making some new revisions requiring covered entities and business associates to document their efforts now more than ever. NIST SP800-66 Rev. 2
This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task must easier by enabling the HIPAA compliance officer to download and share certain policies for employees to review. Plus, the confidentiality and acceptable use agreement that is signed via DocuSign demonstrates you have advised your employees they must follow your policies and procedures.
Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:
Managed devices. You can use this as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
In the report above, this may contain operating systems, patches / updates that have been applied, IP addresses, User ID, and a device name. All of this is useful information, and if the report does not contain this information, you need to look for another report.
Software lists are very important since you can see if any employee has downloaded unauthorized software or if a computer has been compromised.
Device health reports typically include information on anti-virus, last log in, some record failed logins, or that is in a different report. These are must have reports.
Access logs may be located within the software the IT vendor utilizes to manage your network, within your domain controller, and within your EHR/PM software. These reports must be reviewed to ensure employees are only accessing ePHI based on their job function and to look for outside intrusions.
Backup reports should demonstrate when backups are performed and to ensure they are successful.
Summary reports are useful, but you must make sure you review them, and they can be lengthy.
There are times when certain devices cannot be updated or upgraded due to the nature of the equipment and the cost to do so. This would not necessarily be a violation if you demonstrate other means to protect your system. For example, either removing the outdated equipment from internet access or placing it on a separate network so it would not be accessible by other drives that contain ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.
Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together. The IT vendor handles the day-to-day operations, and the network security companies hardens the systems.
Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have “qualified documentation”, your claim could be denied. Of course, the term “qualified documentation” is open to interpretation. They do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!
Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.
The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.
We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.
Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.
Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.
Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.
Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.
The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.
Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.
Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.
Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.
Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.
Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.
Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.
Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.
Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.
After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
When an employee is terminated, it is necessary to remove access to protected health information (PHI) immediately. It is just as important for employees not to share their log-in credentials with anyone. The City of New Haven, Connecticut found out the hard way. In January 2017 the New Haven Health Department filed a breach report stating that a terminated employee may have accessed a file on a New Haven computer that contained PHI (protected health information) of 498 individuals. During the OCR’s investigation they discovered the former employee had returned to the health department eight days after being terminated and logged into her old computer and downloaded patient information to a USB drive. They also uncovered that the former employee had shared her user credentials with an intern, who continued to use these credentials to access PHI.
As we have mentioned before, when you are under investigation, they review all of your compliance efforts and not just the incident that provoked the investigation. During this investigation, the OCR determined they failed to conduct a system wide risk analysis and failed to implement access controls and termination procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
This mistake cost the City of New Haven $202, 400 and they must implement a robust corrective action plan that includes two years of monitoring.
This annual campaign is to raise awareness about cyber security. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.
Did you know… that 2 out of 3 people have experienced a tech scam within the last 12 months?
Did you know… nearly 1 in 10 people have paid money to a scam?
Do not let anyone you do not know gain access to your computer… Scammers call people and either offer them a free scan or tell them there is a new virus out and they are probably infected. These scammers almost always have the sense of urgency and try to pressure you to “Do-it-Now”.
Don’t do it! Most of us are the ones that allow the scammers in. Either by answering the phone or clicking on a link in an email. Social engineering is at an all time high and WE are the ones that are giving OUR money away!
Add security to your login… passwords are the most common authentication tools used today, and they are the easier to hack. Always use a two-step authentication process whenever it is offered. There are many solutions available. Biometrics, security keys, and one time use codes that are text to your cell phone.
Did you know… you can pick up malware by merely visiting a website? Covered Entities and Business Associates have to be especially diligent in keeping their network systems clean and protect patient data. HIPAA Compliance begins with solid HIPAA Policies and Procedures but it also includes Technical Safeguards that are needed.
Here are some suggestions to help keep your network clean and safe:
Limit administrative privileges to those who really need it and only sign in as the administrator when needed
Limit users to specific work hours and block after hours usage if possible
Perform a network security audit at a minimum annually
Perform routine physical inventory and ensure unauthorized devices are not connected to your network or computers
Keep anti-virus and anti-malware software up to date
Web surfing should not be permitted with any device that accesses or stores Protected Health Information (PHI)
Change default passwords on all technology devices
This excerpt was taken from the Office for Civil Rights (OCR):
Did you know that your file transfer protocols may be particularly vulnerable to cyber-attacks?
FTP (file transfer protocol) is a standard network protocol used to transfer computer files on a computer network. A type of data storage device, called a network-attached storage (NAS) device, started becoming victim to a serious type of malware which exploited the FTP service available on FTP servers, including FTP services available on NAS devices, beginning this year. NAS devices connect to a computer network and provide a way to access data for a group of persons or entities.
According to a recent report by Softpedia, Sophos, a computer security firm, gathered telemetry data that indicated 70 percent of a certain vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C (also known as PhotMiner). Sophos researchers claim that out of 7,000 of these NAS devices connected to the internet, 5,000 were infected with this malware by cybercriminals who also collected $86,000, in cryptocurrency like bitcoin and monero, from cryptocurrency mining related to this attack.
Allegedly, the malware variant appeared in the beginning of June 2016. A report revealed that the malware was targeting FTP services, such as those available on NAS devices, and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials. Also, the researchers claim that a design flaw regarding the use of public folders on certain NAS devices permitted the Miner-C malware to more easily copy itself to the public folders.
The Mine-C or PhotoMiner (the malware) tricks users by copying files to the public folders that resemble a standard Microsoft folder icon. Once the user clicks on the folder, s/he activates the malware variant, and it installs the malware on the victim’s laptop, desktop, or other computing device. The malware allows cybercriminals to generate cryptocurrency (i.e., bitcoins, monero) by “mining”. Cryptocurrency mining exploits computer processing power to solve difficult math problems. Essentially, attackers are rewarded with cryptocurrency for the amount of math problems they solve.
This type of malware can affect an information system’s performance by eating up a system’s computing power, and slowing down other system processes.
For more information on how Aris Medical Solutions can help your organization call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
The Office for Civil Rights announced in August they would be working with their Regional Offices to more widely investigate the causes of breaches that affects less than 500 patient records. The Regional Offices will use their own discretion to prioritize which breaches to investigate.
Some of the factors they will be considering include:
The number of records affected
Intrusions of the IT systems
The sensitivity of the data
Whether the data was unencrypted or disposed of improperly
Number of breaches from the same entity including business associates
The lack of reported breaches when comparing similar situations with specific covered entities and business associates
Here are some helpful tips to avoid data breaches:
Confirm fax numbers and email address BEFORE sending.
Do not permit ANYONE access to your systems without confirming their identity and verifying they are still employed with that particular company.
Do not click on links in emails, instead, open your browser and go to the website.
Make sure all accesses to ePHI utilizes strong passwords, preferably passphrases.
Change your passwords/phrases at least every 90 days. This includes your EHR, PM software, workstation operating system, and email access.
If a two-step authentication is available, make sure it is engaged.
Use encryption whenever possible, depending on the operating system you use, it may be FREE!
Request a network security audit to be performed that includes remediation.
Do not retain records longer than necessary, why have that exposure if it is not required!
Make sure everyone involved with Patient Data is HIPAA Compliant.
As we mentioned last month, enforcement of HIPAA is here and you must ensure that if you are audited or investigated you have all of the appropriate documentation in place. Remember… if it is not documented, it doesn’t exist!
If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.
I am sure you have seen the recent HIPAA fines from the Office for Civil Rights (OCR). HIPAA enforcement is like never before and the fines are fierce. We knew this day would come and it has.
We are encouraging all medical practices and business associates to make sure you have all of your HIPAA compliance policies, procedures, and documentation implemented. When you are audited is not the time to discover you forgot something. The OCR is not being very kind.
When you are reviewing your HIPAA policies and procedures and deciding whether or not to implement the “Addressable” standards, be careful. Addressable is NOT optional; you must have reasonable and appropriate safeguards in place. Since there is not enough case law on record, this is a gray area. Just be careful you do not fall into the big black hole! Also, do not skip over any “Required” standards. These are required no matter what size your organization is.
We are seeing fines like $750K for neglecting to have a Business Associate Agreement (BAA) in place before data was released and a $650K fine for a lost IPhone that was not encrypted. Make sure you not only have BAAs in place but the business associate is in fact HIPAA compliant. This the responsibility of each practice. HIPAA enforcement is here and it is not going away anytime soon.
If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.
“Protecting Organizations through Partnership, Education, and Support”