HIPAA vs State Privacy Laws

Many cash practices have the misconception that HIPAA does not apply to them. Well, that may be true in some respects, BUT… state privacy laws may actually be more stringent. In the coming years, more states will implement privacy laws to protect consumers from privacy and security failures driven by the rise in cybercrime.

So, when practices compare HIPAA vs State Privacy laws, HIPAA sets a federal floor for covered entities. Cash practices escape HIPAA’s reach but land directly in a patchwork of state laws that can be equally or more demanding. The absence of HIPAA liability is not the absence of privacy liability.

What is HIPAA and Who Must Comply?

HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities. This includes health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions (like billing insurance).

If you never bill insurance and never transmit health information electronically for covered transactions, you are likely not a HIPAA covered entity.

Cash-Only or Direct-Pay Practices and HIPAA

Although a cash-only or direct-pay practice may not fall under HIPAA, there are other laws it must follow, and it still has significant legal obligations to protect patient information.

Specialized Federal Privacy Laws

Depending on the services provided, additional federal laws may apply, such as:

  • 42 CFR Part 2 for certain substance use disorder treatment records.
  • Federal protections for certain research records.
  • Privacy requirements related to employment or occupational health records.

Federal Trade Commission (FTC) Health Breach Notification Rule

The FTC Health Breach Notification Rule may apply to certain health apps, telehealth providers, and other businesses that are not covered by HIPAA if they experience a breach of individually identifiable health information.

Federal Trade Commission (FTC) Act

The Federal Trade Commission can investigate businesses that:

  • Misrepresent their privacy practices.
  • Fail to safeguard consumer information after promising to do so (this includes posting a HIPAA Compliant Seal on a website).
  • Engage in unfair or deceptive acts involving personal information.

State Privacy Laws Fill the Gap

State privacy laws typically:

  • Govern how long records must be retained (varies: 5–10+ years by state)
  • Define patient rights to access and amend their records
  • Define which disclosures are authorized
  • Apply to all providers regardless of insurance billing status
  • Impose civil penalties for unauthorized disclosures
  • Require protection of electronic health records

These laws often apply regardless of whether the provider accepts insurance.

State Medical or Dental Practice Licensing Boards
State licensing boards generally require licensed healthcare providers to:

  • Maintain confidential patient records.
  • Secure electronic records.
  • Maintain complete and accurate documentation.
  • Retain records for the required period.
  • Protect patient information from unauthorized access.

Failure to do so can result in disciplinary action, including license suspension or revocation.

State Consumer Health Privacy Laws
Several states have enacted broader health privacy laws that apply beyond HIPAA. Examples include:

  • California (CMIA) – The California Confidentiality of Medical Information Act applies broadly, including to providers not covered by HIPAA. California also has the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
  • Colorado – Outlines five key rights for Colorado consumers: the right to access, the right to correction, the right to delete, the right to data portability, and the right to opt out.
  • Connecticut – The Connecticut Data Privacy Act (CTDPA) includes stronger data protections for children.
  • Florida, Texas, New York – Each has specific statutes governing patient records, breach notification, and consent requirements.
  • Washington – The My Health My Data Act (2023) extends beyond HIPAA to cover consumer health data broadly.

Most states have implemented similar privacy laws; some are more stringent, while others apply only to larger entities. Keep in mind that these laws may apply even when HIPAA does not.

State Data Breach Notification Laws
All 50 states have breach notification laws. If an EHR containing patient information is accessed, stolen, or compromised, the provider may have to notify:

  • Affected patients.
  • The state attorney general (in some states).
  • Consumer reporting agencies (for large breaches).

The notification requirements vary by state.

Contracts with the EHR Vendor
Nearly every EHR agreement requires the practice to:

  • Maintain account security.
  • Control user access.
  • Protect passwords.
  • Report security incidents.
  • Use the software appropriately.

Violating these contractual obligations can create liability.

Does using an EHR create security obligations?

Even if HIPAA does not apply, using an EHR means the practice should implement reasonable safeguards such as:

  • Unique user accounts
  • Strong passwords or passkeys
  • Multi-factor authentication, when available
  • Encryption of devices and backups
  • Automatic screen locking
  • Audit logs
  • Routine software updates
  • Staff confidentiality training
  • Procedures for responding to security incidents

These measures are often considered evidence of reasonable care if a privacy dispute or data breach occurs.

Class Action Lawsuits

Medical data breaches carry significant class action lawsuit risk, as a single incident can expose personal health information. Plaintiffs’ attorneys have increasingly targeted healthcare providers, insurers, and their vendors following breaches, alleging failures to implement reasonable and appropriate security measures, violations of state privacy statutes, and in some cases HIPAA-adjacent state law claims. Even cash-pay practices that fall outside HIPAA’s reach are not immune: state consumer protection laws, medical records statutes, and common law negligence theories can all support class action claims when patient data is compromised. Courts have become more receptive to standing arguments in data breach cases, and the cost of defending, let alone settling, a class action can be devastating for a practice of any size. Inadequate data security is not just a regulatory risk; it’s a litigation risk that no practice can afford to ignore.

Smart practice even if not required:
Many cash-pay providers voluntarily adopt HIPAA-like privacy practices because:

  • It builds patient trust.
  • It provides a defensible compliance standard.
  • State laws often parallel HIPAA requirements anyway.
  • It simplifies operations if the practice ever accepts insurance later.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project; it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

Good Faith Compliance is No Longer Enough

HIPAA now has stricter and more explicit requirements, especially as enforcement expectations tighten. This is changing how medical practices and business associates operate day to day. The big shift is that “good faith” compliance is no longer enough. Regulators now expect documented and continuously maintained compliance.

Compliance Must Be Documented, Not Assumed

Organizations can no longer rely on informal policies, verbal training, or “we’ve always done it this way.”

Written risk analyses, risk management plans, and policies have always been required. But now, regulators are closely reviewing for updates. Documents must be current, not created once and forgotten.

If it’s not documented, the Office for Civil Rights treats it as if it doesn’t exist.

Impact: More time spent maintaining documentation, but far less exposure during an audit or complaint.

Risk Analysis Is the Foundation of Everything

The Office for Civil Rights (OCR) has made it crystal clear that risk analysis drives compliance decisions. Security controls must align with identified risks. Then a documented risk management plan that outlines the mitigation process must be created. “Addressable” safeguards must be justified if not implemented; this was never meant to be optional! Generic or copied risk analyses are being rejected.

Impact: Organizations must understand their systems, vendors, workflows, and vulnerabilities – not someone else’s.

Cybersecurity Expectations Are Higher

HIPAA now expects organizations to adopt modern security practices, not outdated basics.

  • Multi-factor authentication (MFA)
  • Encryption of data at rest and in transit
  • Regular patching and system hardening
  • Monitoring for suspicious activity

Failing to implement common-sense safeguards is increasingly viewed as willful neglect.

Impact: Greater reliance on IT partners, but also more oversight and accountability.

Vendors and Business Associates Are Under a Microscope

Practices are responsible for who they share PHI with. Business Associate Agreements (BAAs) must be current. Business associates must have current subcontractor agreements in place as well. Vendors must demonstrate their own security practices and comply with the HIPAA rules. “We trusted our vendor” is no longer a defense. Covered entities are responsible for ensuring their vendors are compliant.

Impact: More vendor vetting, more paperwork, fewer risky shortcuts.

Training Must Be Ongoing

Annual, generic HIPAA training doesn’t cut it anymore. Training must address phishing, ransomware, and real-world threats. Training must be tracked and documented.

Impact: Better-informed staff equals fewer costly human-error breaches.

Faster Response and Accountability After Incidents

HIPAA enforcement now scrutinizes how quickly and effectively a practice responds to incidents. Incident response plans must exist before an event occurs. Delays or confusion during a breach increase penalties. Internal security incident investigations must be documented.

Impact: Organizations need clear procedures, not panic, when something goes wrong.

Small Practices Are No Longer “Too Small to Enforce”

Enforcement actions increasingly involve:

  • Small and solo practices
  • Dental offices
  • Specialty clinics
  • Business associates

Complaints, not breaches, often trigger investigations.

Impact: Every organization is expected to meet the same baseline standards, regardless of size.

Summary

HIPAA’s stricter requirements mean organizations must shift from reactive compliance to ongoing risk management.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk, step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

HIPAA Binder vs OCR Reality

What Medical Practices Think They Have vs. What OCR Actually Requires

HIPAA binders have been used in the past, but they usually lack the documentation that is required.

What Practices Often Rely On:

“We have a HIPAA binder.”

  • HIPAA binder purchased (often never opened, and plastic not removed)
  • Policies printed once (often not completed)
  • Annual training sign-in sheets (sometimes, these are lost)
  • Generic risk analysis template (if they have even conducted a risk analysis)
  • Business Associate Agreements (many of these are missing, or lack compliance documentation)
  • Someone assigned as “HIPAA Officer” (most compliance officers have other responsibilities, and HIPAA never seems to be documented)

This shows intent, but intent is not proof.

What OCR Looks for During an Investigation:

“Show us your documentation.”

OCR does not ask if you tried.
They ask what you can produce, immediately.

  • A current, systemwide risk analysis tied to your systems (not one that is copied from another practice)
  • Evidence of ongoing risk management, not a one-time exercise
  • Training records for each workforce member
  • Signed BAAs with vendors that access ePHI
  • Policies that match actual safeguards in place
  • Proof documentation is maintained, reviewed, and updated

The Reality Gap (Where Most Practices Get Stuck):

Binder Mindset vs OCR Reality:

  • “HIPAA is done” – HIPAA is ongoing
  • “We purchased policies” – Policies are incomplete
  • “Staff are trained” – Training must be current and documented
  • “Risk analysis completed once” – Risk analysis must be accurate and updated
  • “We’re too small” – All sizes are fined

Why Binders Fail During Audits:

  • Documents become outdated quickly
  • No audit trail showing updates or reviews
  • Training proof is incomplete or missing
  • Risk analysis is generic, not practice-specific
  • BAAs are unsigned, expired, or missing
  • Hard to produce documentation on demand

If it can’t be produced, OCR treats it as if it never existed.

The Question Every Practice Should Ask:

If the OCR contacted us tomorrow, could we confidently produce everything they would request?

If the answer isn’t a clear yes, it may be time to rethink how compliance is managed.

How our HIPAA Keeper™ Closes the Gap

  • Guided, step-by-step HIPAA compliance process
  • Built-in risk analysis & risk management tools
  • Centralized storage for policies, BAAs, and training records
  • Documentation that aligns with OCR expectations
  • Ongoing maintenance instead of “set-and-forget” compliance

Binders show effort. The HIPAA Keeper™ shows proof.

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

Chiropractor HIPAA Violations and Fines

Avoid common misconceptions about HIPAA compliance. Learn the critical steps needed to avoid Chiropractor HIPAA violations and fines. Many chiropractic practices think the Government SRA tool is all they need for their HIPAA risk assessment. Keep in mind, it does not include policies and procedures, therefore you must create your own. Also, many chiropractic practices are members of a group that supplies a “HIPAA Binder”. Again, most of these binders do not include policies and procedures. Without proper documentation, a chiropractic practice can be assessed with HIPAA violations and fines.

Another common misconception is that small practices believe they are too small to attract attention from the Office for Civil Rights (OCR). In reality, it takes just one patient complaint, a dissatisfied employee, or a data breach to initiate an audit. Remember, once an investigation begins, the OCR will examine your entire HIPAA compliance program — not just the specific incident in question.

Lastly, many organizations think HIPAA can be a once-and-done process. This can cost you $$$$$$ in fines! HIPAA requires every organization that is involved with patient data to document their ongoing compliance efforts.

Here are a few examples of Chiropractic practices and some multi-specialty practices that have been fined:

  • Arkansas Chiropractic Clinics — $321,000 fine
    Two chiropractic clinics in Arkansas were fined a total of $321,000 after improperly disposing of patient records by dumping them in a public park, violating HIPAA’s privacy and secure disposal requirements.
  • Illinois Chiropractic Offices — Ransomware and data breach incidents
    Several chiropractic practices in Illinois experienced ransomware attacks, with ransom demands reaching up to $10,000. While specific OCR fines were not disclosed, these events highlight serious security lapses and the risk of significant penalties.
  • Stolen devices containing ePHI — $150,000 fine
    In a case not exclusive to chiropractic, a healthcare provider failed to update and secure outdated systems, leading to a malware breach and resulting in the fine from the OCR.
  • Missing risk analysis — $50,000 fine
    Another provider, a clinic using mobile devices like tablets or iPads, was fined $50,000 for failing to conduct a risk analysis and implement appropriate security controls on mobile devices. This is a critical requirement for chiropractic offices using digital tools.

Privacy & Unauthorized Access Stories

  • Receptionist displaying PHI on a tablet
    At a chiropractic office, an iPad used for patient check-in accidentally showed other patients’ names and birthdates, resulting in a HIPAA privacy violation.
  • Chiropractor misusing patient address to send flowers
    In Colorado, a chiropractor accessed a patient’s medical record to obtain her address and sent her unsolicited flowers. This was widely viewed as a serious breach of patient privacy and another type of violation of the HIPAA privacy rule.

Ask yourself: How much of your hard-earned revenue are you willing to risk?

Remember, it only takes a single patient complaint or one disgruntled employee to prompt an investigation by the Office for Civil Rights (OCR). Once that happens, every aspect of your compliance program will come under scrutiny.

Ask yourself: Are you confident your documentation can stand up to that level of review? Most practices lack the required policies and documentation.

Are you ready to protect your practice? We are here to help you avoid common misconceptions about HIPAA compliance. Do you have the critical steps needed to avoid Chiropractor HIPAA violations and fines? Our online HIPAA Keeper includes all policies and procedures required under HIPAA. We also include patient and HIPAA documentation. When HIPAA rules are updated or added, we update our system to keep you up to date. Also, we are always improving our system to make sure users are aware of new threats and how to protect their organization.

Still not sure? Check out our video that explains our 7-Steps in the HIPAA Keeper™ or Schedule a live demonstration to see for yourself how easy maintaining HIPAA compliance can be!

Spotting scams, you need to look closely!

Most people in healthcare have been affected by the Change Healthcare cyberattack. Scams have hit a new level, and you must be more diligent than ever before. Scams can be spotted, but you must look closely. A scam can quickly turn into a data breach. I recently conducted a HIPAA security officer training and reminded them of some of the threats that destroy your computer systems, both at work and at home. I watched “The Beekeeper” movie over the weekend. This made me change our Security Notification for this month. If you like action-packed, good-guy-gets-even movies, this is a great one. This movie is about an email scam and revenge. If you are a Jason Statham fan, you will like this movie!

Here is the scenario:

Your computer gets a huge alert saying your computer is locked, you have been hacked, and your email, bank accounts, passwords, etc. were compromised. They will give you a phone number for the “help desk”. You call the number, and they “help” themselves and empty your bank account. Don’t call the number they give you; look it up yourself. DO NOT use a customer service or help desk number from a Sponsored Ad. Some scammers will pay for an ad to get to the top of Google. Most times you just need to reboot to clear the screen. DON’T click on anything in the warning. It is best to contact your IT company first. If you are home and can’t get in touch with someone, you may need to use Ctrl, Alt, Delete to shut your computer down. Then run a virus scan when you boot back up. Whatever you do, do not pay anyone anything until you verify the validity of the situation!

Scams in text messages:

There are many versions of an email like this; they also come as text messages and voicemails. Scams are hitting new levels every day. Some want you to click on a link, others want you to call the number they provide. Never click on a link, or call the number listed in the text, until you verify the text is valid.

Other email scams:

We have been saying for years, DO NOT CLICK ON LINKS. When you receive an email from your bank, IRS, post office, FedEx, etc., look closely at the “from” email address. Many times, you can spot the fake address. It could be something as simple as an extra “.” in the address. Also, check who it is addressed to; sometimes it is someone else. They do this so you will reply to let them know they have the wrong person. Again, this is a tactic from scammers to see if you will answer. If there is a link they want you to click on, hover over it instead. It may take you to a completely different site. This could infect your computer, or it could look like the site you are supposed to go to, only to lure you into entering your login credentials.

Phone call scams:

Scammers can spoof legitimate agencies like the power company, IRS, and even the police department. Never pay for any “immediate” requirements. This includes the threat of your power being shut off, IRS payment due, or paying a penalty for missing jury duty. These are just SOME of the examples these criminals are using.

Online marketplaces:

Scammers also target people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding their lost pet.

These scammers contact you and say they want to buy the item you’re selling — or that they found your pet. However, before they commit to buying, or returning your pet, they typically say they’ve heard about fake online listings and want to verify that you’re a real person. Or they might say they want to verify that you’re the pet’s true owner.

They send you a text message with a Google Voice verification code and ask you for that code. If you give them the verification code, they’ll try to use it to create a Google Voice number linked to your phone number. (Google Voice gives you a phone number that you can use to make calls or send text messages from a web browser or a mobile device.) The scammer might use that number to rip off other people and conceal their identity.

Sometimes these scammers are after a Google Voice verification code and other information about you. If they get enough of your information, they could pretend to be you to access your accounts or open new accounts in your name.

If you gave someone a Google Voice verification code, follow these steps from Google to reclaim your number.

No matter what the story is, don’t share your Google Voice verification code — or any verification code — with someone if you didn’t contact them first. That’s a scam, every time. Report it at ReportFraud.ftc.gov.

What can you do?

When you receive a suspicious email, text, or phone call, you should call your bank or the company it claims to be from to advise them of what happened. If they are doing this to you, they are doing this to MANY others. Also, you can report this to the Federal Trade Commission (FTC). The FTC does not resolve individual reports, but your report will be entered in the FTC’s Consumer Sentinel database and will be available to federal, state, and local law enforcement across the country.

If someone has clicked a link or opened an attachment that downloaded harmful software:

  • Contact your IT department to update your computer’s security software.
  • They will run a scan and delete anything it identifies as a problem.

If you think a scammer has your information, like your Social Security, credit card, or bank account number:

  • Go to identitytheft.gov for steps you can take based on what kind of information was lost or exposed.

If you gave your username and password to a scammer:

  • Change your password right away. If you use the same password for other accounts or sites, change it there, too.

If someone calls and offers to “help” you recover money you have already lost:

  • Don’t give them money or personal information. You are probably dealing with a fake refund scam.

Scammers are getting bolder and more brazen. It is up to us to stay diligent and to stay safe.

Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877-659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Preventing a Data Breach

Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.

Hacking/IT incidents remain the largest category, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals, at 58% of reported large breaches.

If you would like to review the list of breaches, click here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Many of these start from an unsuspecting employee who clicks on a link or shares information before it has been verified. Most attacks begin from a phishing email, text, or a visit to a website. Once this occurs, many times you are infected with a virus, malware, or ransomware. When this happens, your systems may be frozen, and a DOS (denial of service) begins. Let’s review how to prevent a data breach:

Emails:

What might a fake email look like? First, they are going to look “real” until you take a closer look. Pay attention to the “from” email address. This is the most common place to start. Most email addresses will have a name you are familiar with, but the URL will be different. For example: sally@email.bankofamerica.com. So, look for anything that is “slightly” different. Then, if they want you to click on a link, hover over the link to see if it really goes where they are proposing. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list and I hovered over the link. It was to a completely different website. I reviewed the message details and looked up the IP address; it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.

Text Messages:

Text messages are somewhat the same. Look at the top of the message and review who it is from. Most of these will either be from a phone number or an email address that is not from the actual company. NEVER click on any link or call the number in the message. If you receive a message about a purchase and it states you must click to decline, DON’T! Call your bank or credit card company to verify. You must be very diligent with these messages; they try to spoof your bank or card company’s email address by adding something like this: stop@fraud.bankofamerica.com.
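A small checker for the two indicators described in the Emails and Text Messages sections above: the domain behind the “from” address and the mismatch between what a link shows and where it actually goes (the hover check). This is an added example written for this page, not code from Aris Medical Solutions; the trusted-domain list and the sample message are constructed for illustration, and the domain splitting is deliberately simplified (no public-suffix list).

```python
"""Sender-domain and hover-link checks for suspicious email/text messages.

Added example for this page (not the author's code). TRUSTED_DOMAINS and the
sample message at the bottom are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Domains the practice actually does business with (constructed list).
TRUSTED_DOMAINS = {"bankofamerica.com", "irs.gov", "fedex.com"}

# Display text that looks like a URL or hostname (e.g. "www.bank.com/login").
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the hostname.

    'email.bankofamerica.com' -> 'bankofamerica.com'
    'bankofamerica.com.secure-login.example' -> 'secure-login.example'
    (A real tool would use the public-suffix list to handle names like co.uk.)
    """
    labels = [part for part in host.lower().rstrip(".").split(".") if part]
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Bank <sally@email.bankofamerica.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def check_sender(from_header: str) -> tuple[bool, str]:
    """Flag senders whose domain is not trusted, including lookalikes that embed
    a trusted name (bankofamerica.com.secure-login.example).

    Note: a From header can be forged outright, so a passing sender check is
    never proof of legitimacy; the link check below is the stronger signal.
    """
    host = sender_domain(from_header)
    base = registrable_domain(host)
    if base in TRUSTED_DOMAINS:
        return True, f"{host} belongs to trusted domain {base}"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and base != trusted:
            return False, f"{host} contains '{trusted}' but is really under {base}"
    return False, f"{host} is not a trusted sender domain"


def hostname_of(url: str) -> str:
    """Hostname of a URL; a bare 'www.example.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(display_text: str, href: str) -> tuple[bool, str]:
    """The 'hover over it' check: compare the text a message shows with the
    real link target, then verify the target is a trusted domain."""
    target = hostname_of(href)
    shown = display_text.strip()
    if URL_LIKE.fullmatch(shown):
        shown_host = hostname_of(shown)
        if registrable_domain(shown_host) != registrable_domain(target):
            return False, f"link text shows {shown_host} but the link goes to {target}"
    if registrable_domain(target) not in TRUSTED_DOMAINS:
        return False, f"link goes to {target}, which is not a trusted domain"
    return True, f"link goes to {target}"


def analyze_message(from_header: str, links: list[tuple[str, str]]) -> list[str]:
    """Return every red flag found in a message (empty list means nothing suspicious)."""
    flags = []
    ok, why = check_sender(from_header)
    if not ok:
        flags.append("sender: " + why)
    for text, href in links:
        ok, why = check_link(text, href)
        if not ok:
            flags.append("link: " + why)
    return flags


if __name__ == "__main__":
    # Constructed sample resembling the "finish your to-do list" message above.
    sample_from = "Bank of America <alerts@bankofamerica.com.secure-login.example>"
    sample_links = [("Finish the To-Do List", "https://secure-login.example/boa/todo")]
    for flag in analyze_message(sample_from, sample_links):
        print(flag)
```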

Websites:

Websites can be infected with malware or a virus, or can redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to comprehend since we all like to “surf” the web. Many recipe sites have been known to have malware since people do not maintain security on older sites. If you are going to surf, you MUST have very good anti-virus / anti-malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!

Man-in-the-middle:

Another type of threat is when information is intercepted without a person’s knowledge; this is commonly referred to as the “man in the middle”. When a person uses a public wi-fi system, a nefarious character can spoof a legitimate connection and steal information. Depending on the type of activity, a virus or malware could be placed on the device and brought back into the office. This could in turn infect your network.

Zero-day attacks:

Then, there are zero-day exploits that happen when hackers uncover a vulnerability in a system and attack. These are usually widespread and can be all over the world. Developers must work fast to create a patch to correct this deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network.

Ransomware attacks are a real problem and not just for healthcare but for everyone. It has gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.

The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:

  • OCR received 30,435 new complaints alleging violations of the HIPAA Rules
  • OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
  • OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
  • OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.


HIPAA Documentation and Medical Records Retention

As this year comes to a close, it may be time for some practices to review which medical records can be archived. We have been asked many times what the “difference” is between HIPAA documentation and medical record retention requirements. Many organizations think these have the same requirements, and they do not!

If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

HIPAA documentation retention:

HIPAA requires that your Privacy and Security Rule policies, procedures, and other required documentation be retained for at least 6 years from the date of creation or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2)). For example, if a policy was implemented and then revised three years later, the original policy must be retained for at least 6 years after the revision, that is, a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.

Examples of documentation covered by this HIPAA retention requirement:

  • Audit logs of access to ePHI
  • Business associate agreements
  • Contingency plans
  • Employee sanction policy and documentation
  • Notice of Privacy Practices
  • Patient authorizations (unless included in their medical record)
  • Patient complaints and resolutions
  • Privacy policies (patient access, amendments, and authorizations)
  • Security incident reports and Breach notification documentation
  • Security policies (administrative, physical, and technical)
  • IT reports that include updates and device status

Medical record retention:

Most people think HIPAA controls the medical record retention requirements. It does not: HIPAA's 6-year rule applies to compliance documentation, and each state has its own set of medical record retention requirements. State retention requirements vary depending on the type of records and who they belong to.

Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.

Under the False Claims Act, claims may generally be brought up to 6 years after the violation; when the government did not learn of the facts until later, the period can be extended, but never beyond 10 years after the violation.

Medicare managed care program providers must also retain their records for 10 years.

Some states require pediatric records to be retained until the patient reaches the age of 23.

North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and records of minors must be retained until the patient reaches age 30.

It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.

As you can see, there are many variables.

Proper organization of patient records and dates can assist you when the time comes to purge your records. This can also protect you from storing unnecessary records that could be a liability should you suffer a data breach.
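The two rules above (HIPAA documentation kept 6 years from the later of its creation date or last-in-effect date, and medical records kept for the longest of every applicable state, federal, and minor rule) are easy to get wrong by hand once a practice holds thousands of records. The Python below is an added example, not code from Aris Medical Solutions, that encodes those rules as a purge-date calculator over a small constructed record set. The STATE_RULES table holds only the illustrative figures quoted in this article (Florida practices 5 years and hospitals 7 years after the last visit, North Carolina 11 years with minors kept to age 30, Medicare managed care 10 years); the age of majority, the PatientRecord fields, and the sample records are assumptions, and the table is not a substitute for checking your own state's statute.

```python
"""Retention-deadline calculator for HIPAA compliance documentation and for
medical records.  Added example, not code from Aris Medical Solutions.

Rules encoded from the article:
  * HIPAA documentation (45 CFR 164.316(b)(2)): keep 6 years from the later
    of the creation date and the date the document was last in effect.
  * Medical records: the LATEST date produced by every rule that applies,
    i.e. the state rule for the facility type, a minor rule that runs to a
    given age, and 10 years for Medicare managed care providers.
STATE_RULES contains only the illustrative figures the article quotes; it is
not a legal reference.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

AGE_OF_MAJORITY = 18  # assumption used for the "was a minor at last visit" test


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_at(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def hipaa_doc_retention_end(created: date, last_in_effect: Optional[date] = None) -> date:
    """Earliest date a policy, procedure, or log may be discarded under HIPAA."""
    anchor = max(created, last_in_effect) if last_in_effect else created
    return add_years(anchor, 6)


@dataclass(frozen=True)
class StateRule:
    years_after_last_visit: int            # adult records
    minor_until_age: Optional[int] = None  # keep a minor's record until this age


# Figures quoted in the article (illustrative only; verify against your state).
STATE_RULES: Dict[Tuple[str, str], StateRule] = {
    ("FL", "practice"): StateRule(5),
    ("FL", "hospital"): StateRule(7),
    ("NC", "hospital"): StateRule(11, minor_until_age=30),
}
MEDICARE_MANAGED_CARE_YEARS = 10


@dataclass
class PatientRecord:  # assumed shape of an inventory row
    patient_id: str
    dob: date
    last_visit: date
    state: str
    facility: str = "practice"
    medicare_managed_care: bool = False
    litigation_hold: bool = False  # open dispute: never purge on a schedule


def purge_date(rec: PatientRecord) -> Optional[date]:
    """Earliest date the record may be purged, or None if it must be held."""
    if rec.litigation_hold:
        return None
    rule = STATE_RULES[(rec.state, rec.facility)]
    candidates = [add_years(rec.last_visit, rule.years_after_last_visit)]
    if rule.minor_until_age is not None and age_at(rec.dob, rec.last_visit) < AGE_OF_MAJORITY:
        candidates.append(add_years(rec.dob, rule.minor_until_age))
    if rec.medicare_managed_care:
        candidates.append(add_years(rec.last_visit, MEDICARE_MANAGED_CARE_YEARS))
    return max(candidates)  # the longest applicable period always wins


def purge_report(records: List[PatientRecord], today: date) -> List[Tuple[str, Optional[date], bool]]:
    """(patient_id, purge_date, eligible_to_purge_today) for each record."""
    out = []
    for rec in records:
        when = purge_date(rec)
        out.append((rec.patient_id, when, when is not None and when <= today))
    return out


if __name__ == "__main__":
    # Constructed sample records.
    sample = [
        PatientRecord("P-1", date(1975, 4, 2), date(2018, 3, 15), "FL"),
        PatientRecord("P-2", date(2010, 6, 1), date(2020, 1, 10), "NC", "hospital"),
        PatientRecord("P-3", date(1950, 9, 9), date(2016, 5, 5), "FL", medicare_managed_care=True),
        PatientRecord("P-4", date(1988, 1, 1), date(2015, 2, 2), "FL", litigation_hold=True),
    ]
    for row in purge_report(sample, date(2025, 12, 31)):
        print(row)
    print("policy created 2015, revised 2018, keep until:",
          hipaa_doc_retention_end(date(2015, 1, 1), date(2018, 1, 1)))
```

The report deliberately never returns a purge date for a record under litigation hold, and a pediatric record is tested against the minor rule only if the patient was a minor at the last visit; both are the cases a scheduled purge script most often gets wrong.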

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Risk Analysis Requirements

Attackers see healthcare organizations as high-value yet relatively easy targets, often described as "target rich, cyber poor." Given that healthcare organizations hold a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for a bad actor. Understanding the HIPAA risk analysis requirements can help protect your organization from these criminals.

There has been a significant rise in the number and severity of cyber-attacks against hospitals and medical practices in the last few years. These attacks expose vulnerabilities and endanger patient safety. The more they happen, the more expensive, and dangerous they become.

Although the HIPAA Security Rule does not specify how often a risk analysis must be conducted, it is recommended to review your systems at least once a year. If you introduce new equipment or software, or suffer a security incident, you may need to re-evaluate your risks sooner.

If you need a HIPAA Security Risk Analysis, check out our:

OCR conducted a webinar on the Risk Analysis requirements and discussed the areas where organizations are commonly deficient.

OCR noted the following (the notes in parentheses indicate where each item is documented in our HIPAA Keeper system):

  1. The lack of a system-wide, accurate, and thorough analysis. (Step 1 Questionnaire)
  2. Performing only the MIPS risk analysis does not satisfy the system-wide requirement.
  3. A PCI DSS assessment is most likely not a complete risk analysis, since it does not cover ePHI.
  4. Instead of a system-wide, accurate, and thorough risk analysis, only a summary or heat map is provided, without the supporting documentation.
  5. Lack of an inventory list to track which devices access, transmit, or store ePHI. (Located in the Profile)
  6. No method to track operating systems that become out of date. (Documented in the inventory list)
  7. Lack of mitigation documentation after the risk analysis was completed. (Step 1 Risk Management Plan)
  8. Lack of sanctions against staff who violate HIPAA. (Step 3 Policies and Procedures)
  9. Lack of security software and equipment updates. (Documented in reports from your IT company and stored in the Profile under Uploads)

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant. Best of all you will have a HIPAA security analyst to guide you every step of the way!

“Simplifying HIPAA through Automation, Education, and Support”

Why it is so important to secure emails that contain PHI

We have advised our clients for years to transmit protected health information (PHI) only if it is encrypted. We have also recommended encryption for data at rest. With the rise in hacking, this has never been more important. Many problems can arise from a compromised email account.

It only takes one employee's email account to be hacked; the hacker can then view what the user has stored, who they communicate with, and who they never speak with directly. Let's review each one:

  1. Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
  2. The hacker can also see who you are communicating with, and can now target your co-workers by impersonating you to get them to hand over information.
  3. They also know which contacts you communicate with only by email. This sets the stage for phone calls: those contacts do not know what you sound like, so the hacker can call them as you and request wire transfers, employee lists, patient lists, and whatever else they can think of.

These attacks may be aimed at financial gain, identity theft, or medical insurance theft. Regardless of the hacker's motive, they can all be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering how to secure email accounts, you must also consider which devices are used to access email, which adds to the security requirements. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.

That brings me to the next topic: if you don't need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn't a "need" to store patient information (or any sensitive information) in email, then remove it. This also applies to "old" patient records in databases or software. There is a reason behind medical record retention requirements, and once it is safe to dispose of medical records, do so! This too reduces your liability.
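Both points above, PHI should travel only over an encrypted channel and should not sit in a mailbox it does not need to be in, can be checked on an existing mailbox export before an attacker does it for you. The Python below is an added example, not code from Aris Medical Solutions, that walks a small mbox file, flags messages whose body or subject matches simple PHI patterns, and reads the topmost Received header to see whether the message's final hop into the practice's own mail server used TLS. The three-message mbox, the hostnames, the regular expressions, and the recommended actions are all constructed for illustration; the TLS check assumes a Postfix-style Received line ("with ESMTPS", "using TLSv1.x"), so adjust it for your own mail server.

```python
"""Mailbox PHI triage: find PHI in a mailbox export and check whether each
message's last hop arrived over TLS.  Added example, not code from Aris
Medical Solutions; the sample mbox, hostnames and regexes are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed three-message mbox.  Message 1: referral with PHI over TLS.
# Message 2: scheduling note without PHI.  Message 3: PHI over plaintext SMTP.
SAMPLE_MBOX = """\
From referrals@clinic.example Mon Jan  8 09:00:00 2024
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.practice.example (Postfix) with ESMTPS id 4TL9x1
\tfor <frontdesk@practice.example>; Mon,  8 Jan 2024 09:00:00 -0500
From: referrals@clinic.example
To: frontdesk@practice.example
Subject: Referral
Content-Type: text/plain; charset="utf-8"

Please schedule Jane Doe, DOB 03/14/1962, MRN 00123456, SSN 123-45-6789.

From staff@practice.example Mon Jan  8 10:15:00 2024
Received: from wks-12.practice.example (wks-12.practice.example [198.51.100.7])
\tby mx.practice.example (Postfix) with ESMTPS id 4TL9x2
\tfor <frontdesk@practice.example>; Mon,  8 Jan 2024 10:15:00 -0500
From: staff@practice.example
To: frontdesk@practice.example
Subject: Lunch order
Content-Type: text/plain; charset="utf-8"

Ordering at noon, reply if you want something.

From lab@lab.example Tue Jan  9 08:30:00 2024
Received: from relay.lab.example (relay.lab.example [203.0.113.5])
\tby mx.practice.example (Postfix) with ESMTP id 4TL9x3
\tfor <frontdesk@practice.example>; Tue,  9 Jan 2024 08:30:00 -0500
From: lab@lab.example
To: frontdesk@practice.example
Subject: Results
Content-Type: text/plain; charset="utf-8"

Results attached for MRN 00987654.
"""

# Constructed PHI indicators; a real deployment would tune these to its own formats.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.I),
    "DOB": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}
# Postfix-style markers of a TLS-protected SMTP hop (assumption about the MTA).
TLS_HOP = re.compile(r"\bESMTPS\b|\bTLSv1\.[23]\b")


def split_mbox(text: str) -> List[EmailMessage]:
    """Split an mbox on its 'From ' separator lines and parse each message."""
    chunks, buf = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and buf:
            chunks.append("".join(buf))
            buf = []
        buf.append(line)
    if buf:
        chunks.append("".join(buf))
    # Drop the separator line; what remains is an RFC 5322 message.
    return [email.message_from_string(c.split("\n", 1)[1], policy=policy.default) for c in chunks]


def last_hop_over_tls(msg: EmailMessage) -> bool:
    """The first Received header is the hop into our own MTA (newest on top)."""
    received = msg.get_all("Received") or []
    return bool(received) and TLS_HOP.search(str(received[0])) is not None


def phi_found(msg: EmailMessage) -> List[str]:
    """Names of the PHI patterns that match the subject or plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def triage(mbox_text: str) -> List[Dict]:
    """One result per message: what PHI it carries, how it arrived, what to do."""
    results = []
    for msg in split_mbox(mbox_text):
        phi, tls = phi_found(msg), last_hop_over_tls(msg)
        if not phi:
            action = "none"
        elif not tls:
            action = "report: PHI received over plaintext SMTP; move to EHR and delete"
        else:
            action = "move to EHR and delete from mailbox"
        results.append({"subject": str(msg["Subject"]), "phi": phi, "tls": tls, "action": action})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_MBOX):
        print(r)
```

The hop check only proves the last leg was encrypted; earlier Received lines show the path before that, and a message that left the sender over plaintext is still exposed even if it arrived at your server over TLS, which is why the article's advice is to encrypt the PHI itself rather than trust the transport.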

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

ICD-10 updates, Fraud, Waste, and Abuse Training, Booklets and Prevention

We try to share useful information as we come across it. Below are some links that we think may be of interest to our audience: ICD-10 updates, Fraud, Waste, and Abuse training, booklets, and prevention resources. We have also included some videos from YouTube. Be sure to follow the guidelines set forth so that you are not caught out in hindsight.

ICD10 Code sets revised:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/ICD9-10CM-ICD10PCS-CPT-HCPCS-Code-Sets-Educational-Tool-ICN900943.pdf

Web-based Fraud, Waste, and Abuse Training (about 88 minutes; we thought it had some good content):

https://www.cms.gov/Outreach-and-Education/MLN/WBT/MedicareFraudandAbuse/FraudandAbuse/story.html

Medicare Fraud-Abuse Booklet:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Fraud-Abuse-MLN4649244.pdf

Medicaid Fraud Prevention:

https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Program/Education

For those who doubt that enforcement is serious, here is a link to OIG enforcement actions:

https://oig.hhs.gov/fraud/enforcement/?type=criminal-and-civil-actions

OIG Compliance Resource Portal:

https://oig.hhs.gov/compliance/

Evaluation and Management Services Guide:

https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/eval_mgmt_serv_guide-ICN006764TextOnly.pdf

OIG Videos:

False Claims Act https://www.youtube.com/watch?v=BbZ78QTLztQ&list=PLkw9IKOokUiIjlyjm7wsvZd31z0U8QxxP&index=42&t=26s

Federal Anti-Kickback Statute https://www.youtube.com/watch?v=a4KhqqeAaUg&list=PLkw9IKOokUiIjlyjm7wsvZd31z0U8QxxP&index=43&t=9s

Physician Self-Referral Law

Exclusion Authorities and Effects of Exclusions

How to use the LEIE Online and Downloadable Databases

Eye on Oversight: Kick Backs to Physicians

Eye on Oversight: Medicare Part D Fraud

If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC