Common HIPAA Violations
Notice of Privacy Practices does not contain all the required disclosures and has not been updated to meet the HITECH Act requirements.
Practice does not follow the uses and disclosures as listed in their Notice of Privacy Practices.
Lack of documented training of ALL employees, including physicians.
Lack of an enforced tiered Sanctions Policy.
The “Minimum Necessary” standard was not applied when authorizing access to ePHI.
Not all staff members are assigned a unique identifier for system access.
Practice does not have policies and procedures in place to ensure an accurate and complete Accounting of Disclosures.
A documented Confidential Communications process was not in place.
The organization does not have a documented list of all users and level of access to ePHI.
The organization has not developed a Contingency Plan.
The organization is not monitoring its audit logs.
Business Associate Agreements have not been implemented with ALL Business Associates.
A $100 fine can easily become a $525,000 penalty
| Complaint Source | HIPAA Violation | Fine | Duration | Statutory Max/Yr | Total Amt of Fine Levied |
| Complaint filed | Patient denied access to Designated Record Set | $100 | 300 Days | $25,000 | $25,000 |
| Found by OCR | No right by patient to Amend record | $100 | 300 Days | $25,000 | $25,000 |
| Found by OCR | Employees not trained on HIPAA for past 6 Years | $100 | 6 Years | $25,000 | $150,000 |
| Found by OCR | Practice did not have a Sanctions Policy that was applied to employees that violated HIPAA | $100 | 6 Years | $25,000 | $150,000 |
| Found by OCR | Employee that violated Patient Rights to Access was not sanctioned | $100 | 300 Days | $25,000 | $25,000 |
| Found by OCR | HIPAA Required Documentation was not kept on Training | $100 | 6 Years | $25,000 | $150,000 |
| Total Penalty | | | | | $525,000 |
Aris protects their clients through Partnership, Education, and Support.