Common HIPAA Violations
- Notice of Privacy Practices does not contain all the required disclosures and has not been updated to meet the HITECH Act requirements.
- Practice does not follow the uses and disclosures as listed in its Notice of Privacy Practices.
- Lack of documented training of ALL employees, including physicians.
- Lack of an enforced tiered Sanctions Policy.
- "Minimum Necessary" standards were not applied when authorizing access to ePHI.
- Not all staff members are assigned a unique identifier for system access.
- Practice does not have policies and procedures in place to ensure an accurate and complete Accounting of Disclosures.
- A documented Confidential Communications process was not in place.
- The organization does not have a documented list of all users and their level of access to ePHI.
- The organization has not developed a Contingency Plan.
- The organization is not monitoring its audit logs.
- Business Associate Agreements have not been implemented with ALL Business Associates.
A $100 fine can easily become a $525,000 penalty
| How Found | HIPAA Violation | Fine | Days | Statutory Max/Yr | Total Amt of Fine Levied |
|---|---|---|---|---|---|
| Complaint filed | Patient denied access to Designated Record Set | $100 | 300 | $25,000 | $25,000 |
| Found by OCR | No right by patient to Amend record | $100 | 300 | $25,000 | $25,000 |
| Found by OCR | Employees not trained on HIPAA for past 6 Years | $100 | 6 Years | $25,000 | $150,000 |
| Found by OCR | Practice did not have a Sanctions Policy that was applied to employees that violated HIPAA | $100 | 6 Years | $25,000 | $150,000 |
| Found by OCR | Employee that violated Patient Rights to Access was not sanctioned | $100 | 300 | $25,000 | $25,000 |
| Found by OCR | HIPAA Required Documentation was not kept on Training | $100 | 6 Years | $25,000 | $150,000 |
| Total Penalty | | | | | $525,000 |
Aris protects their clients through Partnership, Education, and Support.