What Are the Three Rules of HIPAA?

a woman making a heart with her hands

If your healthcare organization collects and stores personal information as part of your operations, it’s vital that you and your staff are familiar with and adhering to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes three rules for protecting patient health information, namely:

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule

HIPAA was established by the federal government in 1996 with the intent to protect sensitive patient information from disclosure. As a healthcare organization, it’s paramount that you’re shielding your patients’ information from inadvertent or intentional exposure and potential risks. Any identifiable health information needs to be protected as mandated by national standards. There are serious consequences for failure to adhere to the three HIPAA rules, including financial penalties. Any security breach of electronic information systems through unauthorized access to electronic health records, confidential health, and medical history, or electronically protected health information can result in civil money penalties (and even criminal penalties), a loss of reputation for healthcare professionals, and even the loss of employment for an employee.

Businesses can face fines of up to $1.5 million per year in monetary penalties for failing to comply with the law and addressable implementation specifications. As a result, if you are one of the covered entities under HIPAA, you must follow the three HIPAA rules and security management processes, taking appropriate corrective action when necessary.

How HIPAA Helps Private Health Care Organizations

Prior to the introduction of HIPAA, Private Healthcare Information (PHI) wasn’t securely protected as there were no directive mandates or processes in place to secure personal health information.

In the early origin of HIPAA, there were privacy and security rules outlined to help protect patient records. Protected Health Information (PHI) was the focus of HIPAA’s new standards, which applied to the entire healthcare industry.

In addition to providing important protections, ultimately HIPAA’s primary goal was to improve the patient experience. Covered entities were given a variety of policies and procedures to ensure that their client’s information was protected without a lot of hassle. As healthcare providers implemented these policies, their patients and employees benefitted from the resulting reduced paperwork and improved workflow.

One way to meet HIPAA’s requirements is to use code sets in conjunction with patient identifiers. These codes shielding identifiable health information improved health insurance portability as it increased the ease of information transfer. With the Portability and Accountability Act in mind, healthcare providers attempt to make the patient’s experience more pleasant.

HIPAA’s federal standards also serve some much more minor purposes. Life insurance loans may be exempt from tax deductions, depending on the circumstances. It also improves the efficiency of healthcare services and makes it easier for patients to interact with them.

Who needs to have HIPAA compliance?

Private hospitals, health insurance companies, medical discount providers, and other business associates are all included in the scope of HIPAA’s application.

These types of businesses are known as “covered entities,” and must abide by the HIPAA regulations and security standards. Exceptions to the HIPAA rules for covered entities are extremely rare.

A company or organization that provides third-party health and human services to a covered entity must adhere to HIPAA regulations. As “business associates,” these companies are subject to the same regulations as the covered entities, even though they do not provide direct services.

Before engaging in any shared healthcare operations, a business associate agreement must be signed by both business associates and covered entities. Before undergoing any procedures, the confidentiality and integrity of protected health information must be preserved, and the business associate agreement does that.

What Are the Three Main Rules of HIPAA

As mentioned earlier in this article, HIPAA legislation comprises a few rules that outline what you must do to comply with the law. We’ll now discuss them in detail below:

1. The HIPAA Privacy Rule

HIPAA defines the circumstances under which a person may disclose or use protected health information. Everyone has a right to privacy and this rule helps ensure that appropriate safeguards are in place to protect personal health information. Those who are covered by this policy must adhere to a special set of rules.

The standards set by the privacy rule address subjects such as:

  • Which organizations must follow the HIPAA standards
  • What is Protected Health Information (PHI)
  • How organizations can share and use PHI
  • Permitted usage and disclosure of PHI
  • A patient’s rights over their health information

In 2003, the HIPAA Privacy Rule was first put into place. At that point, the affected entities included healthcare providers as well as healthcare clearinghouses and other health insurance entities. Healthcare-related business partners joined the list in 2013.

For the most part, the rule on patient privacy restricts the extent to which medical records can be shared without explicit consent. It does also provide some rights to patients including their right to obtain and examine their own health information. For example, it allows patients and their next of kin (representatives) to access their medical records under the HIPAA privacy rule. As outlined in the Privacy Rule, any requests for access and disclosure must be responded to within 30 days of receipt by the Covered Entities. Upon receipt, if a patient determines an error, the Privacy Rule enables them to request a correction.

The Privacy Rule also restricts the usage of health information which could identify a person (protected health information or PHI). Covered entities cannot use or disclose PHI unless:

  • It’s permitted under the privacy rule, or
  • The individual has authorized it in writing.

The privacy rule does not restrict de-identified health information.

2. The HIPAA Security Rule

The HIPAA Security Rule sets out the minimum standards for healthcare organizations to protect electronic protected health information (ePHI). To access that information in electronic format, even those who are technically capable of doing so would have to meet those standards. At its core, the HIPAA Security Rule requires healthcare providers to have the necessary administrative, physical, and technical safeguards implemented to ensure the ePHI’s integrity, security, and confidentiality is maintained.

The HIPAA Security Rule covers the following aspects:

  • The organizations that may need to follow the Security Rule and be deemed covered entities.
  • Safeguards, policies, and procedures that can be put in place to meet HIPAA compliance
  • Health care information that is under the protection of the Security Rule

To put it simply, anyone who is part of the business associates (BA) or covered entities (CE) and can access, alter, create, or transfer recorded ePHI will be required to follow these standards. These technical safeguards will involve NIST-standard encryption in case the information goes outside the firewall of the company.

In addition to technical safeguards, the Security Rule will include several physical safeguards. These physical safeguards may entail positioning workspaces in certain ways. For example, if your administrative staff are in a public area, others shouldn’t be able to see a computer screen because of a workstation layout.

Administrative safeguards are also checked and they include the Security Rule and the Privacy Rule. A privacy officer and a security officer are required to conduct regular audits and have a risk analysis process as part of these safeguards on an ongoing basis.

These evaluations are critical to the safety of the system. When considering possible threats to protected health information, your privacy officer and security officer don’t care if it’s just a theory. Consequently, they plan to implement a risk management plan in response to their audits and hypotheses to help avoid any potential risks that could occur in the future.

A covered entity must take the following steps to ensure the security of all ePHI they create, send, or receive:

  • Ensure the confidentiality integrity and availability of the ePHI
  • Protect against improper uses and disclosures of data
  • Protect the ePHI against potential threats, safeguarding their medical records
  • Train employees so that they are aware of the compliance factors of the Security Rule
  • Adapt the policies and procedures to include any updates to the Security Rule

Confidentiality, integrity, and availability rules in health care must be met by the covered entity. Access to health data needs to be secure and protected from any potential breaches.

3. The HIPAA Breach Notification Rule

Occasionally, there may be a breach that leaves your patients’ protected health information vulnerable. A breach can be any impermissible disclosure under the Privacy Rule that may compromise the security or privacy of protected health information. This is where the Breach Notification Rule would be enacted. The Department of Health and Human Services must be informed as soon as possible if there has been a data breach. Regardless of the nature or scale of the breach, this must be done within 60 days of its discovery. This is where a good risk management plan is valuable.

If a breach during administrative actions involves a person‘s personal information, that person must be notified within 60 days of the discovery of the breach.

In the event of a large-scale breach that affects more than 500 patients in a specific jurisdiction, the media should be informed as well.

An immediate announcement of a privacy violation is required by the HIPAA rule for breach notification. The Office for Civil Rights may impose fines if you don’t comply.

Alternatively, the Covered Entity may decide not to send a breach notification if it can show that the critical element of the PHI has not been compromised. A violation of privacy and security rules would be warranted if they are found to have been compromised.

Reportable Breaches and Exceptions

A breach of PHI occurs when an organization uses or improperly discloses PHI, even if it’s an accidental disclosure. However, organizations are only required to send alerts for identifiable health information that is not encrypted. In addition to this, there are three additional circumstances in which the breach notification rule is more lenient, during such compliance violations and PHI breaches. This may include:

  1. If it was unintentional or done in good faith, and was within the scope of the authority.
  2. If it was done unintentionally between two people permitted to access the PHI.
  3. If the organization has a good faith belief that the person to whom the disclosure was made would not be able to retain the PHI.

Under such a case, the organization should ensure that such incidents don’t reoccur and take corrective action plans. Breach alerts are required only for unsecured PHI. If you secured it as specified by this guidance, then you don’t need to send the alerts.

How Wheelhouse IT Can Help You Adhere to HIPAA Guidelines

You may believe that you can meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) on your own, and you may be right. A HIPAA-verified Managed Service Provider (MSP) makes it much easier to achieve HIPAA compliance than if you were to do it on your own.

To keep your organization and in-house IT department HIPAA compliant, you can rely on Wheelhouse IT. Some of the benefits of working with us include:

  • Conducting HIPAA security risk assessments
  • Encrypting all PHI and stored data
  • Implementing backup and disaster recovery plans to keep data secure
  • Identifying system vulnerabilities and providing high-quality solutions
  • Providing the necessary technology to ensure data security
  • Providing services such as Remote Monitoring Management (RMM), cloud-to-cloud backup, and authentication and access control

WheelHouse IT is ready to help your business navigate HIPAA compliance.

If you are looking for the assistance of an MSP for your HIPAA compliance needs, book time on our calendar below.

7 Social Media Content Ideas For When You’re Uninspired

a woman making a heart with her hands

Social media is a fun and effective way to promote your business and boost sales in many cases. Making sure that you put effort towards interacting online and creating quality content on your socials frequently can go a long way to further your business. However, every social media manager and coordinator has reached a point where they feel uninspired and their creativity has run out. This happens to even the best content creators. Below is a list of social media content ideas that is sure to fill in some gaps and hopefully get the creative ball rolling again the next time you’re feeling stumped.

Promote Blog Articles

Once you’ve posted blog articles on your company’s website, make sure you promote them on your social profiles. Not only can this help with engagement and click-through rates, but this can also help bring more visitors to your website and in turn boost conversion rates. You can do this with new blog articles and you could even link to past articles that still hold relevancy.


Showing off your organization’s team is almost always a sure way to boost engagement rates by showing the humans behind your operations. After all, photos with faces perform almost 40% better than without faces. Here at WheelHouse IT, we sometimes post a team member highlight on Tuesdays and use the hashtag #TeamTuesday as a fun alliteration. However, you can, of course, post your team members any day of the week!


Does your company have any news to share? Are there any updates that could affect current and potential clients? Have you found any tips to share that are pertinent to your industry and could be helpful to users? All of these make for useful and important content pieces that you can share on your company’s socials through your feed or even stories.


Posting a simple and fun multiple-choice question in the form of a pop quiz is a simple way to prompt people to stop, think, and comment on their answers. This can have the same effect as posting an open question. However, this type of post is even easier to engage with since all people have to comment is a letter as their answer. 😉 

For example: 

How many cups of coffee have you had today? 

  1. A) 1
  2. B) 2
  3. C) 3
  4. D) 4+

Company Testimonials

Online reviews, client testimonials, employee testimonials, and even kind emails or messages that show how your business is helping make a difference for your clients or your staff for the better can go a long way in displaying your legitimacy on social media. Creating an on-brand and eye-catching graphic with your favorite blurb out of a testimonial or review always makes for a good slice of content.


Comic relief can be a great way to show people your page’s humanity, so you don’t risk appearing boring and stiff. While providing valuable content pertaining to your business and industry is a crucial practice, it’s also sometimes necessary to have fun with your page.

When posting memes always be sure to keep it light, keep it relatable, and keep it simple! You don’t want your meme so niche that it only speaks to a few users. This is your chance to appeal to a wider audience and illicit a light chuckle and, if you’re lucky, a higher share rate.

Open Question

Simply asking your followers open questions through feed posts and stories that can prompt them to comment on their answers can be an easy and effective way to elicit engagement. However, it can’t just be any random question. It would be best in most cases to make this question relate to your business somehow.

Bonus: Dogs!

There aren’t many statistics that back up our claim that photos with your furry (or not so furry) loved ones will get you higher engagement rates. However, we’ve seen it firsthand! Our posts which include our staff’s pets, get almost as much engagement as posts with human faces!

We hope these social media content ideas help inspire you when you aren’t feeling your most creative. If you’re looking for help promoting your business online, check out our monthly Online Presence Management plans and start showcasing your brand and drawing traffic.

HIPAA Violation Examples – WheelHouse IT

three credit cards sitting on top of a computer keyboard

With fines reaching $50,000 per occurrence and a maximum annual penalty of almost 2 million dollars, it’s imperative to ensure your medical practice is HIPAA compliant at all times. While every possible violation should be considered a threat to your company however some come up more than others do in today’s worldwide technology-driven society with its ever-connected gadgets where everything seems accessible from anywhere no matter how secure they may seem on any given day.

HIPAA is a federal law that regulates the privacy, security, and human resources of health care providers. While it’s designed to ensure your sensitive information remains safe from prying eyes – many people have found ways around these laws before you even get started! 

15 Most Common Hipaa Violation Examples

Here are the 15 most common examples of HIPAA violations:

Accessing PHI from Unsecured Location

When it comes to the security of your employees’ personal information, you can’t afford any leaks. That’s why we recommend that all staff members keep documents with PHI in a secure location at all times and physical or digital files should be locked away from prying eyes or digital access alike – encrypted whenever possible!

On the other hand, failure to keep a record of the protected health information of patients is a common violation of HIPAA. It is also common to neglect to follow the privacy and security policies of a patient’s provider. For example, a doctor or any authorized individual might not be able to protect their patient’s information if the doctor doesn’t want to keep it. Keeping patient records will help protect the patients’ privacy and well-being.

Lack of Encryption

Encryption is a simple way to protect your patients’ data. If you lose or steal the device that contains their information, they will be protected from malicious hackers who want access at any cost! Even if an individual’s password were somehow compromised on another system (such as hacking incidents), encryption would keep them safe because only those authorized with special decryption keys can unlock it; making misinformation impossible when trying to compromise someone’s personal info via this route.

Getting Hacked OR Phished

Medical practices must take every reasonable step to protect against common hacking methods. Keeping antivirus software updated and active on all devices containing ePHI is a great place to start, as well as using firewalls with strong passwords that are changed frequently will provide additional protection for your practice’s information assets in this ever-changing world of cybercrime.

Employee dishonesty

Some of the most common HIPAA violations are snooping on health care records and not notifying patients. While this is a clear violation, the ramifications of this action are often not as obvious. There are some common ways to violate HIPAA, however, and these can lead to disciplinary or corrective action or even lawsuits.

Unauthorized Access

One of the most common HIPAA violations is unauthorized access to patient data. Employees must take care not to give access to health information to coworkers who may not have the same access rights.

If an employee is caught accessing a patient’s health information without authorization, the healthcare provider can face hefty fines, and the state attorney general can order an investigation into the breach.

Loss or Theft of Devices

Another common violation involves lost company devices. Medical practices must ensure that their devices are secure by installing encryption, multiple passwords, and other theft-deterrents. Limiting access to devices and data based on employee status and job function helps prevent loss or theft of sensitive medical information.

Unauthorized release of information

If a patient’s medical records are shared with an employee, it is also a HIPAA violation. The information contained in the medical records is confidential. If someone has access to private health information without permission, they can face big fines. This is the most common HIPAA violation and should be avoided at all costs. Luckily, the Office for Civil Rights conducts investigations into data breaches. The Office of Civil Rights can also conduct an investigation, so it’s important to keep employees and other employees abreast of the law.

A recent case involved a Texas hospital employee who accessed 596 patient digital files for personal gain. The violation was not intentional and was made with the best intentions. If the same situation occurs at your facility during healthcare operations, you must act immediately to protect patient privacy. If you don’t comply, HIPAA audits will likely be ineffective and could lead to criminal charges. Moreover, if you haven’t taken steps to ensure compliance, you’re likely to be subject to the same penalties.

Lack of Employee Training

Regardless of whether you’re a small or large healthcare provider, HIPAA can be a complicated process. It’s easy to get confused by all of the regulations. Even if you have a clear understanding of the law, mistakes can still occur. Here are some examples: negligently handling patient information, social media (like a Facebook post), and texting on a mobile device.

The same rules apply to social situations. While these situations can lead to huge fines, preventing these violations is not impossible. Investing in proper compliance training and education will help to prevent HIPAA violations. And starting in 2019 there are stricter audits and guidelines to follow.

In addition to the legal issues, several other potential HIPAA violations may affect your business. An example of a potential violation would be, if you have a computer that has a password-protected patient file, you must make sure the password is not visible to anyone except the employees. This violation will cost you dearly. Therefore, it’s important to invest in proper HIPAA training and education for your employees.

Gossiping or Sharing Information

If you are a care provider with access to patient health information need to be careful about what they discuss when talking outside work. Even vocalizing certain topics or accidental disclosure can result in violation fines or other penalties so it’s best not to broadcast anything related unless necessary!

Disposal of PHI

It’s possible to violate HIPAA by using a computer that contains protected health information in an unsafe way. Some of the most common HIPAA violations involve social media platforms, (such as social media posts), and texting. In some cases, it involves improper disposal of records. If these things happen, the penalties can be steep. These violations can lead to costly civil lawsuits. You and your business associate should take steps to avoid them.

Failure to Perform an Organization-Wide Risk Analysis

HIPAA compliance requires thorough risk analysis. This means looking at every aspect of your organization from top to bottom. There are many ways to do this but one of the simplest methods is to conduct a comprehensive audit. 

Failure to Manage Security Risks Lack of a Risk Management Process

The security risks associated with healthcare data are significant. They include theft, loss, unauthorized use, misuse, unencrypted storage, and unapproved sharing. To manage these risks, you must develop a comprehensive plan. This includes defining policies, procedures, and protocols. You must also establish a system to monitor and enforce compliance. A good place to start is by conducting a risk assessment.

Failure to Enter into a HIPAA-Compliant Business Associate Agreement

You must enter into a business associate agreement (BAA) with each company that provides services to you. The BAA defines how both parties will share information and protects the privacy of patients. It also ensures that any breach of confidentiality is handled appropriately.

Impermissible disclosure

An “impermissible” disclosure occurs when someone discloses medical information without permission. Examples include disclosing a patient’s name, address, telephone number, email address, Social Security number, date of birth, diagnosis, treatment, or payment status.

3rd Party Organization Disclosure of PHI

The importance of keeping your private information confidential can’t be overstated. If you discuss PHI with those who do not have the right to know, it is a direct violation of HIPAA and could result in fines or even worse – imprisonment!

The Enforcement Rule is a serious matter. If healthcare employees violate it, OCR can levy fines anywhere from $100 per instance to as much as half a million dollars for anyone’s mistake!

NOTE: Before any of a patient’s PHI can be disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule, an authorization form must be obtained from them. Only the exact person who signed the authorization form can get information about a person. Thus, it is critical to review authorization documentation because patients can authorize the release of only certain types of information to specific parties.

To avoid this, keep all vital information confidential and only discuss it with authorized individuals behind closed doors. Similarly, delayed response to patients’ requests for a copy of their medical records can also be considered a violation.

Patients without authorization: a physician had accessed the medical information of celebrities and other public figures without authorization, leading to an investigation.

Response to the patient’s request for medical records needs to be made within 30 days. Failure to respond within 30 days is considered a violation.

HIPAA requires that PHI be shared only when “necessary” – that is, HIPAA-covered entity or business associates must make a reasonable effort to ensure that only the information required to complete a task or perform a job is accessed or shared with authorized persons or classes of individuals, which is another tricky requirement that can lead to violations.

Call Us To Learn How You Can Be HIPAA Compliant

In addition to the above violations, many other HIPAA violations aren’t as obvious. The most common HIPAA violation is the mishandling of patient records. Clinics should keep these records in locked rooms. If the clinician leaves the paper records in the room of a patient, it is a violation of HIPAA. In this case, the employee’s employer can be fined as well.

As a result, HIPAA-covered entities must conduct regular HIPAA compliance reviews to ensure that HIPAA violations are discovered and corrected before regulators become aware of them.

When potential risks and vulnerabilities are identified, covered entities and business associates must decide which measures to implement based on the size, complexity, and capabilities of the organizations, the existing measures already in place, and the cost of implementing additional measures concerning the likelihood of a data breach and the magnitude of the harm it would cause.

For more information please give us a call at (877) 771-2384

Contact Us Today and Check Out Our Blog!

HIPAA Do’s and Don’ts for Employees – WheelHouse IT

a clipboard with the words hipaa regulation on it

HIPAA Do’s and Don’ts for Employees

HIPAA is the law that protects your privacy as a patient. Under HIPAA, health care plans and providers must limit who can see records of you to those with need-to-know information such as doctors, nurses, or a health professional if you are in order for it not to be compromised by outside parties like hackers trying to take advantage from within their organization’s network security measures.

What does HIPAA mean?

HIPAA is a law that protects your privacy as it pertains to health care. There are many restrictions on who can see any of the health plan records, and under this act, you also have the right in regards for getting copies from doctors if needed!

Protected health information: As a rule of thumb, HIPAA is a law that protects your privacy as well as the right to see medical records. It gives patients to access and ability control over their own medical information, which includes doctors’ notes or test results from treatments given at hospitals, health care organizations, and other health agencies.

Your right to protected health

The right under this act also includes getting copies of the patient files or to see their electronic health records if they need more information than what was written down on paper for treatment purposes.

Thus, the Health Insurance Portability Accountability Act (HIPAA) is a set of rules that outline what employees should and shouldn’t do with their personal health information.

Protection against privacy violation

The intention was to protect the privacy rights of those who have insurance coverage, but there are still some obligations included in this law that every employer must follow so they don’t run afoul or risk financial penalties from government agencies like CMS- Coast Care Services Incorporated. For years, there have been strict guidelines for protecting patient health information.

Those rules are complicated, but they’re not hard to follow. Here are a few tips to ensure your employees follow them.

Firstly, don’t share health information via text messages. You can send a message through an SMS network or through a healthcare text messaging platform, but you should be sure to shut it down afterward. In addition, you should avoid sharing the ePHI you receive with other people.

When it comes to HIPAA compliance, your employees are no exception. While it’s not required for employers to protect employee health information, your employees must follow them. Using social media to share employee health information may be a violation, as well as losing or stealing devices. In addition, even if your business is no longer operating, you can be held liable for violations. By following the HIPAA guidelines, you can be sure your employees are doing their job right and avoid common errors.

Another important rule of HIPAA is that you should only share PHI with employees who need it. When working with patient information, you should avoid using public locations to work. In addition, shared spaces can be unsafe for you.

They can have questionable WiFi and insufficient restroom facilities. Also, don’t discuss HIPAA-sensitive information with colleagues in public. If you have a need to discuss the HIPAA regulations with someone, try to limit the discussion to other employees.

HIPAA Security: There is really no need in being afraid because there isn’t anything worse than finding out that someone has accessed or obtained sensitive data like social security numbers. The good news? With some careful planning from both parties involved (the company AND employee), this type of scenario can easily be avoided.

Take note: The following list of HIPAA rules is not all-inclusive, but it provides a starting point for understanding how the complicated privacy laws work within your organization. Rules can vary depending on who you are and what type of company or business structure there are at this particular workplace – so be sure to ask if any clarification might suit both parties better!

There are a lot of rules and regulations when it comes to protecting your private information, but don’t worry – we have all the answers for you! 

HIPAA do’s and don’ts for employees

Some of the most typical ways in which HIPAA Rules are violated by workers are listed below.

Don’ts of HIPAA 

  1. Employees cannot use PHI for personal gain. This includes things like selling PHI, or giving it away to others.
  2. Employees cannot use PHI without permission. For example, they cannot use patient information to make decisions about hiring or firing people.
  3. Employees cannot use PHI to discriminate against anyone. For example, they shouldn’t use PHI to decide whether to hire someone based on race, gender, religion, etc.
  4. Employees cannot use PHI unless it is absolutely necessary. For example, they should not use PHI to determine insurance rates.


  1. Employees must use secure methods to store patient data. This means that all electronic files containing sensitive information should be stored offline, and encrypted when transmitted.
  2. Employees must take steps to prevent unauthorized access to PHI. They should never give out the login credentials and lock up any device containing PHI.
  3. Employees must keep records of how often they view their patient information files. They should keep track of who viewed the information, and when.
  4. Employees should only disclose PHI to those who need it. For example, doctors, nurses, and other healthcare employees are typically allowed to review medical records and patient health records alike. Unlike healthcare providers or healthcare workers, an HR person would not be authorized to see the same information as the healthcare operations.
  5. Employees must destroy PHI once it is no longer needed. This includes shredding documents containing private health information and wiping computers clean after removing PHI.
  6. Employees must notify patients about privacy breaches. It’s important to inform patients about any security breach, including the time and date it happened.
  7. Employees must train on HIPAA compliance. Training will help them know what to look for, and where to find the relevant information.
  8. Employees must report suspected violations to authorities. Reporting suspected violations help law enforcement agencies catch criminals.

How does HIPAA affect my company?

The criminal penalties for violating HIPAA rules are severe. The fine for each violation is $50 per day, multiplied by the number of days the violation occurred. Companies could also face criminal charges if they violate HIPAA rules.

The punishment for violating HIPAA rules can be severe. The fine is $50 per day, and if a company has committed criminal charges they could face prison time as well!

In addition to the HIPAA Do’s, organizations should also make sure to follow all applicable state and federal laws regarding health information. Similarly, organizations must make sure to conduct annual risk assessments to identify areas of non-compliance, which can result in criminal penalties and monetary penalties. These audits should be done by a compliance officer and should be done in a confidential setting. In some cases, organizations may be required to perform more than one.

For example, healthcare providers should attend annual HIPAA training and review their policies and procedures. It is also a good idea to check them every year with staff members, especially if major changes have occurred in the business. Employees should sign an acknowledgment of HIPAA policies. It is also important to document the dates that employees have received the training and abide by its rules.

NOTE: The most important HIPAA Do is to be sure to follow the regulations.

For health care providers, annual training is an essential step in ensuring compliance. In addition, policies and procedures should be reviewed with staff and updated as necessary. It is also important to ensure that all employees have signed acknowledgments of the policies and procedures. Lastly, all employees should sign an acknowledgment of HIPAA training and review policies and procedures on an ongoing basis. For all healthcare providers and the majority of healthcare employees, this step is critical in ensuring compliance with HIPAA requirements.

What can I do to protect myself from HIPAA violations?

First off, there are two main types of violations: administrative and technical.

Administrative violations occur when companies fail to follow the rules. These include failing to comply with the Privacy Rule (which requires companies to maintain adequate safeguards) and failing to properly dispose of PHI.

Technical violations happen when companies mishandle PHI in some way. Examples of these violations include storing PHI on insecure devices, sharing PHI outside of the organization, and using unsecured email accounts.

Second, you have to understand that HIPAA applies to the covered health care provider, regardless of size. So even though your small business may not have many employees, it still needs to abide by HIPAA regulations.

Third, you should familiarize yourself with the rules. You can get more information at www.hhs.gov/ocr/hipaa. If you’re unsure about something, contact your health plan administrator or compliance officer.

Compliance violations: To avoid potential violations, healthcare organizations and their business associates must ensure full compliance with the HIPAA Privacy, Security, and Breach Notifications Rules.

Contact us today!

If your business has been affected by HIPAA, contact us at www.wheelhouseit.com. We offer HIPAA training and consulting services to ensure that your organization complies with HIPAA regulations.