HIPAA Compliance Insights

HIPAA Breach Notification

When Must PHI-Related Breaches Be Reported?

In February 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals — partly because the organization'

Carl B. Johnson · Jan 9, 2023

HIPAA Implementation

When Was HIPAA Implemented? Key Dates That Shape Compliance

In 2023, OCR settled with a dental practice for $350,000 over Security Rule violations that had persisted since 2016 — failures the practice might have

Carl B. Johnson · Jan 9, 2023

HIPAA History

When Was HIPAA Started? Key Dates Every CE Must Know

In 2023, OCR settled with Banner Health for $1.25 million after a breach affecting over 2.81 million individuals — a case that hinged on

Carl B. Johnson · Jan 9, 2023

HIPAA Certification

Where Can I Get HIPAA Certification? A Compliance Expert's Guide

Every week, at least one compliance officer or new hire sends me some version of the same question: where can I get HIPAA certification? The

Carl B. Johnson · Jan 9, 2023

Technical Safeguards

Which Action Would Be Considered a Technical Safeguard

In 2023, OCR settled with a health system for $1.3 million after investigators found the organization had failed to implement basic access controls on

Carl B. Johnson · Jan 9, 2023

HIPAA Enforcement

Which Governmental Entity Is Responsible for Enforcing HIPAA

In February 2023, the Office for Civil Rights settled with a dental practice in New England for $30,000 after the organization failed to provide

Carl B. Johnson · Jan 9, 2023

HIPAA Privacy Rule

Which Is Not Considered an Identifier Under the Privacy Rule

In 2023, OCR settled with a healthcare analytics company for over $1.5 million after the organization shared datasets it believed were de-identified — but which

Carl B. Johnson · Jan 9, 2023

Protected Health Information

Which Is Not Considered Protected Health Information

In 2023, OCR settled with a covered entity for $1.3 million after an investigation revealed the organization had misclassified certain data as non-PHI — and

Carl B. Johnson · Jan 9, 2023

Protected Health Information

Which Items Are Considered PHI Under HIPAA Rules

In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had been disclosing patient names, treatment records, and

Carl B. Johnson · Jan 9, 2023

ePHI

Which of the Following Is an Example of ePHI?

During a 2023 OCR investigation, a mid-sized cardiology practice received a $1.5 million penalty — not because of a sophisticated cyberattack, but because staff routinely

Carl B. Johnson · Jan 9, 2023

HIPAA Safeguards

Which of the Following Is Not a HIPAA Safeguard?

Every year, OCR investigations reveal the same pattern: organizations that misidentify what HIPAA actually requires end up with the most damaging audit findings. One of

Carl B. Johnson · Dec 14, 2022

PHI Access

Who Can Have Access to a Patient's PHI Under HIPAA

In 2023, OCR settled with a medical practice for $50,000 after an unauthorized employee accessed patient records with no treatment, payment, or operational justification.

Carl B. Johnson · Dec 14, 2022