Business Associate

PHI Access

Who Can Have Access to a Patient's PHI Under HIPAA

In 2023, OCR settled with a medical practice for $50,000 after an unauthorized employee accessed patient records with no treatment, payment, or operational justification.

Dec 14, 2022

HIPAA Privacy Rule

Who Is Required to Comply with the HIPAA Privacy Rule

In 2023, OCR settled with a dental practice in New England for $50,000 after finding it had no policies implementing the Privacy Rule — despite

Dec 14, 2022

Administrative Simplification

Administrative Simplification HIPAA: What It Means

When OCR settled with Anthem Inc. for $16 million in 2018 — the largest HIPAA settlement in history at that time — the enforcement action didn'

Dec 13, 2022

Business Associate Agreement

Business Associate Agreement for Subcontractor: What's Required

In 2023, OCR settled with a business associate that failed to ensure its subcontractors had proper safeguards in place for protected health information. The penalty

Nov 29, 2022

Business Associate Agreement

Business Associate HIPAA Agreement: What Must Be Included

In September 2023, OCR settled with a health system for $1.3 million after investigators found the organization had allowed a vendor to access protected

Oct 28, 2022

Business Associate

Business Associate HIPAA Compliance: What CEs Must Enforce

In June 2023, OCR settled with a business associate — a medical records management company — for $75,000 after a breach exposed the protected health information

Oct 25, 2022

Healthcare EDI Training

Healthcare EDI Training: A HIPAA Compliance Priority

In 2023, a mid-size health plan received a corrective action from OCR after an investigation revealed that staff responsible for processing electronic claims had never

Apr 28, 2022

HHS HIPAA Certification

HHS HIPAA Certification: What It Actually Means

At least once a month, a compliance officer asks me the same question: "Where do we get our official HHS HIPAA certification?" The

Apr 28, 2022

HIPAA Business Protection

HIPAA Business Protection: Safeguard Your Organization

In February 2024, OCR announced a $4.75 million settlement with a healthcare system that failed to conduct an enterprise-wide risk analysis — a fundamental gap

Apr 1, 2022

HIPAA Certification

HIPAA Certification for Software: What Developers Must Know

In 2023, OCR settled with a telehealth platform for $1.25 million after an investigation revealed the company's software transmitted protected health information

Apr 1, 2022

HIPAA Compliance Law

HIPAA Compliance Law: What Your Organization Must Know

In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee stole the protected health information of over

Feb 28, 2022

HIPAA Compliance

HIPAA Compliance Privacy Rule: What Your Organization Gets Wrong

In February 2024, OCR settled with a New England dermatology practice for $300,000 after determining the organization had disclosed protected health information to a

Feb 28, 2022