What Happens in a HIPAA Violation?

Understanding What Happens in a HIPAA Violation Can Protect You

The Office for Civil Rights (OCR) reviews thousands of HIPAA cases every year. In 2018, organizations found in violation of HIPAA paid $28.7 million in settlements and civil money penalties. It’s essential that organizations understand what happens in a HIPAA violation so that they can avoid being fined. Here are some of the reasons those organizations had to pay:

  • An unencrypted laptop storing ePHI was stolen from an employee’s residence
  • An employee lost some unencrypted USB drives storing ePHI
  • ePHI wasn’t encrypted on enterprise-wide systems
  • A hospital allowed filming onsite without obtaining authorization from patients
  • A doctor disclosed PHI to a news reporter
  • A company didn’t have a business associate agreement in place with a vendor 
  • A company didn’t make sure its vendor was in compliance — it held unsecured ePHI in a web-based system 
  • A company failed to properly respond to a patient’s request to send their ePHI to a third party

All of these violations could have been avoided with periodic HIPAA risk assessments and compliance reviews that check for possible points of failure in technology, employees, and business practices.

Can anyone file a HIPAA complaint against you?

No matter how compliant you are, anyone can submit a HIPAA complaint against you, whether you have actually violated HIPAA or not. OCR makes it easy to submit a complaint online with just a few clicks, and nothing obliges a complainant to raise the issue with your own Compliance Officer first. This isn’t meant to shock you, but to give you a sober look at what to expect. If you know what happens in a HIPAA violation, you can be prepared.

What happens when HIPAA receives a complaint?

When OCR receives a complaint, it reviews it under the HIPAA Enforcement Rule to determine whether the facts alleged, if true, would violate the Privacy or Security Rule, and whether any criminal activity was involved. If the complaint wasn’t filed within 180 days of when the complainant knew or should have known of the alleged violation (OCR can waive this for good cause), or if OCR concludes that the alleged conduct would not violate any rule, it is closed without investigation.

If criminal activity is detected in violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), the OCR will refer the complaint to the Department of Justice for investigation. If there is no criminal activity but a possible violation of the Security or Privacy rule, then the OCR will open an investigation.

What happens in a HIPAA violation investigation?

If OCR decides to investigate a complaint, it notifies both the organization named in the complaint and the complainant, and gathers evidence from both. It will ask you for copies of your policies and procedures, your risk analysis history, and any other HIPAA compliance review material that may be relevant. This is where, if you are prepared, you can nip a complaint in the bud.

The OCR will review the information and determine whether or not the Privacy or Security rule was violated. If the OCR doesn’t find any violations of the HIPAA rules, it resolves the case. If it sees evidence of noncompliance, it takes action in one or more of the following ways:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

What is voluntary compliance?

In many cases, the company already knows what went wrong by the time OCR contacts it, or learns quickly. It’s not uncommon for a company and its business associates to fix the problem while the investigation is ongoing; OCR will even offer technical assistance if needed.

What is corrective action?

Cases that require corrective action can sometimes take years to investigate, depending on their complexity. The company or business associate will have to make corrections to their HIPAA Privacy and Security policies, procedures, safeguards, and training. Corrective action often comes with a Resolution Agreement. 

How does a Resolution Agreement work?

A Resolution Agreement is a signed agreement between a non-compliant covered entity or business associate and HHS. It typically imposes a settlement payment and a Corrective Action Plan with one to three years of monitoring, during which the organization has to make periodic reports to HHS.

An example of a basic HIPAA violation that cost an SME $85,000

Company: Korunda Medical is a healthcare company that offers primary care and pain management to approximately 2,000 patients annually. It has a central office, five satellite offices, two primary care physicians, and five interventional pain physicians.

What happened? A patient asked Korunda several times to forward his or her records to a third party in a particular electronic format.

What did Korunda do wrong? Korunda dragged its feet on the request, charged more than the reasonable, cost-based fee allowed under HIPAA, and didn’t provide the records in the requested electronic format.

What rule did Korunda violate? The individual’s right of access to their health information, 45 C.F.R. § 164.524.

What action was taken? Initially, OCR provided technical assistance to Korunda on how it was required to respond to the request, and closed the case.

Why did Korunda get fined? OCR received a second complaint about the same thing four days after it had provided the technical assistance.

How was the case resolved? Korunda entered into a Resolution Agreement requiring an $85,000 payment and a one-year Corrective Action Plan under which Korunda was ordered to:

  1. Revise its policies and procedures within 30 days and provide evidence of it.
  2. Create and present training materials within 60 days.
  3. Submit a list of all patient access requests, with dates, particulars, and fees charged, every 90 days.
  4. Report any workforce member who failed to comply within 30 days of learning of the failure.
  5. Submit an Implementation Report summarizing progress within 120 days.
  6. File an Annual Report within 60 days of the close of the one-year monitoring period.

How much are the fines for HIPAA compliance violations?

Most Privacy and Security Rule investigations are resolved informally, through technical assistance or a Resolution Agreement. If OCR instead imposes a civil money penalty (CMP), the organization can pay it or, if it disagrees, request a hearing before an HHS administrative law judge. If the judge upholds the penalty, the organization can appeal to the HHS Departmental Appeals Board within 30 days.

HIPAA has four penalty tiers depending on the level of culpability. The per-violation amounts below are the base figures (HHS adjusts them for inflation each year), and the annual cap applies to all violations of an identical provision in a calendar year. Criminal charges are a separate matter: knowingly obtaining or disclosing PHI can be prosecuted under 42 U.S.C. § 1320d-6 regardless of which civil tier applies.

  1. Did not know, and by exercising reasonable diligence would not have known, that HIPAA was violated: $100–$50K per violation, $25K max per year.
  2. Reasonable cause (the organization knew or should have known), but not willful neglect: $1K–$50K per violation, $100K max per year.
  3. Willful neglect of HIPAA rules, with the violation corrected within 30 days: $10K–$50K per violation, $250K max per year.
  4. Willful neglect of HIPAA rules, with the violation not corrected within 30 days: $50K per violation, $1.5M max per year.

What’s the best way to avoid a HIPAA fine?

Your best defense against HIPAA enforcement and fines is to assume that you’ll have a HIPAA complaint filed against you at some point. Why? Because a complaint opens the door to an investigation in which additional violations could be discovered.

Even if the original complaint ends up being false, the ensuing investigation and audit could uncover other HIPAA violations resulting in fines. Organizations that are merely box-checking for compliance could get in deep trouble here.

By assuming that you could be audited at any time, you’re more likely to stay on top of your HIPAA compliance reviews with periodic risk assessments. It’s better if you find all of your possible points of failure by exploring what happens in a HIPAA violation, and correct them yourself before an OCR auditor does.


New Patient Acquisition With Conversational Technology

Live chat and healthcare

Chat is becoming a preferred communication method for patients in healthcare. In many cases, HIPAA-compliant chat is the best real-time communication option for patients in cases where privacy, speed and convenience are critical.

The name of the game: increase your pool of new clients quickly.

But you’re busy. Quick wins are often the best option.

Live chat doesn’t have to take weeks of time to enable on your website. In fact, some healthcare clients are up and running in as little as 3 business days. Give patients the immediacy they deserve and are already familiar with, and start chatting today.


Quickstarter toolkit 

We recommend having a few handy tools in your toolkit, some of which you may already have. 

1. Professionally represent your practice with your own team members. Your team are the experts. Showcase your expertise across all patient communications, and provide a personal and delightful website experience the first time.

2. Streamline the new patient process with Proactive chat.

If live chat is a medical bag, then proactive chat is the stethoscope. Or the thermometer. It’s the tool you can get the most bang for your buck with, the one you use most often.

That’s because proactive chat allows you to customize messages to proactively trigger to website visitors. Do more than chat with site visitors, engage them at the right time and place with targeted messaging.

3. Customize and unify all conversations with Shortcuts.

Shortcuts provide an instant library of quick chat messages for chat agents to use. Shortcuts reduce response time so you can spend more time helping site visitors ultimately schedule an appointment.

Bonus: a common use case for shortcuts is as a frequently asked questions (FAQ) tool. 

[Figure: sample workflow]

Build your live chat toolkit


Start communicating with more patients today. Conversational technology is no longer just an option, it’s a necessity. Patient trust and confidence are of the utmost importance. Show patients and site visitors alike that you care about them. We at SnapEngage believe in the power of conversations. If you don’t have live chat already, now is the time.

How SOC 2 Reports Ensure Cloud-based Data Security

Business today means cloud-based data processing. Companies that outsource to SaaS and cloud-based service providers need to make sure that data security and integrity are maintained throughout the entire data supply chain. In this era of increased data privacy legislation, if your service provider isn’t compliant, you can be held liable and risk damage to your brand.

SOC 2 reports were designed for service organizations such as SaaS and cloud computing providers that store or process customer data. They are examinations performed by an independent CPA firm, and the resulting report is intended for the provider’s customers rather than for the general public.

SOC 2 is not a regulation like HIPAA, GDPR, or CCPA, and isn’t legally required of SaaS or cloud vendors. However, for companies that handle electronic protected health information (ePHI), or any other personal data, obtaining a SOC 2 report from a vendor is a best practice. It gives the customer evidence that a business associate’s privacy and security controls line up with the customer’s own regulatory obligations, and the criteria can be mapped onto several regulations at once for service providers that need to comply with more than one.

What is SOC?

Companies that outsource to vendors must make sure they choose vendors with effective internal controls. The AICPA’s framework for reporting on those controls is SOC, which originally stood for Service Organization Control and now stands for System and Organization Controls.

SOC reports are produced by an independent auditor and give a service provider’s customers assurance that the provider’s controls meet the customers’ requirements. There are three kinds of SOC report: SOC 1, SOC 2, and SOC 3. They are not upgrades of each other but different reports with different audiences.

SOC 1 covers a service provider’s controls relevant to its customers’ financial reporting, whereas SOC 2 and SOC 3 both examine a vendor’s security and data protection controls. The difference between SOC 2 and SOC 3 is distribution: a SOC 3 report is a general-use summary that can be published openly, while a SOC 2 report is restricted-use and shared only with the vendor’s customers and the companies evaluating it.

Today, any company that stores customer data in the cloud should strive to meet SOC 2 requirements to minimize the risk of unauthorized exposure and liability. 

What is SOC 2 Compliance?

The American Institute of CPAs (AICPA) designed SOC 2 for outsourced IT-enabled SaaS and cloud computing service providers that handle a customer’s data. At its core, SOC 2 is an attestation examination: an auditor reports on whether the provider’s controls manage data securely enough to protect both the privacy of its customers’ clients and the customers’ own interests.

But SOC 2 is more than just a technical audit. It also establishes criteria that vendors must meet to properly and securely manage customer data, organized under five Trust Services Criteria (historically called Trust Service Principles): security, availability, processing integrity, confidentiality, and privacy.

What are the five Trust Service Principles of SOC 2?

SOC 2 audit reports ensure that companies maintain internal corporate governance, risk management, and regulatory oversight by requiring their service providers to manage data according to these five Trust Service Principles.

1. The Security Principle

Security means the protection of data during its collection, use, processing, transmission, and storage. It also means the protection of the systems that process, transmit, and store the information which allow the primary organization to meet its goals. 

Security can include access controls, network and web application firewalls, two-factor authentication, and intrusion detection to protect data and the data systems against abuse, theft, misuse, breaches, and any other unauthorized access of data and systems.

2. The Availability Principle

Availability refers to the accessibility of the systems, data, services, and products as outlined in the service level agreement (SLA) with a company to manage its daily business processes. 

The availability principle isn’t focused on functionality and usability, but rather on the systems themselves, such as controls to support accessibility for operations and monitoring of network performance. For example, a backup site failover plan, should any incident occur that impedes the availability of systems, would be governed by the availability principle.

3. The Processing Integrity Principle

The processing integrity principle has to do with whether a system is doing its job by processing data that is complete, valid, accurate, timely, and authorized. Processing integrity is more concerned with the processing behavior itself rather than the integrity of the data. However, systems should function free of error, delay, omission, and any unauthorized or accidental manipulation of data.

4. The Confidentiality Principle

The confidentiality principle governs a company’s ability to protect its confidential information throughout the data lifecycle until the data’s removal. Confidentiality is not the same as privacy in that privacy deals with personal information. In contrast, confidentiality — while it can include personal information — is intended for information that a company needs to control, such as intellectual property. 

Confidential requirements included in contracts or legal clauses would also fit under the umbrella of the confidentiality principle. Other information might be trade secrets, proprietary information, business plans, or sensitive financial information. Protections under this principle may involve encryption, firewalls, access controls, and any other safeguards for information processed or stored on systems.

5. The Privacy Principle

The privacy principle focuses entirely on personal information that is collected, used, stored, disclosed, and disposed of in line with a company’s objectives and privacy policies. 

Personal information is any information that can identify an individual. It can include a name, home or email address, ID numbers, physical characteristics, purchase history, medical or health history, financial information, IP addresses, biometric identifiers, and other identity indicators. Electronic protected health information (ePHI), as defined by HIPAA, falls under the privacy principle.

The SOC 2 privacy principle follows the criteria established by the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles that manage and prevent privacy risks. 

What are SOC 2 Reports?

SOC 2 has two report types, each the output of an examination by an external auditor. A SOC 2 Type I report assesses the design of a service provider’s controls at a single point in time. A SOC 2 Type II report tests the operating effectiveness of those controls over a review period, usually at least six months, which is the stronger form of assurance.

Companies can request SOC 2 reports from SaaS or IT-enabled cloud service providers to assess and monitor any risks associated with a third party’s technology services. Vendors can also request the audits and reports on themselves. SOC 2 reports give companies vital information about how vendors manage data and maintain controls around their systems and processes involving sensitive data.

To put it simply, when a business associate is SOC 2 compliant, companies feel more confident trusting it to handle their data. For companies that handle electronic protected health information (ePHI) and are subject to HIPAA, or that need added privacy and security controls to meet other data privacy regulations, SOC 2 reports add another layer of assurance against violations or data breaches.


Release Notes February 21st 2020

Hello SnapEngagers,

We are overdue for a round-up of the updates, changes, and fixes we have shipped recently, beyond the previously announced Guide Bot (Beta) and HIPAA SMS features.

Updates

  • Channels: We added an option to identify individual Facebook users in the CSV Logs export with their Facebook ID.
  • Analytics: Added a percentage to the Availability Report to show at a glance what share of time agents spent in the Online vs. Paused status.
  • Hub: We have moved the “+ Start new Team Chat” option to the top of the left side team chat column so the option is easier to find for agents that have a lot of ongoing team chats already.

Resolved Issues:

  • Security:
    • Resolved a cross-site scripting issue on our signin page which was reported by Sohail Shaikhm, Certified Penetration Tester.
  • Analytics:
    • Removed the ‘gmtDate’ and ‘localDate’ fields from Analytics -> Agent Performance -> Response -> Agent report export.
    • Availability report: Fixed an issue where the online hours in range showed 0.
  • Hub:
    • Resolved an issue where a message typed but not sent in one chat was visible in the next chat when switching between the two using keyboard shortcuts.
    • Applied a number of improvements to the loading time of Hub for agents configured on a high (100+) number of widgets.
    • Resolved an issue where Hub showed the home screen when clicking on the ‘load more chats’ button in the sidebar.
    • Resolved an issue with Hub not loading on IE11
  • Visitor Chat: 
    • Fixed an ‘unexpected token’ error when a single quote mark was used in the pre-chat greeting message.
    • Fixed an issue where the visitor JavaScript was polling for new messages after an offline form submission.


HIPAA Compliant SMS Messaging, The Fastest Way To Connect With Patients

Connecting with patients has never been easier

Patients want to communicate on the go and from mobile devices. In fact, over 65% of all web interactions take place on a mobile device. Text messaging is the #1 way Americans under 50 communicate, and that goes for more than just millennials: texting spans multiple generations. Healthcare providers have been feeling the pressure to accommodate this need while maintaining HIPAA compliance.


Is texting HIPAA compliant? 

On the surface, this looks like a grey area. Plain text messaging, one phone to another over the carrier network, is not HIPAA compliant on its own. But look at the fine print: if the following can be covered, then HIPAA compliant texting is possible, and legal.

  • The messages carrying PHI must be encrypted, in transit and wherever they are stored
  • PHI (Protected Health Information) must be kept out of the unencrypted SMS channel

Why are these important factors? 

  1. Without encryption you have no control over a message in transit and no audit trail of who accessed it, both of which the Security Rule expects. Encryption goes hand-in-hand with the other safeguards.
  2. Mobile devices are easily misplaced or lost, leaving stored conversations readable by whoever finds them.
  3. PHI is protected and private. It is up to healthcare organizations to ensure that privacy.

The bottom line is to do your homework and ask questions when dealing with HIPAA compliance. Work with an IT or security team to make sure your website and chat system sit behind properly configured firewalls and are otherwise hardened against attack.

Is HIPAA compliant SMS messaging right for my practice?

There are many pros to including a HIPAA compliant SMS line in your patient offerings.

1. Remove the hurdles that come with patient portals, emails, and phone calls. Did you know that only 20% of emails are read, while on average 98% of text messages are read? Plus, patients can send you photos in real time to address urgent ailments and get the quickest possible care.

2. Text messaging is a platform patients already know how to use. It’s hard enough to train and support an internal team on an internal patient portal. On top of that, patients can be confused by the redirects and might not feel comfortable entering private information.

3. HIPAA compliant SMS is secure. The name says it all, but this simple fact and wording can put a patient’s mind at ease. Healthcare providers communicate upfront about the security of the conversation, giving patients peace of mind right from the start.

4. Healthcare teams do not have to use their own mobile phones. There is also no need to purchase a separate mobile phone for your office. To stay compliant, all text conversations route back to and live in a secure chat portal. This means that only the patient needs a mobile phone for the conversation to happen, and the healthcare provider on the other side answers from a desktop computer. One device for the patient, one device for the provider, because sometimes life is fair 🙂

How SnapEngage keeps texting HIPAA compliant

Purchasing an SMS number through a HIPAA compliant provider is the first step; SnapEngage is one such provider. Next, decide on the wording that tells patients they will be redirected to a secure portal, so there is no guesswork. SMS also lets patients remain anonymous if they so choose. The patient is prompted to click a link to continue on a secure channel; once redirected, healthcare chat agents carry on from the same chat portal and the conversation, including any PHI, stays off the carrier SMS channel.

Is texting right for you?

Think about patient demographics and how a text solution could work for them. Consider also asking current patients what they think of a secure text feature. And if you decide to purchase an SMS line, tell everyone! You can advertise the number on your website, new patient brochures, new patient check-ins; anywhere you think patients and prospective patients can find it useful. Lastly, start texting. Everyone’s doing it.


What Happens in a HIPAA Breach?

Even if you’re HIPAA compliant, you’re not immune to data breaches. In today’s increasingly digital environment, data breaches are a common and unfortunate occurrence. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), understands this. If you have a breach, it doesn’t necessarily mean it was a result of a HIPAA violation.

However, under HIPAA, there are specific steps you need to take to mitigate any risk to the HIPAA protected health information that you hold and process in anticipation of a breach. And if you do experience a breach, there are specific protocols you should follow depending upon the severity of the breach. The best defense for a data breach is preparation.

What is a data breach according to HIPAA?

Under HIPAA, a breach is an impermissible acquisition, access, use, or disclosure of protected health information (PHI), electronic or otherwise, that compromises its security or privacy in violation of the Privacy Rule. The Breach Notification Rule applies only to unsecured PHI: PHI that hasn’t been “rendered unusable, unreadable, or indecipherable to unauthorized persons” through encryption or destruction as specified in HHS guidance.

How can you avoid HIPAA violations in the event of a breach?

You can avoid a violation finding if you’ve made a thorough and continuous effort to stay in compliance before any breach occurs. That means periodic risk analyses and making sure that all ePHI, at rest and in transit, is encrypted in line with the NIST standards referenced in HHS guidance, so that the data is unreadable, undecipherable, and unusable by unauthorized parties if a copy is lost or stolen. Keep in mind that encryption is only a safe harbor if the decryption key was not compromised along with the data: a stolen laptop with the key stored beside the ciphertext provides no protection at all.
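As an added illustration of the point above (this is example code written for this page, not SnapEngage code and not a substitute for the NIST and HHS guidance it refers to), here is how a record-level encryption layer can make stored ePHI unusable without the key and detect tampering, using AES-256-GCM from Go’s standard library. The PatientRecord type, the sample values, and the record ID used as associated data are all constructed for the example; the key-management assumption is that the key lives in a KMS or HSM and is never written to the same disk as the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PatientRecord is a constructed sample ePHI record for this example; the
// values are made up and do not describe a real person.
type PatientRecord struct {
	Name string `json:"name"`
	MRN  string `json:"mrn"`
	Note string `json:"note"`
}

// NewDataKey generates a random 256-bit AES key. In a real deployment the key
// would be created and held by a KMS or HSM (an assumption of this example)
// and never stored next to the ciphertext; a stolen disk that carries both
// key and data is not "secured" in the HHS sense.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serialises the record and encrypts it with AES-256-GCM. A fresh random
// 96-bit nonce is prepended to the output. recordID is bound in as associated
// data, so a blob cannot be silently swapped into another patient's slot.
func Seal(key []byte, recordID string, rec PatientRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// Open reverses Seal. It fails if the key is wrong, the blob was modified in
// storage, or the blob is presented under a different recordID.
func Open(key []byte, recordID string, blob []byte) (PatientRecord, error) {
	var rec PatientRecord
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("decrypt failed: %w", err)
	}
	if err := json.Unmarshal(plain, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

// ContainsInClear reports whether an identifier is readable in the stored
// blob without the key, which is the question that matters when a device or
// backup is lost.
func ContainsInClear(blob []byte, identifier string) bool {
	return bytes.Contains(blob, []byte(identifier))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	rec := PatientRecord{Name: "Jane Example", MRN: "MRN-000123", Note: "follow-up in 2 weeks"}
	blob, err := Seal(key, "rec-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; name readable without key: %v\n", len(blob), ContainsInClear(blob, rec.Name))
	back, err := Open(key, "rec-0001", blob)
	fmt.Println("with key:", back, err)
	blob[len(blob)-1] ^= 1 // simulate a one-bit change to the stored blob
	_, err = Open(key, "rec-0001", blob)
	fmt.Println("tampered blob:", err)
}
```

Run it with go run; the last line shows that a one-bit change to the stored blob is rejected outright rather than silently decrypted into corrupted PHI, and the first line shows that the patient’s name is not recoverable from the blob alone. That second property is exactly what the HHS safe harbor relies on, and it evaporates if the thief also obtains the key, which is why the key must be held apart from the data.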

Many data breaches go unnoticed for a long time because companies fail to conduct regular risk analyses and so don’t catch them, which increases the chance of being found in willful neglect.

Companies must train all staff and have written protocols in place for personnel to follow in the event of an emergency, security, or data breach.

If there is a breach but the ePHI was secured, encrypted such that it is unreadable, undecipherable, and unusable by unauthorized parties, you may not be subject to the Breach Notification Rule. You should still perform a risk assessment, because it is up to you to establish the severity of the incident, take the correct action under HIPAA, and be able to prove to HHS that you did.

The burden of proof is on you

If you have a breach, you’ll have to be able to prove to HHS either that the ePHI was secured and the incident therefore did not constitute a reportable breach, or that you responded appropriately by sending out all of the notifications required under HIPAA.

HHS presumes that an impermissible use or disclosure is a breach unless the covered entity (you) can show, through a documented risk assessment, that there is a low probability the PHI was compromised. That assessment must consider at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom it was disclosed (identified as far as possible).
  • Whether the PHI was actually acquired or viewed, or only exposed.
  • The extent to which the risk to the PHI has been mitigated.

If the HHS does an audit and finds that there may have been some impermissible use or disclosure of ePHI that you didn’t report, they’re going to ask you why.

Your documented risk assessment is your main defense against appearing culpable. It’s also how you establish whether your situation falls under one of the three exceptions to the definition of a breach, in which case no notification is required:

  1. Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith and within the scope of their authority, with no further use or disclosure.
  2. Inadvertent disclosure by a person authorized to access PHI to another authorized person at the same organization, with no further use or disclosure.
  3. A disclosure where you have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

How do you perform a HIPAA Risk Assessment?

A risk assessment helps you identify risks and vulnerabilities so that you can implement the administrative, physical, and technical safeguards that keep ePHI secure under the HIPAA Security Rule. The US Department of Health & Human Services (HHS) offers guidance on risk assessments on its website, as well as a Security Risk Assessment (SRA) Tool that walks you through the process. HHS recommends performing a risk assessment at least annually and whenever you implement new work procedures, update systems, redesign programs, or experience a security incident such as a data breach.

What is the HIPAA Breach Notification Rule?

If you have a breach, but your risk assessment has determined that ePHI is secured (encrypted), you might not be subject to the Breach Notification Rule. But if there is any chance that unsecured ePHI was improperly used or disclosed, you have to follow specific notification rules to stay in compliance.

Victim notification letter:

You must notify each affected individual without unreasonable delay, and no later than 60 days after discovery of the breach (unless law enforcement requests a delay to protect a criminal investigation). A breach is treated as “discovered” on the first day it is known, or by exercising reasonable diligence would have been known, to anyone in your workforce other than the person who committed it. HHS publishes guidance on the required content of the notice, which must include:

  • What happened, including the date of the breach and the date it was discovered
  • A description of the types of PHI involved
  • Steps affected individuals can take to protect themselves
  • What the covered entity is doing to investigate, mitigate harm, and prevent further breaches
  • Contact information affected individuals can use to ask questions

Notification to HHS Secretary:

You must notify the Secretary of Health and Human Services of any breach of unsecured PHI; breaches are reported through the OCR website.

  • If a breach affects 500 or more individuals, you must notify HHS at the same time you notify the individuals (within 60 days of discovery), and if 500 or more residents of a single state or jurisdiction are affected you must also notify prominent media outlets serving that area. OCR posts breaches of 500 or more on its public breach portal (known in the industry as “the wall of shame”; you don’t want your name on it).
  • If the breach involves fewer than 500 individuals, you may log it and report it to HHS within 60 days of the end of the calendar year in which it was discovered.

Business Associates notification:

Business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery, and must give the covered entity the identities of the affected individuals and the other details it needs to send its own notifications.

For more details and guidance on the HIPAA Breach Notification Rule check out what the HHS has to say.

How significant are the fines for noncompliance resulting in a breach?

If the Office for Civil Rights (OCR) concludes that a HIPAA breach occurred because of noncompliance, the severity of the penalty will depend upon the extent to which it finds a company negligent.

HIPAA has four penalty tiers, and the annual cap applies to all violations of an identical provision in a calendar year. The tier depends on the level of culpability. Criminal charges are separate from these civil tiers: knowingly obtaining or disclosing PHI can be prosecuted under 42 U.S.C. § 1320d-6. HIPAA itself gives breach victims no private right of action, but they can and do sue covered entities under state law.

Tier 1: $100-$50K per violation. $25K max per year. Unaware of the HIPAA violation and even by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Tier 2: $1K – $50K per violation. $100K max per year. Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.

Tier 3: $10K-$50K per violation. $250K max per year. Willful neglect of HIPAA rules with the violation corrected within 30 days of discovery.

Tier 4: $50k per violation. $1.5M max per year. Willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.

Keep your name off of the wall of shame

As everything we do becomes more digital, you’re better off expecting a data breach than thinking it won’t happen to you. Breaches will be a part of life and business and the best thing you can do to protect your brand and your clients is get in front of them. If your HIPAA compliance needs a bit of dusting off, check out our HIPAA Compliance Checklist for 2020 and make sure you’re ahead of the game.