Improve Patient Acquisition Rate with Healthcare ROI Tools

How to Get the Most out of Your Marketing Campaigns

Your marketing team has spent time and effort creating targeted campaigns to increase web traffic. More website traffic is always great, but increased patient acquisition is better. Do you know your patient acquisition cost? 

SnapEngage Live Chat allows you to recognize and record where visitors are coming from. So, not only can you give website visitors responding to a specific campaign a more customized experience than anyone else on your site, you can accurately measure the return on your investment.

The only way to improve your marketing campaigns is to know where you stand with your current campaign performance. Whether measuring product conversion or new patient acquisition rate, having accurate data is a critical component in evaluating whether your campaign is effective at meeting measurable goals. 

With a few tools in your toolkit, you can collect that data while rolling out the red carpet with exceptional prospective patient engagement 24/7.

Record where they came from and send them where they need to go

Goal: Report on exact metrics from marketing campaigns and increase patient acquisition rate.
How: Qualified site visitors will receive VIP treatment on their very first visit.
Outcome: Reap the benefits of your targeted campaigns with contextual messaging. Capture ROI metrics and offer a 24/7 seamless chat experience to enhance the results of your marketing efforts.


Quickstarter toolkit

  1. Recognize where site visitors are coming from and trigger a chat with contextual messaging for each specific visitor with Proactive Chat. New visitors to your website are looking for valuable information and to schedule an appointment. 53% of visitors are more likely to do business with an organization that provides chat functionality. Guide them through this process with a strong proactive chat strategy.
  2. Capture prospective patient information with the Info Capture Bot, even when chat agents are offline or maxed out on chats, so you never miss a new patient opportunity. Provide the best possible experience while supplementing your chat agent team. All prospect information left with the Info Capture Bot is automatically sent to your integration for follow-up, providing you with valuable ROI metrics and patient acquisition leads.
  3. Have the right agents online at the right time to provide a seamless chat experience and route your prospects where they need to go using Priority Tiers. As your chat requests increase, the system always scales up to the next tier of agents, making them available when they are needed most. Tiers also serve to maximize chat agent skill sets: the second tier of chat agents can be specialists, engaging with only the most qualified site visitors.


Sample workflow

Tools for ROI recap

  • Provide high-touch messaging with Proactive Chat settings
  • Never miss another connection: Info Capture Bots are an extension of your business
  • Provide more cohesive new patient support with Priority Tiers


Build your live chat toolkit

Data measurement helps tie campaign success to your overall business bottom line. You can get your money’s worth from advertising campaigns by converting more patient leads from paid campaigns. With a few simple SnapEngage tools, you can correctly attribute which patients came from where and engage with them contextually so you meet their needs immediately. Tiers with a chatbot mean that chats will only route to the bot when no one is online — essentially providing customized service 24/7/365.


What is the HIPAA Privacy Rule During Coronavirus? (FAQs)


Many healthcare organizations may be confused about the HIPAA Privacy Rule during Coronavirus. To be clear, the HIPAA Privacy Rule — which protects patients’ protected health information (PHI) — is not waived because of the Coronavirus COVID-19 pandemic. 

However, the Office of Civil Rights (OCR) is aware that during an infectious disease outbreak — such as COVID-19 — it may be necessary to disclose a patient’s PHI without their written permission in order to treat them or protect the public health.

Therefore, certain provisions of the HIPAA Privacy Rule regarding the disclosure of patients’ PHI without their written authorization can be waived without sanctions or penalties in specific instances during a national Public Health Emergency. 

Let’s unpack this to answer the most common questions healthcare organizations are asking about when a patient’s PHI can be disclosed without their written authorization during the COVID-19 Public Health Emergency.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects the security and privacy of peoples’ Personal Health Information (PHI). When a patient’s Personal Health Information is in electronic form, it’s called ePHI. 

The HIPAA Privacy Rule provides the standards for healthcare companies to fully protect any PHI or ePHI that is collected, processed, transmitted, or stored, and to make sure that patients can access it and amend it if it is incorrect or has become corrupted due to identity theft or errors.

If your organization has contact with PHI in any way, you have to develop privacy procedures and policies that adhere to the Privacy Rule and use authorizations as instructed by HIPAA. Otherwise you risk a HIPAA violation, which can subject you to fines and penalties.

Can we disclose PHI without patient authorization for treatment purposes?

Yes. Covered entities and business associates are allowed to disclose PHI if it’s necessary to treat the patient — or any other patient — without a patient’s authorization. 

Treatment includes:

  • Coordination and management of healthcare services by one or more healthcare providers
  • Consultation between healthcare providers
  • Referral of patients for treatment

See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), 164.501.

Can we disclose PHI without patient authorization to public authorities?

Yes. Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency that is collaborating with a public health authority, or any person or entity who has been granted authority from or is under contract with a public health agency.

See 45 CFR §§ 164.501 and 164.512(b)(1)(i).

Can we disclose PHI without patient authorization to someone who might have COVID-19?

Yes. If state law or any other relevant law permits, covered entities can disclose PHI without written authorization to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading COVID-19. They may also disclose PHI to anyone who they believe can prevent or reduce a serious health threat to a person or to the public by receiving the PHI in question.

See 45 CFR § 164.512(b)(1)(iv).

Can we disclose PHI without patient authorization to family and friends?

Yes. Covered entities and business associates are allowed to share PHI without written authorization with family, relatives, friends, or any other person involved with the patient’s care. They can also share PHI if they need to when trying to find and notify family members, guardians, or people responsible for the patient — to inform them about a patient’s location, condition, or death. This can even include the police, the press, or public at large if it’s necessary in an emergency situation.

Covered entities should at least try to get verbal permission from patients, or be able to reasonably infer that a patient wouldn’t object. But if a patient is incapacitated or not available, covered entities can share PHI if they believe it’s in the patient’s best interest.

See 45 CFR § 164.510(b).

Can we disclose PHI without patient authorization to the media or public at large?

No. Unless excepted as outlined above, information about an identifiable patient (e.g. tests, test results, or illness details) cannot be disclosed to the media or public at large without the patient’s written authorization, or the written authorization of the person legally authorized to make healthcare decisions for the patient.

However, if a patient hasn’t specifically objected to the release of PHI, a covered entity may release limited facility directory and basic information about a patient’s condition, such as “critical, stable, deceased, or treated and released.” 

See 45 CFR § 164.510(a).

Are there any other HIPAA restrictions or changes we should be aware of?

HIPAA Security Rule 

Covered entities and business associates must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (ePHI) to protect patient information against intentional or unintentional impermissible uses and disclosures — except as permitted by the HIPAA telehealth penalty waiver for healthcare providers. 

COVID-19 HIPAA Telehealth Penalty Waiver for Healthcare Providers

Healthcare providers — specifically — won’t be subject to sanctions or penalties if they violate certain HIPAA Privacy, Security, and Breach Notification Rules when providing telehealthcare in good faith during the COVID-19 nationwide Public Health Emergency.

Minimum Necessary Requirements 

Covered entities and business associates still need to be careful to comply with HIPAA’s minimum necessary requirements. PHI disclosure should only be the minimum amount of information required to accomplish the purpose of the disclosure. But minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.

Other Applicable State and Federal Laws 

There may be other state or federal laws that apply to the disclosure waiver granted under a public health emergency. All covered entities and business associates governed by the HIPAA Privacy Rule should make sure they are up to speed on relevant local laws that may restrict disclosure of PHI during the COVID-19 pandemic.

Real-time OCR Announcements Related to COVID-19

Healthcare providers who are covered under HIPAA need to be aware of ongoing announcements related to HIPAA, Civil Rights, and COVID-19 on the HHS website as we run up against potential Civil Rights challenges while navigating our way through this pandemic. 

Contact SnapEngage to learn how we can help you stay HIPAA compliant during and after COVID-19

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. Our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and staff to answer questions quickly. Download our Guide to HIPAA-Compliant Chat and ensure that your business is compliant and protected throughout coronavirus and beyond.



What are the HIPAA Telehealth Rules for COVID-19? (FAQs)


Since the Office of Civil Rights (OCR) released its Notification of Enforcement Discretion for Telehealth Remote Communications in March, healthcare organizations want to know what it means to provide HIPAA compliant telehealthcare during the Coronavirus crisis. These FAQs answer the most common questions about the HIPAA telehealth rules for healthcare organizations during COVID-19.

Which HIPAA telehealth rules are affected by COVID-19?

HIPAA Privacy, Security and Breach Notification Rules — HIPAA covered healthcare organizations won’t be subject to sanctions or penalties if they violate HIPAA Privacy, Security, and Breach Notification Rules when providing telehealthcare in good faith during the COVID-19 nationwide Public Health Emergency.

Which HIPAA covered entities qualify for the telehealth enforcement discretion during COVID-19?

Healthcare providers only — The HIPAA telehealth Enforcement Discretion applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the emergency or transmit any health information in electronic form (ePHI) in connection with a transaction.

Under HIPAA, healthcare providers are those organizations that provide medical or health services, bill for healthcare services, and are paid for health care in the normal course of business. 

Examples of healthcare providers under HIPAA are:

  • Clinics
  • Hospitals
  • Pharmacists
  • Laboratories
  • Physicians
  • Nurses
  • Home Health Aides
  • Therapists
  • Mental Health Professionals
  • Dentists
  • Any other person or entity that provides healthcare

Which HIPAA covered entities do not qualify for the telehealth enforcement discretion during COVID-19?

Health insurance companies — Health insurance companies that pay for telehealth services but do not provide them are not considered covered entities for the telehealth Enforcement Discretion. Covered entities are healthcare providers only.

What patients can healthcare organizations treat under the telehealth enforcement discretion for COVID-19?

Any patient — HIPAA covered health care providers can treat any patients they normally service using telehealth or telemedicine — with no limitations. This includes both COVID-19 and non-COVID-19 related telehealthcare services. 

It also includes both patients that receive Medicare or Medicaid benefits and patients that don’t. (Any telehealth restrictions imposed by Medicare or Medicaid do not limit the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.)

What is telehealth according to the HHS?

The HHS defines telehealth as the use of “electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” 

This includes technology such as:

  • The internet
  • Video conferencing software
  • Streaming media
  • Storage and forwarding of images
  • Landline communication
  • Wireless communications — audio, text, imaging, video.

But this doesn’t mean that healthcare providers can jump on any platform. The OCR specifically states that providers must use non-public facing applications.

What are non-public facing applications?

Non-public facing communications are communications platforms designed to allow only specific parties into the telehealth conversation. Non-public facing communications should use end-to-end encryption and support individual user accounts and login credentials.

Examples of non-public facing remote communication platforms with end-to-end encryption:

  • WhatsApp
  • Telegram
  • FaceTime
  • iMessage
  • Signal
  • Facebook Messenger Secret Conversations (iPhone, iPad, and Android only)
  • Skype Private Conversation
  • SnapEngage LiveChat

Examples of non-public facing remote communication platforms without end-to-end encryption:

  • Google Hangouts
  • Facebook Messenger
  • Skype


What are public facing applications?

Public facing applications are not allowed under the Notification of Enforcement Discretion for Telehealth. Public facing technologies are open to the public and are not considered private. Examples of public facing communications are:

  • Facebook
  • TikTok
  • Slack

What are HIPAA compliant telehealth vendors?

HHS also notes that healthcare providers who want additional telehealth privacy should seek out technology vendors that are already HIPAA compliant and are willing to enter into a business associate agreement (BAA) with covered entities.

The HHS website lists some technology vendors that may have HIPAA compliant communication products. But OCR has not reviewed them. Nor does it certify or recommend them — or any other specific technology.

Even though the OCR assures covered healthcare providers that they will not be penalized for using less secure tech communication products during the Public Health Emergency, it advises telehealthcare providers that they should make an effort to use end-to-end encrypted technologies and inform patients of privacy risks when they can’t.

How long will the HIPAA telehealth rules for COVID-19 last?

The Notification of Enforcement Discretion for Telehealth will last as long as the declared Public Health Emergency during COVID-19 lasts. A Public Health Emergency lasts until the HHS Secretary determines that the Public Health Emergency is over. He can extend it for additional 90-day periods, but ultimately, the protection against HIPAA penalties for telehealth ends when the Secretary says it does.

What happens if the Public Health Emergency officially ends, but healthcare providers still need to use telehealth?

This is a situation that all HIPAA covered healthcare providers should be aware of. 

While the HHS Secretary may declare a national Public Health Emergency terminated, healthcare providers may still find that they are dependent on telehealth and telemedicine in their regional areas to service patients — coronavirus related or not. 

Healthcare providers who are dependent on non-HIPAA compliant technologies to service their patients may find themselves in a grey zone when it comes to HIPAA sanctions or penalties.

The best way to prepare for this is by integrating HIPAA compliant technology today with a Business Associates Agreement in place. Otherwise you may find yourself scrambling when the telehealth Enforcement Discretion is terminated.

Contact SnapEngage to learn how we can help you stay HIPAA-compliant through COVID-19 and beyond

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. We’re set up to address your needs through COVID-19 and beyond. For example, our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and staff to answer questions quickly.

Get set up with the leading HIPAA compliant conversational platform designed for healthcare today, and you won’t have to worry about continuing to provide exceptional service while staying HIPAA compliant tomorrow.

How To Reduce Coronavirus Business Impact

Coronavirus business impact has been swift, affecting all aspects of business operations. The downstream effects of this viral outbreak are sweeping across the globe. In most industries, budgets are tightening, and ways of working are changing fast. Every day thousands of businesses are banning travel and directing employees to work remotely. The right technology solutions can help businesses stay connected during uncertain times.

Outside of travel and restaurants, other verticals hit particularly hard by Coronavirus (COVID-19) include General Corporate, Healthcare, and Government. These verticals are experiencing a tsunami of requests. An unprecedented number of calls and emails are inundating companies.

How business is adapting to limits on physical presence


Businesses are experiencing a significant increase in calls and emails from customers, patients, and citizens. Many businesses aren’t able to respond to incoming requests in a timely fashion. In addition, employees are being directed to work from home.

An intelligent mix of live chat and automation, like the SnapEngage COVID-19 Symptom Checker bot, is helping over-burdened staff address customer and employee concerns, thereby stemming Coronavirus business impact.

Moneypenny, a leading answering service in the UK and US serving over 50,000 businesses, has already seen the impact of Coronavirus on their clients. According to Joanna Swash, its Chief Executive Officer, clients are preparing to close offices and work remotely, and they are turning to Moneypenny for help with remote operations and agents.

“Coronavirus is forcing us to change the way we work at an unprecedented rate. With businesses making preparations to operate remotely, chat offers a flexible, real-time method for high volume communication. In fact, it’s ideal for homeworking because it’s cloud based, multiple team members can manage chats and the chat box can be hidden whenever they’re not available.” ~ Joanna Swash, CEO at Moneypenny

In recent months Moneypenny has experienced a 33% increase in chat volume and Coronavirus is now accelerating this trend. More and more businesses are also approaching Moneypenny for help with business continuity preparations – keeping customers away from telephone switchboards and instead triaging their questions quickly online. Swash believes this trend will continue, even after Coronavirus (COVID-19) stabilizes.

More government agencies are using live chat

Local and national government agencies are rapidly going through contingency planning exercises in light of the Coronavirus (COVID-19) pandemic. Their strategies are leading to changes in the way they operate. Government agencies are using live chat to handle increased inquiries from the public. Rather than coming into crowded government offices, these agencies are encouraging citizens to ask tax, utility, health, and other questions directly over chat.

“I have today asked our IT department to raise an order for additional live chat technology to allow us to expand our chat offering and flex some of our working arrangements.” ~ UK Public Sector Organization

Healthcare is leaning on tech to slow Coronavirus impact

There is no doubt that the impact of Coronavirus (COVID-19) on healthcare is unprecedented. Hospitals and healthcare clinics are already challenged. The time factor with Coronavirus, especially for vulnerable patients, goes from general concern to life-threatening very quickly. Many healthcare providers are using live chat and bots to assist with rapid response triage, while building patient trust at the same time.

Triage: understand a patient’s situation before making an appointment

Automation and live chat can help providers quickly determine which patients need help right away, and which can wait. With SnapEngage, providers can create automated Pre-Chat and Proactive Chat dialogues that anticipate clients’ needs in this trying time and stretch the customer service ability of business staff.

Deaconess, a leading health system in Evansville, Indiana, uses the SnapEngage Proactive Chat and Chatbot API features to offer a Coronavirus Symptom Checker. The chatbot offers a sequence of questions and answers to help patients understand their options.

“The ability to quickly identify patients in need of urgent medical care is more important than ever. The SnapEngage Guide Bot and other automation features can save healthcare staff significant time by answering common questions up-front.” ~ Sofia Rossato, CEO at SnapEngage

Trust: protect patients with HIPAA compliant chat

There are many live chat solutions on the market. Most are not HIPAA compliant. In a time of crisis, healthcare providers must answer questions quickly. It is frustrating for a patient with symptoms to be told that they cannot share personal information over chat.

SnapEngage was the world’s first HIPAA compliant chat platform. Patients can share personal information and rest assured that their data will be protected. Patients and staff can feel comfortable knowing that the communication channel is safe. Healthcare providers are increasing their use of HIPAA compliant chat to improve the patient journey, patient loyalty, and time to resolution.

“In the current climate, people need reassurance and the quickest way to give them that is by being available – from anywhere, at any time. Live chat is a product of our ‘always on’ world and now it’s facilitating continuous communication to keep people safe and informed. I’d urge any business to assess their current provision and act now.” ~ Joanna Swash, CEO at Moneypenny

How to scale communication during a pandemic

Businesses that can address customers’ needs the quickest in times of uncertainty will secure brand loyalty for years to come. Overloaded customer service staff manning the phones and emails simply won’t be able to scale. Many companies will experience a reduction in staff due to school closures, lack of home support, quarantines, and, unfortunately, illness.

Try these strategies for reducing the Coronavirus business impact. That means lowering time-to-resolution and scaling your support operations quickly.

  • Automate important messages with Proactive Chat
  • Guide visitors to the right location on your website quickly using Guide Bot
  • Outsource live chat agents with trusted partners like Moneypenny

Bonus: a quick way to stretch communications systems

How can you address your potential staff shortages? Here’s a quick change you can make today: include an option to chat in all of your emails for quicker support.

Contact SnapEngage to learn how we can help your business reduce the impact of Coronavirus (COVID-19). Access the Help Center for detailed tips and tricks.


Anticipate Patient Needs with HIPAA-Compliant Live Chat to Gain Trust

Adopt Live Chat and Foster Loyalty

The patient journey doesn’t begin and end with an office visit. Ongoing care means accessible and effective communication. Adopt Live Chat to anticipate patients’ needs and personalize their experience.

The core of patients’ needs lies in being understood. When your patients believe you’re familiar with their needs, you’ve won half the battle. Live Chat allows your agents to see what patients are typing before they submit their request.

Solidify loyalty by providing patients with options that respond to their situation. When you enable patients to connect with your agents online or by phone — without exiting the chat — you assure them that their needs will be met. 

Allowing patients an easy way to connect with the same agent gives them a sense of ease. They trust that you know who they are. Patient trust and loyalty are the drivers of retention and growth.

Anticipate patients’ needs and respond in real time

  • Connect with more patients more often to build trust and loyalty.
  • Build long-term loyal relationships with your patients to drive greater use of your products and services.
  • Reward returning visitors or patients with personalized messaging. 
  • Answer their questions faster by seeing what they type before they submit their request. 
  • Give patients the option to call the same agent directly from within the chat.


Adoption toolkit 

By adopting these HIPAA-compliant chat tools, you can provide patients with an exceptional experience.

  1. Collect information beforehand with a Pre-Chat form. The form is extremely customizable. You can maximize the patient experience by collecting critical information before the chat begins. Eliminate misrouted calls and patient frustration. Give patients the option to skip the form and reduce patient wait times with Proactive Chat.
  2. Give your agents a heads up with Sneak Peek. Your team can respond more precisely if they can see what patients are typing before they hit send. Patients will see “…” while your agents are typing. If an answer takes longer than 60 seconds, you can automatically inform patients that an answer is in the works with a Shortcut.
  3. Resolve complex issues quickly with the Call Me feature. Enable Call Me to allow patients to speak with your agents on the phone or online with a headset (speakers/mic) without closing the chat. Unlimited calls are allowed. Patients feel heard and agents can resolve problems quicker. 

Tools for success recap

  • Collect key information before starting a chat with a Pre-Chat Form
  • …but don’t require the form if they are about to leave, with Proactive Chat
  • Reduce patient wait times with Sneak Peek
  • Resolve complex issues quickly with the Call Me feature


Sample workflow

Adopt your Live Chat toolkit to build loyalty

SnapEngage offers a suite of HIPAA-compliant professional service packages designed to increase organizational efficiency, answer queries faster, and gain a larger presence with patients. 

Staff and physicians spend less time searching for patient data and routing calls. Patients are safe from being trapped in the accidental runaround.

The goal? Remove all patient obstacles in a less work intensive way. With chat support it’s quicker, easier, and more accessible.


What Happens in a HIPAA Violation?

The Office of Civil Rights (OCR) reviews thousands of HIPAA cases every year. In 2018, companies in violation of HIPAA were fined $28.7 million. Here are some of the reasons those companies had to pay the fines.

  • An unencrypted laptop storing ePHI was stolen from an employee’s residence
  • An employee lost some unencrypted USB drives storing ePHI
  • ePHI wasn’t encrypted on enterprise-wide systems
  • A hospital allowed filming onsite without obtaining authorization from patients
  • A doctor disclosed PHI to a news reporter
  • A company didn’t have a business associate agreement in place with a vendor
  • A company didn’t make sure its vendor was in compliance; the vendor held unsecured ePHI in a web-based system
  • A company failed to properly respond to a patient’s request to send their ePHI to a third party

All of these violations could have been avoided by practicing periodic HIPAA risk assessments and compliance reviews to check possible points of failure in tech, employees, and business practices. 

Can anyone file a HIPAA complaint against you?

No matter how compliant you are, anyone can submit a HIPAA complaint against you, whether you have violated HIPAA or not. The OCR makes it easy for anyone to submit a HIPAA complaint with just a few clicks. Complaints can be filed online with the OCR directly, or with your own Compliance Officer. This isn’t meant to shock you, but to give you a sobering look at what to expect when it happens so you can be prepared.


What happens when HIPAA receives a complaint?

When the OCR receives a complaint, they review it according to the HIPAA Enforcement Rule to ascertain whether it violated the Security or Privacy rule, or whether any criminal activity was involved. If the complaint wasn’t filed within 180 days of the alleged violation or OCR believes the complaint didn’t violate any rules, it’s dismissed. 

If criminal activity is detected in violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), the OCR will refer the complaint to the Department of Justice for investigation. If there is no criminal activity but a possible violation of the Security or Privacy rule, then the OCR will open an investigation.


What happens in a HIPAA violation investigation?

If the OCR decides to investigate a HIPAA complaint, it will contact the company named in the complaint and the person who filed the complaint. At this point, the OCR will gather evidence from both parties. They will ask you for a copy of your company’s policies and procedures, risk assessment history, and any other HIPAA compliance review material that may be relevant. This is where you can nip complaints in the bud if you are prepared.

The OCR will review the information and determine whether or not the Privacy or Security rule was violated. If the OCR doesn’t find any violations of the HIPAA rules, it resolves the case. If it sees evidence of noncompliance, it takes action in one or more of the following ways:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.


What is voluntary compliance?

In many cases, the company knows what went wrong by the time the OCR has contacted it or at least learns what went wrong. It’s not uncommon for a company and its business associates to fix the problem while the investigation is ongoing. The OCR will even offer technical assistance if needed. 


What is corrective action?

Cases that require corrective action can sometimes take years to investigate, depending on their complexity. The company or business associate will have to make corrections to their HIPAA Privacy and Security policies, procedures, safeguards, and training. Corrective action often comes with a Resolution Agreement. 


How does a Resolution Agreement work?

A Resolution Agreement is a signed agreement between a non-compliant company or business associate and the HHS. The agreement can impose a fine and require monitoring from one to three years — the company has to make periodic reports to the HHS.


An example of a basic HIPAA Violation that cost an SME $85,000

Company:  Korunda Medical is a healthcare company that offers primary care and pain management to approximately 2,000 patients annually. It has a central office, five satellite offices, two primary care physicians, and five interventional pain physicians.


What happened?  A patient asked Korunda several times to forward his or her records to a third party in a particular electronic format. 


What did Korunda do wrong?  Korunda dragged its feet on the request, charged more than the reasonably cost-based fees allowed under HIPAA, and didn’t provide the records in the requested electronic format.

What rule did Korunda violate? Individuals’ Right under HIPAA to Access their Health Information (45 C.F.R. § 164.524).

What action was taken?
Initially, the OCR provided technical assistance to Korunda to teach them how they were supposed to respond to the request — and closed the case. 


Why did Korunda get fined? The OCR received a second complaint about the same thing four days after it had provided the technical assistance to Korunda.


How was the case resolved? Korunda entered into a Resolution Agreement requiring an $85,000 fee and one year of a monitored Corrective Action Plan during which Korunda was ordered to:


  1. Revise policies and procedures within 30 days and prove it. 
  2. Create and present training materials within 60 days. 
  3. Submit a list of all the patient requests for PHI, the dates, particulars, and the cost every 90 days.
  4. Report any employee who failed to comply within 30 days.
  5. Submit an Implementation Report summarizing progress within 120 days.
  6. File an Annual Report within 60 days of the close of the one-year monitoring period.

How much are the fines for HIPAA compliance violations?

Most Privacy and Security Rule investigations are resolved informally with technical assistance or Resolution Agreements. If the OCR decides to impose a civil money penalty (CMP), companies can either pay the penalty or request a hearing with an HHS judge if they disagree. If the judge rules that the fine is justified, companies can then appeal to the HHS appeals board within 30 days.


HIPAA has four levels of fines depending on the severity of the violation. Penalties can be imposed each year, every year, for each violation category. Violations that involve willful neglect (Levels 3 and 4) can lead to criminal charges.


  1. Had no idea they violated HIPAA: $100-$50K per violation, $25K max per year.
  2. There is reasonable cause to believe they knew they violated HIPAA: $1K-$50K per violation, $100K max per year.
  3. Showed willful neglect of HIPAA rules but corrected the violation within 30 days: $10K-$50K per violation, $250K max per year.
  4. Showed willful neglect of HIPAA rules and failed to correct the violation within 30 days: $50K per violation, $1.5M max per year.


What’s the best way to avoid a HIPAA fine?

Your best defense against HIPAA enforcement and fines is to assume that you’ll have a HIPAA complaint filed against you at some point. Why? Because a HIPAA complaint opens the door to an audit where additional violations could be discovered. 

Even if the original complaint ends up being false, the ensuing investigation and audit could uncover other HIPAA violations resulting in fines. Organizations that are merely box-checking for compliance could get in deep trouble here. 

By assuming that you could be audited at any time, you’re more likely to stay on top of your HIPAA compliance reviews with periodic risk assessments. It’s better if you find all of your possible points of failure and correct them yourself before an OCR auditor does.


How SOC 2 Reports Ensure Cloud-based Data Security

Business today means cloud-based data processing. Companies that outsource to SaaS cloud-based service providers need to make sure that their integrity is maintained throughout their entire data supply chain. In this era of increased data privacy legislation, if your service provider isn’t compliant, you can be held liable and risk damage to your brand. 

SOC 2 audit reports were designed for business associates such as IT-enabled SaaS and cloud computing service providers that store data in the cloud. They are internally facing audits conducted by an external SOC 2 Auditor. 

SOC 2 is not a regulation like HIPAA, GDPR, or CCPA, and isn’t required for SaaS or cloud vendors. However, for companies that handle electronic personal health information (ePHI) —or any other personal data — SOC 2 is a data best practice. It ensures that a business associate’s data privacy and security policies are in alignment with a company’s data privacy regulations and can be adapted for service providers that need to comply with multiple regulations. 

What is SOC?

Companies that outsource to vendors must make sure that they choose vendors who have effective internal controls. These standards are known as SOC or Service Organization Control. 

SOC reports for service providers are audit reports produced by an independent auditor that prove vendors meet the requirements of the companies that do business with them. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. They are not upgrades of each other but different kinds of reports.

SOC 1 focuses on a service provider’s financial reporting, whereas SOC 2 and SOC 3 both scrutinize a vendor’s security and data protection. The difference between SOC 2 and SOC 3 is restricted use. A SOC 3 report can be openly distributed, but a SOC 2 report is internal and limited to the vendor and the company requesting it from the vendor.

Today, any company that stores customer data in the cloud should strive to meet SOC 2 requirements to minimize the risk of unauthorized exposure and liability. 

What is SOC 2 Compliance?

The American Institute of CPAs (AICPA) designed SOC 2 for outsourced IT-enabled SaaS and cloud computing service providers that handle a company’s data. At its core, SOC 2 is primarily an auditing procedure that ensures SaaS and cloud-computing providers securely manage data to protect both the privacy of a business’s clients and its interests. 

But SOC 2 is more than just a technical audit. It also establishes strict criteria that vendors must comply with to properly and securely manage customer data, following five Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy.

What are the five Trust Service Principles of SOC 2?

SOC 2 audit reports ensure that companies maintain internal corporate governance, risk management, and regulatory oversight by requiring their service providers to manage data according to these five Trust Service Principles.

1. The Security Principle

Security means the protection of data during its collection, use, processing, transmission, and storage. It also means the protection of the systems that process, transmit, and store the information, which allow the primary organization to meet its goals.

Security can include access controls, network and web application firewalls, two-factor authentication, and intrusion detection to protect data and the data systems against abuse, theft, misuse, breaches, and any other unauthorized access of data and systems.

2. The Availability Principle

Availability refers to the accessibility of the systems, data, services, and products as outlined in the service level agreement (SLA) with a company to manage its daily business processes. 

The availability principle isn’t focused on functionality and usability, but rather on the systems themselves, such as controls to support accessibility for operations and monitoring network performance. For example, a backup site failover plan, should any incident occur that impedes the availability of systems, would be governed by the availability principle.

3. The Processing Integrity Principle

The processing integrity principle has to do with whether a system is doing its job by processing data that is complete, valid, accurate, timely, and authorized. Processing integrity is more concerned with the processing behavior itself rather than the integrity of the data. However, systems should function free of error, delay, omission, and any unauthorized or accidental manipulation of data.

4. The Confidentiality Principle

The confidentiality principle governs a company’s ability to protect its confidential information throughout the data lifecycle until the data’s removal. Confidentiality is not the same as privacy in that privacy deals with personal information. In contrast, confidentiality — while it can include personal information — is intended for information that a company needs to control, such as intellectual property. 

Confidentiality requirements included in contracts or legal clauses would also fit under the umbrella of the confidentiality principle. Other information might be trade secrets, proprietary information, business plans, or sensitive financial information. Protections under this principle may involve encryption, firewalls, access controls, and any other safeguards for information processed or stored on systems.

5. The Privacy Principle

The privacy principle focuses entirely on personal information that is collected, used, stored, disclosed, and disposed of in line with a company’s objectives and privacy policies. 

Personal information is any information that can identify an individual. Personal information can include a name, home or email address, ID numbers, physical characteristics, purchase history, medical or health history, financial information, IP addresses, or biometric identifiers, and other identity indicators. Electronic personal health information (ePHI), as outlined by HIPAA, would fall under the privacy principle.

The SOC 2 privacy principle follows the criteria established by the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles that manage and prevent privacy risks. 

What are SOC 2 Reports?

SOC 2 has two different report types that are the output of SOC 2 audits by external auditors. A SOC 2 Type I report assesses and reports on the design and functionality of a service provider’s system controls at a given point in time. A SOC 2 Type II report tests and reports on a service provider’s controls over a period of time (a minimum of six months), which attests to the operating effectiveness of its system controls.

Companies can request SOC 2 reports from SaaS or IT-enabled cloud service providers to assess and monitor any risks associated with a third party’s technology services. Vendors can also request the audits and reports on themselves. SOC 2 reports give companies vital information about how vendors manage data and maintain controls around their systems and processes involving sensitive data.

To put it simply, when a business associate is SOC 2 compliant, companies feel more confident trusting it to handle their data. For companies that handle electronic personal health information (ePHI) and are subject to HIPAA, or that need added privacy and security controls to meet other data privacy regulations, SOC 2 reports add another layer of assurance against violations or data breaches.


What Happens in a HIPAA Breach?

Even if you’re HIPAA compliant, you’re not immune to data breaches. In today’s increasingly digital environment, data breaches are a common and unfortunate occurrence. The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), understands this. If you have a breach, it doesn’t necessarily mean it was a result of a HIPAA violation.

However, under HIPAA, there are specific steps you need to take to mitigate any risk to the HIPAA protected health information that you hold and process in anticipation of a breach. And if you do experience a breach, there are specific protocols you should follow depending upon the severity of the breach. The best defense for a data breach is preparation.

What is a data breach according to HIPAA?

According to HIPAA, a breach occurs when electronic protected health information (ePHI) is used or disclosed in any way that compromises its security or privacy in violation of the Privacy Rule. For a leak of information to be considered a breach under HIPAA, the information exposed must be unsecured. Unsecured ePHI is ePHI that hasn’t been “rendered unusable, unreadable, or indecipherable to unauthorized persons” by encryption or destruction of the data.

How can you avoid HIPAA violations in the event of a breach?

You can avoid HIPAA violations if you’ve made a thorough and continuous effort to stay in compliance before any breach occurs. This means you do periodic risk assessments and have made sure that all ePHI – whether at rest or in transit – is encrypted to NIST standards so that the data is unreadable, undecipherable, and unusable by unauthorized parties if there is a breach.

Many data breaches go unnoticed because companies fail to conduct regular risk assessments and so never catch them, which increases their chances of being charged with a negligence-based violation.

Companies must train all staff and have written protocols in place for personnel to follow in the event of an emergency, security, or data breach.

If there is a breach, but the ePHI is secured because it is encrypted to the extent that it is unreadable, undecipherable, and unusable by any unauthorized parties, you may not be subject to the Breach Notification Rules. However, you should still do a risk assessment. It will be up to you to recognize the severity of a breach to be able to take the correct action under HIPAA and to prove to the HHS that you did.

The burden of proof is on you

If you have a breach, you’ll have to be able to prove to the HHS either that the ePHI was unusable and did not constitute a breach, or that you’ve responded appropriately by sending out all of the breach notifications required under HIPAA.

The HHS strongly urges covered entities (you) to perform a risk assessment if you suspect a breach. The goal of the risk assessment is to discover the following:

  • If unsecured ePHI was improperly viewed or obtained.
  • The type and amount of ePHI involved, including which personal identifiers it contained and what kind they are (name, medical record numbers, etc.).
  • The possibility that data de-identified by encryption (so that it no longer identifies an individual) could be re-identified by an unauthorized party.
  • The identity of the unauthorized party who is responsible for the breach or who received the data (if possible).
  • The extent to which you were able to mitigate any damage caused by the breach.

If the HHS does an audit and finds that there may have been some impermissible use or disclosure of ePHI that you didn’t report, they’re going to ask you why.

Your risk assessment is your only defense against appearing culpable. It’s also how you might find out whether your situation falls under one of the three exceptions to a breach of ePHI. These are situations where you might not be found liable for a violation:

  1. Unintentional access, acquisition, or use of ePHI by an authorized employee while doing his or her job.
  2. Accidental disclosure of ePHI by one authorized person to another authorized person.
  3. Disclosure of ePHI by an authorized person who believed that the unauthorized person who received the ePHI wouldn’t be able to view, use, or retain it.

How do you perform a HIPAA Risk Assessment?

A risk assessment can help you identify risks and vulnerabilities so that you can develop and implement administrative safeguards and protections that keep ePHI secure under the HIPAA Security Rule. The US Department of Health & Human Services (HHS) offers guidance on risk assessments on its website, as well as a Security Risk Assessment (SRA) Tool that walks you through the risk assessment process. HIPAA recommends that you perform risk assessments annually and any time you implement new work procedures, update systems, redesign programs, or experience a security incident like a data breach.

What is the HIPAA Breach Notification Rule?

If you have a breach, but your risk assessment has determined that ePHI is secured (encrypted), you might not be subject to the Breach Notification Rule. But if there is any chance that unsecured ePHI was improperly used or disclosed, you have to follow specific notification rules to stay in compliance.

Victim notification letter:

You must notify each person whose ePHI is suspected of having been accessed, acquired, used, or disclosed within 60 days from the day of discovery of a data breach (unless law enforcement requests a delay of notification to investigate criminal activity). The breach notification letter for affected individuals can be created on the HHS website once you have the details of the breach. The letter must include the following information:

  • What happened and the date it happened — Breaches are considered “discovered” the same day that the breach is known or should’ve been known if you were exercising diligence under HIPAA.
  • A description of the PHI involved in the breach
  • Steps affected individuals can take to protect themselves further
  • A description of what the covered entity is doing to mitigate the breach
  • Contact information for affected individuals to find out more information

Notification to HHS Secretary:

You must notify the Health and Human Services Secretary of any breach. Companies can report a breach on the OCR Website.

  • If a breach affects more than 500 victims, you must report the breach to HHS and the media. OCR will display details about the breach on its website (known in the industry as “the wall of shame”; you don’t want your name on this wall).
  • If the breach involves fewer than 500 people, you must report it to HHS within 60 days of the end of the year in which the breach occurred.

Business Associates notification:

Business Associates must notify the covered entity if ePHI is suspected of having been accessed, acquired, used, or disclosed in a data breach.

For more details and guidance on the HIPAA Breach Notification Rule check out what the HHS has to say.

How significant are the fines for noncompliance resulting in a breach?

If the Office for Civil Rights (OCR) concludes that a HIPAA breach occurred because of noncompliance, the severity of the penalty will depend upon the extent to which it finds a company negligent.

HIPAA has four categories for violations. Fines can be imposed each year, every year, for each violation category. The four tiers of penalties depend upon the severity of the violation. Cases involving willful neglect (Tier 3 and Tier 4) can lead to criminal charges. Breach victims can also file civil lawsuits against covered entities.

Tier 1: $100-$50K per violation. $25K max per year. Unaware of the HIPAA violation and even by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Tier 2: $1K – $50K per violation. $100K max per year. Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.

Tier 3: $10K-$50K per violation. $250K max per year. Willful neglect of HIPAA rules with the violation corrected within 30 days of discovery.

Tier 4: $50k per violation. $1.5M max per year. Willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.

Keep your name off of the wall of shame

As everything we do becomes more digital, you’re better off expecting a data breach than thinking it won’t happen to you. Breaches will be a part of life and business and the best thing you can do to protect your brand and your clients is get in front of them. If your HIPAA compliance needs a bit of dusting off, check out our HIPAA Compliance Checklist for 2020 and make sure you’re ahead of the game.

GDPR: What US Companies Need to Know

Do you know whose data you have?

When the General Data Protection Regulation (GDPR) became law on May 25, 2018, it raised the bar on standards for data protection and security around the world. It also set off a massive ripple of global privacy laws that are changing business — and how we use the internet — forever. 

A common misconception by US companies is that the GDPR only applies to companies in Europe. If you’re a US company, GDPR directly applies to you today if you fall into one of these categories.

  • You have offices in the EU
  • You have offices in the US but customers around the world
  • You are a B2B company in the US that has EU clients

More specifically, if you collect or process the data of any EU citizens residing anywhere in the world, you need to pay attention to GDPR. 

GDPR caught a lot of US companies off guard. 42% of US sites are still blocking EU customers because they weren’t prepared to comply with GDPR. That’s a nice-sized market share just waiting to be tapped by whoever gets there first.

Why all US companies should pay attention to GDPR

Understand that the GDPR is currently setting the framework for a rash of privacy legislation that is sweeping the US and the globe. It’s raising service, transparency, and accountability to levels that previously didn’t exist. Consumers are aware of these laws which means consumer trust is becoming an essential feature of brand ethos.

The biggest mistake US companies can make is to think of data privacy law as something restricted to Europe. It’s already here. The sooner US companies get in front of the standards set by the GDPR, the easier it will be to comply with any other privacy laws that become relevant to a company’s jurisdiction.

Privacy laws are being enacted in the majority of the states. One of the strictest privacy laws to pass in the US so far is the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. 

What does GDPR do?

GDPR gives ordinary people an unprecedented amount of control over the personal information organizations can collect, retain, and process. It grants individuals the privacy and security of their personal data as a fundamental human right. 

All organizations operating within or outside of the EU that deal with any data of EU citizens, directly or indirectly, must have a lawful basis for collecting and processing personal data. Along with this required legal basis comes the responsibility of keeping that data safe and responding to a consumer’s request to amend, delete, or obtain a copy of it.

What is personal information under the GDPR?

  • Names, addresses, phone numbers, ID numbers, bank details, etc.
  • IP addresses, cookies, tags, pixels, email addresses, user names, Instagram and Facebook posts, Tweets, stories, etc.
  • The following data has special rules and companies need to be very careful with it — biometric data; health data, both physical and mental; racial or ethnic data; political opinions; philosophical or religious beliefs; trade union membership; and sex life and sexual orientation (Article 9(1)).

When is it legal to collect and process personal information under GDPR?

Before you can ask for and collect anyone’s personal data, you need to have a legal basis for its collection and use — the GDPR outlines six lawful bases for collecting and processing someone’s information:

  1. Consent: The user has given you explicit consent to process specific data for a particular reason.
  2. Contract: You need to collect and process data to carry out a contract you have with the user.
  3. Legal obligation: You need to collect and process data to comply with the law.
  4. Vital interests: You need to collect and process data to save someone’s life.
  5. Public task: You need to collect and process data to complete a job that is in the public interest, or part of your official functions as a public officer, and the job has a clear lawful basis.
  6. Legitimate interests: You need to collect and process data for your legitimate interests, or the legitimate interests of a third party — unless that interest is overridden by the fundamental rights and freedoms of the user granted by the GDPR.

For most US companies, consent, contract, and legitimate interest are the legal bases that are most applicable. (Legal obligation, vital interest, and public task are designed to cover organizations engaged in public services and health.)

Let’s discuss what consent, contract, and legitimate interest might mean to US companies so that you understand the extent to which you’ll need to redesign how you collect personal data, where you store it, and who you share it with, to comply with the GDPR.

What does consent mean under the GDPR?

Users can’t really give consent to something they don’t understand. The burden of making your intentions clear to your consumers in transparent and understandable language falls on you, the company, entirely. Not only do you have to be completely transparent with your consumer base, but you have to be able to prove to any privacy authorities that you have been. 

All communication with a user regarding their consent needs to be readable by the average person, not just lawyers. This does away with long illegible privacy policies full of legal and technical jargon. It requires companies to overhaul their privacy policies, terms and conditions, disclosures, opt-in boxes, and any other communication regarding a user’s data to comply with GDPR standards. 

What you need to do when you ask for consent

When you ask for consent, it needs to be informed consent. You have to explicitly lay out in everyday language why you want a user’s information and what you intend to do with it.

You also have to advise users of their right to opt out, and to request deletion, correction, transfer, and a copy of their data. Whenever you request consent for a user’s information, you must include the following:

  • Who you are and your contact information
  • The contact of the Data Protection Officer (DPO), if you have one
  • The purpose for requesting the data
  • The legal basis for requesting the data
  • If the legal basis is legitimate interests pursued by you or by a third party, you have to say what those legitimate interests are
  • Identify who else will process data if there are any third parties involved

Two essential points about consent are:

Consent must be freely given: You must be able to prove that consent was freely given. Your request for consent must be in clear and understandable language.

Consent can’t be a precondition to using services: Consent must be separate from all other terms and conditions. This means that there is no longer a legitimate way to bundle a bunch of services and permissions together and simply provide an “I accept” checkbox. Nor can you use a pre-checked opt-in box or any other default method. 

Transparency in privacy policies and opt-ins under GDPR

The first step in transparent and informed consent is revising privacy notices, disclaimers, and cookie notices to include all of the information that the GDPR requires in simple, readable language. The GDPR wants you to inform users of the following:

  • What data do we collect? — Identify what data you collect. Name, email, phone, etc.
  • How do we collect your data? — Explain how data is collected. Forms, opt-ins, web browser, etc.
  • How do we use your data? — Explain exactly how the data will be used. Process an order, email list for additional services, etc.
  • How do we store your data? — Explain how data is stored, its location, and your security features. 
  • Marketing — What 3rd party companies you share data with, and the ability of users to opt-out!
  • What are your data protection rights? — You must inform users of their rights under GDPR:
      • The right to access – Users have the right to know what data you have
      • The right to rectification – Users can ask you to correct their data
      • The right to erasure – Users can ask you to completely erase their data
      • The right to restrict processing – Users can ask you to restrict data processing
      • The right to object to processing – Users have the right to stop you from processing their data altogether
      • The right to data portability – Users can ask you to send their data somewhere else
  • What are cookies? — Explain what cookies are. 
  • How do we use cookies? — Explain precisely how you use cookies. Keep you signed in, track your purchases, etc.
  • What types of cookies do we use? — You must explain every function used under your cookie policy. Functionality, advertising, etc.
  • How to manage your cookies — Give all users the ability to opt-out of any type of cookie functions. Explain how it might affect user experience on your site.
  • Privacy policies of other websites — Explain that your privacy policy doesn’t cover websites you hyperlink to.
  • Changes to our privacy policy — Provide the latest date you updated your privacy policy. Explain how and when you update your privacy policy.
  • How to contact us — Provide email, phone, and physical address.
  • How to contact the appropriate authorities — For the GDPR, this is the Information Commissioner’s Office (ICO). But US companies should also include any other data privacy authorities that may cover their jurisdiction.

What revising your privacy policies means to your business processes

It stands to reason that before you revise your existing privacy notice to a privacy notice that outlines everything you promise to do, you need to have set up both the technical and business processes to be able to do what you say.

To anticipate the changes in purpose and legal basis that occur in data processing, you’ll need to walk through the timeline of all your business processes that involve the collection, processing, and retention of data — who has access to it and why. Then you can be clear about what needs to go into your privacy notices, terms and conditions, disclosures, opt-in boxes, etc.

Can I use legitimate interest as a lawful basis to collect and process data under GDPR?

Legitimate interest may sound ambiguous enough to slip in marketing or tracking cookies or pixels and justify it as a legitimate interest of your organization. However, remember the requirements above for consent? One of the requirements for obtaining consent is letting the user know precisely what your legitimate interest is if you plan on using legitimate interest as a legal basis for data collection. You need to do so in simple language and give them the right to object.

The bottom line here is that there is no sneaky way to get around being completely transparent and upfront with users about why you want their data from the very beginning. 

Can I use contract as a lawful basis to collect and process data under GDPR?

If you’re selling someone a product online, you’re going to need their credit card information. And if you’re delivering that product, you’ll need their address. So, you deliver the product and, for all intents and purposes, no longer need their address to complete the contract. Do you have to delete it?

Maybe you need to keep a record of their address for your accounting procedures. And since you must engage in proper accounting to be able to enter into valid sales contracts in the first place, you could argue that keeping and processing the address is necessary under the same legal basis. 

What happens to data you’ve collected when you’re done with it is still your responsibility

Let’s say the bank processing your customer’s credit card information needs their address to process the payment and also needs to hold onto the address to comply with laws that require the bank to keep this information. Has the legal basis changed? Yes, and you need to be aware of this.

The bank received the address from you, the controller, and it has to retain the data under its own legal obligations. Whether the bank acts as your processor or, as payment providers often do, as an independent controller in its own right, its basis for holding the address it got from you is no longer Article 6(1)(b) contract but Article 6(1)(c) legal obligation. You, as the controller who collected the data, have to anticipate this from the outset and reflect it in your notices and records of processing.

You can’t respond to a user’s request about their data if you don’t know where it is

This example shows why US companies need to walk through their business procedures involving data and look at them in a new light. To stay in compliance, as the company in the data controller role (you collected the information in the first place), you need to walk through your data supply chain so that you know where the data you collect is held, who is processing it, and why.

You must be able to respond to users’ requests regarding their data, and you can only do that when you know where their data is. Only then can you make sure that you are in compliance. Most companies will have to make some changes to how they collect, store, and process data to be able to comply with the GDPR. They will also most likely have to amend their data governance plan and data governance team.

Challenges for compliance with GDPR

One of the biggest challenges companies face in becoming compliant with the data privacy regulations spreading around the globe is that much of the data collected, controlled, and processed today sits in unstructured storage, both on-site and in the cloud. That much of that data is also shared with third-party processors complicates the issue further.

Firms have to be able to locate and quantify the personal data stores they hold to minimize risk. You should only keep the data that is necessary for those business purposes that you can prove you have a valid legal basis for, as discussed above.

Penalties of non-compliance with GDPR

GDPR can impose hefty fines on data controllers and processors for non-compliance. There are two tiers: up to 10 million euros or 2% of worldwide annual turnover, and for the more serious infringements (including the lawful-basis and data-subject-rights provisions discussed above) up to 20 million euros or 4% of worldwide annual turnover, whichever is higher in each case. GDPR also gives individuals a right to compensation for material or non-material damage caused by controllers or processors that violate it.

For those of you who still think these fines won’t apply to you, know that the California Consumer Privacy Act (CCPA) also carries civil penalties per violation and a private right of action for certain data breaches.

Other disadvantages of non-compliance with GDPR

Beyond penalties, the reasons for taking the GDPR seriously are that global consumers and B2B companies already expect you to. If you control or process data, your clients and business associates will be asking if you are GDPR compliant because they can get in trouble if you aren’t.

To put it bluntly, you could lose customers if you are not GDPR compliant. And you may lose trust. It’s harder to regain a customer’s trust than it is to earn it in the first place. You want the PR for your brand to celebrate your accomplishments rather than have to defend your missteps.

The advantages of complying with GDPR

In the long run, taking your company to GDPR compliance level is going to give you a much better understanding of where all the data is in your company. It will also help you become more effective and efficient in your business decisions. Your company will be more prepared to handle any data breach incidents. And you’ll be that much more ahead of the game when local privacy laws in your geographic region of governance take effect.

The upside of being GDPR compliant is that it can give you an edge in your industry, especially if you can beat your competitors to compliance.

In today’s digital business climate, data privacy and security is a huge selling point for those leading the way. Consumer trust is a new realm of marketing that companies need to take seriously. Get a handle on your network infrastructure and business processes, and align yourself with compliant vendors and service providers. You’ll protect the market share you have now, and set yourself up to grow that share tomorrow. 


HIPAA Compliance Checklist for 2020

Check the pulse of your HIPAA program

Whether you’re just getting started creating a HIPAA compliance plan for your organization, or checking the pulse of your current HIPAA program, a road map is always helpful.

The HIPAA requirements are deliberately broad and flexible, because they need to scale from a solo practice to a national health system and to anyone those organizations contract with. This HIPAA compliance checklist aims to do several things.

  1. Introduce you to the language used in HIPAA so that you have a better grasp of the HIPAA Rules.
  2. Help you become more acquainted with the HIPAA Rules and what they require of you if you deal with Protected Health Information (PHI).
  3. Help you determine what areas your organization may need to focus on to become HIPAA compliant by providing a simplified checklist that can point your efforts in the right direction.
  4. Give you some additional tips on how to use the HIPAA Security Risk Assessment Tool to find weak areas in your HIPAA compliance program.

What is HIPAA trying to protect?

HIPAA protects the privacy and security of patients’ Protected Health Information (PHI) in any form, whether spoken, on paper, or electronic. When PHI is created, stored, or transmitted electronically, it’s called ePHI.

As most health information is digitally managed these days, the handling of ePHI is critical. HIPAA requires healthcare organizations to safeguard any ePHI that’s collected, processed, transmitted, or stored, and to make sure that patients can access it and request amendment if it is incorrect, including where it has been corrupted through identity theft or errors.

This compliance checklist will walk you through the more critical aspects of HIPAA so that you can determine what areas your organization needs to work on to get into HIPAA compliance.

What’s the difference between a Covered Entity and a Business Associate under HIPAA?

A Covered Entity (CE) is any health care provider, health plan, or health care clearinghouse that creates, maintains, stores, processes, or transmits PHI or ePHI. Most health care organizations do business with third parties that provide a service or perform a specific function or activity on the organization’s behalf that may involve access to ePHI. Under HIPAA, these third parties are called Business Associates (BA).

Before a Business Associate may access ePHI, it must sign a Business Associate Agreement (BAA) with the Covered Entity. While ePHI is in its possession, the Business Associate is directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to it, essentially the same obligations a Covered Entity has for that data.

Check the boxes of the statements you agree with:

□ We have identified all of our Business Associates (BA) and vendors.

□ We have Business Associate Agreements (BAAs) in place with all of our BAs.

□ We have satisfactorily assessed all of our BA’s HIPAA compliance levels.

□ We monitor and revise our BAAs annually, and anytime there is a change in services.

□ We have Confidentiality Agreements in place with non-BA vendors.

The HIPAA Privacy Rule 

The Privacy Rule sets the standards for who may access PHI and governs its uses and disclosures. If your organization handles PHI in any way, you have to develop privacy policies and procedures that adhere to the Privacy Rule and obtain authorizations where HIPAA requires them.

Use and Disclosure of PHI

□ We acquire and hold HIPAA authorizations for any uses and disclosures of PHI, which aren’t otherwise permitted by the HIPAA Privacy Rule.

□ Our authorizations are written in everyday simple language (no legalese) and clearly explain the precise uses and disclosures of PHI.

□ Our authorizations accurately describe to whom we will disclose PHI.

□ Our authorizations include an expiration date.

□ Our authorizations are signed and dated by the patient.


Individuals Access to PHI

□ We have procedures for providing patients with access to their health information.

□ At an individual’s request, we provide access to and copies of their PHI.

□ We provide copies of an individual’s PHI in the form and format they request, whenever it is readily producible in that format.

□ We respond to an individual’s request for copies of any PHI within 30 days.

□ Our fees charged for requested copies of PHI by an individual are cost-based.


Notice of Privacy Practices (NPP)

The Privacy Rule gives people the right to information about an organization’s privacy practices. HIPAA refers to this as the Notice of Privacy Practices (NPP). While Covered Entities can start from templates for their Notice of Privacy Practices, the notice should be customized to your organization.

□ We have created and customized a Notice of Privacy Practices (NPP)

□ We have provided a copy of our NPP to all patients.

□ We make a good-faith effort to obtain each patient’s written acknowledgment that they received a copy of our NPP, and we document the attempt when an acknowledgment cannot be obtained.

□ We have posted an NPP in a visible and prominent location on our website.

□ We have posted an NPP poster in a visible and prominent location visible to patients in our facility. (If applicable.)

□ We have procedures in place and have trained staff for dealing with complaints and any failures on our part to comply with our NPP.

The HIPAA Security rule 

The Security Rule requires entities to evaluate risks and vulnerabilities and implement reasonable and appropriate security defenses to protect against anticipated threats to the confidentiality, integrity, and availability of ePHI. There are three categories of safeguards in the HIPAA Security Rule:

  • technical safeguards 
  • physical safeguards 
  • administrative safeguards

These are areas you need to assess yourself, with an understanding of what could go wrong in the technical, physical, or administrative functions of your organization that could leave ePHI vulnerable to a breach. You’re basically looking at your IT setup, your office setup, and your staff policies.

HIPAA Technical Safeguards § 164.312

Technical Safeguards concern the technology used both to provide access to ePHI and to protect it. HIPAA won’t tell you how to prepare for compliance, but it will tell you what outcome it expects.

Access control

This section deals with who is authorized to access ePHI and how that authorization is enforced technically.

□ We have an identity management and access controls plan in place.

□ We assign a unique ID to every individual authorized to access ePHI.

□ We can confirm that access to ePHI is restricted to authorized individuals and limited to what their job duties require.

□ We vet all employees before providing authorization to access ePHI and can confirm authorization is appropriate.

□ We have procedures in place to terminate an employee’s access to ePHI if their position changes or they leave our company.

□ We have procedures in place to recover all devices and media holding ePHI if an employee’s position changes or they leave our company.


Audit logs  

Track every user who accesses ePHI on your systems, and record and regularly examine activity in the systems that contain or use ePHI.

□ All of our uses and disclosures of PHI/ePHI are limited to the minimum amount of PHI necessary for the purpose the PHI/ePHI is disclosed. 

□ Our systems are set to log out any user after a period of inactivity automatically.

□ We have created ePHI access logs and monitor them consistently.

□ Our ePHI access logs record both successful and unsuccessful login attempts.

□ ePHI access logs are monitored consistently for unauthorized access to ePHI.
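The two log checks above (failed login attempts and access that goes beyond a user's duties) are easy to state and easy to neglect. As an added example, not part of the original checklist or of any particular EHR product, the script below reviews a small constructed ePHI access log: it flags any user with a burst of failed logins inside a time window, and any successful action on a patient record that the user's assigned role does not permit. The log format, the user-to-role mapping, the permitted actions per role and the thresholds are all assumptions made for the example; real audit logs and role models differ, but the review logic carries over.

```python
"""Added example: a minimal review of ePHI access logs.

Not from the original checklist or from any EHR vendor. The log format,
roles, permitted actions and thresholds below are assumptions made for
the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, action, patient id, outcome.
# "-" means the event is not tied to a patient record (e.g. a login).
SAMPLE_LOG = """\
2020-03-02T08:01:10 nurse.kim LOGIN - SUCCESS
2020-03-02T08:02:30 nurse.kim VIEW P1001 SUCCESS
2020-03-02T08:15:00 billing.raj LOGIN - FAILURE
2020-03-02T08:15:20 billing.raj LOGIN - FAILURE
2020-03-02T08:15:45 billing.raj LOGIN - FAILURE
2020-03-02T08:16:05 billing.raj LOGIN - FAILURE
2020-03-02T08:16:30 billing.raj LOGIN - FAILURE
2020-03-02T09:00:00 billing.raj LOGIN - SUCCESS
2020-03-02T09:01:00 billing.raj VIEW P1001 SUCCESS
2020-03-02T09:05:00 billing.raj EXPORT P1002 SUCCESS
2020-03-02T12:00:00 dr.lee VIEW P1003 SUCCESS
"""

# Assumed role model: the actions each role needs for its job (minimum necessary).
ROLE_ACTIONS = {
    "clinical": {"VIEW", "UPDATE"},
    "billing": {"VIEW"},
}
USER_ROLES = {"nurse.kim": "clinical", "dr.lee": "clinical", "billing.raj": "billing"}

# Assumed detection thresholds.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": None if patient == "-" else patient,
            "outcome": outcome,
        })
    return events


def failed_login_bursts(events):
    """Return {user: max failures seen inside any FAILED_LOGIN_WINDOW}
    for users who reached FAILED_LOGIN_THRESHOLD (sliding window)."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAILED_LOGIN_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def out_of_role_access(events):
    """Return (user, action, patient) for successful patient-record actions
    that the user's role does not permit, or by users with no known role."""
    findings = []
    for e in events:
        if e["patient"] is None or e["outcome"] != "SUCCESS":
            continue
        allowed = ROLE_ACTIONS.get(USER_ROLES.get(e["user"]), set())
        if e["action"] not in allowed:
            findings.append((e["user"], e["action"], e["patient"]))
    return findings


def review(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "out_of_role_access": out_of_role_access(events),
    }


if __name__ == "__main__":
    for name, items in review(SAMPLE_LOG).items():
        print(name, items)
```

On the sample log the review flags billing.raj twice: five failed logins within ninety seconds, followed by a successful login and an EXPORT of a patient record that the billing role is not permitted to perform. Both are exactly the events a reviewer should see without having to read every line, which is the point of "monitored consistently": the log has to be reduced to findings on a schedule, not just retained.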



Integrity

Protect ePHI from being destroyed or altered in any unauthorized way, and be able to tell if it has been.

□ We have controls in place to protect ePHI from being altered or destroyed unless authorized.


Transmission Security 

Encrypt ePHI in transit whenever it leaves your organization’s internal network, and encrypt it at rest wherever that is reasonable and appropriate, using methods consistent with NIST guidance, so that patient data is unreadable, undecipherable, and unusable by anyone who intercepts it, whether an unauthorized employee or a third-party contractor. Guard against unauthorized access to ePHI over any network, including public Wi-Fi.

□ We have assessed whether encryption of ePHI is reasonable and appropriate in our environment. (Encryption is an addressable specification: it can be declined only with documented justification, never simply ignored.)

□ Where we determined that encryption was not reasonable and appropriate, we have documented why and implemented an equivalent alternative measure that protects the confidentiality, integrity, and availability of ePHI.

□ We have controls in place during electronic transmission to safeguard against any unauthorized access of ePHI.

□ We have documented our decisions regarding encryption and electronic transmission safeguards.


HIPAA Physical Safeguards § 164.310

Physical safeguards are designed to protect storage media and the physical places where ePHI is held in an organization.

□ We have procedures in place for the secure disposal of ePHI and PHI.

□ We have procedures in place to render paper PHI permanently unreadable upon disposal (for example, shredding or pulping).

□ We have procedures in place to permanently wipe or destroy all ePHI on devices and media being prepared for disposal or reuse.

□ All devices that hold ePHI and PHI are secure at all times.


HIPAA Administrative Safeguards § 164.308

This section deals with your staff, employees, and any workforce member who comes into contact with ePHI, whether from your own office or a third-party contractor. It also requires you to designate a Security Officer.

Assigned security responsibility 

You need to designate a security official who will conduct risk analyses, monitor audit logs, train the workforce, manage security incidents, and update policies and procedures.

□ We have a designated HIPAA Security Officer.


Security awareness and training

Require security awareness training for all workforce members.

□ All employees attend annual HIPAA training.

□ We keep documentation to substantiate that all employees attend annual HIPAA training.

□ All staff have received Security Awareness training.

□ We keep documentation to substantiate that all employees have received Security Awareness training.

□ We provide staff with periodic updates to reinforce Security Awareness training.


Contingency plan 

These are the requirements for responding to an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that damages systems containing ePHI.

□ We have a contingency plan set up for emergencies.

□ We have developed procedures for responding to emergency situations.

□ We keep an updated, retrievable exact copy of all ePHI so that it can be recovered in the event of a disaster.

□ We have procedures in place in the event of operating in emergency mode to ensure that all critical business processes function.

□ Our contingency plans are updated and tested at regular intervals.


Security incident procedure

Security incidents require a response and reporting whether or not there is a data breach. You need to set up a system to audit and track any security events.

□ We have procedures in place for any security incidents and data breaches.

□ We have the capability to conduct and record investigations of all security incidents.

□ We are able to report all breaches or incidents.

□ Our employees can anonymously report any privacy or security incident and any potential HIPAA violation.


HIPAA Breach Notification Rule 

The Breach Notification Rule applies to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS guidance recognizes only two methods of securing PHI for this purpose: encryption consistent with NIST guidance, and destruction.

□ We have policies and procedures in place under HIPAA Privacy, Security, and Breach Notification Rules.

□ All employees have read and legally attested to the HIPAA policies and procedures.

□ We have documentation of all employees’ written legal confirmation of the HIPAA policies and procedures.

□ We keep documentation for our annual reviews of our policies and procedures.



Covered Entities and Business Associates must periodically audit their own compliance. A commonly used framework breaks this into six annual self-audits for Covered Entities and five for Business Associates (the Privacy Assessment does not apply to BAs).

These audits are entirely self-conducted. Only the Security Risk Assessment (SRA) has official guidance in the form of a tool available on the HHS site; the rest are up to you.

□ We have completed the six annual audits required by our HIPAA compliance program.

□ Security Risk Assessment (SRA) — Risk analysis of the threats and vulnerabilities to ePHI, as required by the Security Rule.

□ Security Standards Audit — Self-audit against the HIPAA Security Rule.

□ Asset and Device Audit — List all devices that hold ePHI and who uses them.

□ Physical Site Audit — Self-audit of the physical safeguards at every location where PHI or ePHI is kept.

□ HITECH Subtitle D Audit — Self-audit against the HITECH Act’s privacy and breach notification requirements.

□ Privacy Assessment (Not required for BAs) — Self-audit against the HIPAA Privacy Rule.

□ We have proof that we have conducted the six annual audits and assessments for the past six years.

□ We have identified any and all gaps revealed in the self-audits.

□ We have documented all areas with deficiencies or gaps.

□ We have created a remediation plan to correct any and all deficiencies or gaps found in the audits and risk assessments.

□ Our remediation plans are fully documented in writing.

□ We review and update our remediation plans annually.

□ We keep copies of our yearly remediation plan for six years.

What is a HIPAA Risk Assessment? 

A risk analysis helps you establish the safeguards your organization needs to protect patient data and comply with HIPAA. It lets you identify risks and then develop and put in place administrative, physical, and technical safeguards, from office rules and procedures to system controls, that keep ePHI secure under the HIPAA Security Rule.

The US Department of Health & Human Services (HHS) offers guidance on risk self-assessment on its website as well as a Security Risk Assessment (SRA) Tool that you can download to guide you through the risk assessment process. 

The SRA Tool walks you through potential threats and vulnerabilities and gives recommendations based on the standards in the HIPAA Security Rule. Keep in mind that the SRA Tool scores risk, not compliance. Also, the desktop SRA Tool is available only for Windows. (There’s an older version of the HHS SRA Tool for iPad in the App Store.)

How does a HIPAA Risk Assessment work?

A HIPAA Risk Assessment helps you identify potential risks to the ePHI that your company creates, receives, maintains, or transmits. It walks you through the required actions you must be able to perform to be in compliance and helps you identify gaps in security that you need to close. The risk assessment for ePHI focuses on several areas:

  • Storage, processing, and transmission
  • Potential threats and vulnerabilities
  • Current security measures
  • Proper use of security measures

It then asks you to make determinations based upon your assessment:

  • What’s the likelihood of a reasonably anticipated threat?
  • What’s the potential impact of a data breach involving ePHI?
  • What are the risk levels for vulnerability and impact?
  • What actions can be taken to improve the security features to mitigate any threats, breaches, or vulnerabilities?

HHS recommends that you perform a risk assessment at least annually and whenever you change work procedures, update systems, or redesign programs.

Disclaimer:  This checklist is merely a guide to direct you toward what you may need to work on to achieve HIPAA compliance. Completing this checklist does not in any way mean you are HIPAA compliant, nor does it give legal advice. Consult a HIPAA compliance professional to ensure your organization achieves and retains HIPAA compliance. 
