Ways to Avoid Fines & Violations Under HIPAA

by | Jan 13, 2016 | Regulatory Compliance, U.S. Private and Emerging Business


Technological advancements have given rise to new issues regarding privacy in Healthcare. It is very important that organizations understand and comply with these frequenty changing Healthcare rules. Failure to comply can lead to hefty fines for your organization. The three important rules that your organization should be aware of are the Security Rule, The Privacy Rule, and the Breach Notification Rule.

Security Rule

The intent of this rule is to create national standards that are used to protect patient’s electronic medical records. This includes any type of information that is created, received, used, or maintained by any covered entity including all subsidiaries and affiliates. In order to ensure compliance it is important to conduct risk assessments and evaluations of the entire organization including any areas that handle electronic protected health information (ePHI). It is equally important to not only assess and evaluate the organization, yet also to implement the necessary steps to access all covered and protected information. It is important for organizations to monitor the implementation to ensure its programming is efficient. Simply having a program in place that is not monitored is insufficient. Failure to ensure that patients electronic health records (EHR) are protected on a broad scale, as well as on the individual level, can lead to fines.

Privacy Rule

The Privacy Rule applies to all health plans where either a group or individual pays the cost of medical care. This includes private entities and government entities along with any subsidiaries that have access to patient records. Healthcare clearing houses, often these are subsidiaries of many other agencies, and they are also required to follow the Privacy Rule. They process data that they receive from other public and private entities and transfer it into standard transactions or data elements. Another group affected under the Privacy Rule is Healthcare providers. This includes all physicians, hospitals and clinics, as well as lawyers, accountants, and billing companies. The Privacy Rule allows a covered provider or a Healthcare plan to disclose protected health information as long as it is used for the purpose in which it was intended. It is suggested that the covered company obtain written assurance from their business associates confirming that they will safeguard patient information and only use it for the intended purpose to comply with their duties under the Privacy Rule.

Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 requires that notification be given in the event of a breach of unsecured protected health information. This applies to anyone who has access to personal health records and all third parties. A breach is the disclosure of health information without permission and therefore, violates the Privacy Rule. It is important to preform risk assessments to determine how the electronic health records of a patient are protected and secured. This is important so that it is clear how one can make any necessary adjustments. However, in the event of a breach it is important to promptly notify the party and make the needed adjustments to prevent a future breach.

While it is impossible to be protected from all types of electronic breaches, there are several things that can be done to help prevent them. Some of these prevention methods include, yet are not limited to the following:

  1. Educating employees about the risks of using work computers for personal email.
  2. Educate employees on avoiding the use of hyperlinks within an email to reduce the chance of an attack.
  3. Create your own suspicious email to help determine who may be at risk and require further education and monitoring.
  4. Make use of the new technology that is available to protect your electronic data.

By adhering to the rules set forth by HIPAA, preforming risk assessments and implementing the necessary changes to protect data, patient’s electronic medical records will be protected and fines can be avoided. If you are unsure whether your institution is compliant and if electronic medical records are sufficiently protected, contact a business attorney to assist you.


  1. Jayanthi, Akanksha. “Why Healthcare May See More HIPAA Fines in the Coming Year.” ASC COMMUNICATIONS 2016, 8 Jan. 2016. Web. 12 Jan. 2016. <http://www.beckershospitalreview.com/healthcare-information-technology/why-healthcare-may-see-more-hipaa-fines-in-the-coming-year.html>.
  2. “HIPAA for Professionals.” HHS.gov. U.S. Department of Health & Human Services, 10 Sept. 2015. Web. 12 Jan. 2016. <http://www.hhs.gov/hipaa/for-professionals>.