6 Ways to Avoid HIPAA Penalties

The OCR (HHS Office for Civil Rights) is now in full swing auditing for HIPAA violations. Hardly a day goes by without news of some covered entity, large or small, being breached. The threat is real, and it requires action to keep you and your practice protected.

Depending on the issue, HIPAA violations can result in penalties ranging from $100 to $50,000 per violation. Violations deemed “willful neglect” carry a minimum fine of $10,000 per violation. The count adds up quickly: a lost laptop or tablet containing the PHI of 2,000 patients may be treated as 2,000 violations. If the breach happened because required safeguards were never implemented, additional penalties can be assessed. To make things worse, covered entities must notify every affected individual, as well as HHS, of any breach of unsecured PHI.

However, you can avoid these penalties entirely if the violation was not due to willful neglect and is corrected within 30 days of the date you knew, or should have known, about it. To stay out of the “willful neglect” category, your practice must make sure it has covered all of the basic requirements.

Here are 6 tips for avoiding HIPAA penalties:

  1. Conduct a regularly scheduled security risk assessment. The first step is to identify and address potential security breaches before they happen. Knowing where your biggest vulnerabilities are is the first step to fixing them.
  2. Require every business associate to sign a BAA (business associate agreement). A proper BAA is not only required by the HIPAA rules, it also helps insulate your practice from HIPAA liability. If a business associate violates HIPAA, you do not want your practice to pay for it, so confirm that the business associate is acting as an independent contractor, not as an agent of the practice.
  3. Implement the administrative, technical, and physical safeguards required by the HIPAA Security Rule. All practices have the policies required by the Privacy Rule, but few have properly addressed these safeguards. Implementing them also has a positive effect on the overall health and performance of your network, and protects the practice both from a potentially disastrous system failure and from the relentless efforts of cyber criminals.
  4. Train your employees and monitor their performance. Your practice can avoid penalties arising from the misconduct of a rogue employee only if it has implemented appropriate policies, trained the staff on them, and enforced them.
  5. Respond immediately to a breach. Correct the underlying violation, or suspected violation, within 30 days of discovering it; the penalty exception above applies only when the violation is not deemed “willful neglect.” Breach notification to affected individuals is a separate obligation and must be made without unreasonable delay, and no later than 60 days after discovery. Corrective actions may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.
  6. Document, document, document. Documenting the actions you took is your defense against HIPAA claims. Covered entities and business associates are required by HIPAA to retain this documentation for a minimum of six years.

Although these steps cannot guarantee that you will never have a security breach, they will help your practice limit the resulting liability under the HIPAA rules. The simple truth is that it is going to become more and more difficult to ignore HIPAA compliance. Expect more audits, and more fines, in the days to come.

Phillip D. Long

Business Information Solutions, Inc.

For more information, email or call 251-923-4027.