
HHS Reports HIPAA Violations and Enforcement Measures are On the Rise


December 29, 2012


Many mental health practitioners have disregarded much of HIPAA and HITECH because enforcement has been lax to date.  However, on 12/14/12, the chief enforcer of HIPAA, Leon Rodriguez, director of the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), reported that his organization is transitioning from an investigative culture to a culture of assertive enforcement.

While OCR states that the agency is committed to “doing enforcement in a balanced way that is coupled with education while still remaining sensitive to business realities,” punitive measures, such as monetary settlements, will become increasingly common in 2013.

Why Now?

A key factor driving greater enforcement is the shift to electronic health records and health information exchange systems. The essential foundation of these systems is patients’ trust in the security of their health records.

Unfortunately, risk assessment and management often present formidable challenges for small mental health practices. It can be helpful to be aware that the most serious security threats are theft, loss and unauthorized disclosure. Therefore, it’s crucial for practices to take the implementation of physical and administrative security measures as seriously as technological ones. To maintain good security, a holistic approach is needed to regularly assess vulnerabilities with people, processes and technology.

For example, it is a surprise to many practicing professionals to learn that they might be a “covered entity” based on their prior actions, and that at this point, it is wisest to assume that one is a covered entity to avoid any problems. It is best to undergo training to fully understand requirements. For instance, text messaging must be conducted using proper privacy and security precautions as dictated by both state and federal (HIPAA and HITECH) law.

As we reported last June, in our article called Why Worry about HIPAA?, the Justice Department is enforcing HIPAA through the enforcement tools put into place by the 2009 HITECH Act, which clarified that criminal penalties apply to individuals and not only to covered entities.

According to statistics from HHS reported in that article, the most commonly identified entities requiring corrective action for compliance have been (in order of frequency):

  • Private Practices
  • General Hospitals
  • Outpatient Facilities
  • Health Plans (group health plans and health insurance issuers)
  • Pharmacies

What are Some Key Solutions for Practitioners?

You may need to demonstrate that you have been using a technology platform that is HIPAA compatible. Such documentation is most easily achieved through the procurement of a Business Associate’s Agreement from all vendors. Other requirements are too involved to detail here, but some include the need to educate staff about their HIPAA duties and ensure their compliance. Documentation of such training for staff is also required. HIPAA requires that a practitioner’s breach notification policy exists, and that it is made available to the public.

What about Using Mobile Devices?

HHS has also recently launched a campaign to help practitioners be more aware of privacy issues with mobile devices. The steps they recommend are: “Decide, assess, identify, develop and train.”

8 years ago

Where can I get a sample or template BA that includes HIPAA and HITECH provisions? We are seeing more indemnification language, cost recovery language, etc. in BAs now than what we feel the BA was originally intended. Thoughts?

Marlene Maheu, Ph. D.
8 years ago
Reply to  Alhoceimi

Go to some of the websites developed by video companies we have listed on this page: https://www.telehealth.org/video and download their BAAs from their websites. Compare them for their BAA language to see if you can find some that are more respectful of your needs. If you do, you might be able to trust those companies more overall, too.
