Chat with us, powered by LiveChat

Follow me on

Consequences for HIPAA Violations

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut their doors during the OCR investigation yet could not escape additional fines and penalties that followed after their doors were closed. The bottom line, HIPAA violations do not stop just because a business closes.

The consequences of HIPAA violations are significant and far reaching. Beyond the financial ramifications, organizations stand to lose their good standing reputation, client/patient trust and their ability to operate a business. It can take organizations months, even years to recover from penalties if they ever do, so why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one of more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate Privacy training for clinical staff which results in a patient complaint regarding disclosing their full identity through a verbal announcement in a waiting area or hospital emergency room.
  • Example of a Unintentional Violation – Commonly this is a symptom of negligence such as: failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI.)
Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive and vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures such as issuing guidance to help the provider fix the areas without issuing a fine however that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision. OCR takes many different factors into account when determining what is the appropriate financial penalty and uses a four tiered approach as shown in the image below. A few of these factors include: number of patients affected, what specific data was exposed and for how long, etc. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

Avoidance is Key

Being that the stakes are high and much is on the line, how does a practice or organization protect themselves against HIPAA violations? Show due-diligence.  The best task to start with is complete a comprehensive, organization wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline knowledge about their security, privacy and breach-notification posture, both CE’s and BA’s operate day to day unaware of their security vulnerabilities which can directly lead to HIPAA violations and data breaches.

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.

We’ve Helped Many Access the LADMF! Need Assistance?

Last May, we wrote a “How To” blog on the Social Security Limited Access Death Master File (LADMF) aka DMF and the response has been overwhelming! The HIPAA One team is delighted by how many of you have come forward and asked us to assist your organization in accessing this file. As the rest of the industry catches up and the need continues to grow, we want to revisit the content again. Being that this file contains critical information for healthcare providers, continue reading on to learn “how and why” HIPAA One can act as an Accredited Conformity Assessment Body (ACAB) for your organization.

What is the LADMF

The DMF is essentially a database maintained by the Social Security Administration and contains over 86 million records on deceased individuals. Used to verify death, the online file has many purposes and is used by a variety of users, including: medical researchers, hospitals, oncology programs (tracking former patients and subjects), investigative firms (payment of pension funds), insurance organizations, etc.

In November 2016, changes were made to the access requirements for individuals or organizations seeking to access the DMF. Due to the sensitive nature of the information coupled with an effort to prevent identify theft and fraud, individuals or entities must now submit a written attestation form an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality and security of that information.

Complete an SRA

In order for a healthcare entity to prove they have the appropriate safeguards in place to access the DMF file, they must complete a Security Risk Analysis (SRA.) Along with a myriad of other benefits; an SRA accurately displays an organization’s safeguards and subsequent remediation plan to correct any deficiencies. By completing an SRA, healthcare organizations prove their commitment to properly securing sensitive information and building an overall “culture of compliance” at their workforce.


As your HIPAA compliance vendor, we are happy to offer our services and act as your ACAB if you used our software to complete your SRA*. However; we are unable to assume that role for clients who conducted an SRA independently or without using our tools.

If your organization meets our requirements and would like us to act as your accredited assessment body to access the DMF, these are the steps you must complete prior to sending us the attestation form:

  1. There is an annual fee for processing the LADMF Subscriber Certification Form, payment can be processed here: Additionally, every three years a processing fee of $525.00 LADMF ACAB Systems Safeguards Attestation Form is required.
  2. After the payment has been accepted, complete and submit the LADMF Subscriber Certification Form at Certification must be renewed each year.
  3. An order number will be assigned to the organization
  4. HIPAA One will then fill out the ACAB form free of chare
  5. HIPAA One will submit the form on behalf of the client to the email provided on the form

*completed within the past 3 years, remote or onsite



Contact us at or call 801-770-1199  to speak with one of our experienced auditors.

Newly Released Whitepaper Co-Authored with Microsoft

The concept of the “Internet of Things” (IoT) is becoming an increasingly growing topic of conversation as  more and more companies are interconnecting everyday objects around us to the internet, such as: medical devices, appliances, voices and faces, HVAC systems, TVs, vehicles, money and health information.  These devices are now enabled to record and exchange data about individuals’ behavior, habits and personal information through the Cloud.

Microsoft Windows 10 Enterprise allows PC users to decide for themselves if they want their Personally Identifiable Information shared with the IoT, or not. In the healthcare industry where cybersecurity, privacy, and compliance can make or break an organization, Microsoft recognizes the importance of supporting these communities by designing our software and cloud services to be flexible, secure and to meet regulatory compliance mandates.

As a core component to Microsoft’s ecosystem, properly configuring Windows 10 for Enterprise not only assists healthcare entities with HIPAA security and privacy compliance, but also introduces numerous security capabilities to help protect sensitive environments against dynamic and increasingly complex malicious cyberattacks, viruses and malware.  Windows 10 Enterprise is highly-evolved with a built-in, deep-level security architecture balanced with industry-leading compatibility to drive improved user productivity.  Threat, Identity, and Information protection risks are significantly reduced by simply by using Windows 10 (you can read about some of Windows 10’s latest enhancements here).

Last year, we partnered with Microsoft and developed a third-party, detailed recommendation on how to configure Windows 10 in a manner that maintains the security of PHI in accordance to HIPAA. It is great excitement that we share the news that the latest version of the “HIPAA Compliance with Microsoft Windows 10” whitepaper including updates found in the most-recent Fall Creators Update is now available. Any of our customers pondering upgrading to Windows 10 will find assurance and value in the recommendations found in this whitepaper, and that the real-world tested configurations will serve as a complement to their security baselines.

Download your copy today!


2017 Deadlines for EHR Incentive Programs

Does your workplace accept any payments from EHR incentive programs like MACRA or Meaningful Use? If so, the fourth quarter is probably a busy time preparing and finalizing documents for submission. At HIPAA One, we understand the amount of extra work that can add to a workforce. Therefore, we would like to provide a little assistance and guidance on the specific HIPAA security risk analysis requirement so there is not any delay in receiving those crucial payments.

Date to Remember

The Meaningful Use reporting deadline for this calendar year is December 31, 2017. To the best of our knowledge, an extension has not been granted – therefore all activities must be completed in the next 6 working days of the calendar year.

HIPAA Security Risk Analysis Requirement

As mentioned above, to qualify for Meaningful Use or MACRA (MIPS) dollars, an annual HIPAA security risk analysis is a requirement for every healthcare provider attesting. If your workplace was to be audited due to a patient complaint, random audit, etc; failure to have a current documented HIPAA risk analysis could result in a mandatory requirement to give back awarded Meaningful Use dollars.

A HIPAA security risk analysis is not only a critical element in building a secure, compliant environment in any healthcare setting but also required under HIPAA. As a reminder, HIPAA requires organizations that handle electronic protected health information (ePHI) to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. (SOURCE:

In order to attest for Meaningful Use, your risk analysis needs to be completed in the same calendar year for which you at attesting. The Final Rule for MU Stage 3 states the following regarding protection of health information: “The measure must be completed in the same calendar year as the EHR reporting period. If the EHR reporting period is 90 days, it must be completed in the same calendar year. This may occur either before or during the EHR reporting period; or, if it occurs after the EHR reporting period, it must occur before the provider attests or before the end of the calendar year, whichever date comes first.” To learn more about the necessary supporting documentation for audits, click here.

There’s Still Time

If this post has increased your heart rate a little or given you reason to worry about the upcoming December 31st deadline, don’t fret! There is still time to complete a bona fide HIPAA security risk analysis using our automated, self-guided software.

Our sales team members would love to answer your questions. Get started now.

Not All Risk Analysis Tools Created Equal

One of our favorite phrases at HIPAA One is “free like a puppy.” Our President, Steven Marco uses it regularly on webinars to convey the sentiment that nothing is ever truly free and there is always some kind of hidden string attached. This sentiment absolutely applies to some of the “free” HIPAA risk analysis solutions in the marketplace today. Regardless of whether you are seeking a spreadsheet/checklist or paid software tool to complete your risk analysis, this post will review what you need to look for and how to spot a risk analysis phony.

Paid Services – External Consultants

Selecting a vendor or tool to complete your risk analysis is an important task and doing your due diligence is KEY. With a few questions and a bit of research, you can help protect your workplace from massive consequences should a patient complain or security issue arise down the line. Just because a vendor makes the claim that they will help you complete a bona fide HIPAA security risk analysis, does not mean that risk analysis would stand up (or pass) in an industry audit.

Before committing to a vendor, consulting firm or paper shredding company (hey, we’ve heard of it before!), it’s important to ask what’s included, wins/losses and assurances. Below is a list of what you need to be looking for in a risk analysis solution or service:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines if your workplace meets each of the HIPAA requirements as selected the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis –Bona Fide security risk analysis which digs into any non-compliant areas along with a calculation tool that addresses which gaps are low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST800-30 rev1 and NIST 800-53 rev 4).
  5. Remediation Plan – This documented plan answers the questions: “Who will do what by when” in regards to remediating gaps in compliance.
  6. Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance by proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year take a new “snapshot” performing steps 2-6 on any changes that happened from the previous year.

Beware! Free Services – ONC SRA Tool

Through the years we have heard many times how many small to medium size practices have two main struggles as it pertains to HIPAA compliance: lack of knowledge and/or training and lack of financial resources allocated to HIPAA compliance objectives. We understand there may be years where you or another member at your workplace will need to look up some free tools online to complete your HIPAA risk analysis manually. As you can imagine, this solution is not ideal due to the fact that many free services or tools do not include the above list of required documentation, regulatory updates or audit protection assures, however, something is better than nothing.

Unfortunately, we are unable to provide feedback on each free risk analysis checklist or spreadsheet available today, however, we would like to spotlight one of them, the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool (SRA Tool.) Back at its inception in 2014, the SRA Tool was recognized in the marketplace as being a rather thorough, good solution for healthcare providers seeking a free tool that covered most of the bases. Now, this three year old solution is outdated and quite frankly, a liability to anyone who uses it. For this reason, we cannot endorse the SRA Tool in good faith as it is truly not a production ready solution and is not updated to meet the updated HIPAA Audit Protocol.

Below is an excerpt from the “SRA Tool User Guide” clearly outlining that the tool does not guarantee compliance with the HIPAA Security Rule or issue any guarantees to an organization in the event of an audit:

Whereas we do not recommend using this tool to complete your organization’s yearly HIPAA risk analysis, the tool can be used for training purposes. Healthcare IT professionals wanting to learn more about risk analysis may find the questions beneficial in advancing their knowledge of HIPAA compliance.

If your organization has not completed your 2017 risk analysis, there is still time! To learn more about the simplest, most-automated and trusted software solution in the industry used by over 5,000 sites to protect their ePHI, CLICK HERE.

Answering the Age Old Question

True or False: Are penetration tests and vulnerability scans one in the same?

If you answered “False” you are correct, however, it can be difficult to understand the difference between the two information security services. Whereas both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.

Before defining the two services, let’s start with an analogy from one of our certified audit support team members. Think of a vulnerability scan as walking around the house rattling doorknobs and pushing on windows to see if they are unlocked or open. These easy security items, much like locking the garage’s back door or basement window, can help ensure your house is secure. A penetration test would be entering into your home through an open window or unlocked door to emulate a burglar breaking in. By completing this exercise, you could expose security vulnerabilities before someone with bad intentions may take advantage.

Penetration Tests

A penetration test simulates the actions of an external or internal cyber attacker (AKA ethical hacker) that strives to breach the information security of an organization. Simply, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.

HIPAA One offers penetration testing and ongoing threat management solutions and tools through our trusted partner, TwelveSec. By partnering with TwelveSec, we are able to provide a wide array of services designed to manage threats against your network including: Assurance Services, Security Management Services and Information Security Training Services.  HIPAA One also offers free, unlimited post-remediation verification for any risks discovered during the Penetration Testing project. For additional information, click here.

Vulnerability Scans

Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network to identify security holes. By checking internet facing devices against “known” Common Vulnerabilities and Exploits (CVEs) a vulnerability scan can detect and classify system weaknesses in computers, networks and communications equipment. Vulnerability scans are configured for safe checks, meaning the scan will only identify known, unpatched security vulnerabilities for the external IP addresses provided and not conduct any denial of service (DOS).  A free example of a vulnerability scan can be found at and focuses on encryption and certificate exchange.

There are many software options that may be utilized for vulnerability scanning as certain tools are specific to the different types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software and one tool may not be all an organization needs. It is fairly standard that a hacker(s) may use anywhere from 6-10 different software scans to speed-up the process of identifying easy ways of bypassing application and infrastructure security controls.

HIPAA One includes a Nessus Professional Feed vulnerability scan with each HIPAA security risk analysis software license. Using Nessus Professional Feed, HIPAA One will run a vulnerability scan on external IP addresses during the course of the HIPAA security risk analysis. For more information or to get started, Contact Us today!



HIPAA & Email

Is it possible to email patients in a HIPAA compliant manner? What can and cannot be included in an email to patients? What does HIPAA have to say about it? These questions have long been on the minds of providers as they attempt to navigate towards greater messaging options without opening themselves up to breaches, penalties or fines. Before determining if HIPAA and email can effectively coexist, let’s take a step back and understand what the HIPAA Privacy and Security rules allow.

HIPAA Privacy Rule

Per the Office for Civil Rights (OCR) of the Department of Health and Human Services webpage, “The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

OCR then goes on to state if the patient reaches out to a healthcare provider using email, the provider can assume that email communication is acceptable. If the provider feels the patient does not understand the possible risks of using un-encrypted email, the provider should alert the patient and ensure that they want to continue with email communications.

Additionally, the Privacy Rule states that patients have the right to request a provider communicate with them by alternative means if reasonable; “For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.” See 45 C.F.R. § 164.522(b).

HIPAA Security Rule

The HIPAA Security Rule does not prohibit the use of e-mail to send ePHI, however, it does outline some standards to protect and guard the integrity of unauthorized access to ePHI. Sited from the OCR website, “However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

Recap of the Privacy and Security Standards:

Providers may e-mail patients but they must take precautions.

Should the patient request his/her provider use e-email, the provider must take the necessary steps to ensure the ePHI is protected.

As a standard practice, providers should warn patients about the risks of e-mail communications.

Information shared over an open network increases the likelihood of unauthorized access.

Best Practices for HIPAA Compliant Email

Below is a list of some best practices to ensure compliant e-mail along with adhering to the Privacy and Security Rules:

  • Encrypt e-mail messages – If the provider is not using a patient portal or e-mail application, encrypt any/all sent e-mail messages and avoid sending any PHI. Additionally, any attachments (specifically those including PHI) should be encrypted as well.
  • Capture each patient’s consent to receive communication by email – Include a communication consent form within the patient on-boarding forms to verify communication preferences and allow patients to opt in or out of e-mail correspondence.
  • Utilize a secure, HIPAA compliant email application – There are many email applications and servers designed to offer providers a HIPAA compliant e-mail offering.
  • Message patients through an EMR portal – A secure EMR portal is the perfect place to send HIPAA compliant messages to patients. Patients may log in to view appointment reminders, test results and physician/nurse messages without the threat of unsecured e-mail.

We’d Love to Hear From You!

For additional questions/comments on how to approach patient e-mail communication in a secure manner, contact us at

Offering secure e-mail is just one part of a providers responsibility to build a compliant culture for patients and employees. We advise all providers to start by completing a Security Risk Analysis to create a baseline for security. To speak with a member of our sales team, Contact Us.

Utah Hospital Aftermath: What Police Precincts Need to be Doing

Recently, like many Americans, we watched events unfold at a Utah based hospital between a police officer and hospital nurse. Being that our office is based in the Salt Lake City area, the incident hit close to home both literally and figuratively. Unfortunately, the police officer who arrested and allegedly assaulted a nurse for refusing a blood draw on an unconscious patient brought up more questions than answers. As all healthcare organizations should heed a warning whenever there is a security breach at any hospital, private practice, insurance provider, etc; we feel it is crucial that both providers and law enforcement understand what happened and how to prevent a similar incident from occurring.

What Went Wrong

In simple terms the nurse was arrested for doing her job. By refusing the police officer to administer a blood draw on an unconscious patient she was protecting her patient’s rights. As the police body cam video illustrates, the nurse pleas with the officer stating she did feel she was doing anything wrong.  On the flip side, the same cannot be said for the officer involved in the incident. Under HIPAA, any person or organization who touches Protected Health Information (PHI) needs to understand and be aware of the basic rules around patient’s right to privacy including what can be released and what cannot.

One commonly misunderstood item under HIPAA is who constitutes as a business associate and who does not. By definition a business associate is any person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to PHI. In this case, the police office was a business associate of the hospital and therefore needed to comply with HIPAA.

Workforce Training

One HIPAA requirement that is really highlighted through the events that unfolded during this incident is the importance of workforce training. It is unknown at this time whether the police officer has ever participated in HIPAA training, however, based on the events that transpired he clearly did not understand that in order to release PHI to law enforcement, there must be either a signed waiver/release by the patient, a court-order or subpoena.

Although training employees on HIPAA may feel like an overwhelming or daunting task, it does not need to be. Most importantly, workforce training should be tailored to whether the organization is a Covered Entity, Business Associate or Hybrid and review how employees can impact the security of PHI. Had the police officer understood some basic patient privacy rules, the incident could have gone a very different way. Bottom line, police precincts should be offering basic HIPAA training for all colleagues.

In turn, when a member of law enforcement arrives at a hospital or medical facility he/she should be directed to a specific department to discuss their request. All hospital staff must be trained on what to do with law enforcement in the building so they can minimize disruption and ensure the appropriate action is taken. Some examples of a hospital department that may handle these requests include: Health Information Management, Medical Records Department, or Legal and/or Compliance. This should be covered in during employee workforce training along with documented in the hospital or medical facility’s policies and procedures.

Moving Forward

As stated above, with appropriate training and awareness, the incident above could have been avoided. We applaud the nurse for understanding her rights and the importance of appropriate patient care. At HIPAA One we offer  affordable and easy-to-use workforce training modules that can be customized for various organization types with a “game like” feel.

To view our modules or learn more, click here.


HIPAA & Texting

In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging presents multiple threats for meeting some of those requirements. Including:

  • Standard SMS messages are not encrypted
  • Sender does not have the ability to “control” if/when the message is discarded upon viewing
  • No clear path to verify the reader’s identity which opens the door to unintended recipients, AKA a HIPAA breach

Even well intended providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition, must also make its way onto the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately the HIPAA laws and Office for Civil Rights (OCR) do not have anything specific outlined regarding texting requirements. Any and all forms of communication present some level of risk and it is the healthcare providers’ responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits provider disclosure of ePHI only to authorized individuals or entities.
  • HIPAA Security Rule – Requires that providers protect patient’s sensitive data from any threats to access or disclose PHI to unauthorized individuals or entities and should a breach or unauthorized disclosure occur, have a remediation plan.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while utilizing text messaging. When texting any sensitive ePHI information that might be locally stored in a device, encryption should be applied in the event of a loss, disposal or theft. Additionally, the text might be stored at the server level (phone carrier).

The following safeguards can help protect PHI along with establishing compliant communication:

Security Risk Analysis (SRA) – While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well trained workforce is any healthcare provider’s best defense against undisclosed PHI exposure. Workforce training should include the sharing of information, securing authorized devices and using secure third party apps that might permit sharing information in a secure way.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to contact him/her. Additionally, forms should include who outside the patient can receive their information and what can be sent.

Notice of Privacy Practice – A Notice of Privacy should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy includes texting.

Next Steps

Get started texting in a more compliant manner and take steps to build a HIPAA baseline by tackling the mandatory requirement of an SRA. Need assistance with your risk analysis or creating/updating Policies and Procedures templates? Contact Us today.

What You Need to Know about the Newly Updated HHS Breach Tool

As part of their commitment to providing greater transparency to consumers, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently launched their revised web tool designed to highlight important breach information. The HIPAA Breach Reporting Tool (HBRT) now includes enhanced navigation and gives the general public a deeper look into recent healthcare data breaches including those being currently investigated.

Released in 2009, the HBRT (HIPAA Breach Reporting Tool) was created as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. As required by HIPAA, entities must report breaches of unsecured protected health information of 500 or more individuals to OCR. In the event of a breach, HIPAA also requires covered entities to promptly notify the affected individual and, in some cases, notify the media.

The HBRT tool includes the following information on each breach:

The name of the entity
State where the entity is located
Number of individuals affected by the breach
The date of the breach
Type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure)
Location of the breached information (e.g., laptop, paper records, desktop computer)



The straightforward, easy-to-use tool has two purposes: provides detailed information to customers and acts as a repository for organizations looking to report incidents. By compiling this information, the tool also helps educate the industry on the types of breaches occurring with the ultimate goal of highlighting the importance of securing health information.

For additional information on HIPAA breach notification, visit:

To avoid a data breach and the consequences that follow, conduct a HIPAA Security and Privacy Risk Analysis using the HIPAA One software solution. Our automated risk analysis software quickly recognizes gaps that may exist within an organizations security and in the event of an audit, can produce the necessary documentation with just one click.  Learn more: