Tips To Protect Your Practice Against HIPAA Penalties

The regulatory environment around HIPAA has gotten more stringent over time. This is partly due to consumers, who are becoming more aware of its importance in keeping their data private and safe. There are many ways that you can start protecting your business from HIPAA penalties today. Below are six tips that can help mitigate your risk of incurring willful neglect penalties.

Updated Security Risk Assessments

The HIPAA Security Rule (specifically the administrative safeguards) requires a security risk assessment to identify potential risks to electronic protected health information (ePHI). It also calls for appropriate implementation of security measures to address those identified risks. Be sure to reevaluate regularly and address any newfound risk points.

Business Associate (BA) Agreements

Healthcare organizations can have dozens if not hundreds of vendors that supply products and services on a regular basis. Under the HITECH Act, these vendors are often considered Business Associates that must follow certain security regulations to protect healthcare data. Ultimately, the end healthcare provider is responsible for any breaches of ePHI. A proper BAA is not only a requirement of the HITECH Act; it also helps insulate your practice from HIPAA and HITECH liabilities.

Revise Employee Training

Training programs are vital to educate employees on how to handle and secure PHI and ePHI. Communicating the practice’s procedures and policies can prevent theft, abuse of PHI and ePHI, and unauthorized access to medical information. Most training needs to be followed up with refresher courses to retain the knowledge and drive home the importance of compliance.

Timely Response and Reporting of Any Suspected Breach

Respond immediately to any suspected breach. Covered entities are themselves obligated to investigate any data or information breaches. Also, if you act swiftly, a potential data breach can be prevented; and, perhaps most critically from the perspective of your practice, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with “willful neglect” and corrects a HIPAA violation within 30 days. Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and reeducating staff.

Maintain Documentation

Covered entities and business associates are required to maintain documentation per HIPAA security regulations on all actions, assessments, and activities related to security and privacy for a minimum of six years. Beyond these requirements, thorough documentation can help providers defend HIPAA claims against their organization.

Although there is no guarantee these steps will protect against breaches, with due diligence and work, you can put your organization in the best position for a positive outcome.