Most medical practices view HIPAA compliance as maintaining appropriate documentation regarding patient notices and consents, and controlling access to the PHI within the office; that’s PRIVACY. Practices tend to forget the technology/security side of HIPAA, which requires maintaining, or reasonably attempting to maintain, secure EHR/IT systems; that’s SECURITY.
Athens Orthopedic Clinic PA agreed to pay $1.5 million in damages to settle potential violations of HIPAA following a self-reported breach report informing OCR that approximately 208,000 patient files were affected because of a hacker breach.
The OCR investigation revealed “long standing, systemic non-compliance with the HIPAA privacy and security rules”.
Remember that HIPAA requires both PRIVACY and SECURITY.