Most medical practices view HIPAA compliance as maintaining appropriate documentation regarding patient notices and consents, and controlling access to the PHI within the office; that’s PRIVACY. Practices tend to forget the technology/security side of HIPAA, which requires maintaining, or reasonably attempting to maintain, secure EHR/IT systems; that’s SECURITY.

Athens Orthopedic Clinic PA agreed to pay $1.5 million in damages to settle potential violations of HIPAA following a self-reported breach report informing OCR that approximately 208,000 patient files were affected because of a hacker breach.

The OCR investigation revealed “long standing, systemic non-compliance with the HIPAA privacy and security rules”.

Remember that HIPAA requires both PRIVACY and SECURITY.