• Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

Are you ready for a HIPAA audit?


Time was when violating the Health Insurance Portability and Accountability Act got you little more than a warning letter from the U.S. Department of Health and Human Services.

Key Points

The HITECH Act also replaced the aforementioned warning letters with mandatory fines for violations. The most serious of these-those classified as "willful neglect"-include breaches of unsecured protected health information (PHI), and can carry penalties of up to $1.5 million.

A second-tier violation is where most physicians would most likely find themselves, and the fines for those are $1,000 per violation. Fines can go as high as $25,000 per violation, and can be levied for multiple incidents. In short, HIPAA violations can really add up.


HHS defines a PHI breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual."

Three types of incidents can trigger a HIPAA audit. (A random audit also is possible, although the odds are fairly low given the number of physicians in the United States compared to the number of HIPAA auditors.)

When applying for the incentives, physicians must explain how their practice meets HIPAA compliance requirements. The EHR must be certified as HIPAA-compliant, as must all the physician's policies and procedure manuals, employees need to undergo appropriate training, and all annual audits must be documented.

Related Videos