News
Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business Associates
Your 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR Enforcement
An Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement
15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR Enforcement
OCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule Update
OCR Director: The Cost of Doing Nothing Is Very High · Rule Update
HIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule Update
OCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule Update
Rehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR Enforcement
Concentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR Enforcement
HIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule Update

What do I do if…

Real situations healthcare teams face, with clear steps. Not legal advice; use this to know what to escalate and when to call your privacy officer.

A patient calls asking for their spouse's test results

You generally cannot release this without written authorization from the patient, even to a spouse.

I accidentally sent a fax to the wrong number

This may be a reportable breach. Take these steps in the next 24 hours.

I saw a coworker looking at patient records they shouldn't be

This is an internal HIPAA violation. You have an obligation to report it.

A patient wants a copy of their medical records

Patients have a legal right to their records. You have 30 days to provide them.

A family member is asking about a patient's condition

This depends on what the patient has authorized. When in doubt, say nothing.

I think a staff member at our practice violated HIPAA

Investigate promptly. Document everything. Determine if it is a reportable breach.

We think we may have had a data breach

Treat it as a breach until proven otherwise. The 60-day clock is running.

A customer is asking us to sign a BAA

If you handle their patient data, you need one. Review it carefully before signing.

A vendor is asking us to send them patient information

Only share what they need, with a BAA in place, and through a secure method.

A patient says they are filing a HIPAA complaint

Stay calm, document everything, and notify your privacy officer immediately.

A colleague from another office asked about a patient we both treat

If it's for coordinated care and you're both involved in treatment, limited sharing is usually OK; stay professional and share only the minimum necessary.

Someone overheard us talking about a patient

Treat it seriously. Report it and work on preventing a repeat; how much was said and where it was overheard both matter.

We learned an employee accessed a customer's patient data without authorization

Investigate, document, revoke access, and determine if this is a reportable breach.

We had a security incident (malware, intrusion, or lost device)

Activate your incident plan, preserve evidence, and involve legal counsel early.

A customer asked, "Are you HIPAA compliant?"

Be honest: explain your controls and BAAs, and never promise a checkbox no one can guarantee.
