I’m going to turn the lights down low, burn a few candles, play some Norah Jones, and slip into something a little less comfortable: Health Insurance Portability and Accountability Act compliance (yeah, baby). Okay, so maybe it’s not the sexiest of topics, but familiarizing yourself with the most common HIPAA compliance issues helps keep your practice in the know—and out of the jailhouse. So, let’s strip it down, shall we?


First Things First

If you follow the news, you might think that HIPAA compliance issues only happen to “the big guys”—the healthcare providers and payers with access to thousands of patient records. That’s because, in most cases, only major breaches must be reported to the news media. But you don’t have to work for a large hospital or major health insurance carrier to be majorly concerned about HIPAA. In fact, private practices are the most frequent offenders. The HHS indicates that private practices are the most common type of covered entities “that have been required to take corrective action to achieve voluntary compliance,” coming in ahead of hospitals, outpatient facilities, pharmacies, and health plans (group health plans and health insurance issuers).

Take Two—or Five

Now that I have your attention, let’s talk about the big compliance concerns your practice needs to be aware of—including one you may not have considered. The US Department of Health and Human Services reports that since April 2003—when compliance with HIPAA standards became mandatory—the “OCR has received over 121,576 HIPAA complaints and has initiated over 929 compliance reviews.” Of those reviews, these are the top five most-investigated compliance issues:

  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Inability for patients to access their protected health information
  4. Lack of administrative safeguards of electronic protected health information
  5. Use or disclosure of more than the minimum necessary protected health information

Last But Not Least

As you can tell, most of these five issues have the potential to cause a breach, but what happens after a breach occurs also presents a very real HIPAA compliance threat. According to this HHS document, “A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.” Mitigating a breach is mandatory—and an important part of the first step in your HIPAA breach survival guide—but over the past few years, OCR records indicate a troubling increase in healthcare providers failing to mitigate breaches at all.


For the most part, a great EMR (wink, wink) has your HIPAA compliance concerns covered in all the right places, but some HIPAA-related matters—like social media, email marketing, or natural disasters—fall outside the scope of your EMR. Not sure how your practice is doing when it comes to avoiding these top six issues? Then you may already be at risk, and it’s time to assess your processes and security practices. Still catching up on the basics of HIPAA? Take advantage of your resources—like the ones here, here, here, and here—to make sure you and your staff never get caught with your compliance pants down. Finally, keep an eye on our Blog, where we always provide the latest compliance information.
