

4 Things You Might Not Know About HIPAA Compliance

In Blog, Fax, FoIP, Security, Technology

HIPAA is an incredibly influential part of the US healthcare regulatory landscape. Because its focus is the security of electronic personal information, it’s no surprise that the law and its requirements continue to evolve as the tech landscape changes.

While this is ultimately a good thing, since it keeps the law aligned with the resources available to and the challenges faced by healthcare IT, it also makes HIPAA compliance a bit of a moving target. What doesn’t change, however, is the severity of the consequences of a security breach.


1. It’s Not the Fines That Get You

A HIPAA breach can deliver a serious blow to your organization’s financials, but the costs may not be coming from where you think. The requirement to publicize that the breach occurred can cause more damage than a government fine.

“If you do the math and you look at an organization that has 10,000 records, that’s between $2 million and $4 million worth of risk. 25,000 records? Up to $10 million in risk. And 100,000 records mean $40 million in risk. Now, I’m saying risk because it’s not the cost of the breach itself. A study shows that about one-third of these numbers is the actual cost of the breach.

The cost of the breach includes notifying patients and hiring lawyers. If it’s a big breach, you have to set up an 800-number and have people answering it. You may have to do credit monitoring. That’s about a third of these costs. What’s the other two-thirds? It’s the loss of business.”

-Mike Semel
President & Chief Compliance Officer, Semel Consulting


2. Inattention is No Excuse, Even If Nothing Bad Happens

The law requires organizations to secure information from prying eyes, whether or not anyone is actually trying to look. Organizations must make sure all their systems are properly maintained, even if that means installing a completely new operating system (which may in turn require new hardware).


“HIPAA says that you have to have devices that are currently supported with patches and updates in order to be compliant.”

-Mike Semel
President & Chief Compliance Officer, Semel Consulting


3. HIPAA Breaches Can Even Come from Within

It’s important to remember that HIPAA violations aren’t always caused by malicious outsiders; your own employees can be a source of trouble, either intentionally or unintentionally. It’s essential to remember that HIPAA requires that only relevant staff have access to any given record. If a nurse looks at the diagnosis of a celebrity staying in another ward, that’s a violation. If your radiology department emails a patient’s x-ray results to the wrong doctor, that’s a violation.

Regular training and oversight are key to protecting your organization against threats from within, in addition to keeping bad actors out.


4. A Key to Better Health Data Security Can Be Simplicity

Because many data security solutions are cumbersome, it is common for staff to circumvent them by relying on insecure (but more user-friendly) consumer file-exchange solutions instead. The best way to keep this from happening? Make your security rules easier rather than weaker.

If sending a document via Fax-Over-IP or a secure file exchange solution is as easy as sending an unsecured email, your employees are much more likely to do it. By making proper compliance the path of least resistance, you streamline workflows, reduce staff frustration, and better protect your organization.


Want to Learn More?

XMedius has published a new HIPAA resource for healthcare organizations, covering information on a range of subjects that will benefit both large and small providers. Learn about key wrinkles like:

  • What happens when HIPAA & state laws conflict
  • What your organization’s obligations are regarding Cloud services providers you contract
  • What is a “Permissible Disclosure” and when is it allowed

Plus: Access a free recorded webinar on “HIPAA Pitfalls to Avoid at All Costs”


Visit the HIPAA Knowledge Hub

