An estimated 40 million to 45 million patient records have been compromised in a HIPAA data breach since 2012. Since 2009, theft or loss of unencrypted devices or computers accounted for 35 percent of all breaches. Where do HIPAA-covered entities, such as physician practices and their business associates, most often make their biggest misstep? It's in performing an inadequate risk analysis.
Use these resources to learn more about HIPAA privacy and security compliance.
Education: View TMA's educational programs on HIPAA privacy and security compliance.
E-tips: TMA offers physicians advice (general information) on issues related to HIPAA compliance.
HIPAA Security Risk Assessment Tool: Use this free tool created by the Office of the National Coordinator (ONC).
HIPAA Compliance Consulting Services: Make sure your practice is compliant with help from TMA’s certified HIPAA compliance officer.
Ransomware and HIPAA Fact Sheet - HHS
Are You Prepared for a Business Associate Breach? - TMA whitepaper, Aug. 2015
Are You Prepared for a Computer Virus Incident? - TMA whitepaper, Aug. 2015
Are You Prepared for a Lost Laptop or Smartphone? - TMA whitepaper, Aug. 2015
Download a sample Business Associates Agreement.
Download a Notice of Privacy Practices.
Download a Sample Authorization Form to use or disclose protected health information.
HIPAA Privacy in Emergency Situations - OCR
HIPAA in Emergency Situations: Preparedness, Planning, and Response - OCR
The Security Risk Assessment Tool by the Office of the National Coordinator (ONC) for Health Information Technology is a free tool designed to help practices with one to 10 physicians identify their risks and vulnerabilities with electronic protected health information (ePHI) and then implement appropriate security measures.
HIPAA requires practices to regularly review and document their administrative, physical, and technical safeguards to protect patients’ ePHI.
Also, if you participate in the Medicare Merit-Based Incentive Payment System (MIPS), conducting or updating a risk assessment is a requirement in the Promoting Interoperability category.
If you think you will need help working through the tool, TMA’s practice management consultants can provide on-site staff training and compliance walk-throughs. Contact them today to learn more about the HIPAA Gap Analysis and Training.
U.S. Department of Health and Human Services: View frequently asked questions, rules, enforcement plans, etc.
Patient Privacy: A Guide for Providers - This HHS resource (login required) is an educational program for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Physicians can earn free CME credits, and health care professionals will receive CE credits.
HIPAA in Emergency Situations: Preparedness, Planning, and Response - OCR
HIPAA News Archive: The history, politics and changing concepts behind HIPAA are chronicled in the archived articles.
Complexity of HIPAA Enforcement – Workgroup for Electronic Data Interchange (WEDI)
Omnibus Final Rule – Section by Section Comparative Summary (WEDI)
Business Associate Decision Tree (WEDI)
Texas law requires HIPAA training within 90 days of hiring employees "as necessary and appropriate for employees to carry out (their) duties." It requires additional training within a year after any relevant change in state or federal law regarding protected health information (PHI) takes effect. HIPAA has required training for employees since 2003 "as necessary and appropriate for them to carry out their functions," within a reasonable time after hiring, and updated as needed. Be sure you document the training, and keep signed attendance records for six years under state law.
Complying With HIPAA and Texas Privacy Laws (On Demand Webinar)
Complying With HIPAA Security Rule and Texas Data Security Laws (On Demand Webinar)
Cyber Security and Ransomware: Protect Your Practice (On Demand Webinar)
HIPAA Security: Compliance and Case Studies (Publication)
HIPAA Training for Medical Office Staff (On Demand Webinar)
Managing Your Medical Records (Publication)
Managing Your Online Presence (On Demand Webinar)
Policies and Procedures: A Guide for Medical Practices (Publication)
Taking Privacy to a New Level: Texas Lowers Reporting Threshold for Security Breaches (Texas Medicine, Jan. 2020)
Laptop Encryption Helps You Stay HIPAA Compliant (Texas Medicine Today, Dec. 17, 2019)
“Patient Privacy Must Be Protected,” TMA Says in Response to Ascension-Google Partnership (Texas Medicine Today, Nov. 14, 2019)
Keep Your Records Straight, and HIPAA-Compliant, With TMA CME (Texas Medicine Today, Oct. 30, 2019)
Security Risk Analysis Is Not a Do-It-Yourself Project (Texas Medicine Today, July 1, 2019)
New Tool Helps With HIPAA Compliance (Texas Medicine Today, Oct. 30, 2018)
Office Cleaners Clean Up on Patient Files (Texas Medicine Today, July 9, 2018)
Never, Ever Text Patient Hospital Orders (Texas Medicine Today, March 14, 2018)
Is Your Patients’ HIPAA-Protected Information Secure? (Texas Medicine Today, March 9, 2018)
18 Privacy Pitfalls. One Easy (and Free) Mobile Solution (Action, 2017)
Security Risk Assessment for HIPAA — and Medicare/Medicaid? (E-Tips, 2017)
Get Hip to HIPAA Rules With Training From HHS, TMA (Action, 2017)
New White Paper Helps You Stay HIPAA Secure (Action, 2017)
Return-to-Work or -School Releases and HIPAA (E-Tips, 2017)
HHS Warns of HIPAA Email Phishing Scam (Action, 2016)
Get Started on Your HIPAA Security Risk Assessment (Action, 2016)
Five Gray Areas of HIPAA You Can't Ignore: New White Paper (Action, 2016)
HIPAA Audit, Phase 2: Are You in Compliance? (E-Tips, 2016)
Is a Ransomware Attack a HIPAA Breach? (E-Tips, 2016)
Patient Access to Their Health Info: HIPAA, Meaningful Use (E-Tips, 2016)
HIPAA and Patients’ Right to Access Information (E-Tips, 2016)
Are You Prepared for a Business Associate Breach (E-Tips, 2015)
Are You Prepared for a Computer Virus Incident (E-Tips, 2015)
Are You Prepared for a Lost Laptop or Smartphone (E-Tips, 2015)
Are You Prepared for a Patient Complaint? (E-Tips, 2015)
Federal HIPAA Guide Gives Practical Advice on Security Management (E-Tips, 2015)
Be Tech Savvy on the Road (E-Tips, 2014)
Security Alert: Are Your Browsers Vulnerable to POODLE? (E-Tips, 2014)
Thorough Risk Analysis Key to HIPAA Preparedness (Action, 2014)
HIPAA Security Risk Tool From HHS (Action, 2014)
Tougher HIPAA Rules in Effect (Texas Medicine, October 2013)
Business Associate Agreement Rules Among HIPAA Changes (E-Tips, 2013)
Breach Notification Rules Get a Makeover (E-Tips, 2013)
HIPAA and Medical Power of Attorney (E-Tips, 2013)
Eight Steps to a HIPAA Security Risk Analysis (E-Tips, 2013)
Health Plan Requests for PHI (E-Tips, 2013)
How to Render PHI "Deidentified" (E-Tips, 2013)
HIPAA Privacy Training: Why Now Is a Good Time
Zip It! Feds, State Strengthen Privacy Protection (Texas Medicine, July 2012)
Texas Privacy: Law Protects Health Information (Texas Medicine, Dec. 2011)
TMA’s comments on HHS Accounting of Disclosures proposed rule (Aug. 1, 2011)
HIPAA Privacy and Novel Coronavirus (HHSC)
Notification of Enforcement Discretion for Telehealth Remote Communications (HHSC)
FAQs on Telehealth and HIPAA (HHSC)
Go to the TMA COVID-19 Resource Center
Got HIPAA questions? Call the Knowledge Center.
Electronic health record (EHR) vendors may not block or terminate your access to your patient’s information. This paper will help arm you with information about your rights.