

Published 8/1/2015
Cindy Bracy, MPH, RHIA

Ignoring Potential HIPAA Violations Is Risky Business

When was the last time your practice performed a security and risk assessment (SRA)? If you don’t know, ask your practice executive. If your practice executive doesn’t know, chances are you need to conduct one—and soon.

An estimated one third of solo and group medical practices have not conducted an SRA, which puts them at risk for substantial fines. You don’t want to be among them.

An SRA is not optional: the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires every covered entity to conduct an accurate and thorough risk analysis of the risks to electronic protected health information it holds. Conducting and documenting this assessment also provides the evidence required to attest to Meaningful Use Stage 2 Core Measure #9 (Protect Electronic Health Information).

What is an SRA?
Table 1 shows the basic steps in performing an SRA. HIPAA requires medical practices to conduct an SRA on a regular basis, and whenever the environment changes significantly (for example, a new EHR system or a new office location), that includes, but is not limited to, the steps listed. A complete list of steps can be found in the AAOS HIPAA Security and Risk Assessment Manual, available at www.aaos.org/store.

In addition to conducting an SRA, practices must also have a signed Business Associate Agreement (BAA) with each outside entity that creates, receives, maintains, or transmits protected health information on the practice's behalf (for example, billing services, transcription vendors, cloud-hosted EHR providers, and IT support firms). How many different BAAs does your practice have on file? If you don't know, ask your practice executive for details, including a list of associates under agreement and the term (expiration date) of each agreement.

BAAs are required to include the following information:

  • business associates’ obligations
  • protected health information allowable disclosure requirements
  • safeguards for protected health information to ensure against unauthorized disclosure
  • protected health information usage and exceptions
  • reporting requirements when the business associate discloses protected health information to another entity, including prompt notification of any breach or security incident
  • documentation of the business associate's use and disclosure of protected health information
  • termination of agreement terms focusing on return and/or destruction of protected health information
  • copies of agreements with business associates’ subcontractors

Don’t risk a penalty
HIPAA enforcement is no longer focused only on hospitals and ambulatory surgical centers. Small group and solo practices need to be prepared for random HIPAA audits. As shown in Table 2, the fines can range from $100 per violation up to an annual maximum of $1.5 million per type of violation.

The new AAOS HIPAA Security and Risk Assessment Manual eBook includes a downloadable copy of the SRA tool, a sample BAA, a HIPAA training syllabus, and much more. Following the guidelines in this eBook will help you meet HIPAA Security Rule requirements and document your compliance in case of a HIPAA audit of your practice.

Cindy Bracy, MPH, RHIA, is the AAOS practice management manager. She can be reached at bracy@aaos.org

Additional Information:
Sample notification letter