HIPAA FAQ

What is a HIPAA breach?

A HIPAA breach is an impermissible use or disclosure of protected health information (PHI) that compromises the security or privacy of that information.

Examples of a HIPAA breach include an email containing PHI sent to the wrong recipient and then used to carry out malicious attacks, a cybercriminal accessing a healthcare organization’s system and stealing patient data, or a medical practice losing a laptop containing PHI.

What do I do if I’ve had a HIPAA breach?

If you’ve had a HIPAA breach, you must do the following:

  • Perform a risk analysis that identifies when the breach occurred, when it was discovered, the estimated number of individuals affected, the type of breach, the location of the breach, and the kind of PHI involved.
  • Contact the authorities, especially if you determine that a cyber attack may have occurred.
  • Notify the individuals involved in the breach, such as patients, clients, or employees.
  • Notify HHS of the breach. The law requires you to report the incident to the Department of Health and Human Services (HHS) through its Breach Reporting Portal.

It is important to have a breach response process in place before a breach happens. At Cytek, we can help you build that process and prevent a breach from ever occurring in the first place.

What exactly is a HIPAA Risk Assessment?

HIPAA requires every healthcare organization to perform a risk assessment that identifies, prioritizes, and manages risks, vulnerabilities, and potential security breaches. It helps businesses uncover hidden threats and improve their security measures.

Is a Risk Assessment really necessary?

A HIPAA risk assessment is a legal requirement for any business or organization that acquires, stores, or manages protected health information (PHI), including electronic protected health information (ePHI). To maintain HIPAA compliance, your healthcare organization must conduct a risk assessment annually.

What is the Cost of HIPAA Violations?

This depends on your level of culpability, that is, how aware you were of the violation.

  • If you did not know of the violation, it could cost between $100 and $50,000 per violation.
  • If you had reasonable cause for the violation, it could cost between $1,000 and $50,000 per violation.
  • If you fall under the Willful Neglect rule but correct the violation, it can cost between $10,000 and $50,000 per violation.
  • If you fall under the Willful Neglect rule and do not correct the violation, the estimated cost is $50,000 per violation.

Are popular apps like Google Suite, Zoom, OneDrive, DocuSign, and Dropbox HIPAA compliant?

Yes and no. To use these applications in a HIPAA-compliant way, you must have a signed Business Associate Agreement (BAA) with each business associate (BA). The BAA commits the BA to protecting and securing patients’ health information by implementing physical, technical, and administrative safeguards.

It’s important to understand that many free versions of these applications do not offer a signed Business Associate Agreement, which makes them non-compliant with HIPAA.

At Cytek, we’ve created highly secure, affordable alternatives that are HIPAA compliant: Cytek Safeguard, Cytek Secure Mail, and Cytek Chat. 

What does my practice need to do to become fully HIPAA compliant?

The easiest way to become fully HIPAA compliant in an ever-changing online environment with regularly updated HIPAA rules is to team up with Cytek. 

Becoming HIPAA compliant is not an end destination but an ongoing process. Cytek helps you maintain your HIPAA compliance through expert training, recommendations, and implementations. 

A risk assessment helps reveal areas where your organization’s protected health information (PHI) could be at risk. Take our free online assessment and start protecting your practice today.

Getting your employees HIPAA certified is quick and easy with our self-paced, online training.