From the WELL Cybersecurity Division


Maintaining HIPAA compliance ensures that patient information is secure. It is vital that all US clinic operators and healthcare providers understand their responsibilities.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that instituted the creation of national standards to protect sensitive patient health information (PHI) from being disclosed without the patient's consent or knowledge.


Are You Responsible for HIPAA & PHI?

A Covered Entity is a health care provider, a health plan, or a healthcare clearinghouse that, in its normal activities, creates, maintains or transmits PHI.

What Can I Do to Protect PHI?

Technical Safeguards

  • Access Control
  • Authenticate PHI integrity
  • Encrypt / Decrypt PHI in motion and at rest
  • Audit activity logs
  • Auto log-off

Physical Safeguards

  • Facility access controls
  • Policies for the use of workstations which access PHI
  • Policies and procedures for mobile devices
  • Inventory of hardware

Admin Safeguards

  • Conduct risk assessments
  • Introduce a risk management policy
  • Employee training
  • Develop contingency plans
  • Test contingency plan
  • Restrict 3rd party access
  • Report security incidents

Common Violations

  • Stolen laptop
  • Stolen phone
  • Stolen USB device
  • Malware incident
  • Ransomware attack
  • Hacking
  • Business associate breach
  • EHR breach
  • Office break-in
  • Sending PHI to the wrong patient/contact
  • Discussing PHI outside of the office
  • Social media posts

Fines (per violation - per record exposed)

  • Attributed to ignorance – $100 to $1,000
  • Occurs despite reasonable vigilance – $1,000 to $50,000
  • Due to willful neglect which is corrected within 30 days – $10,000 to $50,000
  • Due to willful neglect not corrected within 30 days – $50,000
  • Willful neglect also carries the potential for civil or criminal charges

