Covered Entities (CE) not complying with HIPAA

Covered Entities (CE) not complying with HIPAA is our 5th post on the subject of The History of HIPAA.

In this post we’re addressing the risk CEs are taking by not complying with HIPAA.

OCR = Enforcement

For many years after HIPAA became the law of the land, it was not enforced. HIPAA was known as a paper tiger: it had no teeth, and the medical community by and large did not implement it. But that’s all changed. Now the saying “it’s not your father’s HIPAA” truly reflects recent and dramatic changes to the almost 30-year-old law.

The OCR website states: “Since 2003, OCR's enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve.”

So what does enforcement look like?

Storytelling is a powerful way to convey an idea. The following stories convey the truth that “it’s not your father’s HIPAA” better than any blog post could.

First Story

An office manager took home a laptop that had clinical research data on it; that data was unsecured health care information. She ran to the gym to pay her dues for the month, then ran over to Walgreens to pick up a prescription for her sick child that had been called in earlier in the day, and then she went home.

Her car was unlocked at these stops, and somewhere between the gym, Walgreens and her home the laptop was stolen; she doesn’t know where. 50,000 health records were breached, and 138 patients reported identity theft that they have tied back to that stolen laptop.

That practice incurred civil penalties from the OCR and they will likely incur 138 lawsuits. All because the manager of a small practice took a laptop home.

Second story

Hospice gets $50,000 HIPAA Penalty – First Settlement After a Breach Affecting Fewer Than 500.

This story is about a non-profit hospice in Hayden, Idaho, that had a laptop stolen containing protected health information on 441 individuals.

At that time, Leon Rodriguez, Director of the Office for Civil Rights, said in a statement: “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

Third story

Defend your practice against HIPAA violations.

A five-physician practice in Phoenix, Arizona was fined $100,000 for failing to meet HIPAA’s privacy and security requirements:

“The penalties for a HIPAA violation are real and substantial. For example, a five-physician practice in Phoenix, Arizona, was fined $100,000 for failing to meet HIPAA’s privacy and security requirements.

In other cases, fines have been assessed for the loss of thumb drives and laptops containing patient information as well as for poor compliance plans and training.”

Those stories are about covered entities. In our next post we’ll focus on business associates.

Real-life stories say it well: if you think the OCR will never pay you a visit because you’re a small covered entity, you had better think again.


If your company is a health plan, health care clearinghouse, health care provider, insurance broker, etc., and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health information (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery. You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:

  • The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
  • 7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
  • Where tape backups fail and give you a false sense of security.
  • The #1 cause of data loss that most businesses don’t even think about until their data is erased.

You can download your Free Business Advisory Guide Here.

This guide explains in plain, everyday English what you need to know about data backup, security and disaster recovery.

And don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.

Have you started your HIPAA compliance initiative?

With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a BA we’re going through it ourselves. We’re actually doing it, not just writing about it.

Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?

Give us a call at 503.359.1275. We’re always happy to chat!

Dedicated to your success,

Wally Moore

General Manager & Compliance Officer

DTS InfoTech . . . computer networks that work