Is Your Company on the Feds’ List of 1,200 HIPAA Violators?

I don’t like sounding like an alarmist. But now is the time to get your HIPAA house in order and review everything you do, from your unified communications to your training, policies and procedures. The federal government is stepping up enforcement of HIPAA medical privacy rules, and things could get ugly for violators. There are serious HIPAA enforcement actions underway, a recent article from Law360 says, and more than 1,200 companies were identified earlier this year as possible enforcement targets.

Enforcement Getting Tougher

The article also notes that since June of last year, more than $10 million in fines have already been levied, and that’s expected to grow dramatically with stepped-up enforcement. While not all of those 1,200 companies are expected to incur full-blown HIPAA prosecutions, it’s a good idea to start preparing now for the ramp-up in federal actions.

As I’ve been saying for more than a year now, the scope of enforcement has increased, and many companies that don’t know it yet are now subject to HIPAA. For a long time, it was mostly medical service providers and insurance-related businesses that worried about HIPAA.

These days, subcontractors who handle HIPAA information should also be worried. In addition, just having a personnel department that handles health plans could make a company subject to HIPAA, and I’ve even corresponded with some highly placed executives at some Internet phone service providers that didn’t seem to understand that they’re subject to HIPAA, too.

Are You Overlooking a HIPAA Breach?

One of the most often overlooked sources of HIPAA non-compliance is a company’s unified communications system, which usually consists of features such as voicemail, business phone service, electronic faxing, teleconferencing, recording and web collaboration capabilities.

Since HIPAA-covered data is often stored in emails, voicemails or electronic faxes, the way your unified communications provider handles these can be crucial to your compliance. The best way to make sure that your HIPAA compliance isn’t jeopardized by your unified communications provider is to confirm that the provider can supply a Business Associate Agreement, backed by third-party validation of the provider’s own compliance.

How to Protect Your HIPAA Compliance

Your unified communications provider can’t make you compliant if you haven’t done the myriad of other things that you need to do to comply, such as processes, procedures, training and sanctions. But your provider CAN make you non-compliant if they don’t take their own compliance seriously. By getting it in writing, you protect your company’s own HIPAA compliance from being jeopardized by your unified communications provider, thereby strengthening your own ability to comply.

For more information on HIPAA compliance and unified communications, check out “Is Your Business Phone Service Provider Ignoring the Elephant Herd in the Room?” or “Why HIPAA Compliance Should Scare You and What You Must Ask Your Business Phone Service Provider NOW.”

Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before that, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, a member of the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, the U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.