Can You Afford a HIPAA Violation?

In June of 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to the United States Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule arising out of the loss of a portable USB thumb drive containing electronic protected health information (ePHI).

In September of 2012, Massachusetts Eye and Ear Infirmary agreed to pay HHS $1.5 million to settle potential violations of the Security Rule arising out of the theft of a laptop computer which contained a large amount of patient information.

In each case, the HHS Office for Civil Rights charged that the providers had failed to take necessary steps to comply with certain requirements of the Security Rule, including:
- conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices;
- implementing security measures sufficient to ensure the confidentiality of ePHI that they created, maintained, and transmitted using portable devices; and
- adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.

Both of these cases involved the theft of devices which contained massive amounts of unencrypted patient data. There was no evidence that any patients sustained any actual damages as a consequence of the theft of any of this information, but damages are not an essential element of the violation, and as one can see, the settlements were substantial.

And lest anyone think that the HHS watchdogs only go after the big players, in January of 2013, Hospice of Northern Idaho agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule in another laptop theft case. This is the first settlement involving a breach of unsecured ePHI affecting fewer than 500 patients. It is unlikely to be the last.

The American Telemedicine Association, which advocates for wider use of telemedical technology, has projected enormous growth in the field over the next few years, and the list of companies with links on its principal website is long and varied. Most of these companies fall under the HIPAA definition of “business associates.”

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate (emphasis added). The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. To learn more about business associate agreements, and see a template for what HHS believes such an agreement ought to contain, visit

It seems to me that any prudent practitioner thinking about using telemed conferencing ought to be asking herself or himself at this point, “What are the risks to me and my practice of using a free VoIP technology like Microsoft’s Skype®, especially if, in the future, Microsoft decides to change the company’s Terms of Service to allow them to target advertising to users based upon the content of their communications?”

It seems clear that, to be HIPAA-compliant, a videoconferencing service must be willing and able to sign a business associate agreement. Skype and other free services do not offer this. does. We also offer live technical support, which free services can’t provide. And free services simply can’t offer the superior video quality and features needed for a professional office; we can.

To learn more about, visit our website at

Stephen C. Taylor
General Counsel