How to Handle HIPAA Security Incidents, Breaches, Complaints, and Investigations

Course Description:

The Department of Health and Human Services has imposed civil money penalties (fines) as high as $4.8 million for breaches of patient confidentiality under HIPAA, and knowing how to respond to such incidents is crucial to avoiding or minimizing liability. The presenter has successfully defended seven health care providers in investigations by the Office for Civil Rights of DHHS for alleged breaches.

This webinar will cover everything that you need to know about how to handle HIPAA security incidents, breaches, and complaints, and the Department of Health and Human Services investigations thereof. Not all security incidents are breaches, but all breaches of confidentiality are within the broad ambit of security incidents. Privacy rule violations, such as failing to give a patient a copy of his or her medical records, may also constitute a breach, as the $4.2 million fine assessed against Cignet Healthcare of Prince George’s County, Maryland, dramatically proved. Handling an investigation properly is key not only to determining how to mitigate any harm and to take action to prevent it from happening again but also to determining whether the incident is reportable to affected individuals and to DHHS.

HIPAA requires a complaint procedure (policy). The webinar will suggest what such a document should contain, and will do the same for the required report procedure (what is reportable, who reports, to whom, and required/suggested contents of the report) and the required response procedure (what the responsible officials do after receiving the report or the complaint).

Investigating a possible security incident is key. The webinar will cover how to conduct a thorough investigation of HIPAA security incidents, breaches, and patient complaints.

Finally, the second largest HIPAA civil money penalty or settlement, $4.2 million, was in large part due to the offender’s failure to cooperate with the DHHS investigation. The presenter has successfully defended his clients in seven such investigations and knows how to respond to them to avoid or minimize liability.

Why should you Attend?

As of the so-called HITECH Act, covered entities and their business associates must report certain breaches of HIPAA to DHHS, which can result in seven-figure fines, lawsuits, bad publicity, and other sanctions. Remediation costs may be immense, such as the $17 million incurred by Blue Cross/Blue Shield of Tennessee on top of the $1.5 million civil money penalty for not having sufficient security to prevent a burglar from stealing all their computer equipment and media with millions of individuals’ health insurance data. That is not the only way DHHS may learn of a breach, however. Civil money penalties have resulted from complaints by patients, and one even resulted from a newspaper story. Civil money penalties to date range from $50,000 to two in the $4 million range, and a $50,000 or low six-figure fine may doom a small practice. These fines cannot be discharged in bankruptcy because they are imposed as a punishment rather than as compensation to the government for money it has expended. The largest civil money penalty is reserved for breaches that are not handled properly, capped at $1.5 million for identical such breaches in a calendar year. And DHHS considers that, say, if you lose an unencrypted laptop with no other reasonable and appropriate security in its place, it constitutes a separate violation for each patient’s data on the lost laptop. In addition, patients and others who complain to DHHS may receive a portion of any fine, thereby providing an incentive to complain. Also, an audit by DHHS may lead to a civil money penalty.

Nor are these penalties reserved for large practices. Fines have been assessed against two-physician practices and a small hospice in North Dakota. Being not-for-profit provides no immunity, nor does being a government entity. Alaska Medicaid was fined $1.5 million; and a county government (Skagit County in Washington State), $215,000.

Thus, it is crucial to know how to avoid breaches, how to investigate a security incident, how to determine whether it is a breach, when you have to report a security incident to DHHS (and sometimes to state agencies), and how to mitigate (lessen) the harm of a breach. How a so-called covered entity responds to security incidents and breaches receives great scrutiny in DHHS audits and is a factor in determining whether a sanction is warranted and in lessening the fine from what it otherwise might be.

In addition to a Privacy Officer, HIPAA requires covered entities to have a complaint procedure and a complaint official (who can be the Privacy Officer), as well as a report procedure and a response procedure (how you handle the report). Failure to have these elements of HIPAA compliance, or having inadequate ones, constitutes a breach of the HIPAA requirements.

Areas Covered:

Topics which will be covered in the session:

  • What is a security incident?
  • What is a breach?
  • What are the penalties for a breach?
  • What types of breaches are likely to result in sanctions?
  • What are the HIPAA requirements for handling breaches?
  • The Report and Response Procedure.
  • Investigating security incidents and patient complaints.
  • Taking action on the breach—immediate and subsequent—including mitigation.
  • What breaches are reportable to DHHS?
  • How to respond to an investigation by DHHS.
  • Conclusion and questions and answers.

Who will benefit?

This webcast will be of valuable assistance to the following audience:

  • HIPAA Security and Privacy Officers
  • Healthcare Compliance Officers
  • Healthcare Attorneys
  • Directors of Health Information Management
  • Medical Records Supervisors
  • Health Care IT Directors and similar officials
  • Office Managers
  • Business Associates - those who provide services for covered entities involving health information, such as billing services, transcription services, and the like.

Speaker Details



Healthcare Attorney, Author and President of EMR Legal

Jonathan P. Tomes has been an expert witness in litigation involving health information compliance issues and is the President of EMR Legal, Inc., a national HIPAA consulting firm. His knowledge of the law and of the practical aspects of handling security incidents to avoid liability provides a rare opportunity for compliance officers and medical records veterans and novices alike. Mr. Tomes has presented seminars nationally for more than 20
