Healthcare Compliance Blog

Expert guides, checklists, and regulatory updates to help your practice stay compliant.

HIPAA

Staff Snooping in Patient Records: Detection, Sanctions, and Breach Analysis

Staff are accessing records without a work reason. How to detect snooping via EHR audit logs, HIPAA sanction rules, breach analysis, and building access discipline.

May 15, 2026 · 10 min read
HIPAA

Storing PHI in the Cloud Without a BAA: Compliance Risks and Remediation

Storing PHI in Google Drive, Dropbox, or AWS without a BAA is a HIPAA gap. Here are the risks, the BAA requirements, and the steps to remediate cloud storage of patient data.

May 14, 2026 · 10 min
HIPAA

Terminated Employee Still Has EHR Access: Immediate Steps to Contain the Risk

You discovered a terminated employee still has EHR access. Immediate containment steps, audit log review, breach analysis, and a real offboarding checklist.

May 12, 2026 · 9 min
HIPAA

Your IT Company Never Signed a BAA: How to Fix This HIPAA Exposure

Your IT vendor has access to PHI but never signed a BAA — that's an active HIPAA violation. Here's how to assess the risk, remediate the gap, and prevent recurrence.

May 10, 2026 · 9 min
HIPAA

Your EHR Vendor Had a Breach: What Is Your Practice's Liability?

When your EHR vendor or other business associate suffers a data breach, your practice is not off the hook. This guide covers practice liability, BAA obligations, notification duties, and how to protect yourself under HIPAA.

May 9, 2026 · 10 min
HIPAA

Patient Requests an Accounting of Disclosures: What Your Practice Must Provide

A patient wants a list of everyone you've shared their PHI with. Under 45 CFR 164.528, here's what an accounting of disclosures must include, what's exempt, and the workflow.

May 7, 2026 · 9 min
HIPAA

Patient Asks to Restrict Disclosures: Understanding the Right to Restrict Under HIPAA

When a patient asks you not to share their health information with their insurer or for other purposes, HIPAA gives them specific rights under 45 CFR 164.522. Here is when you must comply and when you may decline.

May 5, 2026 · 9 min
HIPAA

Patient Wants to Amend Their Medical Record: When You Can (and Cannot) Say No

A patient asks you to change their medical record. HIPAA gives them the right to request amendments under 45 CFR 164.526 but also gives you specific grounds for denial. Here is how to handle it correctly.

May 2, 2026 · 9 min
HIPAA

Patient Requesting Medical Records: HIPAA Timelines and Denial Rules

How long does your practice have to respond when a patient requests their medical records? This guide covers the HIPAA right of access timeline, allowable fees, denial grounds, and how to stay compliant under 45 CFR 164.524.

April 30, 2026 · 10 min
HIPAA

EHR System Down for Days: Patient Access Rights and HIPAA Obligations

What healthcare practices must do when their EHR system is down for an extended period. Covers HIPAA patient access rights under 45 CFR 164.524, contingency planning, and OCR enforcement on access delays.

April 28, 2026 · 10 min
HIPAA

Paper Charts Stolen from a Car: HIPAA Breach Obligations for Physical PHI

HIPAA breach obligations when paper patient charts are stolen from a car. Covers breach assessment for physical PHI, notification requirements, law enforcement coordination, and prevention policies.

April 25, 2026 · 9 min
HIPAA

Emailed PHI to the Wrong Person: Breach Assessment and Next Steps

What to do after emailing protected health information to the wrong recipient. Covers HIPAA breach assessment, encryption considerations, recall options, notification requirements, and prevention.

April 23, 2026 · 9 min
HIPAA

Patient Records Found in a Dumpster: HIPAA Disposal Violations Explained

What happens when patient records are found improperly disposed of in a dumpster. Covers HIPAA disposal requirements, breach assessment, OCR enforcement history, and corrective action steps.

April 21, 2026 · 9 min
HIPAA

Faxed Patient Records to the Wrong Number: Is It a HIPAA Breach?

What to do when patient records are faxed to the wrong number. Covers HIPAA breach assessment, the four-factor test for misdirected faxes, mitigation steps, and when notification is required.

April 18, 2026 · 9 min
HIPAA

Ransomware Hit Your Practice: The HIPAA Breach Response Checklist

A step-by-step HIPAA breach response checklist for medical practices hit by ransomware. Covers containment, the OCR presumption of breach, notification obligations, and recovery planning.

April 16, 2026 · 11 min
HIPAA

Lost a Laptop with Patient Data: HIPAA Breach Steps You Must Take Now

Step-by-step guide for healthcare practices that have lost a laptop containing patient data. Covers breach assessment, encryption safe harbor, notification timelines, and OCR reporting requirements.

April 13, 2026 · 10 min
HIPAA

HIPAA Compliance Training Near Me: How GuardWell Serves Healthcare Organizations Nationwide

Looking for HIPAA compliance training near me? GuardWell serves healthcare organizations nationwide with expert-led, tailored training. Start your free trial today.

April 6, 2026 · 10 min
HIPAA

Did You Miss the February 2026 HIPAA Notice of Privacy Practices Deadline? Here's How to Catch Up

The February 16, 2026 deadline to update your HIPAA Notice of Privacy Practices has passed. If your NPP still hasn't been updated, here's exactly what changed, what you're exposed to, and how to fix it this week.

March 25, 2026 · 10 min
HIPAA

The Proposed HIPAA Security Rule Overhaul: What Your Practice Should Start Preparing For Now

HHS has proposed the biggest update to the HIPAA Security Rule since 2003. The rule is not yet final, but here's what the proposed changes mean for your small practice and what you can start doing now to prepare.

March 24, 2026 · 11 min
Compliance

Do I Need a BAA With My Cloud Fax, IT Company, or Answering Service?

If a vendor touches patient information on your behalf, you probably need a Business Associate Agreement. Here is how to identify which vendors require BAAs and what to do if you are missing them.

March 18, 2026 · 7 min
OSHA

An OSHA Inspector Just Showed Up at My Practice — What Are My Rights?

An OSHA compliance officer arrived for an unannounced inspection of your medical practice. Here is what to expect, your legal rights during the inspection, and how to avoid common mistakes.

March 17, 2026 · 8 min
HIPAA

An Employee Accessed Patient Records Without Authorization — What Are My Obligations?

A staff member snooped in patient records they had no reason to access. Here is what HIPAA requires you to do: investigation steps, breach determination, sanctions, and reporting obligations.

March 16, 2026 · 9 min
HIPAA

We Sent PHI to the Wrong Patient — Now What?

A misdirected fax, email, or patient portal message containing PHI is one of the most common HIPAA incidents. Here is your step-by-step response plan for the first 72 hours.

March 15, 2026 · 8 min
HIPAA

How Much Is a HIPAA Violation Fine for a Small Practice?

The real costs of HIPAA violations for small medical practices — fine amounts by tier, recent enforcement examples, and what determines your penalty. Includes steps to reduce your risk.

March 14, 2026 · 8 min
HIPAA

I Just Got a Letter from OCR — What Do I Do?

Step-by-step guide for medical practices that received an investigation letter from the HHS Office for Civil Rights. What it means, how to respond, and how to protect your practice.

March 13, 2026 · 9 min
Industry

The Cost of Non-Compliance: HIPAA, OSHA, and OIG Penalties

An analysis of the financial, operational, and reputational costs of non-compliance for medical practices, including penalty structures for HIPAA, OSHA, and OIG violations.

March 12, 2026 · 9 min
Training

Creating an Effective Compliance Training Program

A practical guide for medical practices on designing, implementing, and measuring a compliance training program that drives real behavioral change and satisfies regulatory requirements.

March 10, 2026 · 7 min
OSHA

Workplace Violence Prevention in Healthcare Settings

How medical practices can develop and implement a workplace violence prevention program compliant with OSHA guidelines and emerging state mandates for healthcare employers.

March 7, 2026 · 7 min
Training

How to Build a Healthcare Compliance Training Program

Learn how to build an effective healthcare compliance training program — required topics, training frequency, documentation standards, and how to track completion across your staff.

March 4, 2026 · 7 min
Compliance

Medical Practice Compliance: The Complete 2026 Guide

A comprehensive overview of medical practice compliance requirements in 2026 — covering HIPAA, OSHA, OIG, CLIA, MACRA/MIPS, DEA, CMS, TCPA, state law, and staff training for doctors' offices.

March 4, 2026 · 10 min
Regulatory

OIG Compliance Program for Small Practices: Getting Started

A practical guide to implementing the seven elements of an effective compliance program as recommended by the OIG, tailored for small and mid-size medical practices.

March 4, 2026 · 8 min
Regulatory

DEA Controlled Substance Compliance for Medical Practices

Essential DEA compliance guidance for medical practices covering registration, prescribing requirements, recordkeeping, storage, disposal, and audit preparation for controlled substances.

March 1, 2026 · 8 min
Compliance

How to Prepare for a HIPAA Audit: A Practice Manager's Guide

Practical advice for medical practice managers on how to prepare for an OCR HIPAA audit, including what to expect, which documents to have ready, and the most common deficiencies found.

February 25, 2026 · 9 min
HIPAA

HIPAA Breach Notification: Rules, Timelines, and Penalties

A complete guide to HIPAA breach notification requirements — what constitutes a breach, notification timelines, how to report to OCR, and the penalties for non-compliance.

February 18, 2026 · 7 min
Training

Staff Training Requirements for Healthcare Compliance in 2026

A complete overview of mandatory staff training requirements for medical practices in 2026, covering HIPAA, OSHA, OIG, fraud and abuse, and role-specific training obligations.

February 18, 2026 · 7 min
HIPAA

HIPAA Breach Risk Assessment: The 4-Factor Test Explained

Understand how to apply the HIPAA four-factor breach risk assessment to determine whether an impermissible use or disclosure of PHI requires breach notification.

February 11, 2026 · 8 min
HIPAA

Telehealth Compliance: HIPAA Requirements for Virtual Care

Navigate HIPAA compliance for telehealth services with this guide covering technology requirements, patient consent, documentation, and security safeguards for virtual care delivery.

February 8, 2026 · 8 min
Compliance

What Is an OIG Compliance Program? 7 Elements Explained

A plain-language guide to the OIG's 7 elements of an effective healthcare compliance program — what each element requires and why every medical practice should implement one.

February 4, 2026 · 8 min
HIPAA

Understanding Business Associate Agreements Under HIPAA

Everything medical practices need to know about HIPAA Business Associate Agreements — who qualifies as a BA, what the agreement must include, and how to manage your vendor relationships.

February 4, 2026 · 7 min
OSHA

Bloodborne Pathogens Exposure Control Plan: What Every Practice Needs

Learn how to create and maintain a compliant Bloodborne Pathogens Exposure Control Plan for your medical practice, covering OSHA requirements, engineering controls, and post-exposure procedures.

January 28, 2026 · 8 min
OSHA

OSHA Requirements for Medical Offices: A Complete Guide

Everything medical offices need to know about OSHA compliance — bloodborne pathogens, hazard communication, emergency action plans, PPE, and recordkeeping requirements explained.

January 21, 2026 · 8 min
OSHA

OSHA Recordkeeping: Understanding Forms 300, 300A, and 301

A comprehensive guide to OSHA recordkeeping requirements for medical practices, covering the OSHA 300 Log, 300A Annual Summary, and 301 Incident Report forms.

January 21, 2026 · 8 min
Regulatory

Medicare Compliance for Medical Practices: CMS Requirements

A guide to Medicare compliance obligations for medical practices, covering PECOS enrollment, billing compliance, Stark Law, Anti-Kickback Statute, and emergency preparedness requirements.

January 18, 2026 · 9 min
HIPAA

Security Risk Assessment: A Step-by-Step Guide for Medical Practices

Learn how to conduct a thorough HIPAA Security Risk Assessment for your medical practice with this detailed step-by-step walkthrough covering scope, threats, vulnerabilities, and remediation.

January 14, 2026 · 9 min
HIPAA

HIPAA Compliance Checklist for Small Medical Practices in 2026

A practical HIPAA compliance checklist for small medical practices covering the Privacy Rule, Security Rule, breach notification, risk assessments, and staff training requirements.

January 7, 2026 · 7 min

All-in-one healthcare compliance, finally simple

HIPAA, OSHA, OIG, DEA, MACRA, allergen safety, state law — purpose-built for small and mid-size medical practices. Start your 7-day free trial today.

$199/mo with annual billing · 7-day free trial · Cancel anytime
