The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that requires privacy and security safeguards for protected health information (PHI). It is meant to ensure that individuals' health information is adequately protected while still allowing high-quality health care to be delivered. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the law.
Why focusing on HIPAA matters
HIPAA violations are not just a legal issue; they can have significant financial and reputational repercussions. According to HHS and The HIPAA Journal, $124 million in financial penalties have been imposed in the past decade, averaging over $300,000 per penalized entity in 2023 alone. As of mid-2024, nearly $5 million in penalties have been imposed for the year as the OCR continues to work through its investigation backlog. These numbers underscore the importance of maintaining HIPAA compliance to protect your organization's reputation and financial standing.
Find out if you're a covered entity
Ignorance isn't an excuse for noncompliance
Every regulated entity (including hospitals, health plans, healthcare clearinghouses, and the business associates that handle PHI on their behalf) is responsible for knowing and adhering to the HIPAA regulations that apply to it.
Not all fines result from mishandling PHI. Many past violations resulted from inadequate training or failure to conduct a proper risk analysis. Cases like these underscore the need for covered entities and business associates to take a proactive approach to compliance rather than waiting for a violation to occur, since the OCR also conducts periodic audits of covered entities and their business associates.
Most violations come to the OCR as complaints, often filed by employees (entities may not retaliate against whoever files a complaint), or through self-reporting after an internal audit. According to HHS, the most common issues raised in these complaints are:
- Impermissible use and disclosure of PHI
- Lack of safeguards
- Lack of patient access to their own PHI
- Using or disclosing more PHI than the minimum necessary
In such cases, the OCR reviews the information to determine whether the entity violated the HIPAA Privacy Rule or Security Rule. If the entity is found to be non-compliant, the OCR attempts to resolve the issue through voluntary compliance, corrective action, and/or a resolution agreement.
Data breaches are on the rise
Proactively safeguarding PHI has become even more critical as data breaches have become more common. In 2023, 725 data breaches exposing more than 133 million records were reported to the OCR, and nearly 80% of them were attributed to hacking incidents.
Protecting patients' data is critical to maintaining their trust and your organization's reputation. Trust takes time to build, and a single leak can undermine it in an instant.
All the benefits of video, with less risk
From interactive training to live and on-demand communication to patient education, video is a powerful tool for healthcare professionals serving patients and communities. Operating in a HIPAA-regulated industry, however, adds a layer of complexity to video management and third-party tooling: any vendor that stores or transmits PHI on your behalf is a business associate and must be engaged under a business associate agreement (BAA).
As part of our commitment to helping these organizations, Vimeo completed the HHS security risk analysis, validating Vimeo's compliance with the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. Additionally, we follow industry best practices for security and compliance and hold SOC 2 and ISO 27001 certifications.
Want to learn more about Vimeo's HIPAA-compliant video solutions for healthcare organizations? Check out the additional resources below or request a demo.
What healthcare providers need to know about video and HIPAA →