Monthly Newsletter

Information is provided for educational purposes and is not intended as legal or consulting advice.

Why Trust Matters More Than Rules

Patients want to trust their provider.  With rising cyberattacks, patients fear that their medical records are at risk, which can cause them to avoid seeking care or withhold information.


HIPAA (the Health Insurance Portability and Accountability Act) is frequently viewed by providers as a set of legal regulations, but it is also a fundamental necessity for establishing, maintaining, and strengthening patient trust in the healthcare system.  It is all about patients having the confidence that their most private information is secure.


While compliance with the Privacy and Security Rules can avoid hefty fines and legal penalties, the deeper purpose of HIPAA is to protect the confidentiality, integrity, and availability of sensitive patient data.  Keeping that data secure, and available to providers even in a crisis, is essential for fostering a secure, patient-centered care environment.


It goes beyond a check-box mentality. HIPAA compliance is a moral and ethical obligation that prioritizes patient privacy and confidentiality, strengthening the patient-provider relationship.


Simply having policies and annual training produces compliance documentation, but it is insufficient.  True HIPAA compliance requires building a culture of privacy in which staff actively protect data, rather than treating it as a compliance task.


Organizations that treat HIPAA as a core part of their strategy, rather than an afterthought, build superior reputations, foster patient loyalty, and demonstrate reliability to partners.


Ensure Patient Dignity

It is all about an approach and attitude that supports doing the right thing, always. Does your organization treat sensitive data as an extension of the patient's body and dignity, rather than just as digital records?


Protecting patient information is a fundamental ethical commitment to trust, patient autonomy, and non-maleficence (doing no harm).  It rests on maintaining the confidentiality, integrity, security and availability of patient information, as described in the National Institutes of Health literature cited in the References below.


Confidentiality: Protecting Dignity and Trust

Ethical confidentiality is the duty to safeguard patient information disclosed during care, grounded in the expectation of privacy and respect.

  • The "Need-to-Know" Principle: Information is shared only with those directly involved in the patient's care.
  • Posthumous Duty: The ethical obligation to protect data continues even after the patient's death.
  • Breach Mitigation: Actively preventing unauthorized access (data breaches) and careless sharing (casual conversations, social media posts).

Integrity: Ensuring Accuracy and Safety

Integrity ensures that patient information is accurate, consistent, and reliable throughout its lifecycle.

  • Patient Safety: Unaltered and accurate records are essential for safe, effective treatment. Falsified or corrupted data can lead to misdiagnosis.
  • Preventing Unauthorized Alteration: Ethical practice prevents tampering with medical records, whether intentional or accidental.

Security: Upholding Privacy Standards

Security involves implementing technical, physical, and administrative safeguards to protect data from threats, breaches, and, in crises such as a ransomware attack, extortion.

  • Respect for Autonomy: Securely storing and transmitting data, such as using encryption for telemedicine sessions, is a direct expression of respect for a patient's right to control their personal information.
  • Accountability: Ensuring that only authorized personnel can access or modify records.

Availability: Ensuring Continuity of Care

Availability means that data is accessible to authorized users when and where it is needed.

  • Balancing Act: While security prevents, availability allows; they must be balanced to ensure that data protection does not hinder necessary care.
  • Preparedness: In a crisis, ethical stewardship means having robust, backed-up, and accessible systems to ensure that patient care is not compromised.
  • Under the proposed HIPAA Security Rule update expected to be finalized in 2026, organizations would have to establish and document the capability to restore lost or damaged ePHI within 72 hours of a security incident.

Build a Chain of Trust

Building a chain of trust between healthcare providers (Covered Entities) and Business Associates (BAs) is a regulatory requirement under HIPAA designed to ensure that Protected Health Information (PHI) remains secure throughout its entire lifecycle, even when handled by third parties. This chain of trust ensures that privacy and security obligations flow down to every subcontractor that creates, receives, maintains, or transmits PHI.

Proposed 2026 HIPAA and ERISA regulations are driving tighter, more audit-intensive relationships between covered entity providers and their business associates (BAs). Key changes include stricter cybersecurity standards, detailed data mapping, and mandatory disclosure of compensation for pharmacy benefit managers (PBMs) and consultants.


The HIPAA Final Rule is expected to be published in May 2026, with a 60-day effective date followed by a 180-day grace period for compliance. Covered entities should begin updating their policies now to meet these more stringent requirements.


A legally binding Business Associate Agreement (BAA) is the foundational document of the chain of trust. A robust BAA ensures that all parties (covered entities, business associates, and subcontractors) are bound by the same rigorous privacy and security standards, mitigating risk in an era where nearly half of all HIPAA breaches involve third-party vendors.

  • Mandatory Clauses: The BAA must explicitly outline permitted uses/disclosures, require the implementation of safeguards (administrative, physical, and technical), and mandate prompt breach reporting.
  • Defined Scope and Data Flows: Explicitly mapping where Protected Health Information (PHI) is created, stored, or transmitted to ensure the "minimum necessary" standard is applied.
  • Subcontractor Flow-Down Obligations: A crucial component requiring the business associate to bind any subcontractors to the same level of security and privacy protections.
  • Stringent Breach Notification Procedures: Defining clear timelines for reporting incidents to the covered entity (e.g., within 60 days at the outside, and faster where the agreement or proposed rule requires it, such as 24-hour notice when the business associate activates its contingency plan).
  • Security Safeguards Requirement: Mandating administrative, physical, and technical safeguards, including encryption in transit/at rest, multi-factor authentication (MFA), and regular risk assessments.
  • Termination and Destruction Protocol: Ensuring that upon contract termination, PHI is either returned or securely destroyed, with no further retention.
  • Audit and Compliance Rights: Granting the covered entity the right to audit the vendor's security controls and requiring access to records for HHS investigations.
  • Pre-engagement Requirement: The BAA must be signed before any PHI is shared.

Trust is built on verification, not just contracts

Do your due diligence. Conduct a comprehensive risk assessment to evaluate a vendor's security posture, policies, and procedures before partnering.

  • Verify the vendor's compliance claims against evidence, not against a self-attestation or a signed contract alone.
  • Review the vendor's documented risk analyses, audit trails, and, if applicable, third-party certifications or assessment reports.

Best Practices for Maintaining the Chain of Trust

  • Regular Updates: Reviewing and updating BAAs whenever services, technologies (e.g., cloud, AI), or regulations change, such as preparing for the pending HIPAA Security Rule revisions.
  • Vendor Due Diligence: Assessing a business associate's security posture before signing a BAA, rather than relying solely on the contract for security.
  • Employee Training: Ensuring the business associate trains its staff on the specific requirements of the BAA.
  • Assigning Liability: Clearly defining which party covers financial penalties, legal fees, or remediation costs in the event of a breach.

Consult with a HIPAA legal expert to assist your organization as you update your BAAs to comply with the new Final Rule. By tightening your BAAs and your relationships with vendors, you will move from a compliance posture to an active, operationalized partnership that protects patient data and reputation and builds patient trust.


Ethical Considerations in Crisis Situations

The devastation caused by the pandemic and the havoc experienced during and after a ransomware attack prompt providers to consider their ethical duty in a crisis. In crisis situations, HIPAA permits sharing patient information to prevent imminent threats to safety or when patients are incapacitated, prioritizing care over strict confidentiality. Ethical considerations require balancing patient autonomy with beneficence (doing good), justice in resource allocation, and maintaining transparency, even when standard consent protocols are waived.


Protecting information must be balanced with the need for immediate, life-saving information access.  In crises, there is an obligation to prioritize patient safety, sometimes requiring rapid data sharing. Clinicians sometimes mistakenly refuse to share information with caregivers when patients are in crisis due to misunderstanding HIPAA, causing harm.  A few considerations are listed below:

  • Abuse, Coercion or Neglect: Breaches of confidentiality may be ethically and legally warranted when patients are victims of abuse, coercion or neglect. In such cases, upholding confidentiality without context may perpetuate harm, while disclosure may be necessary to prevent serious injury or protect life.
  • Imminent Threat: Providers can disclose PHI without consent to anyone (family, law enforcement, the public) if they believe it is necessary to prevent or lessen a serious and imminent threat.
  • Proportionality: Limited disclosure of information may be ethically justifiable to prevent imminent harm. This relates to the Minimum Necessary Standard: disclose only the specific information required to address the immediate emergency.
  • Resilient Data Ecosystems: Ensuring that systems are designed to be reliable during disasters, maintaining trust and safety.
  • Disaster Relief: Information can be shared with organizations like the American Red Cross for coordinating family notifications without a patient's prior verbal permission.
  • Incapacitated Patients: If a patient is unconscious or otherwise unable to agree, providers may share information with family or friends if they determine it is in the patient's best interest.

Ultimately, these principles are meant to build a trusted, secure, and respectful environment for healthcare, fostering patient autonomy and preventing social, legal, or physical harm.


References

  • Shelat VG. Respecting privacy and upholding confidentiality: core ethical duties. Singapore Med J. 2025;66(12):685-689. doi: 10.4103/singaporemedj.SMJ-2025-147. Epub 2025 Dec 15. PMID: 41396294; PMCID: PMC12747445.
  • Varkey B. Principles of Clinical Ethics and Their Application to Practice. Med Princ Pract. 2021;30(1):17-28. doi: 10.1159/000509119. Epub 2020 Jun 4. PMID: 32498071; PMCID: PMC7923912.

HIPAA Training Solutions

Offered by the American Institute of Healthcare Compliance, a Licensing/Certification Partner with CMS.

Explore HIPAA training solutions for your management and executive teams. Choose the hyperlink below, check pricing and scroll down to "click here to review course details" to download the course information packet.

Information Technology and Security Professionals should have specialized training in HIPAA specific to supporting healthcare providers. The HIPAA for Managed Service Providers course listed below is provided by HIPAA for MSPs, and certification is provided by AIHC.

  • HIPAA COMPLIANCE: Online training with the option to certify online
  • HIPAA PRIVACY OFFICER (HPOC): Online training with the option to certify online
  • RIGHT OF ACCESS & RELEASE OF INFORMATION COMPLIANCE: Online training with the option to certify online
  • AUDITING FOR COMPLIANCE: Online training with the option to certify online
  • CLINICAL DOCUMENTATION IMPROVEMENT (CMDP): Online training with the option to certify online
  • CORPORATE COMPLIANCE: Online training with the option to certify online
  • REVENUE CYCLE MANAGEMENT 2025: Online training with the option to certify online
  • APPEALS MANAGEMENT 2025: Online training with the option to certify online
  • COMPUTERIZED PROVIDER ORDER ENTRY (Computerized Physician Order Entry, CPOEP): Online training with the option to certify online

HIPAA FOR MANAGED

SERVICE PROVIDERS

Online Training provided by


Certification provided by the American Institute of Healthcare Compliance.

How to Earn 0.25 Continuing Education Units by reading the Monthly Newsletter

  • Log in as a Member
  • Click on My Renewals from your Dashboard
  • Click on FREE CEUs for your next credential renewal!