HIPAA Is Not Just for Healthcare Part 2 focuses on what every business needs to know about HIPAA-related data breaches and reporting requirements. In this episode of TNtv, Sarah Badahman, Founder and CEO of HIPAAtrek, joins ThrottleNet to explain how and when to report a HIPAA breach, and why preparation and documentation are key to compliance.
Many business owners assume HIPAA only applies to the healthcare industry, but the truth is that HIPAA compliance rules extend to any organization that handles health-related information. That includes HR departments, insurance agencies, law firms, consultants, and IT service providers.
This second installment of the series builds on Part 1, explaining the specific steps organizations must take once a potential HIPAA incident occurs and the penalties for failing to comply.
Reporting Rules Depend on Population Size
In HIPAA Is Not Just for Healthcare Part 2, Sarah Badahman explains that HIPAA breach reporting rules depend on how many people are affected. The Office for Civil Rights (OCR) classifies incidents into two main categories based on the number of affected individuals.
1. Breaches Involving 500 or Fewer Individuals
If your business experiences a breach involving 500 or fewer individuals, you must report the incident to the OCR through their online portal at hhs.gov/ocr/office.
Reports must be submitted by the end of the calendar year in which the breach occurred. All affected individuals must also be notified, including details about the type of breach, how it happened, and what steps are being taken to protect their data.
As HIPAA Is Not Just for Healthcare Part 2 notes, even smaller breaches can create compliance and reputation issues if not handled quickly and transparently.
2. Breaches Involving More Than 500 Individuals
For larger incidents affecting more than 500 individuals, HIPAA Is Not Just for Healthcare Part 2 highlights that reporting timelines are much stricter.
Organizations must notify the OCR within 60 days of discovery and conduct a four-factor risk assessment to determine the extent of exposure.
In Missouri and many other states, this 60-day rule is closely enforced. Missing the deadline can lead to major fines and increased federal scrutiny.
“When it comes to HIPAA breaches, it’s not if one will happen — it’s when,” says Badahman. “Preparation and documentation are your best defense.”
The Four Factors in a HIPAA Risk Assessment
HIPAA Is Not Just for Healthcare Part 2 outlines the four factors that determine whether a HIPAA breach has occurred and how regulators will evaluate it:
- The nature and extent of the PHI involved
- The unauthorized recipient of the data
- Whether the PHI was actually acquired or viewed
- The steps taken to mitigate harm and prevent recurrence
Having these details documented in advance can help your business respond faster and more effectively if a breach occurs.
Creating a Mitigation Plan
One of the most important points made in HIPAA Is Not Just for Healthcare Part 2 is the need for a written mitigation plan. A mitigation plan documents how your organization responds to, contains, and corrects a data breach.
It should include:
- A timeline of response activities
- Assigned responsibilities and completion dates
- Ongoing updates and documentation of actions taken
If the OCR investigates, this plan will serve as proof of your organization’s compliance efforts. As Badahman explains, “It’s not enough to act — you must also prove it.”
Media Notification and Public Transparency
HIPAA Is Not Just for Healthcare Part 2 stresses that transparency is required for larger breaches. Businesses must:
- Notify local media outlets in the affected region
- Post a public statement on their website
- Provide a toll-free number that affected individuals can call to reach the organization
A dedicated security incident response team can manage these communications and ensure compliance with public notification requirements.
Business Associates Are Also Responsible
Another major focus of HIPAA Is Not Just for Healthcare Part 2 is how business associates share compliance responsibilities.
If your company, for example an IT vendor, law firm, or consultancy, handles PHI on behalf of another organization, you must follow the same HIPAA reporting and documentation requirements.
A Business Associate Agreement (BAA) is required for all such partnerships. This agreement should outline each party’s responsibilities, reporting timelines, and documentation procedures in the event of a breach.
Without a signed BAA, both the covered entity and the business associate can face penalties.
The Cost of Ignoring HIPAA Requirements
As discussed in HIPAA Is Not Just for Healthcare Part 2, the OCR evaluates breaches on two points: whether the organization was aware of the incident and how it acted once it knew. Organizations that fail to identify or report incidents promptly are far more likely to face fines and corrective action plans.
Penalties can reach up to $1.5 million per year, per violation category. Beyond financial penalties, businesses risk loss of trust, reputational harm, and federal oversight.
Proactive IT Management Prevents Breaches Before They Happen
HIPAA Is Not Just for Healthcare Part 2 emphasizes that prevention is the best form of compliance.
ThrottleNet helps businesses throughout St. Louis, Kansas City, and the Midwest implement secure, compliant IT solutions that meet HIPAA standards.
Our managed IT and cybersecurity services include:
- 24/7 threat monitoring and response
- Encrypted data storage and transfer
- Automated backups and disaster recovery
- Cybersecurity awareness training for staff
- HIPAA risk assessment and reporting support
With a 2-minute average response time, 93% same-day resolution, and a $500,000 Cybersecurity Protection Guarantee, ThrottleNet helps companies protect sensitive data and maintain HIPAA compliance with confidence.

About the Video
This article is based on HIPAA Is Not Just for Healthcare Part 2, a TNtv segment featuring Sarah Badahman, CEO of HIPAAtrek.
In this episode, Sarah explains how and when to report a HIPAA-related data breach, the difference between large and small incident reporting, and what documentation the Office for Civil Rights expects during an audit.
Watch the full TNtv episode: HIPAA Is Not Just for Healthcare Part 2: How and When to Report a HIPAA Breach
