search.noResults

search.searching

saml.title
dataCollection.invalidEmail
note.createNoteMessage

search.noResults

search.searching

orderForm.title

orderForm.productCode
orderForm.description
orderForm.quantity
orderForm.itemPrice
orderForm.price
orderForm.totalPrice
orderForm.deliveryDetails.billingAddress
orderForm.deliveryDetails.deliveryAddress
orderForm.noItems
Important: These services do not remove your legal responsibility. You remain responsible for understanding, confirming, and documenting what is done in your name.


Your HIPAA Compliance Responsibilities


HIPAA compliance is required by federal law. A proper program typically includes:


• A HIPAA policies and procedures manual • Documented risk analyses and risk management plans • Annual reviews, evaluations, and internal audits • Ongoing workforce training • Business Associate Agreements (BAAs) with all vendors handling PHI


Common Misunderstandings


1. “I have a BAA, so I’m covered.” BAAs help but do not eliminate scrutiny of your response and documentation.


2. “I bought a HIPAA manual years ago.” Compliance is an operating system, not a binder. Policies must be implemented, reviewed, updated, and documented.


Civil monetary penalties can be substantial, with per-violation minimums exceeding $71,000 in the highest tiers. Outcomes depend heavily on documentation showing a reasonable, implemented compliance program.


What You Should Do Now: Step-by-Step Step 1 — Confirm Notification


Check email (including spam), physical mail, and portals used by your EHR, billing vendor, or clearinghouse. Look for communications from TriZetto, Cognizant, Kroll, ChiroTouch, or partners. Search terms include “TriZetto,” “Cognizant,” “Kroll,” and “data breach.” If no notice is received, continue monitoring and consider proactively contacting vendors.


Step 2 — Verify Authenticity


Confirm sender domains and contact details. Cross-check phone numbers and URLs with official sources. Do not rely on contact information provided only in emails.


Step 3 — Record Your “Day 0”


Document the date the notice was received and by whom. This establishes your internal compliance timeline.


Step 4 — Decide on TriZetto/Kroll Services If offered, enrolling is usually advisable. Save enrollment confirmation, scope of services, deadlines, and assign one internal point person. Enrollment does not eliminate oversight responsibility.


Step 5 — Create a Breach Response File Create a folder titled “TriZetto Breach Response – [Practice Name] – 2025/2026.” Include: • Notice received • Day 0 record • Affected individual lists or summaries • Written confirmation of vendor actions • Patient notification letters • Proof of mailing/completion • OCR/state/media confirmations • Internal notes, calls, emails, decisions, dates • Patient inquiry log and staff scripts


This file is critical if regulators ask questions. Ple x us F eb/March 20 26 13


Step 6 — Conduct an Internal HIPAA Review Review: • Currency of your HIPAA manual • Current Security Rule risk analysis and follow-through • BAAs with all PHI vendors (EHR, billing, IT, cloud, shredding, remote access) • Breach documentation • Alignment of written policies with actual practices


Seek professional help promptly if gaps exist.


Step 7 — Communicate with Staff Brief staff clearly. Designate a point person. Instruct staff not to speculate or confirm impact without verification.


Suggested Script: “We’re aware of a cybersecurity incident involving a third-party vendor used for billing and insurance transactions. We’re working with the vendor and experts to complete all required steps under HIPAA. If information is confirmed to be affected, individuals will receive formal notification with available support resources.”


Step 8 — Prepare for Patient Questions


Be ready to explain that a third-party vendor experienced a security incident, that required steps are underway, and that affected individuals will receive individual notice and support services if applicable.


Step 9 — Escalate Early if Unsure


If you are unclear about notification requirements, timelines, or vendor actions, consult a HIPAA professional or legal counsel promptly. Delays increase risk.


Protecting Your Practice Going Forward Cyberattacks and HIPAA audits are increasing. Practices that fare best:


1. Keep HIPAA programs current: annual reviews, updated risk analyses, realistic breach policies.


2. Train staff continuously: onboarding, annual refreshers, cyber hygiene, documented attendance.


3. Strengthen business associate oversight: current BAAs, vendor inventories, incident expectations.


4. Stay audit-ready: organized documentation, annual tabletop exercises, accessible records.


Professional HIPAA compliance support helps reduce risk, manage breaches, maintain documentation, and free you to focus on patient care.


Conclusion


The TriZetto/ChiroTouch incident shows that even indirect vendor breaches can put your practice at risk. You cannot control every vendor, but you can control how you respond, document, and maintain compliance.


By acting promptly, leveraging vendor support appropriately, maintaining a current HIPAA program, training staff, and documenting thoroughly, you can protect patients and significantly reduce regulatory and financial exposure.


—The full white paper by Dr. Ty Talcott—which includes a helpful checklist for responding to this breach—can be found at https:// chirohealth.org/trizetto-white-paper.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32