HIPAA fines for ignoring a specific requirement can reach $25,000 per violation. Most at risk are large facilities that process hundreds of patient records. Access to records must also be customized per employee. For instance, a specialist in a hospital should have direct access to the records of all patients in his or her care, but not necessarily to all the patient files in the facility.
Furthermore, keeping a clean audit trail of record access – a requirement of HIPAA – has led some facilities to require positive identification each time a record element is changed, which makes typed passwords particularly inefficient. In response, information technology (IT) organizations have spent aggressively on security precautions such as firewalls, virtual private networks and other devices controlling TCP/IP traffic, as well as anti-virus software.