Wednesday, August 21, 2019

HIPAA - 101.. Vol 8 rel 7

If you work in the field of healthcare, you’ve more than likely heard of HIPAA law. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This law was put into place to protect the privacy and rights of patients and to safeguard patient medical information. Whether you work in the medical industry, or you just want to understand how your medical information is being protected and secured, you need to understand HIPAA law and how it affects the use of patient information and the transmission of electronic medical records. 

What is HIPAA Law? 

HIPAA was passed by the United States Congress and signed into law on August 21, 1996. For the purposes of this discussion, its main purpose is to protect patient medical data, patient insurance information, and other personal information. 

Three parts of HIPAA matter here: the Privacy Rule, the Security Rule, and the Breach Notification Rule. 

The Privacy Rule defines PHI, Protected Health Information, as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” 

The Security Rule covers how PHI that is held or transmitted in electronic form (electronic Protected Health Information, ePHI) must be protected; covered entities other than small health plans had to comply with it by April 20, 2005. 

The third part of HIPAA, the Breach Notification Rule, defines what constitutes a breach and the steps that must be taken when one occurs, that is, when PHI is accessed, used, or disclosed without authorization. If you work in healthcare in any capacity, whether as a doctor, nurse, transcription professional, receptionist, or even at home as a medical coder, medical writer, or medical claims examiner, you must comply with HIPAA privacy, security, and breach notification requirements. 

Mandatory compliance means that anyone who works in the healthcare industry and has access to patient data must take any precautions that are necessary to remain HIPAA compliant. 

What Are the Objectives of HIPAA? 
HIPAA was created with the following objectives: 

  1. to “improve the portability and accountability of health insurance coverage” for employees between jobs 
  2. to combat waste, fraud and abuse within the healthcare and health insurance industries 
  3. to promote the use of medical savings accounts through tax breaks 
  4. to provide insurance coverage for employees with pre-existing medical conditions 
  5. to simplify health insurance administration 
The Privacy and Security Rules were put into place to ensure that: 

  1. a patient has the right to control access to their own health information 
  2. a patient is not required to disclose information about any healthcare they receive that is privately funded 
  3. all healthcare providers take the necessary steps to determine how patient information is disclosed, whether the disclosure is in the form of physical documentation or electronic transmission 
  4. the patient must grant permission before their personal information is used for marketing, fundraising, or research purposes 

Since HIPAA has changed the way that doctors, nurses, and staff handle patient medical records, insurance information, and personal data, let’s take a look at what you need to know about complying with HIPAA law, especially if you are interested in pursuing a career in healthcare. 


What It Does and Doesn’t Have Domain Over 

First, let’s outline what HIPAA actually applies to: covered entities and business associates. 

Covered Entities (CE): health plans, healthcare providers, and healthcare clearinghouses 
Business Associates (BA): anyone who performs functions on behalf of a covered entity that involve protected health information 
So, now that we know who may be liable under HIPAA, let’s look at what is covered. 
Protected Health Information (PHI): Any information that relates to the individual’s health or condition, information on the provision of healthcare to the individual, or information regarding the payment for the provision of healthcare to the individual. 
Personally Identifiable Information (PII): Data such as name, address, social security number, etc. 

In order for HIPAA to be applicable, both PHI and PII must be present, in conjunction with a CE. Here are a few case studies: 

Case 1: An application that provides personal fitness data to the user. In this situation, a vast amount of PII exists; however, no PHI exists (only fitness data, which is provided solely to the user), and therefore this is not covered by HIPAA. 

Case 2: An application that takes its users’ healthcare data and provides it to physicians in aggregate form. Under this case, there is no PHI or PII, since no single user can be identified from the aggregated data, and therefore HIPAA once again does not apply. Note that aggregated data escapes HIPAA only if it meets the Privacy Rule’s de-identification standard, so that no individual can reasonably be re-identified from it. 

Case 3: A monitoring application that reminds patients to take their medications in a timely manner. In this situation, there is PII and PHI; however, since there is no covered entity involved and the information’s final destination is the user, HIPAA does not apply. 

Case 4: A monitoring application prescribed by a physician, or an application that provides data to the physician. Under these conditions, there is PII and PHI, which is provided to covered entities, and therefore HIPAA applies. 

So, what if you have an application enforceable under HIPAA? There are a few strict rules that must be followed in order to be HIPAA-compliant.  

Privacy Rule:  

Applicable to all CEs: using or disclosing PHI for anything other than treatment, payment, or healthcare operations is forbidden unless the patient’s written authorization is obtained, apart from the narrow exceptions the Rule itself lists. 

Security Rule:  

This rule, pertinent to all CEs, covers the standard safeguards for health data held in electronic form. It addresses the administrative, physical, and technical aspects of protecting that data: for example, how the data is stored, how access to it is documented and reviewed, and how it is encrypted. While there are many required aspects to this rule, the standards are flexible, and it is important to understand the difference between required and addressable implementation specifications. Finally, notifying HHS in the event of a breach is governed by the separate Breach Notification Rule. 

These obligations apply to all CEs. But you may be wondering how the Business Associate (BA) fits into HIPAA policies. According to Stefano, there is one golden rule that all BAs should follow: the BA can’t cause the CE to breach its HIPAA obligations. 

Summary of the HIPAA Security Rule

This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.

Introduction

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. 

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. 

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. In the event of a conflict between this summary and the Rule, the Rule governs.

Statutory and Regulatory Background

  • The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.
  • HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.
  • The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.

Who is Covered by the Security Rule

The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates. 

Business Associates

The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. HHS developed regulations to implement and clarify these changes.

What Information is Protected

Electronic Protected Health Information. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing. 

General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources. 

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule. 

A risk analysis process includes, but is not limited to, the following activities:
  • Evaluate the likelihood and impact of potential risks to e-PHI;
  • Implement appropriate security measures to address the risks identified in the risk analysis;
  • Document the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Administrative Safeguards

  • Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. 
  • Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures. 
  • Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
  • Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical Safeguards

  • Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Technical Safeguards

  • Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network. 

Required and Addressable Implementation Specifications

  • Covered entities are required to comply with every Security Rule "Standard." However, the Security Rule categorizes certain implementation specifications within those standards as "addressable," while others are "required." The "required" implementation specifications must be implemented. The "addressable" designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.

Organizational Requirements

  • Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI. 
  • Business Associate Contracts. HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.

Policies and Procedures and Documentation Requirements

  • A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
  • Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

State Law

  • Preemption. In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply. “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

Enforcement and Penalties for Noncompliance

  • Compliance. The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.

Compliance Dates

  • Compliance Schedule. All covered entities, except “small health plans,” must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply. 

BA obligations: 
  • Required to enter into a business associate agreement with the CE. 

After the HITECH Act, a BA must also: 
  • Comply with HIPAA’s business associate safeguards on use restrictions 
  • Comply with the Security Rule 
  • Notify the CE in case of a breach 

HIPAA can be Complicated 

HIPAA compliance, designed to protect the privacy and security of your patients and clients, can be complicated. To break it down, we’ve put together a handy HIPAA Compliance Checklist.   
Before we dive in, a quick word about requirements: one of the complexities of HIPAA compliance is that it’s not always clear what’s mandatory and what isn’t. You’ll notice that certain implementation specifications are designated as required, while others are called “addressable.” Addressable does not mean optional: a Covered Entity must either implement the specification, implement a reasonable and appropriate alternative that achieves the same purpose, or document why neither is reasonable and appropriate in its environment. 


HIPAA Compliance Checklist  

Now, back to the HIPAA Compliance Checklist. There are two main rules that Covered Entities and their Business Associates should familiarize themselves with in order to be HIPAA compliant: HIPAA’s Privacy Rule and Security Rule. 

THE HIPAA COMPLIANCE CHECKLIST PRIVACY RULE 

The Privacy Rule sets national standards for who is allowed to have access to PHI, whether it’s found in electronic, paper, or oral form. In other words, it spells out guidelines for Covered Entities to consider as they share PHI with Business Associates. 
The Privacy Rule is designed to ensure that PHI is properly protected. But it attempts to be practical, too, by allowing authorized parties to transmit and share PHI in order to provide proper care. 

Here’s a checklist for the Privacy Rule: 

  • Privacy policies and procedures. Develop and implement written privacy policies and procedures consistent with the Privacy Rule. 
  • Privacy personnel. Appoint a privacy official to develop and implement the aforementioned privacy policies. Designate a contact person responsible for receiving complaints and providing individuals with information about privacy practices. 
  • Workforce training and management. Train everyone on your workforce—including employees, volunteers, and others—on your privacy policies, and apply appropriate sanctions against those who violate the standards. 
  • Mitigation. Mitigate any harmful effect that might be caused by an employee’s or Business Associate’s improper use or disclosure of PHI. 
  • Data safeguards. Maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI—whether it’s intentional or not. Solutions might include shredding documents, employing pass codes, or limiting access to private information. 
  • Complaints procedures. Implement procedures for individuals to complain to the Covered Entity about its HIPAA compliance, and inform people that complaints may also be submitted to the Secretary of the U.S. Department of Health & Human Services. 
  • Retaliation and waiver. Don’t retaliate against anyone who exercises his or her Privacy Rule rights. Don’t ask people to waive their Privacy Rule rights as a condition for obtaining treatment, payment, or enrollment eligibility. 
  • Documentation and record retention. Store records of your privacy policies, privacy practice notices, disposition of complaints, and other actions for six years after the later of their creation or last effective date. 

In general, the Privacy Rule works to limit the disclosure of protected information. With these rules in place, it also grants individuals the opportunity to hold Covered Entities accountable for how they handle PHI. 

THE HIPAA COMPLIANCE CHECKLIST SECURITY RULE 

While the Privacy Rule applies to PHI in any form, the Security Rule is tailored to protecting the growing volume of electronic protected health information (ePHI) at every stage of its life cycle: creation, storage, sharing, and disposal. 
With cloud computing and BYOD culture on the rise in work environments everywhere, adhering to the Security Rule is more important than ever in order to ensure HIPAA compliance. 

The HIPAA compliance checklist Security Rule is divided into three different safeguard categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. 
Each of the safeguard categories is itself divided into standards for Covered Entities to follow to ensure HIPAA compliance. Each standard, in turn, contains several implementation specifications, or additional instructions to help implement the standard. 

So: safeguards, standards, and specifications. It’s no wonder that complying with HIPAA seems daunting. 

But let’s take a closer look at the following safeguard checklists, so you know what to do to make sure you’re following the Security Rule. 

The HIPAA Compliance Checklist Administrative Safeguards 

The Administrative Safeguards are just that: administrative policies to govern the workforce and ensure HIPAA compliance. There are nine of them, which we’ve listed below along with implementation guidelines for how to meet them. 

Standard 1. Security Management Process 

  • Risk Analysis (required) – Thoroughly assess potential risks and vulnerabilities concerning the confidentiality, integrity, and availability of ePHI. 
  • Risk Management (required) – Implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level. 
  • Sanction Policy (required) – Establish appropriate sanctions for employees who don’t comply with privacy and security policies. 
  • Information System Activity Review (required) – Establish procedures for regularly reviewing records of information system activity. 

Standard 2. Assigned Security Responsibility 

  • Assigned Security Responsibility (required) – Appoint a security official to develop and carry out the security policies and procedures. 

Standard 3. Workforce Security 

  • Authorization and/or Supervision (addressable) – Establish procedures to supervise and oversee employees working with ePHI. 
  • Workforce Clearance Procedure (addressable) – Establish procedures that ensure that an employee’s access to ePHI is authorized. 
  • Termination Procedures (addressable) – Implement procedures to ensure that a terminated employee will no longer have access to ePHI. 

Standard 4. Information Access Management 

  • Isolating Health Care Clearinghouse Functions (required) – This applies specifically to clearinghouses that are part of larger organizations. In that case, make sure the clearinghouse has policies that ensure its ePHI isn’t compromised by unauthorized members of the broader organization. 
  • Access Authorization (addressable) – Establish procedures for granting access to ePHI through particular workstations, processes, or programs. 
  • Access Establishment and Modification (addressable) – Enact policies that will establish, document, and modify a user’s right to access ePHI. 

Standard 5. Security Awareness and Training 

  • Security Reminders (addressable) – Establish a method for issuing periodic security reminders to the workforce. 
  • Protection from Malicious Software (addressable) – Have procedures to guard against malicious software that may be able to access and compromise ePHI. 
  • Log-in Monitoring (addressable) – Implement a method to monitor log-in attempts and keep track of any discrepancies. 
  • Password Management (addressable) – Implement procedures for creating, changing, and safeguarding passwords. 
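To make the Log-in Monitoring specification (and Standard 1’s Information System Activity Review) concrete, here is an added example written for this article; it is not taken from any HHS guidance or from a vendor product. It reviews a constructed authentication log for two discrepancies a reviewer would want surfaced: a burst of failed logins for one account inside a sliding window, and a success that immediately follows such a burst. The one-line-per-attempt log format (`<RFC3339 time> user=<id> result=<OK|FAIL> src=<ip>`), the threshold, the window and the log lines themselves are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of the authentication log.
type LoginEvent struct {
	At     time.Time
	User   string
	Result string // "OK" or "FAIL"
	Src    string
}

// Alert is one discrepancy for the periodic activity review.
// Kind is "burst" or "success-after-burst".
type Alert struct {
	User, Kind, Detail string
}

// ParseLine reads "<RFC3339> user=<u> result=<OK|FAIL> src=<ip>" (an assumed
// format). A line that does not parse is an error, not a skip: a gap in the
// audit trail is itself something the reviewer must see.
func ParseLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return LoginEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	kv := map[string]string{}
	for _, field := range f[1:] {
		parts := strings.SplitN(field, "=", 2)
		if len(parts) != 2 {
			return LoginEvent{}, fmt.Errorf("bad field %q in %q", field, line)
		}
		kv[parts[0]] = parts[1]
	}
	ev := LoginEvent{At: at, User: kv["user"], Result: kv["result"], Src: kv["src"]}
	if ev.User == "" || (ev.Result != "OK" && ev.Result != "FAIL") {
		return LoginEvent{}, fmt.Errorf("incomplete line: %q", line)
	}
	return ev, nil
}

// ReviewLogins flags (a) any user with at least threshold failed logins inside
// a sliding window and (b) a success that follows such a burst, which is the
// trace a guessed password leaves behind. Events are sorted by time first so an
// out-of-order log cannot hide a burst.
func ReviewLogins(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	events := make([]LoginEvent, 0, len(lines))
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })

	recent := map[string][]time.Time{} // failure times still inside the window, per user
	burst := map[string]bool{}         // whether a burst alert is open for the user
	var alerts []Alert
	for _, ev := range events {
		fails := recent[ev.User]
		for len(fails) > 0 && fails[0].Before(ev.At.Add(-window)) {
			fails = fails[1:] // expire failures that fell out of the window
		}
		switch ev.Result {
		case "FAIL":
			fails = append(fails, ev.At)
			if len(fails) == threshold { // fire once, when the threshold is crossed
				burst[ev.User] = true
				alerts = append(alerts, Alert{ev.User, "burst", fmt.Sprintf(
					"%d failures within %s ending %s from %s", threshold, window, ev.At.Format(time.RFC3339), ev.Src)})
			}
		case "OK":
			if burst[ev.User] && len(fails) > 0 {
				alerts = append(alerts, Alert{ev.User, "success-after-burst", fmt.Sprintf(
					"success at %s from %s after %d recent failures", ev.At.Format(time.RFC3339), ev.Src, len(fails))})
			}
			fails, burst[ev.User] = nil, false // a success closes the burst
		}
		recent[ev.User] = fails
	}
	return alerts, nil
}

// SampleLog is constructed for this example; it is not a real log.
var SampleLog = []string{
	"2019-08-21T09:00:01Z user=nurse.kim result=OK src=10.20.0.14",
	"2019-08-21T09:14:02Z user=dr.patel result=FAIL src=203.0.113.9",
	"2019-08-21T09:14:05Z user=dr.patel result=FAIL src=203.0.113.9",
	"2019-08-21T09:14:09Z user=dr.patel result=FAIL src=203.0.113.9",
	"2019-08-21T09:14:12Z user=dr.patel result=FAIL src=203.0.113.9",
	"2019-08-21T09:14:20Z user=dr.patel result=FAIL src=203.0.113.9",
	"2019-08-21T09:14:31Z user=dr.patel result=OK src=203.0.113.9",
	"2019-08-21T09:30:00Z user=nurse.kim result=FAIL src=10.20.0.14",
	"2019-08-21T11:30:00Z user=nurse.kim result=FAIL src=10.20.0.14",
}

func main() {
	alerts, err := ReviewLogins(SampleLog, 5, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-20s %-10s %s\n", a.Kind, a.User, a.Detail)
	}
}
```

Run against the sample, the review reports two alerts for dr.patel (the burst of five failures and the success eleven seconds later) and nothing for nurse.kim, whose two failures are two hours apart and never share a window. The same loop runs unchanged over a real export once the parser is adapted to the real format; the design point is that malformed lines stop the review rather than being dropped, because a reviewer who cannot trust the completeness of the record cannot sign off on it.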
Standard 6. Security Incident Procedures 

  • Response and Reporting (required) – Identify, mitigate, and document any security breaches or incidents and their effects. 

Standard 7. Contingency Plan 

  • Data Backup Plan (required) – Establish procedures to create and maintain retrievable exact copies of ePHI, so that data can be recovered after a breach, loss, or malfunction. 
  • Disaster Recovery Plan (required) – Create plans around restoring any lost data. 
  • Emergency Mode Operation Plan (required) – Establish how to continue critical business operations while protecting the privacy of ePHI in emergency conditions. 
  • Testing and Revision Procedures (addressable) – Be able to periodically test and revise contingency plans. 
  • Applications and Data Criticality Analysis (addressable) – Implement procedures to assess the relative importance of specific data and applications as part of contingency plans. 

Standard 8. Evaluation 

  • Evaluation (required) – Periodically assess technical and non-technical elements of ePHI security, especially in response to environmental or operational changes. 

Standard 9. Business Associate Contracts and Other Arrangements 

  • Written Contract or Other Arrangement (required) – Document in writing that business associates will comply with all ePHI protection procedures. 

The HIPAA Compliance Checklist Physical Safeguards 

There are four Physical Safeguards, which are geared toward protecting electronic systems and their data from outside threats, environmental hazards, and unauthorized intrusion. 

Standard 1. Facility Access Controls 

  • Contingency Operations (addressable) – Establish procedures that enable facility access and data restoration in case of emergency. 
  • Facility Security Plan (addressable) – Establish procedures to safeguard the facility and its equipment from unauthorized access, tampering, and theft. 
  • Access Control and Validation Procedures (addressable) – Implement procedures to control and validate a person’s access to the facility based on their role or function, including visitor control and control of access to software programs for testing and revision. 
  • Maintenance Records (addressable) – Establish procedures to record repairs and modifications to physical components of the facility, like doors, locks, or walls. 

Standard 2. Workstation Use 

  • Workstation Use (required) – Enact policies that specify functions, how those functions are performed, and the physical attributes of workstations from which ePHI can be accessed. 

Standard 3. Workstation Security 

  • Workstation Security (required) – Implement physical safeguards for all workstations that access ePHI in order to limit access solely to authorized users. 

Standard 4. Device and Media Controls 

  • Disposal (required) – Implement policies for the final disposal of ePHI or the hardware and electronic media on which it is stored. 
  • Media Re-use (required) – Establish policies concerning how ePHI should be removed from electronic media before it can be reused. 
  • Accountability (addressable) – Create policies to track movements of hardware and electronic media. 
  • Data Backup and Storage (addressable) – Implement policies to create retrievable, exact copies of ePHI before any equipment is moved. 

The HIPAA Compliance Checklist Technical Safeguards 

Five Technical Safeguards are put in place to protect data and access to it. 
Standard 1. Access Control 

  • Unique User Identification (required) – Assign a unique name and/or number to each user so that identity and activity can be tracked. 
  • Emergency Access Procedure (required) – Establish procedures for obtaining necessary ePHI in an emergency. 
  • Automatic Logoff (addressable) – Implement a mechanism that ends a session after a set period of inactivity. 
  • Encryption and Decryption (addressable) – Implement a mechanism to encrypt and decrypt ePHI. 

Standard 2. Audit Controls 

  • Audit Controls (required) – Implement hardware, software, or other mechanisms that will record and examine activity in the systems containing ePHI. 

Standard 3. Integrity 

  • Mechanism to Authenticate Electronic Protected Health Information (addressable) – Implement electronic mechanisms to corroborate that ePHI has not been inappropriately altered or destroyed. 

Standard 4. Person or Entity Authentication 

  • Person or Entity Authentication (required) – Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. 

Standard 5. Transmission Security 

  • Integrity Controls (addressable) – Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection. 
  • Encryption (addressable) – Implement a mechanism to encrypt ePHI whenever deemed appropriate. 

A recommended policy would be to encrypt the files before they are transmitted via HTTPS to Dropbox, thereby protecting the files both in transit and at rest. The encryption scheme employs an HMAC to ensure that the data cannot be modified or destroyed without detection. HTTPS alone protects the files only while they are in transit; encrypting them on the client before upload is what keeps them unreadable once they are stored with the provider. 
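The encrypt-before-upload policy just described, as an added example written for this article (it is not the post’s own code and not a Dropbox library). It also serves Standard 3 (Integrity), since the same tag check is what corroborates that a stored record was not altered. The block implements the scheme the paragraph names, AES-256-CTR with an HMAC-SHA256 tag computed over the ciphertext (encrypt-then-MAC), and additionally binds the file name into the tag so that a blob cannot be re-labelled as another patient’s file. It stops at producing the bytes a client would hand to the upload call; the blob layout, the key-derivation labels, the demo key and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	formatVersion = 0x01
	nonceSize     = aes.BlockSize // 16-byte initial counter block for CTR mode
	tagSize       = sha256.Size   // 32-byte HMAC-SHA256 tag
)

// ErrAuth covers tampering, truncation, a swapped file name and a wrong key alike.
var ErrAuth = errors.New("ephi blob failed authentication")

// deriveKeys splits one master key into independent encryption and MAC keys
// (HMAC-SHA256 under a fixed label per purpose) so the CTR key is never the MAC key.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	kdf := func(label string) []byte {
		m := hmac.New(sha256.New, master)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return kdf("aes-256-ctr encryption key"), kdf("hmac-sha256 authentication key")
}

// tag is HMAC-SHA256 over the length-prefixed file name plus header and ciphertext,
// so a blob cannot be re-labelled as another patient's file or altered undetected.
func tag(macKey []byte, name string, headerAndCiphertext []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var nameLen [4]byte
	binary.BigEndian.PutUint32(nameLen[:], uint32(len(name)))
	m.Write(nameLen[:])
	m.Write([]byte(name))
	m.Write(headerAndCiphertext)
	return m.Sum(nil)
}

// Seal returns version || nonce || AES-256-CTR(plaintext) || HMAC-SHA256 tag:
// the bytes that would be handed to the upload client instead of the plaintext.
func Seal(master []byte, name string, plaintext []byte) ([]byte, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes from a CSPRNG or KMS")
	}
	encKey, macKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 1+nonceSize+len(plaintext), 1+nonceSize+len(plaintext)+tagSize)
	out[0] = formatVersion
	nonce := out[1 : 1+nonceSize]
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	cipher.NewCTR(block, nonce).XORKeyStream(out[1+nonceSize:], plaintext)
	return append(out, tag(macKey, name, out)...), nil // encrypt-then-MAC
}

// Open verifies the tag in constant time before touching the ciphertext.
func Open(master []byte, name string, blob []byte) ([]byte, error) {
	if len(blob) < 1+nonceSize+tagSize || blob[0] != formatVersion {
		return nil, ErrAuth
	}
	encKey, macKey := deriveKeys(master)
	body, got := blob[:len(blob)-tagSize], blob[len(blob)-tagSize:]
	if !hmac.Equal(got, tag(macKey, name, body)) {
		return nil, ErrAuth // a wrong master key lands here too
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-1-nonceSize)
	cipher.NewCTR(block, body[1:1+nonceSize]).XORKeyStream(plaintext, body[1+nonceSize:])
	return plaintext, nil
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // demo key only; never hard-code a real one
	blob, err := Seal(master, "patient-00017.json", []byte("MRN 00017: fasting glucose 5.4 mmol/L"))
	if err != nil {
		panic(err)
	}
	_, err = Open(master, "patient-00018.json", blob) // same bytes, wrong file name
	fmt.Println("relabel detected:", errors.Is(err, ErrAuth))
	blob[1+nonceSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(master, "patient-00017.json", blob)
	fmt.Println("tamper detected:", errors.Is(err, ErrAuth))
}
```

The order of operations is the point: the tag is checked with `hmac.Equal` before a single byte is decrypted, so a modified, truncated or re-labelled blob is rejected without ever exposing padding or plaintext behaviour to the caller. AES-GCM would give the same confidentiality-plus-integrity property in one primitive; the page’s scheme calls for an HMAC, which is what is shown, and CTR mode was chosen because it needs no padding and so introduces no padding-oracle surface.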

Following steps outlined in these HIPAA Compliance Checklists is a good place to start, but we recommend asking an attorney or privacy officer to review each rule in its entirety. 

Checklist in hand, you might now be clearer on the policies you’re supposed to establish, but a little lost when it comes to actually implementing them—never mind actually protecting PHI.

We would like to thank our sponsors, for without them - our fine content wouldn't be deliverable!

___________________________________________

About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502


Thanks for your input, your ideas, critiques, suggestions are always welcome...

- Wasabi Roll Staff