Our HIPAA posts clarify what recent Office for Civil Rights (OCR) guidance, state privacy statutes, and FTC data-breach actions mean for everyday practice. Whether OCR narrows website-tracking rules or a state tightens minors’ record protections, we outline compliance steps—not just the legal theory—to safeguard protected health information (PHI).
Each article reviews recent fines, settlements, and court opinions. We explain how a medical group fell short on encryption, why an outdated business-associate agreement led to penalties, and what risk-analysis gaps auditors flagged. Checklists translate those lessons into updated password policies, media-response templates, and patient-notification timelines.
Blogs tackle thorny topics such as charging reasonable copying fees, redacting records that contain reproductive-health information, and handling portal requests from family members. We break down the legal text and offer sample workflows so practices can provide timely access without sacrificing privacy or opening the door to refund demands dressed as HIPAA complaints.
Responding to negative reviews while preserving confidentiality is a recurring theme. Posts give physicians vetted scripts for addressing grievances, clarify when a brief acknowledgment is permissible, and outline steps to rebut defamation through platform channels or legal remedies—all without disclosing PHI.
You’re in the middle of a busy clinic when federal agents walk through your front door. They flash their badges. “We’re from ICE,” one says. “We’re looking for someone.” Do you let them in? It’s a question that makes every physician and practice manager pause—not because anyone is hiding fugitives, but because we live in … Read more
Each year, there are over 100 million emergency department visits in the US. Imaging is performed in over 50% of such encounters. CT scans are performed in 20% of such visits. Not infrequently, a surprise finding is identified. It is estimated that an actionable incidental finding (AIF), defined as a “mass or lesion, detected by … Read more
The Department of Health and Human Services (HHS) issued a guidance document called Online Tracking Bulletin. It then revised that document. The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued in November 2023 arguing that HHS over-reached and that the bulletin was unlawful. This was not … Read more
Can You Store Protected Health Information on iCloud? No. The information stored on a cloud provider must be transported to and stored securely. How secure? Reasonably secure. iCloud likely meets that test. In addition, there must be a signed Business Associate Agreement (BAA) in place before Protected Health Information PHI is transferred between organizations. This … Read more
If a patient asks for their records, according to HIPAA, what records must you provide? According to HIPAA you need to send the patient their medical (dental) records. And within 30 days in the format they want. Some states, such as California, have an accelerated timeline of 15 days. OK, so, what are “patient records?” … Read more
This question hit my desk. I’ve received some version of this same question over and over. A plastic surgeon performed aesthetic surgery on a patient. Objectively the results look good. Subjectively, the patient disagrees. Sound familiar? There’s a conflict. The patient takes the conflict online. She posts photos which are a few days post-op. They … Read more
Physicians take all sorts of photographs. Some are part and parcel of a surgeon’s practice. Before and after photos of cosmetic surgery. For example. No surprises there. Patients of Lehigh Valley Health Network were surprised that hackers obtained photos of their naked bodies while undergoing radiation treatment. Hackers breached the network. A Lehigh Valley Health … Read more
Generally, a patient needs to sign a HIPAA authorization form to disclose their protected health information. Unless there’s an exception. Such as addressing Treatment, Payment, or Operations (“TPO”). No written authorization is needed for such exceptions – for example, to disclose limited protected health information to resolve a financial dispute (say, a credit card chargeback … Read more
When the Health Insurance Portability and Accountability Act (HIPAA) was first established in 1996, it lacked the stringent penalties we see today. But in recent years, the enforcement landscape has transformed significantly. The Office for Civil Rights (OCR) conducts random audits, and multi-million dollar fines are now common. This means that no practice is immune … Read more
I hear from so many physicians about how much they love documenting in the medical record. In fact, if they could do it every waking hour, they would. Just kidding. Today, patients have easy access to their medical records and test results. What happens when they disagree with what you wrote? Do you have to … Read more
