Our HIPAA posts clarify what recent Office for Civil Rights (OCR) guidance, state privacy statutes, and FTC data-breach actions mean for everyday practice. Whether OCR narrows website-tracking rules or a state tightens minors’ record protections, we outline compliance steps—not just the legal theory—to safeguard protected health information (PHI).
Each article reviews recent fines, settlements, and court opinions. We explain how a medical group fell short on encryption, why an outdated business-associate agreement led to penalties, and what risk-analysis gaps auditors flagged. Checklists translate those lessons into updated password policies, media-response templates, and patient-notification timelines.
Blogs tackle thorny topics such as charging reasonable copying fees, redacting records that contain reproductive-health information, and handling portal requests from family members. We break down the legal text and offer sample workflows so practices can provide timely access without sacrificing privacy or opening the door to refund demands dressed as HIPAA complaints.
Responding to negative reviews while preserving confidentiality is a recurring theme. Posts give physicians vetted scripts for addressing grievances, clarify when a brief acknowledgment is permissible, and outline steps to rebut defamation through platform channels or legal remedies—all without disclosing PHI.
The following request occasionally pops up. “You took care of my wife. She recently passed away. Can I have a copy of her records?” HIPAA survives death. For 50 years. The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual. This … Read more
New HIPAA Requirements for Substance Use Disorder Privacy Protections On recent visits to see my physicians, I’m asked to use an electronic pen to sign a pad “about HIPAA.” I have no idea what I’m signing. I’m not shown the document, though I assume if I asked, the receptionist would grudgingly find a copy. One … Read more
As per HIPAA, a covered entity cannot disclose protected health information unless the referenced patient (or guardian/representative) gives authorization. Or there’s an exception to that requirement. So, what IS protected health information (PHI)? Protected health information is information, including demographic information, which relates to: For example, a medical record, laboratory report, or hospital bill would … Read more
HIPAA is not a “set it and forget it” rulebook. It’s a living framework that evolves as technology changes, as patient expectations shift, and as regulators redefine what qualifies as protected health information (PHI). Even if you haven’t touched your privacy policies in years, you might still be violating HIPAA today—without realizing it. Let’s look … Read more
You’re in the middle of a busy clinic when federal agents walk through your front door. They flash their badges. “We’re from ICE,” one says. “We’re looking for someone.” Do you let them in? It’s a question that makes every physician and practice manager pause—not because anyone is hiding fugitives, but because we live in … Read more
Each year, there are over 100 million emergency department visits in the US. Imaging is performed in over 50% of such encounters. CT scans are performed in 20% of such visits. Not infrequently, a surprise finding is identified. It is estimated that an actionable incidental finding (AIF), defined as a “mass or lesion, detected by … Read more
The Department of Health and Human Services (HHS) issued a guidance document called Online Tracking Bulletin. It then revised that document. The AHA, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued in November 2023 arguing that HHS over-reached and that the bulletin was unlawful. This was not … Read more
Can You Store Protected Health Information on iCloud? No. The information stored on a cloud provider must be transported to and stored securely. How secure? Reasonably secure. iCloud likely meets that test. In addition, there must be a signed Business Associate Agreement (BAA) in place before Protected Health Information PHI is transferred between organizations. This … Read more
If a patient asks for their records, according to HIPAA, what records must you provide? According to HIPAA you need to send the patient their medical (dental) records. And within 30 days in the format they want. Some states, such as California, have an accelerated timeline of 15 days. OK, so, what are “patient records?” … Read more
This question hit my desk. I’ve received some version of this same question over and over. A plastic surgeon performed aesthetic surgery on a patient. Objectively the results look good. Subjectively, the patient disagrees. Sound familiar? There’s a conflict. The patient takes the conflict online. She posts photos which are a few days post-op. They … Read more
