# The HIPAA Guide Site URL: https://www.hipaaguide.net Generated: 2025-06-16 14:09:03 UTC -------------------------------------------------- ## HIPAA Advice - [Guide to HIPAA Incident Management](https://www.hipaaguide.net/guide-to-hipaa-incident-management/) - HIPAA incident management covers all stages of identifying and reporting an incident, tracking the incident, responding to the incident and mitigating its consequences, and documenting the incident and its outcome. - [Healthcare Worker Background Checks](https://www.hipaaguide.net/healthcare-worker-background-checks/) - Healthcare worker background checks are most often required by state regulations rather than federal regulations but, in some circumstances, can also be a condition of participation in Medicare and Medicaid or a condition of participation in a federal grant program. - [How to Plan for a HIPAA Incident Response](https://www.hipaaguide.net/plan-for-a-hipaa-incident-response/) - All HIPAA covered entities and business associates are required to plan for a HIPAA incident response in order to comply with the Security Incident Procedures standard of the HIPAA Security Rule. - [Is Telling a Story about a Patient a HIPAA Violation?](https://www.hipaaguide.net/is-telling-a-story-about-a-patient-a-hipaa-violation/) - Whether telling a story about a patient is a HIPAA violation will depend on who is telling the story, the audience of the story, whether any protected health information PHI is disclosed, and whether the disclosure has been authorized by the subject of the PHI. - [Is Emailing Patient Names Considered as a HIPAA Violation?](https://www.hipaaguide.net/is-emailing-patient-names-considered-as-a-hipaa-violation/) - Emailing patient names is not considered as a HIPAA violation unless an email also contains unsecured information relating to an individual’s health condition, treatment for the condition, or payment for the treatment AND the individual has not given their consent for Protected Health Information to be sent by email. - [What are the HIPAA Telephone Rules?](https://www.hipaaguide.net/hipaa-telephone-rules/) - The HIPAA telephone rules govern what information can be disclosed over the telephone by a member of a covered entity’s or business associate’s workforce, who the information can be disclosed to, and what safeguards must be implemented to prevent impermissible disclosures of Protected Health Information. - [How Does the HIPAA Privacy Rule Apply to Minors?](https://www.hipaaguide.net/hipaa-privacy-rule-minors/) - The HIPAA Privacy Rule applies to minors inasmuch as minors’ protected health information is subject to the same privacy and security protections as adult’s protected health information regardless of whether the minor is an emancipated minor or is represented by a parent, guardian, or other third party. - [HIPAA Compliant Software Development](https://www.hipaaguide.net/hipaa-compliant-software/) - HIPAA compliant software development consists of developing software for the healthcare and health insurance industries that – when it is used by a HIPAA covered entity to create, receive, store, or transmit Protected Health Information – will support compliance with all applicable standards of the HIPAA Administrative Simplification Regulations. - [HIPAA Compliant Website Requirements](https://www.hipaaguide.net/hipaa-compliant-website/) - The requirements for a HIPAA compliant website are that any forms, apps, or tracking technologies that are used to collect Protected Health Information PHI or track user activity are configured to comply with HIPAA and that any communication of PHI between the website and the servers running the website are encrypted to ensure the confidentiality and integrity of data. - [HIPAA Subpoena for Medical Records: What You Need to Know](https://www.hipaaguide.net/hipaa-subpoena-for-medical-records/) - What you need to know when – as a healthcare provider – you receive a HIPAA subpoena for medical records is that there is considerable potential for a HIPAA violation due to the conditions under which it is permissible to disclose PHI in response to the subpoena without a patient’s authorization. - [Disadvantages of HIPAA](https://www.hipaaguide.net/disadvantages-of-hipaa/) - The disadvantages of HIPAA include administrative burden on healthcare organizations, potential financial strain due to compliance costs, hindrance to healthcare innovation, challenges in accessing data for research, complications in patient communication, legal consequences for violations, inconsistent interpretation and enforcement, complexity for patients, and occasional conflicts between privacy and patient safety concerns. - [Four Areas of HIPAA That Are Important to Patients](https://www.hipaaguide.net/four-areas-of-hipaa-that-are-important-to-patients/) - The four areas of HIPAA that are important to patients are the privacy of healthcare data, the security of healthcare data, notifications of healthcare data breaches, and patient rights over their own healthcare data. - [What Information can be Shared without Violating HIPAA?](https://www.hipaaguide.net/what-information-can-be-shared-without-violating-hipaa/) - The information that can be shared without violating HIPAA includes any Protected Health Information PHI that is used or disclosed for a permitted purpose and any individually identifiable information that does not qualify as PHI because it is not maintained in the same designated record set as PHI. - [What happens if a nurse violates HIPAA?](https://www.hipaaguide.net/what-happens-if-a-nurse-violates-hipaa/) - What happens if a nurse violates HIPAA depends on the nature of the violation, the consequences of the violation, the nurse’s previous history of HIPAA compliance, and the content of the employer’s sanctions policy. - [Password Managers and HIPAA](https://www.hipaaguide.net/password-managers-and-hipaa/) - Password managers are effective tools to support HIPAA compliance subject to them having the capabilities to comply with the safeguards of the Security Rule and – if used to store or transmit PHI – subject to the vendor signing a Business Associate Agreement. - [Is WhatsApp HIPAA Compliant?](https://www.hipaaguide.net/is-whatsapp-hipaa-compliant/) - WhatsApp is not HIPAA compliant and should not be used to send or receive Protected Health Information PHI unless a patient requests confidential communications via WhatsApp or initiates a conversation via WhatsApp. - [What are the HIPAA Requirements for Mobile Devices?](https://www.hipaaguide.net/hipaa-requirements-for-mobile-devices/) - The HIPAA requirements for mobile devices are that they are included in risk analyses, that apps and services are configured to reduce risks to a reasonable level, and that members of the workforce are trained on the appropriate use of mobile devices. - [Does HIPAA Apply to Therapists?](https://www.hipaaguide.net/does-hipaa-apply-to-therapists/) - HIPAA applies to therapists who own, who work for, or who are contracted to a healthcare organization or practice that qualifies as a HIPAA covered entity. - [How Much is a HIPAA Violation Lawsuit Worth? 3 Cases That Could Shape Future Judgements](https://www.hipaaguide.net/hipaa-violation-lawsuit-worth/) - How much a HIPAA violation lawsuit is worth depends on the nature of the violation, the harm caused, and the availability of a suitable state law with a private right of action. - [Can Employees Who Violate HIPAA Rules Be Terminated?](https://www.hipaaguide.net/should-employees-that-violated-hipaa-rules-be-terminated/) - Employees that violate HIPAA rules can be terminated if the nature of the violation and its consequences are significant, and – even if the consequences are not significant – if they have a previous record of non-compliance with their employer’s workplace policies. - [Why is PHI Valuable to Criminals?](https://www.hipaaguide.net/why-is-phi-valuable-to-criminals/) - PHI is valuable to criminals because there are many ways in which stolen Protected Health Information can be monetized and because it often takes longer to identify the theft and misuse of PHI – giving criminals more time to profit from the stolen data. - [HIPAA Pictures and Videos. What are the Rules?](https://www.hipaaguide.net/hipaa-pictures-videos/) - The HIPAA rules for pictures and videos are the same as for any piece of information that qualifies as Protected Health Information PHI when pictures or videos relate to an individual’s health condition or treatment for the condition, or when pictures or videos could be used to identify the subject of the PHI. - [What is 45 CFR § 164.530?](https://www.hipaaguide.net/what-is-45-cfr-164-530/) - In the Code of Federal Regulations, 45 CFR § 164.530 relates to the administrative requirements of the HIPAA Privacy Rule – eleven standards that apply to organizations operating in the healthcare and health insurance sectors who are subject to the rules of the Healthcare Insurance Portability and Accountability Act. - [What is the HIPAA Minimum Necessary Standard?](https://www.hipaaguide.net/hipaa-minimum-necessary-standard/) - The HIPAA Minimum Necessary standard requires all HIPAA covered entities and business associates to restrict the uses and disclosures of protected health information PHI to the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed. - [How Long Does it Take to Get HIPAA Certified?](https://www.hipaaguide.net/how-long-does-it-take-to-get-hipaa-certified/) - How long it takes to get HIPAA certified varies depending on the purpose of the certification, the intensity of the certification program, and the depth of knowledge required to get HIPAA certified. - [What is Considered as PHI Under HIPAA?](https://www.hipaaguide.net/what-is-considered-as-phi-under-hipaa/) - What is considered as PHI under HIPAA should be understood by all members of a covered entity’s or business associate’s workforce – not only to prevent impermissible uses and disclosures of PHI, but also to prevent information not considered as PHI under HIPAA being secured unnecessarily. - [What are the HIPAA Rules Regarding Text Messaging?](https://www.hipaaguide.net/hipaa-rules-regarding-text-messaging/) - The HIPAA Rules regarding text messaging are that it is permissible for healthcare providers to send Protected Health Information by SMS text if a patient has initiated a communication by SMS text or exercised their right to request confidential communications by SMS text. - [What are the HIPAA e-Signature Requirements?](https://www.hipaaguide.net/hipaa-e-signature-requirements/) - At present, there are no HIPAA e-signature requirements other than “any electronic signature used will result in a legally binding contract under applicable state or other law”. - [Is OneDrive HIPAA Compliant?](https://www.hipaaguide.net/onedrive-hipaa-compliant/) - OneDrive is HIPAA compliant and can be used to store, sync, and share files containing Protected Health Information provided organizations subscribe to a Microsoft 365 or Office 365 plan that supports HIPAA compliance and the file storage system is configured to comply with HIPAA Security Rule safeguards. - [What is 45 CFR § 164.308?](https://www.hipaaguide.net/what-is-45-cfr-164-308/) - 45 CFR § 164.308 is the section of the Code of Federal Regulations that contains the Administrative Safeguards of the HIPAA Security Rule which covers areas such as security management processes, security awareness training, and contingency planning. This section of the HIPAA Security Rule supports the Physical and Technical Safeguards in the context of preventing the loss, theft, or unauthorized disclosure of electronic Protected Health Information (ePHI). - [Are All Emails HIPAA Compliant?](https://www.hipaaguide.net/are-all-emails-hipaa-compliant/) - All emails are not HIPAA compliant because only emails containing Protected Health Information PHI are required to be HIPAA compliant when they originate from a member of a HIPAA covered entity’s or business associate’s workforce. - [What is the HIPAA Omnibus Rule?](https://www.hipaaguide.net/hipaa-omnibus-rule/) - The HIPAA Omnibus Rule is a Rule published by HHS’ Office for Civil Rights in January 2013 that modified areas of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules to comply with the requirements of the Health Information Technology for Economic and Clinical Health Act HITECH and the Genetic Information Non-discrimination Act GINA. - [Can I get fired for an accidental HIPAA violation?](https://www.hipaaguide.net/can-i-get-fired-for-an-accidental-hipaa-violation/) - You can get fired for an accidental HIPAA violation depending on the nature of the violation, the consequences of the violation, the content of your employer’s sanctions policy, and – possibly most importantly – your history of previous “accidental” HIPAA violations. - [HIPAA and Incidental Disclosures of PHI](https://www.hipaaguide.net/hipaa-and-incidental-disclosures-of-phi/) - HIPAA permits incidental disclosures of PHI provided that HIPAA covered entities implement reasonable safeguards to protect individuals’ privacy, and that both the primary disclosures of PHI and incidental disclosures of PHI comply with the minimum necessary standard when applicable. - [What are HIPAA Covered Transactions?](https://www.hipaaguide.net/hipaa-covered-transactions/) - HIPAA covered transactions are electronic communications between two parties for administrative or financial activities related to healthcare that use standards adopted by the Secretary for Health and Human Services in Part 162 of the HIPAA Administrative Simplification Regulations. - [What is Texas HB-300 Compliance?](https://www.hipaaguide.net/texas-hb-300-compliance/) - Texas HB-300 compliance is compliance with Chapter 181 of the Texas Health and Safety Code relating to the privacy of medical records and the the amendments made to this chapter by HB-300 in 2011, SB-1609 in 2013, SB-219 in 2015, and SB-930 in 2021. - [HIPAA Compliance for HR Departments](https://www.hipaaguide.net/hipaa-compliance-for-hr-departments/) - HIPAA compliance for HR departments consists of determining whether HIPAA applies to any of the department’s activities and, if so, implementing policies and procedures to safeguard Protected Health Information PHI from impermissible disclosures and unauthorized access. - [What Employees Should Know about HIPAA Compliance](https://www.hipaaguide.net/what-employees-should-know-about-hipaa-compliance/) - What employees should know about HIPAA compliance is that the objective of HIPAA compliance is not to avoid sanctions and penalties, but rather to protect patients and health plan members from medical identity theft. - [Why is HIPAA Training Important?](https://www.hipaaguide.net/why-is-hipaa-training-important/) - HIPAA training is important because all members of covered entities’ and business associates’ workforces need to understand what Protected Health Information PHI is, why it needs to be protected, and what the consequences are if PHI is impermissibly disclosed due to a lack of knowledge or if the failure to understand HIPAA policies and procedures results in a data breach. - [HIPAA Privacy and Security Training](https://www.hipaaguide.net/hipaa-privacy-and-security-training/) - HIPAA privacy and security training must be designed to ensure that all workforce members with access to PHI are aware of when PHI can be used or disclosed in compliance with HIPAA, and that all workforce members – regardless of their access to PHI – are aware of an organization’s security policies and procedures, and the sanctions for violating them. - [Plastic Surgery Practice Pays $500,000 Penalty to Settle Alleged HIPAA Violations](https://www.hipaaguide.net/plastic-surgery-associates-south-dakota-hipaa-penalty/) - Plastic Surgery Associates of South Dakota was investigated by the Department of Health and Human Services HHS Office for Civil Rights OCR over a 2017 ransomware attack and data breach involving the electronic protected health information ePHI of 10,229 patients. - [How Often is HIPAA Training Required?](https://www.hipaaguide.net/how-often-is-hipaa-training-required/) - HIPAA training is required as often as is necessary to ensure the privacy of Protected Health Information PHI and the confidentiality, integrity, and availability of electronic PHI – notwithstanding that internal and external factors can increase the frequency of HIPAA training. - [HIPAA Training for Dental Offices](https://www.hipaaguide.net/hipaa-training-in-a-dental-office/) - HIPAA training for dental offices has the same objectives as HIPAA training for other types of covered entity inasmuch as workforce members must know how to protect the privacy and confidentiality of individually identifiable health information and comply with the dental office’s HIPAA policies and procedures. - [Is FaceTime HIPAA Compliant?](https://www.hipaaguide.net/is-facetime-hipaa-compliant/) - Facetime is not HIPAA compliant, and should not be used by a HIPAA covered entity to communicate Protected Health Information unless a patient has requested confidential communications via Facetime and has been warned of the risks associated with Facetime, but has still chosen to receive confidential communications via this channel. - [Is MailChimp HIPAA Compliant?](https://www.hipaaguide.net/is-mailchimp-hipaa-compliant/) - Mailchimp is not HIPAA compliant and cannot be used to send marketing emails or newsletters that contain Protected Health Information PHI unless the subject of the PHI has given their authorization for their individually identifiable health information to be shared in marketing communications via a noncompliant channel of communication. - [Is Google Voice HIPAA Compliant?](https://www.hipaaguide.net/is-google-voice-hipaa-compliant/) - Google Voice is HIPAA compliant provided the service is used as an add-on to a HIPAA-enabled Workspace account, licenses are assigned to managed users, and the Google Voice account is configured to prevent impermissible disclosures of Protected Health Information to non-compliant services. - [How to Make Office 365 HIPAA Compliant](https://www.hipaaguide.net/office-365-hipaa-compliant/) - The way to make Office 365 HIPAA compliant is to subscribe to an Office 365 plan that supports HIPAA compliance, configure the products and services to comply with the Security Rule, and train members of the workforce how to use the products and services in compliance with HIPAA. - [Is Google Chat HIPAA Compliant?](https://www.hipaaguide.net/is-google-chat-hipaa-compliant/) - Google Chat is HIPAA compliant when the messaging service is utilized as part of a Workspace account that has been configured to support HIPAA compliance and when the services is covered by a Business Associate Addendum to the Workspace Terms of Service. - [Is SharePoint HIPAA Compliant?](https://www.hipaaguide.net/is-sharepoint-hipaa-compliant/) - SharePoint is HIPAA compliant when the collaboration and content management system is used within a HIPAA enabled Microsoft 365 subscription which has been configured to support HIPAA compliance. - [Is Google Forms HIPAA Compliant?](https://www.hipaaguide.net/google-forms-hipaa-compliant/) - Google Forms is HIPAA compliant and can be used to collect, export, and share protected health information provided the service is used as part of a Workspace plan that supports HIPAA compliance, the service settings are configured to comply with the HIPAA Security Rule, and the workforce is trained on its compliant use. - [Is Google Docs HIPAA Compliant?](https://www.hipaaguide.net/is-google-docs-hipaa-compliant/) - Google Docs is HIPAA compliant and can be used by covered entities and business associates to create and transmit Protected Health Information if the service is included in a HIPAA enabled Google Workspace account which is configured to restrict sharing permissions and disable add-ons. - [Is Smartsheet HIPAA Compliant?](https://www.hipaaguide.net/is-smartsheet-hipaa-compliant/) - Smartsheet is HIPAA compliant provided that organizations subscribe to an Enterprise Plan, enter into a Business Associate Agreement with Smartsheet, and configure the security settings so the platform can be used in compliance with the HIPAA Security Rule. - [Is Calendly HIPAA Compliant?](https://www.hipaaguide.net/is-calendly-hipaa-compliant/) - Calendly is not HIPAA compliant and should not be used to create, collect, store, or transmit Protected Health Information as this would not only violate Calendly’s Terms and Conditions, but would also violate HIPAA as Calendly will not enter into Business Associate Agreements with HIPAA covered entities or business associates. - [Is PayPal HIPAA Compliant?](https://www.hipaaguide.net/is-paypal-hipaa-compliant/) - PayPal is exempt from compliance with HIPAA in respect of payment processing activities and covered entities can use the online payment system to collect payments from patients and plan members. - [Is Paubox HIPAA Compliant?](https://www.hipaaguide.net/is-paubox-hipaa-compliant/) - Paubox is a HIPAA compliant email service that enables covered entities and business associates to encrypt emails by default and that offers additional capabilities to help safeguard Protected Health Information against phishing, ransomware, and data loss. - [Is QuickBooks HIPAA Compliant?](https://www.hipaaguide.net/quickbooks-hipaa-compliant/) - QuickBooks is not HIPAA compliant because it lacks the safeguards to protect individually identifiable health information from unauthorized uses and disclosures. - [Is HubSpot HIPAA Compliant?](https://www.hipaaguide.net/is-hubspot-hipaa-compliant/) - HubSpot is HIPAA compliant for a limited number of features provided that covered entities or business associates subscribe to an enterprise plan and activate the necessary sensitive data settings. - [Is Google Workspace HIPAA Compliant?](https://www.hipaaguide.net/is-google-workspace-hipaa-compliant/) - Google Workspace is HIPAA compliant for core services with included functionality which can be used to collect, receive, store, or transmit PHI. - [Is Discord HIPAA Compliant?](https://www.hipaaguide.net/is-discord-hipaa-compliant/) - Discord is not HIPAA compliant and, due to the way in which data is collected and used by the platform, covered entities and business associates should prohibit members of the workforce sharing Protected Health Information PHI via Discord and implement a HIPAA compliant alternative in its place. - [Is Zapier HIPAA Compliant?](https://www.hipaaguide.net/is-zapier-hipaa-compliant/) - Zapier is not HIPAA compliant and cannot be used to automate healthcare processes and workflows that expose Protected Health Information because – despite the high level of security – the apps used by Zapier to automate many processes and workflows do not support HIPAA compliance themselves. - [Is Signal HIPAA Compliant?](https://www.hipaaguide.net/is-signal-hipaa-compliant/) - Signal is not HIPAA compliant despite being an open-source messaging platform that encrypts all messages, calls, and media. - [What is a Business Associate Agreement?](https://www.hipaaguide.net/what-is-a-business-associate-agreement/) - A Business Associate Agreement is a contract between a covered entity and a business associate required by the Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act HIPAA when Protected Health Information PHI is exchanged between the parties. - [Planned Parenthood Investigating Cyberattack; RansomHub Group Takes Credit](https://www.hipaaguide.net/planned-parenthood-ransomware-ransomhub/) - The RansomHub threat group, a ransomware-as-a-service operation behind several recent attacks on healthcare organizations, has added Planned Parenthood to its dark web data leak site and claims to have stolen 93 GB of data in the attack. - [Poor Email Practices are a Leading Cause of HIPAA Violations](https://www.hipaaguide.net/poor-email-practices-cause-hipaa-violations/) - Poor email practices and bad email compliance are common causes of HIPAA violations and often lead to major data breaches. - [Does HIPAA Apply to Dentists?](https://www.hipaaguide.net/does-hipaa-apply-to-dentists/) - HIPAA applies to dentists that qualify as – or who are employed by – HIPAA covered entities and to dentists that provide services to or on behalf of a HIPAA covered entity as a business associate. - [Is Google Drive HIPAA Compliant?](https://www.hipaaguide.net/is-google-drive-hipaa-compliant/) - Google Drive is HIPAA compliant and can be used to store, share, and collaborate on files containing Protected Health Information, provided the service is used as part of a Google Workspace subscription that supports HIPAA compliance and is configured to be used in compliance with HIPAA. - [Is a HIPAA Email Disclaimer Worthwhile?](https://www.hipaaguide.net/hipaa-email-disclaimer/) - A HIPAA email disclaimer is a note included at the end of an email that alerts the recipient the email contains Protected Health Information and that, if they have received the email in error, they should report the error and delete the email. - [When Should you Promote HIPAA Awareness?](https://www.hipaaguide.net/when-should-you-promote-hipaa-awareness/) - You should promote HIPAA awareness whenever it is feasible to promote HIPAA awareness because, as an entity responsible for the health of individuals, there are sometimes more important things to prioritize than explaining what designated record sets are or what direction workstations should face. - [Does an Email Subject Line have to be HIPAA Compliant?](https://www.hipaaguide.net/does-an-email-subject-line-have-to-be-hipaa-compliant/) - An email subject line has to be HIPAA compliant if an email containing Protected Health Information is sent by or on behalf of a HIPAA covered entity for a purpose permitted by the HIPAA Privacy Rule via an email service that meets the requirements of the HIPAA Security Rule – when applicable – unless an exception applies. - [What Does PHI Stand For?](https://www.hipaaguide.net/what-does-phi-stand-for/) - In healthcare, PHI stands for Protected Health Information – information relating to an individual’s health condition, treatment for the health condition, or payment for the treatment, and any other information that could identify the subject of the PHI when it is maintained in the same designated record set. - [Healthcare Data Breach Statistics](https://www.hipaaguide.net/healthcare-data-breach-statistics/) - The US Department of Health and Human Services’ Office for Civil Rights OCR publishes healthcare data breach statistics relating to data breaches involving more than 500 records. - [Is Dropbox HIPAA compliant?](https://www.hipaaguide.net/is-dropbox-hipaa-compliant/) - Dropbox is HIPAA compliant and can be used to store and share files containing Protected Health Information provided HIPAA-covered organizations subscribe to a plan that supports HIPAA compliance and the file hosting service is configured so it is used in compliance with HIPAA. - [What is the HIPAA Conduit Exception Rule?](https://www.hipaaguide.net/what-is-the-hipaa-conduit-exception-rule/) - The HIPAA Conduit Exception Rule exempts organizations that provide transmission services from qualifying as business associates when access to Protected Health Information during the provision of a service is temporary. - [Is Proton Mail HIPAA Compliant?](https://www.hipaaguide.net/is-proton-mail-hipaa-compliant/) - Proton Mail is HIPAA compliant and can be used either with an existing domain or as a standalone service to send, receive, and store emails containing Protected Health Information PHI. - [Is Amazon Web Services HIPAA Compliant?](https://www.hipaaguide.net/is-amazon-web-services-hipaa-compliant/) - Amazon Web Services is HIPAA compliant for “HIPAA eligible services” covered by AWS’ general Business Associate Addendum or by a service-specific Business Associate Agreement (i.e., Alexa Health Skills). However, Amazon Web Service is not HIPAA compliant “off the shelf”. In order to use AWS’ HIPAA eligible services in compliance with HIPAA, it is necessary to architect the services to support HIPAA compliance. - [Can Healthcare Professionals Use Personal Phones at Work Without Violating HIPAA?](https://www.hipaaguide.net/can-healthcare-professionals-use-personal-phones-at-work-without-violating-hipaa/) - Healthcare professionals can use personal phones at work without violating HIPAA if the phone is not used to create, receive, store, or transmit Protected Health Information PHI, or – if it is – provided that safeguards are in place to protect the privacy and security of PHI, and that any disclosures of PHI over personal phones are permitted by the Privacy Rule. - [Is ChatGPT HIPAA Compliant?](https://www.hipaaguide.net/chatgpt-hipaa-compliant/) - ChatGPT is not HIPAA compliant at the time of writing and cannot be used by covered entities or their workforces to create content that requires disclosures of Protected Health Information. - [Examples of HIPAA Email Violations](https://www.hipaaguide.net/examples-of-hipaa-email-violations/) - It is easy to find clear examples of HIPAA email violations in the archive pages of HHS’ Breach Portal, but many more types of data breach have an email element. - [What is a Healthcare IT MSP?](https://www.hipaaguide.net/healthcare-it-msp/) - A healthcare IT MSP provides a range of IT services to healthcare organizations and manages the services for the organization – configuring the services to support HIPAA compliance when necessary. - [What is HIPAA Compliant Texting?](https://www.hipaaguide.net/hipaa-compliant-texting/) - HIPAA compliant texting is when a covered entity or business associate – or a member of either’s workforce – sends a text message that includes Protected Health Information for a purpose permitted by the Privacy Rule in compliance with the applicable standards of the Security Rule. - [Can A Patient File A Lawsuit for A HIPAA Violation?](https://www.hipaaguide.net/can-a-patient-file-lawsuit-for-a-hipaa-violation/) - A patient may be able to file a lawsuit for a HIPAA violation if the consequences of the violation result in avoidable harm and if the nature of the violation is covered by a state or federal law other than HIPAA, as HIPAA has no private cause of action. - [When Can HIPAA be Broken?](https://www.hipaaguide.net/when-can-hipaa-be-broken/) - HIPAA cannot be “broken” inasmuch as the HIPAA Privacy Rule accommodates the circumstances in which covered entities may use or disclose Protected Health Information for purposes other than treatment, payment, or health care operations. - [Is it Possible to Make Wix HIPAA Compliant?](https://www.hipaaguide.net/make-wix-hipaa-compliant/) - It is not possible to make Wix HIPAA compliant but there are ways in which websites built and hosted on Wix can collect personal data without violating HIPAA. - [Is HIPAA a Federal Law?](https://www.hipaaguide.net/is-hipaa-a-federal-law/) - The Health Insurance Portability and Accountability Act HIPAA is Federal law that was enacted in 1996 with the primary objective of eliminating obstacles to economic movement by ensuring continued health insurance coverage when employees changed – or were between – jobs. - [Is HelloFax HIPAA Compliant?](https://www.hipaaguide.net/is-hellofax-hipaa-compliant/) - HelloFax is HIPAA compliant if covered entities/business associates subscribe to a Dropbox Sign package that supports HIPAA compliance, configure the fax service to comply with the Security Rule, and train authorized members of the workforce on the compliant use of HelloFax. - [Is Ivy Pay HIPAA Compliant?](https://www.hipaaguide.net/is-ivy-pay-hipaa-compliant/) - Ivy Pay is HIPAA compliant for licensed independent therapists and mental health professionals that qualify as covered or hybrid entities, or that provide services for or on behalf of a covered or hybrid entity as a business associate. - [What are HIPAA identifiers?](https://www.hipaaguide.net/what-are-hipaa-identifiers/) - The HIPAA identifiers are elements of information that can identify an individual and that have to be removed from a designated record set before the remaining content is considered de-identified using the safe harbor method of de-identification. - [Is Slack HIPAA Compliant?](https://www.hipaaguide.net/is-slack-hipaa-compliant/) - Slack is HIPAA compliant for covered entities and business associates that subscribe to an Enterprise Grid Plan, configure the platform to comply with Slack’s limitations on use, and enter into a Business Associate Agreement. - [What is individually identifiable health information?](https://www.hipaaguide.net/what-is-individually-identifiable-health-information/) - Individually identifiable health information is roughly defined by the HIPAA Administrative Simplification Regulations §160. - [Can Healthcare Vendors Get HIPAA Certification?](https://www.hipaaguide.net/can-healthcare-vendors-get-hipaa-certification/) - Healthcare vendors can get HIPAA certification, but it is important for organizations to be aware that a HIPAA certification for healthcare vendors is a point-in-time accreditation. - [What is PII in Healthcare?](https://www.hipaaguide.net/what-is-pii-in-healthcare/) - PII in healthcare stands for Personally Identifiable Information – the type of information not covered by the HIPAA Privacy Rule unless it is maintained in the same designated record set as Protected Health Information PHI. - [What Does HIPAA Mean?](https://www.hipaaguide.net/what-does-hipaa-mean/) - HIPAA means the Health Insurance Portability and Accountability Act – an Act which led to the development of a Federal floor of privacy protections for individually identifiable health information. - [What is the Administrative Simplification Section of HIPAA?](https://www.hipaaguide.net/administrative-simplification-section-of-hipaa/) - The Administrative Simplification section of HIPAA contains the regulations, standards, and implementation specifications that resulted from Congress’ instruction to the Secretary of Health and Human Service to standardize transaction codes, develop security standards for electronic transactions, and make recommendations for the privacy of health information. - [Can Google Sheets Be Used with PHI by Healthcare Organizations?](https://www.hipaaguide.net/can-google-sheets-be-used-with-phi-by-healthcare-organizations/) - Google Sheets can be used with PHI by healthcare organizations provided the program is used as part of a Google Workspace account that is configured to control access to Google Sheets stored in Google Drive, and provided healthcare organizations agreed to Google’s Business Associate Addendum to the Workspace Terms of Service. - [Guide to Patient Rights under HIPAA](https://www.hipaaguide.net/patient-rights-under-hipaa/) - Patient rights under HIPAA include the rights to access health information, request corrections when errors exist, restrict how health information is used, and control who it is disclosed to. - [Is Zelle HIPAA Compliant?](https://www.hipaaguide.net/is-zelle-hipaa-compliant/) - Zelle is not HIPAA compliant, but does not have to be due to payment processors being exempted from complying with HIPAA in §1179 of the 1996 Act – an exemption confirmed by the Department of Health and Human Services in the preamble to the Omnibus Final Rule in 2013. - [What is HIPAA Authorization?](https://www.hipaaguide.net/what-is-hipaa-authorization/) - A HIPAA authorization is permission given by a patient or plan member that allows a covered entity or business associate to disclose or make use of PHI for a purpose that the HIPAA Privacy Rule would otherwise not permit. - [Who is Required to Follow HIPAA Requirements?](https://www.hipaaguide.net/who-is-required-to-follow-hipaa-requirements/) - Those required to follow HIPAA requirements include most healthcare providers, most health plans, and health care clearing houses collectively known as covered entities, business associates, and covered entities’ and business associates’ workforces. - [Where is the Best Location to Post a Notice of Privacy Practices?](https://www.hipaaguide.net/best-location-to-post-a-notice-of-privacy-practices/) - The best location to post a Notice of Privacy Practices is a physical location where it can be seen and read by individuals – without causing an access issue – or a virtual location such as an easy-to-access web page that offers a downloadable option. - [5 Real HIPAA Violation Consequences](https://www.hipaaguide.net/hipaa-violation-consequences/) - Many sources discussing HIPAA violation consequences tend to focus on civil monetary penalties and criminal charges – which affect fewer than 1% of non-compliant organizations – and ignore the real HIPAA violation consequences of delayed payments, worse workforce morale, increasing cybersecurity insurance prmiums, and the costs to victims of identity theft. - [The HIPAA Authorization Form to Release Medical Records](https://www.hipaaguide.net/the-hipaa-authorization-form-to-release-medical-records/) - A HIPAA authorization form to release medical records must be obtained from a patient or their personal representative before any Protected Health Information PHI is shared with a third party for a purpose not permitted by the Privacy Rule. - [What is the HIPAA Privacy Rule?](https://www.hipaaguide.net/what-is-the-hipaa-privacy-rule/) - The HIPAA Privacy Rule contains the Standards for the Privacy of Individually Identifiable Health Information, which were originally the Recommendations with Respect to the Privacy of Certain Health Information made to Congress by HHS Secretary Donna Shalala in 1997. - [Who Does HIPAA Apply To?](https://www.hipaaguide.net/who-does-hipaa-apply-to/) - Most sources tackling the question who does HIPAA apply to tend to rely on the applicability clause of the Administration Simplification General Provisions for their answer (45 CFR § 160.102). - [Can You Go To Jail for a HIPAA Violation?](https://www.hipaaguide.net/can-you-go-to-jail-for-a-hipaa-violation/) - You can go to jail for a HIPAA violation if you knowingly and wrongfully use or disclose – or cause to be used or disclosed – individually identifiable health information maintained by a covered entity. - [Is Rackspace HIPAA Compliant?](https://www.hipaaguide.net/is-rackspace-hipaa-compliant/) - Rackspace is HIPAA compliant for “HIPAA-eligible services” provided that the services are configured to support HIPAA compliance, that all traffic between a customer and Rackspace is encrypted, and that the customer agrees to Rackspace’s HIPAA Addendum to the Terms of Service. - [HITRUST vs HIPAA](https://www.hipaaguide.net/hitrust-vs-hipaa/) - A HITRUST vs HIPAA analysis can help healthcare organizations understand why it may be worth pursuing a HITRUST certification, but why a HITRUST certification is no guarantee of HIPAA compliance, or why a certification may not help an organization avoid a penalty for a violation of HIPAA. - [What Does HIPAA Stand for in Medical Terms?](https://www.hipaaguide.net/what-does-hipaa-stand-for-in-medical-terms/) - In medical terms, HIPAA stands for the Privacy, Security, and Breach Notification Rules that govern how healthcare providers and their business associates must protect the privacy of individually identifiable health information and notify affected individuals when the confidentiality, integrity, or availability of their health information is compromised. - [NIST Releases Final HIPAA Security Rule Implementation Guide](https://www.hipaaguide.net/hipaa-security-rule-implementation-guide/) - The National Institute of Standards and Technology NIST and the HHS Office for Civil Rights OCR have released the final version of their HIPAA Security Rule Implementation Guide Special Publication 800-66, Revision 2. - [What are the Objectives of the HIPAA Technical Safeguards?](https://www.hipaaguide.net/hipaa-technical-safeguards/) - The objectives of the HIPAA Technical Safeguards – together with the Physical and Administrative Safeguards – are to protect the confidentiality, integrity, and availability of electronic Protected Health Information ePHI via a series of standards and implementation specifications. - [Can Hotmail Be Considered as HIPAA Compliant?](https://www.hipaaguide.net/can-hotmail-considered-hipaa-compliant/) - Hotmail cannot be considered HIPAA compliant for sending or receiving emails containing PHI unless a user’s Hotmail account is connected to a Microsoft 365 or Office 365 Enterprise account that supports HIPAA compliance and is configured to comply with the Security Rule. - [Is HoneyBook HIPAA Compliant?](https://www.hipaaguide.net/is-honeybook-hipaa-compliant/) - HoneyBook is not HIPAA compliant and – at present – the CRM platform should not be used for activities in which Protected Health Information PHI is exposed to HoneyBook’s servers. - [Is Constant Contact HIPAA Compliant?](https://www.hipaaguide.net/is-constant-contact-hipaa-compliant/) - Constant Contact is HIPAA compliant provided users subscribe to a business plan with the capabilities to support HIPAA compliance, configure the capabilities to meet the requirements of the Security Rule, and enter into a Business Associate Agreement with the software vendor. - [Is WordPress HIPAA Compliant?](https://www.hipaaguide.net/is-wordpress-hipaa-compliant/) - WordPress is not HIPAA compliant by default and although it is possible for covered entities and business associates to make WordPress HIPAA compliant, the work involved is substantial. - [Is Facebook Messenger HIPAA Compliant?](https://www.hipaaguide.net/is-facebook-messenger-hipaa-compliant/) - Facebook Messenger is not HIPAA compliant because it lacks many of the controls required to support compliance with the safeguards of the Security Rule and because Facebook’s owners – Meta – will not enter into a Business Associate Agreement with HIPAA covered entities and business associates. - [What are the Responsibilities of a HIPAA Compliance Officer?](https://www.hipaaguide.net/what-are-the-responsibilities-of-a-hipaa-compliance-officer/) - The responsibilities of a HIPAA compliance officer include ensuring the organization complies with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations, developing workforce policies and procedures, and overseeing business associate relationships. - [What is the HIPAA Security Rule?](https://www.hipaaguide.net/what-is-the-hipaa-security-rule/) - The HIPAA Security Rule stipulates the standards and implementation specifications that must be complied with – when applicable – to protect the confidentiality, integrity, and availability of electronic Protected Health Information ePHI. - [What is the Purpose of HIPAA?](https://www.hipaaguide.net/purpose-of-hipaa/) - The original purpose of HIPAA was to reform the health insurance industry, but due to concerns the cost of the reforms would increase insurance premiums and reduce tax revenues, measures were also introduced to reduce fraud and simplify the administration of healthcare transactions. - [The Rules of Dental HIPAA Compliance](https://www.hipaaguide.net/dental-hipaa-compliance/) - The rules of dental HIPAA compliance are no different from the rules governing other HIPAA Covered Entities and Business Associates, however there may be more occasions when dentists and dental practices have to apply exceptions to the rules – or not apply the rules at all. - [When Does State Privacy Law Supersede HIPAA?](https://www.hipaaguide.net/state-privacy-law-supersede-hipaa/) - State privacy law supersedes HIPAA when it has more stringent privacy protections or more patient rights than HIPAA, when a state law permits disclosures of PHI for public health surveillance, investigation, or intervention, or when disclosures are required by a state to audit, evaluate, or certify facilities or individuals. - [What happens after a HIPAA complaint is filed?](https://www.hipaaguide.net/what-happens-after-a-hipaa-complaint-is-filed/) - What happens after a HIPAA complaint is filed depends on who is making the complaint, the nature of the complaint, and who the complaint is filed to – notwithstanding that two-thirds of HIPAA complaints are dismissed on review due to not being violations of HIPAA. - [HIPAA Compliance for Home Health Care Workers](https://www.hipaaguide.net/hipaa-compliance-for-home-health-care-workers/) - HIPAA compliance for home health care workers can often be more challenging than HIPAA compliance for health care professionals working in brick-and-mortar facilities due to the different ways in which home health care workers communicate with patients and their carers either remotely or in the patient’s home environment. - [What is a HIPAA Covered Entity?](https://www.hipaaguide.net/what-is-a-hipaa-covered-entity/) - A HIPAA covered entity is an individual or organization whose primary occupation is a health plan provider, a health care clearinghouse, or a health care provider that conducts electronic healthcare transactions for which the Department of Health and Human Services has adopted standards. - [What Does HIPAA Stand For?](https://www.hipaaguide.net/what-does-hipaa-stand-for/) - HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 that was intended to reform the health insurance industry and that led to the subsequent publication of the HIPAA Administrative Simplification Regulations. - [HIPAA and Social Media – What are the Guidelines?](https://www.hipaaguide.net/hipaa-and-social-media/) - HIPAA social media guidelines can mitigate the risk of impermissible disclosures of PHI in violation of HIPAA while still enabling covered entities and business associates to use social media to promote healthy lifestyles and provide valuable health information. - [What are the Penalties for HIPAA Violations?](https://www.hipaaguide.net/hipaa-violation-penalties/) - The penalties for HIPAA violations vary depending on the nature of the violations, the degree of harm caused, the number of people affected by the violations, and the previous compliance history of the individual or organization responsible for violating HIPAA. - [Does HIPAA Apply after Death?](https://www.hipaaguide.net/does-hipaa-apply-after-death/) - HIPAA applies after the death of an individual for a period of fifty years, during which time the same limits apply to permissible uses and disclosures of PHI as if the individual was still alive. - [Is Microsoft Teams HIPAA Compliant?](https://www.hipaaguide.net/is-microsoft-teams-hipaa-compliant/) - Microsoft Teams is HIPAA compliant and can be used to collect, save, share, or export protected health information provided the platform is used as part of a business plan that supports HIPAA compliance and is configured to comply with the implementation specifications of the Security Rule. - [What is a HIPAA Violation?](https://www.hipaaguide.net/what-is-a-hipaa-violation/) - A HIPAA violation is the failure by a HIPAA covered entity or business associate to comply with any applicable regulations, standards, and implementation specifications of the HIPAA Administrative Simplification Regulations (45 CFR Subtitle A Subtitle C). - [Is Marketo HIPAA Compliant?](https://www.hipaaguide.net/is-marketo-hipaa-compliant/) - Marketo is HIPAA compliant for organizations that subscribe to Adobe’s Experience Cloud for Healthcare, that agree to the terms of Adobe’s Business Associate Agreement, and that configure the platform to comply with the Security Rule safeguards. - [Is iCloud HIPAA-Compliant?](https://www.hipaaguide.net/can-icloud-considered-hipaa-compliant/) - iCloud cannot be considered HIPAA compliant and cannot be used to store, sync, or share media which include PHI due to Apple prohibiting the use of iCloud services for any purposes that would make it a business associate of a covered entity. - [HB 300 Training](https://www.hipaaguide.net/hb-300-training/) - HB 300 training is the training that has to be provided in addition to HIPAA training by covered entities and business associates that assemble, collect, analyze, use, evaluate, store, or transmit the Protected Health Information of a Texas resident. - [To Whom Should HIPAA Complaints be Reported to Within a Covered Entity?](https://www.hipaaguide.net/to-whom-should-hipaa-complaints-be-reported-within-the-covered-entity/) - HIPAA complaints within the covered entity should be reported to an immediate supervisor; or, if the compliant originates from a member of the public to the Privacy Officer responsible for documenting the complaint and responding to it. - [Who is subject to HIPAA?](https://www.hipaaguide.net/who-is-subject-to-hipaa/) - Entities subject to HIPAA include most – but not all – healthcare providers, health care clearinghouses, and health plans when the provision of healthcare insurance is the primary activity of the health plans. - [Telemedicine HIPAA requirements](https://www.hipaaguide.net/telemedicine-hipaa-requirements/) - The telemedicine HIPAA requirements affect any medical sector employee or healthcare organization that supplies a remote service to patients in their homes or at community-based centers particularly with regards to obtaining consent, verifying the identity of the patient, and complying with the minimum necessary standard. - [Reporting a HIPAA Violation at Work](https://www.hipaaguide.net/reporting-a-hipaa-violation-at-work/) - The procedures for reporting a HIPAA violation at work are set by each individual covered entity or business associate and should be explained to members of the workforce during their initial HIPAA or security awareness training. - [HIPAA Business Associate Examples](https://www.hipaaguide.net/hipaa-business-associate-examples/) - Many sources of HIPAA business associate examples tend to rely on and repeat the examples of HIPAA business associates provided by the Department of Health & Human Services HHS on its business associate web page. - [What Happens to PHI After a Healthcare Business Closes?](https://www.hipaaguide.net/happens-phi-healthcare-business-closes/) - What happens to PHI after a healthcare business closes should be that any individually identifiable health information must be securely stored until it meets the state’s retention limit for medical records, while any HIPAA documentation must be securely stored for up to six years. - [How long does a HIPAA investigation take?](https://www.hipaaguide.net/how-long-does-a-hipaa-investigation-take/) - How long a HIPAA investigation takes depends on factors such as the nature of the violation, the consequences of the violation, the covered entity’s willingness to cooperate with HHS’ Office for Civil Rights, and any other compliance issues that are identified during the course of the initial investigation. - [Is a Client’s Photo Considered PHI?](https://www.hipaaguide.net/client-photo-phi/) - A client’s photo is considered to be PHI under HIPAA in certain circumstances and it is important for healthcare organizations and their workforces to be aware of what these circumstances are in order to avoid unintentional HIPAA violations due to impermissible disclosures of PHI. - [Why is the HITECH Act Important?](https://www.hipaaguide.net/why-is-the-hitech-act-important/) - The HITECH Act is important because it promoted the widespread adoption of healthcare information technology in order to support the sharing of clinical data between healthcare professionals and others in the healthcare industry. - [Is Workplace Gossip a HIPAA Violation?](https://www.hipaaguide.net/is-workplace-gossip-a-hipaa-violation/) - Workplace gossip can be a HIPAA violation depending on who the subject of the gossip is, what the gossip is about, who is doing the gossiping, and whether or not the subject of the gossip has given their permission for stories to be told about them. - [Which Entity Enforces HIPAA?](https://www.hipaaguide.net/which-entity-enforces-hipaa/) - Although the entity most often referred to as the enforcer of HIPAA is the Department of Health and Human Services’ Office for Civil Rights, the actual answer to the question which entity enforces HIPAA has a number of answers depending on which Title of HIPAA is being referred to. - [What is the HIPAA Breach Notification Rule?](https://www.hipaaguide.net/hipaa-breach-notification-rule/) - The HIPAA Breach Notification Rule is a Rule introduced by the HITECH Act that requires covered entities – and in some cases business associates – to notify HHS Office for Civil Rights and affected individuals of any incident due to which PHI is disclosed impermissibly. - [Reporting an Anonymous HIPAA Violation Complaint](https://www.hipaaguide.net/reporting-an-anonymous-hipaa-violation-complaint/) - Reporting an anonymous HIPAA violation compliant to HHS’ Office for Civil Rights OCR is likely to result in the complaint being ignored due to a lack of resources and the risk that the complaint is unjustified or malicious. - [The Duties of a HIPAA Compliance Officer](https://www.hipaaguide.net/the-duties-of-a-hipaa-compliance-officer/) - Under the Healthcare Insurance Portability and Accountability Act HIPAA, covered entities and business associates must assign a person or persons to carry out the duties of a HIPAA Compliance Officer – usually a HIPAA Privacy Officer with responsibilities for privacy and security, or in larger organizations, separate Privacy and Security Officers. - [When Was HIPAA Enacted?](https://www.hipaaguide.net/when-was-hipaa-enacted/) - HIPAA has been enacted in various stages since the passage of the Health Insurance Portability and Accountability Act, with some provisions of the Act being enacted immediately, while others took up to ten years to enact. - [What are Examples of Protected Health Information?](https://www.hipaaguide.net/what-are-examples-of-protected-health-information/) - Articles listing examples of protected health information often refer to the list of identifiers that must be removed from a designated record set before any remaining individually identifiable health information in the designated record set is considered de-identified. - [Pharmacies and HIPAA](https://www.hipaaguide.net/pharmacies-and-hipaa/) - A connection between pharmacies and HIPAA exists because the definition of health care provided in §160. - [Why is HIPAA Important?](https://www.hipaaguide.net/why-is-hipaa-important/) - HIPAA is important because it creates a federal floor of privacy and security protection for individually identifiable health information created, collected, maintained, or transmitted by a HIPAA-covered entity or business associate. - [What are the HIPAA Breach Notification Requirements?](https://www.hipaaguide.net/hipaa-breach-notification-requirements/) - The HIPAA breach notification requirements are the processes and procedures that must be followed by a HIPAA covered entity and, in some cases, by a HIPAA business associate when unsecured Protected Health Information in any format is disclosed impermissibly. - [Understanding HIPAA and the HITECH Act](https://www.hipaaguide.net/hipaa-and-the-hitech-act/) - The HITECH Act updated HIPAA and is concerned with promoting the adoption of electronic health records and meaningful use of health information technology and is part of the American Recovery and Reinvestment Act of 2009. - [When Can You Break Patient Confidentiality Under HIPAA?](https://www.hipaaguide.net/break-patient-confidentiality-under-hipaa/) - The challenge with answering when can you break patient confidentiality under HIPAA is that HIPAA does not define patient confidentiality, yet the HIPAA Privacy Rule “authorizes” multiple uses and disclosures of Protected Health Information that might be classed as breaches of patient confidentiality under other definitions of the term. - [How to Get HIPAA Certification](https://www.hipaaguide.net/how-to-get-hipaa-certification/) - How to get HIPAA certification depends on the purpose of the certification and whether the certification is being sought by an individual or an organization. - [Who Created HIPAA?](https://www.hipaaguide.net/who-created-hipaa/) - Some areas of HIPAA were created by the Clinton administration’s Health Plan Task Force, others were created by House Representative Bill Archer, and the areas of HIPAA most people associate with the Act were created by the Department of Health and Human Services. - [Why was HIPAA Created?](https://www.hipaaguide.net/why-was-hipaa-created/) - HIPAA was created to reform the health insurance industry; but, because the reforms would incur costs and potentially reduce tax revenues, Congress introduced measures to neutralize the costs by reducing health insurance fraud and simplifying the administration of healthcare transactions. - [HIPAA Guidelines for Mental Health Professionals](https://www.hipaaguide.net/hipaa-guidelines-for-mental-health-professionals/) - The HIPAA guidelines for mental health professionals are the same as the HIPAA guidelines for other types of healthcare professionals. - [Is Gmail HIPAA Compliant?](https://www.hipaaguide.net/is-gmail-hipaa-compliant/) - Gmail is HIPAA compliant when an organization subscribes to a Google Workspace plan that supports HIPAA compliance and enters into a Business Associate Amendment with Google. - [What is FWA in Healthcare?](https://www.hipaaguide.net/fwa-in-healthcare/) - FWA in healthcare stands for fraud, waste, and abuse – an issue currently estimated to cost the country between $68 billion and $230 billion each year, or between 3% and 10% of annual healthcare spending. - [7 Questions to Ask HIPAA Compliance Consultants](https://www.hipaaguide.net/hipaa-compliance-consultants/) - HIPAA compliance consultants are individuals or firms of compliance professionals with an understanding of the Health Insurance Portability and Accountability Act and how it is applied to different types of covered entities and business associates depending on their functions, their locations, and their organizational structures. - [OCR Stresses the Importance of a HIPAA Sanction Policy](https://www.hipaaguide.net/importance-hipaa-sanction-policy/) - The Privacy and Security Rules of the Health Insurance Portability and Accountability Act HIPAA require covered entities and their business associates to ensure that members of the workforce comply with all appropriate provisions of the HIPAA Rules. - [Examples of Poor Communication between Nurse and Patient](https://www.hipaaguide.net/examples-of-poor-communication-between-nurse-and-patient/) - It is rare to find many real-life examples of poor communication between nurse and patient in the United States because any admission of error can be grounds for a medical malpractice lawsuit. - [What are the HIPAA Reporting Requirements?](https://www.hipaaguide.net/hipaa-reporting-requirements/) - The HIPAA reporting requirements are often confused with the notification requirements following a breach of unsecured Protected Health Information PHI. - [OCR Issues Guidance on Educating Patients About Telehealth Risks](https://www.hipaaguide.net/ocr-issues-guidance-on-educating-patients-about-telehealth-risks/) - The HHS’ Office for Civil Rights has issued guidance for healthcare providers to help them educate patients about the privacy and security risks associated with telehealth services, and tips for patients on protecting their privacy when availing of telehealth services. - [Who Needs to be HIPAA Compliant?](https://www.hipaaguide.net/who-needs-to-be-hipaa-compliant/) - The question of who needs to be HIPAA compliant has multiple answers due to the variety of activities within the health insurance and healthcare industries and because of how other laws can impact compliance with HIPAA. - [Is a HIPAA Violation a Felony?](https://www.hipaaguide.net/hipaa-violation-felony/) - A HIPAA violation felony involves the knowing and wrongful use or disclosure of individually identifiable health information contrary to §1320d-6 of the Social Security Act. - [Within HIPAA, How Does Security Differ From Privacy?](https://www.hipaaguide.net/within-hipaa-how-does-security-differ-from-privacy/) - Within HIPAA, the security standards apply to Protected Health Information PHI that is created, received, maintained, or transmitted electronically, whereas the privacy standards apply to all forms of PHI. - [What To Do If Accused of a HIPAA Violation](https://www.hipaaguide.net/what-to-do-if-accused-of-a-hipaa-violation/) - What you should do if accused of a HIPAA violation depends on who you are, who is accusing you, and the nature of the violation you are being accused of. - [The HIPAA Guidelines for Medical Offices](https://www.hipaaguide.net/hipaa-guidelines-for-medical-offices/) - The HIPAA guidelines for medical offices are no different than for any other healthcare facility that qualifies as a HIPAA covered entity or business associate. - [What is a HIPAA Form?](https://www.hipaaguide.net/what-is-a-hipaa-form/) - A HIPAA form can be one of several documents. - [Who is Covered by HIPAA?](https://www.hipaaguide.net/who-covered-hipaa/) - A lack of knowledge about who is covered by HIPAA can lead to misconceptions about when it is permissible to disclose health information and who to. - [What Should be Included in a HIPAA Photography Policy?](https://www.hipaaguide.net/hipaa-photography-policy/) - A HIPAA photography policy should govern the use of cameras and mobile phones in healthcare environments – and the security of medical images – in order to protect the privacy of individually identifiable health information and prevent impermissible disclosures of Protected Health Information PHI. - [What is the Difference between EMS and EMT in Healthcare?](https://www.hipaaguide.net/difference-between-ems-and-emt/) - The difference between EMS and EMT in healthcare is that EMS is an acronym for Emergency Medical Services, while EMT is an acronym for an Emergency Medical Technician – an individual who most often works within an EMS team as a first responder. - [What Does it Mean to be HIPAA Compliant?](https://www.hipaaguide.net/what-does-it-mean-to-be-hipaa-compliant/) - There are many interpretations of the question what does it mean to be HIPAA compliant, and therefore many answers. - [What is SOC 2 Compliance?](https://www.hipaaguide.net/soc-2-compliance/) - SOC 2 compliance is compliance with the Service Organization Control 2 standards for managing and securing data developed by the American Institute of Certified Public Accountants AICPA. - [What are HHS OIG Exclusions?](https://www.hipaaguide.net/hhs-oig-exclusions/) - HHS OIG exclusions are individuals and entities that are prohibited from participating in any federal health care program because they have violated a clause of §1128 of the Social Security Act. - [Warnings Issued by OCR & FTC Over Tracking Technology Use](https://www.hipaaguide.net/warnings-issued-by-ocr-ftc-over-tracking-technology-use/) - Warning letters have been sent by the HHS’ Office for Civil Rights OCR and the Federal Trade Commission FTC to hospitals and telehealth companies over the use of website and mobile app tracking technologies. - [Is Gravity Forms HIPAA Compliant?](https://www.hipaaguide.net/is-gravity-forms-hipaa-compliant/) - Gravity Forms is not HIPAA compliant and should not be used in its default state by covered entities and business associates to collect, store, or transmit Protected Health Information PHI. - [Benefits of HIPAA](https://www.hipaaguide.net/benefits-of-hipaa/) - HIPAA provides a range of benefits including bolstering patient data security through rigorous standards, safeguarding individual privacy in the handling of personal health information, promoting streamlined and standardized healthcare transactions for improved efficiency, empowering patients by granting them control over their own health data, and ensuring continuity of health insurance coverage despite job changes or life transitions, all contributing to a more secure, patient-centered, and transparent healthcare ecosystem. - [Is Google Meet HIPAA Compliant?](https://www.hipaaguide.net/is-google-meet-hipaa-compliant/) - Google Meet is HIPAA compliant for meetings between healthcare professionals and for providing telehealth services to patients subject to safeguards being implemented to ensure the service is configured and used correctly. - [Who Enforces HIPAA Privacy Provisions in Non-Criminal Cases?](https://www.hipaaguide.net/who-enforces-hipaa-privacy-provisions-in-non-criminal-cases/) - In order to best answer the question who enforces HIPAA privacy provisions in non-criminal cases, it is necessary to be aware of what HIPAA is, what it does, what the privacy provisions are, who they apply to, who enforces them, and the difference between criminal and non-criminal cases. - [HIPAA Authorization Form](https://www.hipaaguide.net/hipaa-authorization-form/) - The Privacy Rule stipulates that a valid HIPAA authorization form must be completed before using or disclosing Protected Health Information for a purpose not otherwise allowed by the Rule. - [Does HIPAA Apply to Schools?](https://www.hipaaguide.net/does-hipaa-apply-to-schools/) - In most cases, the question of does HIPAA apply to schools is answered by the definition of a HIPAA Covered Entity. - [What is the Difference between PHI and ePHI?](https://www.hipaaguide.net/difference-between-phi-and-ephi/) - The difference between PHI and ePHI is that the acronym PHI relates to Protected Health Information in all formats, while the acronym ePHI relates to Protected Health Information in electronic format. - [Website and Other Tracking Code May Violate HIPAA](https://www.hipaaguide.net/website-and-other-tracking-code-may-violate-hipaa/) - In July, the independent journalism site, The Markup, discovered one-third of the top 100 hospitals in the United States were using tracking code on their websites provided by Meta, and that code – Meta Pixel – was transmitting patient information to Meta/Facebook. - [Is an Email Address Considered PHI?](https://www.hipaaguide.net/is-an-email-address-considered-phi/) - An email address is considered PHI when it is maintained in a designated record set by a HIPAA covered entity or business associate, and the designated record set contains health, treatment, or payment information about an individual who could be identified by the email address. - [Why is HIPAA important to patients?](https://www.hipaaguide.net/why-is-hipaa-important-to-patients/) - The Health Insurance Portability and Accountability Act was introduced in 1996, and since then has seen many updates. - [How can you avoid HIPAA violations?](https://www.hipaaguide.net/how-can-you-avoid-hipaa-violations/) - Given how serious they are, how can you avoid HIPAA violations? - [How long do you have to report a HIPAA violation?](https://www.hipaaguide.net/how-long-do-you-have-to-report-a-hipaa-violation/) - If a HIPAA violation has been discovered, it is not only essential that it is reported in a timely manner – it is actually required by HIPAA. - [How Password Managers Help Prevent Phishing Attacks](https://www.hipaaguide.net/how-password-managers-help-prevent-phishing-attacks/) - Anyone who is unsure about the scale of the threat from phishing should read the web descriptions of data breaches recorded on HHS´ Breach Report Archive. - [What Does HIPAA Protect?](https://www.hipaaguide.net/what-does-hipaa-protect/) - There are various answers to the question what does HIPAA protect depending on the perspective from which you look at the Health Insurance Portability and Accountability Act. - [What is HITECH in healthcare?](https://www.hipaaguide.net/what-is-hitech-in-healthcare/) - The Health Information Technology for Economic and Clinical Health Act HITECH Act came into effect in 2009 as part of the American Recovery and Reinvestment Act ARRA. - [Compliance with HIPAA and EHR Policies](https://www.hipaaguide.net/hipaa-and-ehr/) - Despite the best efforts of many Covered Entities, there appears to be an upward trend in violations of HIPAA and EHR policies – or rather, gaps in EHR policies – are a contributing factor. - [What is Considered a Breach of HIPAA?](https://www.hipaaguide.net/what-is-considered-a-breach-of-hipaa/) - The terms “violation” and “breach” are sometimes conflated in HIPAA-related discussions, and it is important for covered entities and business associates to understand the distinction between the two terms in order to respond appropriately to events considered a breach of HIPAA. - [Updated Security Risk Assessment Tool Released by HHS](https://www.hipaaguide.net/updated-security-risk-assessment-tool-released-by-hhs/) - The HIPAA Security Rule requires HIPAA-regulated entities to conduct a security risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. - [How to Make a HIPAA Complaint](https://www.hipaaguide.net/make-a-hipaa-complaint/) - Despite the Privacy Rule requiring healthcare organizations and health plans to provide information about how to make a HIPAA complaint, some individuals are unsure about the circumstances in which they can make a complaint, who they should make it to, and what information the complaint should include. - [What is covered under HIPAA?](https://www.hipaaguide.net/what-is-covered-under-hipaa/) - Many patients will be aware of HIPAA, and know that it guarantees some protections for their privacy, but what is covered under HIPAA? - [What happens if HIPAA is violated?](https://www.hipaaguide.net/what_happens_if_hipaa_is_violated/) - What happens if HIPAA is violated? - [Who can violate HIPAA?](https://www.hipaaguide.net/who-can-violate-hipaa/) - Who can violate HIPAA? - [Is HIPAA still in effect?](https://www.hipaaguide.net/is-hipaa-still-in-effect/) - It may have been around for a long time now, but is HIPAA still in effect? - [What Happens if you Violate HIPAA?](https://www.hipaaguide.net/what-happens-if-you-violate-hipaa/) - What happens if you violate HIPAA depends on the nature of the violation and its consequences, the motive behind the violation, the measures taken to mitigate the consequences, and whether you are a HIPAA-regulated entity or a member of a regulated entity’s workforce. - [The Importance of HIPAA Security Rule Information Access Management and Access Control Compliance](https://www.hipaaguide.net/the-importance-of-hipaa-security-rule-information-access-management-and-access-control-compliance/) - The HHS’ Office for Civil Rights has recently reminded HIPAA-covered entities and their business associates about the importance of carefully controlling access to electronic protected health information ePHI. - [Can Employers ask Employees about COVID-19 Vaccinations?](https://www.hipaaguide.net/can-employers-ask-employees-about-covid-19-vaccinations/) - In the United States, mask mandates are starting to be lifted and people who have been fully vaccinated against COVID-19 are now not required to wear a mask, so can employers ask employees about COVID-19 vaccinations and their current vaccine status before allowing them back to the workplace or to work without a facemask, or would that constitute a HIPAA violation? - [How Often Do You Need HIPAA Training?](https://www.hipaaguide.net/how-often-do-you-need-hipaa-training/) - How Often Do You Need HIPAA Training? - [City of New Haven Settles HIPAA Violation Case with OCR for $202K](https://www.hipaaguide.net/city-of-new-haven-settles-hipaa-violation-case-with-ocr-for-202k/) - The City of New Haven in Connecticut has settled a HIPAA violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights and has been ordered to pay a financial penalty of $202,400. A corrective action plan has also been adopted to ensure that all areas of noncompliance with the HIPAA Rules are addressed. The City will be monitored by OCR for 2 years to ensure continued compliance with the HIPAA Rules. - [Athens Orthopedic Clinic Agrees to Pay $1.5 Million to Settle OCR HIPAA Violation Case](https://www.hipaaguide.net/athens-orthopedic-clinic-agrees-to-pay-1-5-million-to-settle-ocr-hipaa-violation-case/) - The Department of Health and Human Services’ Office for Civil Rights OCR has settled another HIPAA violation case – The 6th case to be resolved with a financial penalty in the past week and the 9th of 2020. - [Americans Largely Unaware of Extent that Health Insurers Access their Online Data](https://www.hipaaguide.net/americans-largely-unaware-of-extent-that-health-insurers-access-their-online-data/) - A recent MITRE-Harris poll has revealed most Americans are unaware of the extent to which health insurers are accessing their online personal information and how that information is used to build profiles on customers and predict an individual’s healthcare costs. - [OCR Updates mHealth Portal Adding New Resources for HIPAA Health App Developers](https://www.hipaaguide.net/ocr-updates-mhealth-portal-adding-new-resources-for-hipaa-health-app-developers/) - In certain circumstances, the developers of mobile health apps are classed as business associates and are required to comply with the Rules of the Health Insurance Portability and Accountability Act HIPAA. - [Before You Can Safeguard PHI, You Must Know Where it is Located](https://www.hipaaguide.net/before-you-can-safeguard-phi-you-must-know-where-it-is-located/) - HIPAA-covered entities and their business associates are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information ePHI. - [Telehealth Policy Changes Could Become Permanent When COVID-19 Public Health Emergency Ends](https://www.hipaaguide.net/telehealth-policy-changes-could-become-permanent-when-covid-19-public-health-emergency-ends/) - If there is one good thing to come out of the COVID-19 pandemic it is the changes that have been made to telehealth policies. - [Reports of COVID-19 Diagnoses by Media Suggest Violations of HIPAA](https://www.hipaaguide.net/reports-of-covid-19-diagnoses-in-media-suggest-violations-of-hipaa/) - When famous people are diagnosed with an illness or suffer an accident, that can be headline news. - [OCR Issues Guidance on Telehealth Services During COVID-19 Public Health Emergency](https://www.hipaaguide.net/ocr-issues-guidance-on-telehealth-services-during-covid-19-public-health-emergency/) - Last week, the Trump Administration extended Medicare telehealth services as the COVID-19 crisis deepened. - [2019 Novel Coronavirus and HIPAA Compliance](https://www.hipaaguide.net/2019-novel-coronavirus-and-hipaa-compliance/) - Important information on the 2019 Novel Coronavirus and HIPAA compliance, the limited HIPAA waiver announced by the HSS, and potential violations of HIPAA Rules in relation to telecommunications platforms and the use of telehealth services in a public health emergency. - [20 Common HIPAA Myths Debunked](https://www.hipaaguide.net/20-common-hipaa-myths-debunked/) - In this post we cover some of the many HIPAA myths that have been circulating on the internet and often get talked about. - [Failure to Encrypt ePHI on Portable Devices Results in $3 Million Financial Penalty](https://www.hipaaguide.net/failure-to-encrypt-ephi-on-portable-devices-results-in-3-million-financial-penalty/) - The HHS’ Office for Civil Rights OCR has announced its sixth HIPAA penalty of 2019. - [HHS Confirms When Business Associates Can be Held Directly Liable for HIPAA Violations](https://www.hipaaguide.net/hhs-confirms-when-business-associates-can-be-held-directly-liable-for-hipaa-violations/) - The Health Information Technology for Economic and Clinical Health HITECH Act of 2009, and the subsequent HIPAA Omnibus Final Rule of 2013, required business associates of HIPAA covered entities to comply with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. - [Study Reveals Widespread Nonconformance with HIPAA Rules and NIST CSF Controls](https://www.hipaaguide.net/study-reveals-widespread-nonconformance-with-hipaa-rules-and-nist-csf-controls/) - It has been 14 years since the HIPAA Security Rule requirements have been mandatory, but many healthcare organizations are still not in conformance with all aspects of the Security Rule, according to a recent study by consultancy firm CynergisTek. - [Are Google Home and Google Assistant Compliant With HIPAA?](https://www.hipaaguide.net/are-google-home-and-google-assistant-compliant-with-hipaa/) - Can medical practitioners use Google Home and Google Assistant? - [Is DocuSign HIPAA Compliant?](https://www.hipaaguide.net/is-docusign-hipaa-compliant/) - Can healthcare organizations use DocuSign in association with electronic protected health information ePHI without breaking HIPAA Rules? - [Is Evernote HIPAA Compliant?](https://www.hipaaguide.net/is-evernote-hipaa-compliant/) - Evernote is a useful cloud-based tool for taking notes, making to do lists, planning projects, and collaborating with team members. - [Is Google Keep HIPAA Compliant?](https://www.hipaaguide.net/is-google-keep-hipaa-compliant/) - Google Keep is a cloud-based note taking application that allows notes to be created and shared across multiple devices. - [Is Return Path HIPAA Compliant?](https://www.hipaaguide.net/is-return-path-hipaa-compliant/) - Return Path is an email marketing and optimization program that helps companies to put their email marketing campaigns and analytics on autopilot. - [Is Mandrill HIPAA Compliant?](https://www.hipaaguide.net/is-mandrill-hipaa-compliant/) - Does Mandrill support HIPAA compliance? - [Is SparkPost HIPAA Compliant?](https://www.hipaaguide.net/is-sparkpost-hipaa-compliant/) - SparkPost is a well-known email delivery and analytics program used by a lot of businesses for communicating with their customers. - [Is JotForm HIPAA Compliant?](https://www.hipaaguide.net/is-jotform-hipaa-compliant/) - JotForm is a software solution that can be used for making online forms. - [HIPAA-Compliant SFTP Server Requirements](https://www.hipaaguide.net/hipaa-compliant-sftp-server-requirements/) - If healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities need to use FTP to move protected health information PHI, they need to make sure that the service provider employs a sFTP server that is HIPAA compliant. - [Is Zendesk HIPAA Compliant?](https://www.hipaaguide.net/is-zendesk-hipaa-compliant/) - Zendesk is a provider of a customer service software program and support ticketing system. - [HIPAA Violation Fines](https://www.hipaaguide.net/hipaa-violation-fines/) - This article list the HIPAA violation fines issued by HHS’ Office for Civil Rights OCR and the settlements reached between violating entities and the agency from 2010 to 2018. - [GDPR-Style Data Privacy Law Signed into California Legislature](https://www.hipaaguide.net/gdpr-style-data-privacy-law-in-california-signed-into-law/) - California governor Jerry Brown has signed AB 375 – the California Consumer Privacy Act of 2018 – into law after the Senate and Assembly made a unanimous decision to pass the bill. - [What Information Does the HIPAA Law Protect?](https://www.hipaaguide.net/what-information-does-the-hipaa-law-protect/) - To find the answer to the question what information does the HIPAA law protect, you have to look beyond the text of the Health Insurance Portability and Accountability Act and review the Privacy Rule that emerged from the Administrative Simplification provisions of the Act. - [How to Improve Hospital Workflows](https://www.hipaaguide.net/how-to-improve-hospital-workflows/) - Achieving Workflow Optimization in Hospitals The matter of improving hospital workflows is a senior healthcare management concern. - [HIPAA Compliance for Call Centers](https://www.hipaaguide.net/hipaa-compliance-for-call-centers/) - HIPAA Compliant Texting in Call Centers HIPAA compliance for call centers is an important concern for all companies offering the healthcare industry an answering or call-forwarding service. - [How Employees Can Help Prevent HIPAA Violations](https://www.hipaaguide.net/how-employees-can-help-prevent-hipaa-violations/) - Healthcare institutions and their business associates must be in compliance with the HIPAA Privacy, Security, and Breach Notifications Rules and need to implement a range of controls to avoid HIPAA violations. - [HIPAA Security Officer](https://www.hipaaguide.net/hipaa-security-officer/) - The Administrative Safeguards of the HIPAA Security Rule 45 CFR 164. - [HIPAA Encryption for iPhones and Android Phones](https://www.hipaaguide.net/hipaa-encryption-for-iphones-and-android-phones/) - Should healthcare providers encrypt data in the smartphones they use? - [What Are Covered Entities Under HIPAA?](https://www.hipaaguide.net/what-are-covered-entities-under-hipaa/) - The Health Insurance Portability and Accountability Act HIPAA is applicable to healthcare organizations and their business associates. - [CMS Explains the Use of Text Messages in Healthcare](https://www.hipaaguide.net/cms-explains-the-use-of-text-messages-in-healthcare/) - The Centers for Medicare and Medicaid Services CMS has confirmed to healthcare providers that using text messages in healthcare is forbidden because of issues relating to security and patient privacy. - [Technology Use in Healthcare Versus HIPAA Compliance](https://www.hipaaguide.net/technology-healthcare-hipaa-compliance/) - Why Modern Technology May Not be HIPAA Compliant A lot of healthcare professionals today use their mobile devices to connect to healthcare networks and collaborate about patient care. - [The Most Common HIPAA Violations Healthcare Organizations Should be Aware Of](https://www.hipaaguide.net/most-common-hipaa-violations/) - The most common HIPAA violations committed by healthcare organizations that have resulted in financial penalties are the failure to: Conduct a comprehensive risk analysis to pinpoint threats to the confidentiality, integrity, and availability of protected health information PHI Enter into a HIPAA-compliant business associate agreement BAA Prevent impermissible disclosures of PHI Send breach notifications without delay and within 60 days of discovery Safeguard PHI The Department of Health and Human Services’ Office for Civil Rights OCR pursues financial penalties for egregious HIPAA violations. - [New Health Sector Cybersecurity Coordination Center Opened by HHS](https://www.hipaaguide.net/new-health-sector-cybersecurity-coordination-center-opened-by-hhs/) - The U. - [HIPAA Risk Analysis Guidance and Tools](https://www.hipaaguide.net/guidance-and-tools-hipaa-risk-analysis/) - The HIPAA risk analysis is a fundamental component of HIPAA compliance, but a lot of healthcare agencies and business associates fail to get risk analyses right. - [How is the HITECH Act Related to HIPAA and Electronic Health and Medical Records?](https://www.hipaaguide.net/how-is-the-hitech-act-related-to-hipaa-and-electronic-health-and-medical-records/) - The Health Insurance Portability and Accountability Act HIPAA was enacted in August 1996. - [What is Regarded as Protected Health Information According to HIPAA?](https://www.hipaaguide.net/what-is-regarded-as-protected-health-information-according-to-hipaa/) - Protected Health Information according to HIPAA is individually identifiable health information collected, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate that: Relates to the past, present, or future physical or mental health or condition of an individual, Or the provision of health care to an individual, Or the past, present, or future payment for the provision of health care to an individual, AND that identifies the individual or can be used to identify the individual. - [When is a HIPAA Release Form Necessary?](https://www.hipaaguide.net/when-is-a-hipaa-release-form-necessary/) - A HIPAA release form signed by the patient ought to be acquired prior to sharing that individual’s protected health information PHI with other persons or companies, except in the instance of routine information sharing for treatment, payment or healthcare operations that are permitted by the HIPAA Privacy Rule. - [New Guidance on Using EHR Data in Clinical Research Issued By the U.S. FDA](https://www.hipaaguide.net/new-guidance-on-using-ehr-data-in-clinical-research-issued-by-the-u-s-fda/) - The U.S. Food and Drug Administration (FDA) has introduced new guidance about the usage of EHR data in clinical research and the prerequisite to make sure that proper controls are implemented to protect the confidentiality, integrity, and availability of health information. - [Phishing Attack on FAPD and Black River Medical Center](https://www.hipaaguide.net/phishing-attack-on-fapd-and-black-river-medical-center/) - Two HIPAA-covered organizations have recently announced they have been victims of phishing attacks that potentially resulted in the disclosure of the protected health information PHI of patients. - [Understanding the Requirements on Issuing Individual Authorization for Uses and Disclosures of PHI for Research](https://www.hipaaguide.net/requirements-on-issuing-individual-authorization-for-uses-and-disclosures-of-phi-for-research/) - To help HIPAA-covered entities to streamline HIPAA authorizations for the use of protected health information PHI in research, as mandated by the 21st Century Cures Act of 2016, the Department of Health and Human Services’ Office for Civil Rights has issued guidance. - [Hospitals and Physicians Confirm Mobile Technology Helps Improve Patient Outcomes](https://www.hipaaguide.net/more-hospitals-and-physicians-use-mobile-technology-to-improve-patient-services/) - Black Book Research has published the results of a survey on the use of mobile technology by hospitals and physicians. - [Are Law Firms Violating HIPAA When Using Geofencing Technology to Target Patients in ER Rooms?](https://www.hipaaguide.net/are-law-firms-violating-hipaa-when-using-geofencing-technology-to-target-patients-in-er-rooms/) - Geofencing is a technology that creates a digital fence around a particular location or space online allowing individuals to be identified when they pass through that invisible boundary. - [Covered Entities Are Reminded Not to Neglect Physical Security Controls](https://www.hipaaguide.net/covered-entities-are-reminded-not-to-neglect-physical-security-controls/) - The Department of Health and Human Services’ Office for Civil Rights OCR is reminding HIPAA covered entities that they should not only focus on technical controls but on physical security controls to safeguard protected health information PHI. - [Why Choosing Secure Messaging Platforms Over Pagers is Important for HIPAA Compliance](https://www.hipaaguide.net/why-choose-secure-messaging-over-pagers-to-comply-with-hipaa/) - Is it the End of Paging? - [How to make HIPAA Complaints within a Covered Entity](https://www.hipaaguide.net/hipaa-complaints-covered-entity/) - Who should be informed within the covered entity when you want to make a HIPAA complaint? - [Nine Security No-Nos for Healthcare Employees](https://www.hipaaguide.net/what-employees-should-not-do-to-prevent-hipaa-violations/) - Healthcare companies and their business associates need to adhere to the HIPAA Privacy, Security, and Breach Notifications Regulations and employ safety measures to avoid HIPAA violations. - [Can Amazon Alexa Be Used in Healthcare?](https://www.hipaaguide.net/can-amazon-alexa-be-used-in-healthcare/) - The use of Amazon Alexa is limited in healthcare because it is not HIPAA compliant. - [De-identification of Protected Health Information](https://www.hipaaguide.net/de-identification-of-protected-health-information/) - The de-identification of Protected Health Information removes Privacy Rule and the Security Rule protections from any information remaining in a designated record set as this information cannot be used to commit fraud, abuse, or theft if it is acquired by a bad actor. - [How to Report a HIPAA violation](https://www.hipaaguide.net/how-to-report-a-hipaa-violation/) - It is the duty of HIPAA covered entities to make sure that their personnel know the right steps for reporting a HIPAA violation. - [What Should A Patient Do If There is an Obvious HIPAA Violation?](https://www.hipaaguide.net/how-to-sue-for-hipaa-violation/) - A patient is unable to sue a healthcare organization for a HIPAA violation and demand damages even though the incident resulted in harm. - [Problems in the Oversight of Medicare Beneficiary Data Security](https://www.hipaaguide.net/problems-in-the-oversight-of-medicare-beneficiary-data-security/) - Because of the recent data breaches, the U.S Senate Committee on Finance, the House Committee on Energy and Commerce and the House Committee on Ways and Means chairmen requested the U.S. Government Accountability Office (GAO) to perform a study on the work of HHS’ Centers for Medicare and Medicaid Services (CMS). The study seeks to evaluate CMS’ work of protecting the Medicare beneficiary data from getting accessed by external entities. - [What Entities Can Get Access to Medicare Beneficiary Data?](https://www.hipaaguide.net/what-entities-get-access-to-medicare-beneficiary-data/) - The Department of Health and Human Services HHS Centers for Medicare and Medicaid Services CMS protect Medicare beneficiary data when being accessed by external entities. - [What are the Penalties When Pharmacies Violate HIPAA Rules?](https://www.hipaaguide.net/what-are-the-penalties-when-pharmacies-violate-hipaa-rules/) - Whether you have a large or small business, if you’re engaged in the healthcare industry, HIPAA compliance is a must. - [What Does Contingency Planning Mean As Per HIPAA Rules?](https://www.hipaaguide.net/what-does-contingency-planning-mean-as-per-hipaa-rules/) - OCR explained in its March 2018 cybersecurity newsletter the importance of contingency planning. - [Is the Use of Google Forms Compliant With HIPAA Rules?](https://www.hipaaguide.net/is-the-use-of-google-forms-compliant-with-hipaa-rules/) - Google Forms is an online tool that anyone can use to create surveys and get feedback from people. - [Guidelines on Using Social Media to Avoid HIPAA Violations](https://www.hipaaguide.net/guidelines-on-using-social-media-to-avoid-hipaa-violations/) - ProPublica released a study in 2015 that showed the reality of HIPAA social media violations involving healthcare employees in 2015. - [How to Ensure HIPAA Compliant File Sharing](https://www.hipaaguide.net/how-to-ensure-hipaa-compliant-file-sharing/) - HIPAA compliant file sharing requires maintaining the security, integrity and confidentiality of PHI both at rest and in transit. - [What Must Be Done Before Using Cloud Service Providers to Ensure HIPAA Compliance?](https://www.hipaaguide.net/must-done-using-cloud-service-providers-ensure-hipaa-compliance/) - Cloud service providers are classified as business associates based on the HIPAA Omnibus Rule, which states “A data storage company that has access to protected health information whether digital or hard copy qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. - [Identity and Access Management Policies That Govern Terminated Employees](https://www.hipaaguide.net/identity-access-management-policies-govern-terminated-employees/) - The HIPAA Security Rule calls for the efficient management of information access. - [MediaPro Report Reveals Poor Security Awareness of Healthcare Employees](https://www.hipaaguide.net/mediapro-report-reveals-poor-security-awareness-healthcare-employees/) - MediaPro published a recent report indicating the lack of preparedness of the healthcare industry to deal with cyberattack scenarios and security threats. - [Which Entities Should Comply with the HIPAA Rule?](https://www.hipaaguide.net/entities-comply-hipaa-rule/) - The Health Insurance Portability and Accountability Act HIPAA Rules aim to keep protected health information secure and define its allowable uses and disclosures. - [Must Know Facts About Individually Identifiable Health Information](https://www.hipaaguide.net/must-know-facts-individually-identifiable-health-information/) - What are considered individually identifiable health information? - [Is Azure HIPAA Compliant?](https://www.hipaaguide.net/is-azure-hipaa-compliant/) - Healthcare companies are not forbidden by HIPAA to utilize cloud services. - [Is WebEx HIPAA Compliant?](https://www.hipaaguide.net/is-webex-hipaa-compliant/) - WebEx is a platform for online video conferencing and collaboration helping organizations interact with distant individuals and partners as though they are all together in one room. - [How To Comply With the HIPAA Password Requirements](https://www.hipaaguide.net/hipaa-password-requirements-best-way-comply/) - According to the HIPAA password requirements, there must be procedures in place for creating, changing and safeguarding passwords except when there’s an alternative security measure that is put in place which is equally effective. - [The Security Risks of Using Mobile Devices to Manage ePHI](https://www.hipaaguide.net/security-risks-using-mobile-devices-manage-ephi/) - Most healthcare organizations today use mobile devices including laptop computers, tablets, mobile phones and portable storage devices to boost productivity. - [What are the Penalties for Violating HIPAA Breach Notification Requirements?](https://www.hipaaguide.net/penalties-violating-hipaa-breach-notification-requirements/) - The HIPAA Breach Notification requirements must be followed by all covered entities and business associates to avoid financial penalties that the Department of Health and Human Services’ Office for Civil Rights HHS OCR may impose. - [Does HIPAA Apply to Employers?](https://www.hipaaguide.net/does-hipaa-apply-to-employers/) - “Does HIPAA Apply to Employers” is a question that has triggered varied responses because of the complex nature of the HIPAA Privacy Rule. - [What Are Reportable HIPAA Breaches? What Are the Exemptions?](https://www.hipaaguide.net/reportable-hipaa-breaches-exemptions/) - Following the HIPAA breach notification requirements is a must for all HIPAA covered entities. - [Security Breach at a New York Pharmacy Exposed 12,172 Customers’ PHI](https://www.hipaaguide.net/security-breach-new-york-pharmacy-exposed-12172-customers-phi/) - ShopRite Supermarkets, Inc announced to its pharmacy customers about a security breach as a result of the improper disposal of a device used for capturing customers’ signatures. - [What is the Importance of HIPAA to Patients?](https://www.hipaaguide.net/what-is-the-importance-of-hipaa-to-patients/) - The majority of Americans know that HIPAA relates to healthcare providers, but many people do not realize how important HIPAA is to patients. - [HIPAA Compliance for Self-Administered Group Health Plans](https://www.hipaaguide.net/hipaa-compliance-for-self-administered-group-health-plan/) - One of the most confusing aspects of HIPAA legislation is HIPAA compliance for self-insured group health plans and self-administered health group plans. - [HIPAA Compliance and Medical Records](https://www.hipaaguide.net/hipaa-compliance-and-medical-records/) - Stage 2 Meaningful Use, HIPAA Compliance and EHRs Stage 2 Meaningful Use elevates the standard on the conditions that must be satisfied to ensure HIPAA compliance and the security of medical records. - [Is Skype HIPAA Compliant?](https://www.hipaaguide.net/is-skype-hipaa-compliant/) - Messaging platforms such as Skype are an efficient way of communicating between individuals and groups, but healthcare organizations must only use communications platforms to discuss information relating to patients that are compliant with HIPAA. - [Limiting the Potential for the Unauthorized Accessing of Patient Medical Records](https://www.hipaaguide.net/unauthorized-access-to-patient-medical-records/) - The most common reason for the unauthorized accessing of patient medical records is not hacking and IT security incidents, but rather healthcare employees snooping on patient medical records according to new research conducted by Veriphyr Identity and Access Intelligence. - [What Does a Limited Data Set Mean Under HIPAA?](https://www.hipaaguide.net/what-does-limited-data-set-mean-under-hipaa/) - A limited data set, as defined in the HIPAA Privacy Rule, is a set of identifiable healthcare data that covered entities are allowed to share with specific entities for reasons including research, public health activities, and healthcare operations without the need to obtain prior patient authorization, if specified conditions are satisfied. - [Employee Snooping the Most Common Cause of HIPAA Breaches](https://www.hipaaguide.net/employee-snooping-as-the-most-common-cause-of-hipaa-security-breaches/) - The theft of mobile devices could result in a major exposure of Protected Health Information PHI; but, according to a study by Veriphyr Identity and Access Intelligence, small scale snooping by employees is actually the most common cause of HIPAA security breaches. - [Is Zoom HIPAA Compliant?](https://www.hipaaguide.net/is-zoom-hipaa-compliant/) - Zoom is a well-known video and web conferencing platform that 750,000 businesses now use, but can healthcare organizations use the service for sharing PHI? - [What are the HIPAA rules for dentists?](https://www.hipaaguide.net/hipaa-rules-for-dentists/) - Despite the fact that many dental clinics are self-contained centers, the HIPAA rules for dentists apply to any dental services that may issue claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests digitally. - [HIPAA Encryption Requirements](https://www.hipaaguide.net/hipaa-encryption-requirements/) - Strictly speaking, the HIPAA encryption requirements are addressable implementation specifications rather than “requirements”. - [What are the rules for HIPAA Compliant Telemedicine?](https://www.hipaaguide.net/hipaa-compliant-telemedicine/) - The rule for HIPAA Compliant Telemedicine in call centers is something every company, providing an answering service or call-forwarding service for the healthcare industry, should be making themselves very familiar with in order to avoid potential breaches. - [HIPAA Regulations for SMS](https://www.hipaaguide.net/hipaa-regulations-for-sms/) - Almost all SMS messaging platforms aren’t HIPAA Compliant. - [Importance of the HIPAA](https://www.hipaaguide.net/importance-of-the-hipaa/) - The Health Insurance Portability and Accountability Act HIPAA is a legislation introduced in 1996, mainly to deal with one concern: Insurance coverage for people who are in between jobs. - [Key Points of HIPAA Compliance for Pharmacies](https://www.hipaaguide.net/key-points-of-hipaa-compliance-for-pharmacies/) - Pharmacies are HIPAA-covered entities that must comply with the acceptable uses and disclosures of protected health information PHI. - [Is Yammer HIPAA Compliant?](https://www.hipaaguide.net/is-yammer-hipaa-compliant/) - Yammer is another platform that healthcare organizations can potentially use for sharing ePHI. - [Is Google Sheets HIPAA Compliant?](https://www.hipaaguide.net/google-sheets-hipaa-compliant/) - Google Sheets is a service provided by Google to create, view and share spreadsheets. - [Is IBM Cloud HIPAA Compliant?](https://www.hipaaguide.net/ibm-cloud-hipaa-compliant/) - IBM Cloud is a service offered by IBM allowing organizations to do certain functions such as building native cloud apps, developing mobile and web services, hosting infrastructure and other cloud-based services that share, process and analyze data.