HIPAA

HIPAA Right of Access Investigation
Fines, HIPAA

OCR Settles Ninth HIPAA Right of Access Investigation

October 9, 2020 Comments Off on OCR Settles Ninth HIPAA Right of Access Investigation

October 9, 2020 The OCR has proven they keep their promises (unlike that former friend we all know), taking only two days to fulfill their recent pledge of continued right of access enforcement and announcing yet another HIPAA fine. For those of you counting, that’s 7 right of access fines in less than a month – so take the hint, and pay attention to what your practice should be doing when it comes to patient right of access. This time, the fine goes to NY Spine Medicine (NY Spine), a New York based neurology and pain management medical practice, who was hit with a $100,000 fine and two year corrective action plan for failing to provide records to a patient in 2019. After making multiple requests beginning in June 2019, NY Spine failed to provide diagnostic film records to a patient, only providing the records in October 2020 after OCR investigation. Important to note about this case is that NY Spine did provide some records to the patient, but not the ones she had actually requested – making this still a right of access violation.  As OCR Director Roger Severino put it, “no one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.”  If you’re a covered entity of any kind, now would be the right time to say ’message received’. If the OCR’s words aren’t enough, take a look at the stats: If you need a refresher, read up on the five right of access fines announced in September or this Wednesday’s $160,000 right of access fine.  What should your practice be doing right now? First, don’t panic. Second, if you think you might not be up to snuff on patient right of access, we have the inside scoop on how to get compliant and update your policies and know-how (wink wink). Just sign up for an educational webinar to learn what steps you can take right away to prevent being the next enforcement victim. 

Life Before HIPAA
HIPAA

Life Before HIPAA

October 8, 2020 Comments Off on Life Before HIPAA

October 8, 2020 Likely, the number of times someone older than you may have used the phrase “back in my day” is staggering. And while it’s unlikely previous generations did walk 20 miles uphill both ways in the snow to school every day, they DID have to deal with far less patient privacy protections than we have today. So when did protecting patients’ sensitive data become a priority? With the introduction of the Health Insurance Portability Act, better known as HIPAA, in 1996. HIPAA has had a bad reputation since being signed into law but read on to see why HIPAA is actually a good thing – for your practice, and for patients everywhere. Prior to 1996, health information privacy was like the wild west. There was no federal rule governing the privacy and protection of health information. While most providers acted within reason, no one had defined what protecting your sensitive information meant or how it was going to be regulated. So let’s take a moment to picture ‘life before HIPAA’. Imagine you’re in the running for the big promotion at work. You’re definitely the best candidate, but your anxiety (undiagnosed bipolar disorder) has started to affect your work performance. Instead of seeking medical help, you pretend everything’s a-okay. You know that if you see a professional, your employer could be notified and your chance at promotion would be out the window. Meanwhile, your anxiety over hiding your anxiety takes an even greater toll – the promotion goes to Chad from Accounting instead.  This scenario was REAL for many individuals prior to HIPAA. Companies used to receive detailed updates regarding employees’ health insurance. At the same time, patients weren’t necessarily able to receive their own medical records. This was a problem. The only way to protect your health information at the time was not to have any created in the first place – preventing patients from seeking the care they needed. Enter HIPAA. HIPAA laws standardize the ’right way’ to handle sensitive patient information. While sometimes these standards are anything but simple, it’s clear HIPAA guidelines make sure PHI is actually protected – not just given away like candy. Protecting PHI means ensuring its privacy (the HIPAA Privacy Rule) as well as its security (the HIPAA Security Rule). Ultimately, HIPAA law standardized protections for your patient data through required safeguards in addition to privacy requirements to prevent unauthorized disclosures. Because of HIPAA, individuals can feel comfortable going to a doctor to receive treatment without fear that it will be the talk of the office break room the next day. Not only do patients have the ability to determine who can and can’t be in the know, but they also have the ability to access records themselves to stay on top of their own care. So next time you’re frustrated with the need to have patients sign a HIPAA authorization form, just remember that HIPAA is what stands between you and chaos. Well, maybe we’re being a bit dramatic, but when sensitive data falls into the wrong hands, it could certainly feel like the end of the world.

HIPAA Settlement Patient Right of Access
Fines, HIPAA

OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center

October 7, 2020 Comments Off on OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center

October 7, 2020 The Office for Civil Rights (OCR) has officially kept their foot on the gas heading into October, announcing their 8th HIPAA right of access fine and adding to a string of nine total HIPAA fines announced since September 15th. Five of those recent fines also centered on providing patients appropriate access to their records, an initiative the OCR pledged to enforce in 2019. The latest practice left in the OCR’s dust is St. Joseph’s Hospital and Medical Center (SJHMC), an acute care hospital with several hospital-based clinics providing a variety of health services out of Phoenix, Arizona. SJHMC was slapped with a $160,000 fine, along with a 2-year corrective action plan to settle their potential HIPAA violation.  Continuing the patient right of access violation trend, SJHMC failed to provide patient records requested by a patient’s personal representative within any sort of a reasonable timeframe, and certainly not within HIPAA-mandated and state-specific deadlines. OCR involvement began in April 2018, when a complaint was received from an SJHMC patient’s mother stating that since January of 2018 she made various requests for a copy of her son’s medical records that SJHMC had failed to fulfill. While the hospital provided partial records, they failed to produce the full records requested despite follow-ups made by the mother in March, April, and May of 2018. The records were only provided a long 22 months later, in December 2019, after the OCR got involved to investigate the complaint. The deadline to provide patient records after a request in Arizona is 30 days.   If you haven’t realized the enforcement trend yet, the OCR made it pretty clear in their statement announcing the fine. “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino stated, “OCR has many rights of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”  Not only did OCR Director Roger Severino call out practices who aren’t actively focusing on their HIPAA compliance program, he emphasized that there is more to come related to patient right of access. This fine, along with the many others announced in recent weeks, emphasizes just how important a HIPAA compliance program is and having the right policies in place to fulfill all aspects of HIPAA compliance – including meeting patient’s access requests.    

Business Associate Exposes 6 Million Records
Business Associates, Fines, HIPAA

OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 Comments Off on OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 The Office for Civil Rights has been dropping fines left and right in the last week, releasing their 7th (and largest) HIPAA settlement earlier today and bringing their running total to seven fines in just 8 days. The latest violation came with a hefty payout of $2.3 million as well as an extensive 2-year corrective action plan – and not to mention a whole lot of apology letters to write.  The lucky winner of the latest HIPAA settlement is CHSPSC LLC, a business associate who serves a number of hospitals and clinics owned by Community Health Systems, Inc out of Tennessee. You may be thinking, “well no biggie, I’m a covered entity not a business associate so that wouldn’t be me,” but the 6 million+ patients affected and the reasons the OCR gave for levying a fine would beg to differ. Just like any covered entity might be, this business associate was the victim of a cyberattack that even after alarms were raised went unmitigated for months. As if that wasn’t enough, the OCR investigation discovered long standing non-compliance with the HIPAA Security Rule ultimately landing the business associate at the top of the most expensive 2020 fines list. On April 10, 2014, CHSPSC’s information system was infiltrated by a threat group that went unnoticed until the company was notified by the FBI 8 days later. The hackers continued to have a field-day, accessing the sensitive data for 4 months after the initial attack. CHSPSC’s continued disregard for implementing the necessary security protections required by HIPAA even AFTER receiving federal notice was described by OCR Director, Roger Severino, as “inexcusable”. The cyberattack affected 237 different covered entities served by CHSPSC and withdrew the PHI of 6,121,158 individuals including everything from names and birthdays to emergency contact information and social security numbers.  As if over 6 million patients records being taken wasn’t bad enough, an OCR investigation into the business associate found several gaps in their compliance program including:  It doesn’t matter whether you’re a healthcare provider, business associate, or just the average joe – falling victim to a cyberattack is fair game. Because business associates require the same HIPAA safeguard requirements as covered entities, no matter who gets hacked the OCR is looking for the same requirements and can hand out the same fines for either type of health related entity.  For providers especially, entrusting your patients sensitive data to your business associates comes with added risks. In this case, 237 covered entities had to find that out the hard way. While there’s no way to be 100% in the clear from things like cyber attacks, having the proper business associate agreements in place at least takes the liability of an incident off your practice’s hands. If you had been one of those 237 entities affected here, lack of an agreement could have put your practice on the same chopping block as CHSPSC. 

$1.5 million HIPAA Fine
Cybersecurity, Fines, HIPAA

OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 Comments Off on OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement of a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia. Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially required technical safeguards, that led to the breach incident.   On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker was able to gain access through a vendor’s credentials on June 14, 2016, and the hacker continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected. The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing: Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way to avoid being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.

Requesting Access to Medical Records and HIPAA
Best Practices, HIPAA

Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 Comments Off on Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access: Access is just for the patient, right? We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient. A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if: How must access be requested? Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request. Do I need to verify the requester is authorized? Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request. What form must records be provided in? We’re long past the days of keeping everything on paper, and most practice’s manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead. How quickly do records need to be provided? The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30 day extension period.  Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years.    Can I charge patients for copies of their records? Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests. This fee can include:  There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.

5 HIPAA Settlements at Once
Fines, HIPAA

OCR Announces Historic 5 HIPAA Settlements at Once

September 15, 2020 Comments Off on OCR Announces Historic 5 HIPAA Settlements at Once

September 15, 2020 Earlier today the Office for Civil Rights (OCR) announced five HIPAA settlements (yes, you heard that right, five) breaking the record for total HIPAA settlements in one day.  Since 2019 the OCR has honed in on their HIPAA Right of Access Initiative, prioritizing patient’s ability to access their medical records in a timely manner. These five settlements bring the total to seven access related enforcement actions – so if you need any hints on what to make sure your practice is looking out for, this is it.    1. Housing Works Inc. This $38,000 fine resulted from a complaint received by the OCR last July alleging that Housing Works Inc., a New York City based non-profit organization, failed to provide the complainant with a copy of their medical records. The OCR received a second complaint a month later stating that the practice still hadn’t provided the patient with record access (strike number two) which ultimately led to a hefty fine along with a corrective action plan.   2. All Inclusive Medical Service, Inc. This Carmichael, CA based medical practice agreed to a $15,000 fine and corrective action plan after the OCR received a complaint in April 2018 that the practice had denied patient access to inspect and receive a copy of her records in January 2018. Only after the OCR’s investigation was the patient given access to her records – 32 months (almost three years) after she had initially requested.   3. Beth Israel Lahey Health Behavioral Services (BILHBS) This whopping $70,000 HIPAA settlement came from a complaint alleging that the behavioral health corporation failed to respond to a request from a personal representative seeking access to her father’s medical records in February 2019. The OCR investigation found that BILHBS failed to complete the request which meant a costly violation of HIPAA Right of Access.  4. Wise Psychiatry, PC This Psychiatry Practice based in Colorado agreed to a $10,000 settlement along with a corrective action plan after the OCR received a patient right of access complaint related to not providing a personal representative with access to their minor son’s medical records in February of 2018. The OCR provided the practice with technical assistance and closed the complaint just a few months later, but Wise Psychiatry found themselves back on the OCR’s radar in October 2018 when a second complaint from the same individual was filed noting records still had not been received. It wasn’t until May 2019 that the patient records were finally provided.  5. King MD Last but not least (actually, we take that back, this is the smallest HIPAA fine to date), Patricia King MD & Associates – a psychiatric care provider in Chesapeake, Virginia – agreed to pay a $3,500 fine along with adopting a corrective action plan to settle a potential HIPAA right of access violation. In October of 2018, the OCR received a complaint that the practice had failed to respond to an individual’s request to record access in August 2018. After the OCR provided them with technical assistance the complaint was closed. However, in February 2019, the OCR received a second complaint stating that King MD had still failed to provide the same patient with proper access and as a result, the practice was hit with a violation.   The main takeaways? Well if it isn’t already obvious, providing patients with timely access to their medical records is extremely important and is something that is commonly missed by practices. While Patient Right of Access is an enforcement priority for the OCR, that doesn’t mean it’s the only thing you have to watch out for. OCR Director Roger Severino emphasized in the announcement that, “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”  If you needed any more reason to get HIPAA compliance to the top of your priority list – 5 violation settlements announced all in one day should do the trick.      

What is a HIPAA Corrective Action Plan?
Audits, Fines, HIPAA

What is a ‘Corrective Action Plan’?

September 9, 2020 Comments Off on What is a ‘Corrective Action Plan’?

September 9, 2020 HIPAA Settlements are more than just $$$ If you’re like most practices, you might just see $$$ when a HIPAA fine makes the news. And yeah – million dollar fines are no joke. But a HIPAA violation settlement is more than just a dollar sign, and often includes something called a ‘corrective action plan’.  This corrective action plan, or CAP, is basically equivalent to ‘you messed up, here’s two years of administrative paperwork to fix your issues and think about what you’ve done.’ Yeah, you read that right – two years. If you thought paying a fine and putting it behind you was the extent of the bad news, we’re here to tell you why a CAP is just as important if slapped with a HIPAA violation. ALL the Paperwork The goal of a CAP is to correct the issues that caused the HIPAA violation in the first place. However, CAP requirements aren’t just a simple ‘do this next time’ and involve quite a bit of paperwork. Over the course of the designated time frame, one to typically two years, practices are required to: Lets face it, no one likes paperwork (even hearing that word makes us cringe). Having to complete what’s required in a CAP is often far more paperwork than maintaining a regular HIPAA compliance program would be – another reason to be compliant before an incident occurs. Even More Consequences Failing to complete a corrective action plan within the designated time frame can void the initial settlement and can leave a practice open to additional fines and penalties – yikes. It may just be paperwork, but the OCR takes it seriously, and leaves practice’s having to juggle a CAP on top of their already full plate of patient care, regular operations, and reputation management after landing in the news for a HIPAA violation.  So, who doesn’t want to be stuck with a mound of paperwork and the OCR breathing down your neck? (We’re raising our hand – both hands actually.) Getting ahead of violations by completing the SRA and HIPAA program requirements before a breach, complaint or audit will save your practice the pain of a CAP and help avoid a violation in the first place. After all, if you have all the right policies, SRA, and risk management plan in place before a breach you’ve already got OCR requirements down – but with less time spent, on your own schedule, and without the OCR looking over your shoulder.

Top 4 HIPAA Violations
Fines, HIPAA

Top 4 HIPAA Violations Your Practice Should Avoid

September 4, 2020 Comments Off on Top 4 HIPAA Violations Your Practice Should Avoid

September 4, 2020 Even with everything else going on in the world today, HIPAA violations are still making headlines. While these news stories reinforce that the Office for Civil Rights (OCR) hasn’t let up on HIPAA enforcement, they also provide great examples of what not to do when it comes to your own practice. Based on these violations and recent OCR investigation data, we’ve compiled the top four types of violations investigated by the OCR:  1. Impermissible Uses & Disclosures The reigning champion of HIPAA violations over the past 5 years – impermissible uses or disclosures – covers any access, use, or sharing of protected health information (PHI) that is done in a manner not permitted under HIPAA and compromises the security or privacy of a patient’s sensitive information. Common culprits include: Having the right policies in place outlining the proper ways staff may use and disclose PHI is key to ensuring your practice doesn’t join the growing list of improper use violators.  2. Missing Physical, Technical and Administrative Safeguards HIPAA law requires practices to implement safeguards to ensure PHI is protected and secured. These safeguards include:  Failing to implement key safeguards is what gets practice’s into trouble, which is why it is essential to perform in-depth as well as ongoing Security Risk Analyses in order to properly identify which safeguards are missing  3. Improper Access Your data library shouldn’t be fair game to every employee regardless of their role. Even if just glancing at a patient’s information, any access to patient information that is not necessary to complete a specific job function is a violation of HIPAA. With remote work becoming more and more common, we can expect improper access violations to rise as employees use data in less secure environments and with less supervision than there would be in a typical practice setting. Appropriate access is featured heavily in HIPAA, and it’s important to limit and document your access roles. It’s not just internal access to PHI that can get your practice into trouble. There are specific guidelines for providing patients with medical records as well, and while this may seem straightforward 51% of providers fail to comply with HIPAA Right of Access laws. Understanding what Patient Right of Access laws entail is important to keeping your patients happy and avoiding a problem with the OCR.  4. Violations of Minimum Necessary Requirement Less is more when it comes to sensitive health information. Only the minimum information necessary should be provided when PHI is requested, accessed, or disclosed. Violations of this requirement could include providing additional information such as previous medical conditions that may not pertain to the actual purpose of the task at hand. Having proper training and documented policies in place that define what information is considered necessary is an essential piece to protecting your patient’s information and steering clear of a HIPAA violation.   A Violation is Just a Slap on the Wrist, Right? While a violation in any of these areas could be minor, a HIPAA violation fine ranges anywhere from a few hundred to a million dollars based on various factors such as:  The biggest fine so far? $16 million in a single settlement. Monetary fines aren’t the only thing you have to worry about if you find yourself facing a HIPAA violation. Jail time and extensive corrective action plans involving extra oversight and administrative work are real possibilities if a violation is found. So How Can You Best Avoid a HIPAA Violation? Many HIPAA violations can be attributed to a lack of employee education on what’s required under federal law. Violations aren’t usually intentional or malicious, which is why it’s so important to create a culture of compliance within your organization and promote good habits. Keeping up with your HIPAA compliance program and staying updated on any changes to federal regulations is the best way to keep your patients’ information secure and avoid ending up as another HIPAA headline. 

HIPAA Compliant PHI Disposal
Best Practices, HIPAA

Disposing of PHI: Why, What and How

August 27, 2020 Comments Off on Disposing of PHI: Why, What and How

August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of?  Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network).    RELATED: So You Have PHI to Dispose of – Now What?  What is considered proper digital data disposal?  Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored.  Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.

Looking to finish your SRA for MIPS by the Dec 31 deadline? We're here to help you get compliant in minutes.

SCHEDULE CONSULTATION
X