
Guidelines for HIPAA compliance in the works – Computerworld

Health care organizations looking for more information on how to comply with HIPAA security mandates may soon get more help.

URAC, a nonprofit accreditation agency for the health care industry, along with the Workgroup for Electronic Data Interchange and the National Institute of Standards and Technology, is developing guidelines for implementing HIPAA security policies.

The Healthcare Security Workgroup, which the three organizations created earlier this year, met in Washington last week to discuss how to consolidate industry best practices and security standards into a set of easily implemented instructions. The goal is to give organizations subject to the Health Insurance Portability and Accountability Act something they can use to ensure compliance with the law’s security requirements by the April 15, 2005, deadline, said Adam Stone, a member of the workgroup. The group aims to deliver the guidelines by the middle of next year.

“No standard measures exist in the health care industry” to implement HIPAA’s security requirements, Stone said. “One of the major problems with the rule is that it is so broad. There are a million different ways to approach it in terms of compliance.”

Getting these standards formalized is going to help make it a lot easier to figure out how to be HIPAA compliant.

Read entire article

This article humanizes the nursing-home admission process, including a mention of the HIPAA forms that are required and a reminder that, if you are the patient, you should keep copies for your own records. Very good advice!

Articles for Caregiving: Understanding Your Admission to A Nursing Home For Rehabilitation

Understanding Your Admission to A Nursing Home For Rehabilitation

Admitting yourself or someone you love to a nursing home for rehabilitation is sometimes something we have to do rather than something we want to do. As you age, the risk of a health accident increases even if you are healthy. Unfortunately, not all of the care we need can be provided in the hospital or at a rehabilitation specialty center. Some of us will need to go to a skilled unit in a nursing home. Understanding your insurance benefits for a health care accident must be a priority even if it is for a short rehabilitation stay.

Read entire article.

HIPAA Training – Free Demo

Filed Under HIPAA Training

From HIPAAClickAndComply.com:

HIPAA compliance is a great challenge to health organizations. Our HIPAA compliance training software can make this a manageable task. The HIPAA Privacy Rule applies to any organization that handles protected health information. HIPAA requires mandatory training. The consequences for non-compliance include civil and criminal penalties.

Basic Privacy Awareness Training – This primer course teaches the general HIPAA privacy requirements. It provides useful context for almost anyone in your organization even if they do not directly work with health information. But it is also a prerequisite to our other courses.

Policies and Procedures Training – This course is designed to meet the HIPAA Federal rule (§164.530(b)(1)) that your organization “…train all members of its workforce on the policies and procedures with respect to protected health information…appropriate…to carry out their function”. Anyone who comes in contact with patient health information should take this course, which gives workers a thorough understanding about how to protect patients’ privacy and rights. Basic Awareness Training, which is included at no extra charge, must be successfully completed before starting the Policies and Procedures Training.

Privacy Officer Training – This course covers the HIPAA details not covered in the two prerequisite courses above (which are included at no extra charge) that a Privacy Officer should know. Organizations like yours must appoint at least one Privacy Officer to perform the duties that are detailed in this training.

Click here for a free demo.

The HHSDC Training Center offers a variety of HIPAA training courses available for group purchase. These courses cover the following HIPAA topics:

  • HIPAA Overview
  • Privacy
  • Security
  • Transactions, Code Sets, and Identifiers
  • Electronic Data Interchange (EDI)
  • EDI Gap Analysis
  • ASC X12 Syntax
  • HIPAA Implementation Planning

You may choose among four training providers – Covansys, Gartner Consulting, KPMG Consulting, and PricewaterhouseCoopers LLP – and a variety of courses offered by each provider.

To schedule a class, simply contact the HHSDC Training Center at (916) 739-7502.

If you are new to this field, you may be wondering what exactly is “HIPAA Compliant Software.”

Well, you’re not going to like the answer. Because it’s tautological.

HIPAA Compliant Software is software that complies with the Health Insurance Portability and Accountability Act of 1996. That’s all.

There is a wide range of software packages that comply with HIPAA. There are also many grey areas in the law, so it will still take several more years before all of the vendors, doctors, hospitals, agencies, HMOs, etc. are on the same page in regards to medical privacy standards.

What Does HIPAA Stand for?

Filed Under HIPAA (General)

If you are just beginning your quest into the bastion of governmental regulation that is HIPAA, we feel for you.

The fine editors here at HIPAA Blog were once like you in this fine quest to find out more about medical privacy regulation.

So…drumroll… the $1,000,000 question is:

What DOES HIPAA Stand for?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996

We here at HIPAA Blog have compiled the following pages (based on the official US Government documents) to help you get started in this crazy world of medical information and privacy compliance.

Here’s a good overview about what HIPAA is all about:
Overview of Standards for Privacy of Individually Identifiable Health Information


HIPAA Blog’s Getting Started Guide

  1. Introduction
  2. HIPAA Law Background
  3. HIPAA Privacy Rules – Who is Covered?
  4. HIPAA Definition of Business Associates
  5. HIPAA Information Protected
  6. HIPAA Disclosure Principles
  7. HIPAA – Permitted Uses and Disclosures
  8. HIPAA Privacy – Obtaining Authorization
  9. HIPAA Privacy – Psychotherapy Authorization
  10. HIPAA Privacy – Minimum Necessary Rule
  11. HIPAA Privacy Practice Notice
  12. HIPAA – Administrative Requirements
  13. HIPAA Privacy – Organizational Options
  14. HIPAA Privacy – Personal Representatives and Minors
  15. HIPAA and State Law
  16. HIPAA Enforcement and Penalties for Noncompliance
  17. HIPAA Compliance Dates

Compliance Schedule

All covered entities, except “small health plans,” must be compliant with the Privacy Rule by April 14, 2003. Small health plans, however, have until April 14, 2004 to comply.

Small Health Plans. A health plan with annual receipts of not more than $5 million is a small health plan. Health plans that file certain federal tax returns and report receipts on those returns should use the guidance provided by the Small Business Administration at 13 Code of Federal Regulations (CFR) 121.104 to calculate annual receipts. Health plans that do not report receipts to the Internal Revenue Service (IRS), for example, group health plans regulated by the Employee Retirement Income Security Act of 1974 (ERISA) that are exempt from filing income tax returns, should use proxy measures to determine their annual receipts.

Compliance. Consistent with the principles for achieving compliance provided in the Rule, HHS will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Rule. The Rule provides processes for persons to file complaints with HHS, and describes the responsibilities of covered entities to provide records and compliance reports and to cooperate with, and permit access to information for, investigations and compliance reviews.

Civil Money Penalties. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions are enforced by the Department of Justice.

HIPAA State Law

Filed Under HIPAA Law, HIPAA Regulation

Preemption. In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply. “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. The Privacy Rule provides exceptions to the general rule of federal preemption for contrary State laws that (1) relate to the privacy of individually identifiable health information and provide greater privacy protections or privacy rights with respect to such information, (2) provide for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) require certain health plan reporting, such as for management or financial audits.

Exception Determination. In addition, preemption of a contrary State law will not occur if HHS determines, in response to a request from a State or other entity or person, that the State law:
- Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
- Is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
- Is necessary for State reporting on health care delivery or costs,
- Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
- Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

Personal Representatives. The Privacy Rule requires a covered entity to treat a “personal representative” the same as the individual, with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual.

Special case: Minors. In most cases, parents are the personal representatives for their minor children. Therefore, in most cases, parents can exercise individual rights, such as access to the medical record, on behalf of their minor children. In certain exceptional cases, the parent is not considered the personal representative. In these situations, the Privacy Rule defers to State and other law to determine the rights of parents to access and control the protected health information of their minor children. If State and other law is silent concerning parental access to the minor’s protected health information, a covered entity has discretion to provide or deny a parent access to the minor’s health information, provided the decision is made by a licensed health care professional in the exercise of professional judgment.

The Rule contains provisions that address a variety of organizational issues that may affect the operation of the privacy protections.

Hybrid Entity. The Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a “hybrid entity.” (The activities that make a person or organization a covered entity are its “covered functions.”) To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.

Affiliated Covered Entity. Legally separate covered entities that are affiliated by common ownership or control may designate themselves (including their health care components) as a single covered entity for Privacy Rule compliance. The designation must be in writing. An affiliated covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions.

Organized Health Care Arrangement. The Privacy Rule identifies relationships in which participating covered entities share protected health information to manage and benefit their common enterprise as “organized health care arrangements” (OHCAs). Covered entities in an organized health care arrangement can share protected health information with each other for the arrangement’s joint health care operations.

Covered Entities With Multiple Covered Functions. A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the protected health information of an individual who receives services from one covered function (e.g., health care provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.

Group Health Plan disclosures to Plan Sponsors. A group health plan and the health insurer or HMO offered by the plan may disclose the following protected health information to the “plan sponsor”—the employer, union, or other employee organization that sponsors and maintains the group health plan:
- Enrollment or disenrollment information with respect to the group health plan or a health insurer or HMO offered by the plan.
- If requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend, or terminate the group health plan. “Summary health information” is information that summarizes claims history, claims expenses, or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan, and that is stripped of all individual identifiers other than the five-digit ZIP code (though it need not qualify as de-identified protected health information).
- Protected health information of the group health plan’s enrollees for the plan sponsor to perform plan administration functions. The plan must receive certification from the plan sponsor that the group health plan document has been amended to impose restrictions on the plan sponsor’s use and disclosure of the protected health information. These restrictions must include the representation that the plan sponsor will not use or disclose the protected health information for any employment-related action or decision or in connection with any other benefit plan.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.

Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. See OCR “Incidental Uses and Disclosures” Guidance.

Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS.

Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.

Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.

Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.

Notice Distribution. A covered health care provider with a direct treatment relationship with individuals must deliver a privacy practices notice to patients starting April 14, 2003 as follows:
- Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery);
- By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice; and
- In emergency treatment situations, the provider must furnish its notice as soon as practicable after the emergency abates.

Covered entities, whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans must supply notice to anyone on request. A covered entity must also make its notice electronically available on any web site it maintains for customer service or benefits information.

The covered entities in an organized health care arrangement may use a joint privacy practices notice, as long as each agrees to abide by the notice content with respect to the protected health information created or received in connection with participation in the arrangement. Distribution of a joint notice by any covered entity participating in the organized health care arrangement at the first point that an OHCA member has an obligation to provide notice satisfies the distribution obligation of the other participants in the organized health care arrangement.

A health plan must distribute its privacy practices notice to each of its enrollees by its Privacy Rule compliance date. Thereafter, the health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request. A health plan satisfies its distribution obligation by furnishing the notice to the “named insured,” that is, the subscriber for coverage that also applies to spouses and dependents.

Acknowledgement of Notice Receipt. A covered health care provider with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy practices notice. The Privacy Rule does not prescribe any particular content for the acknowledgement. The provider must document the reason for any failure to obtain the patient’s written acknowledgement. The provider is relieved of the need to request acknowledgement in an emergency treatment situation.

Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information in a covered entity’s designated record set. The “designated record set” is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. The Rule excepts from the right of access the following protected health information: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibit access, or information held by certain research laboratories. For information included within the right of access, covered entities may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion. Covered entities may impose reasonable, cost-based fees for the cost of copying and postage.

Amendment. The Rule gives individuals the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete. If a covered entity accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the covered entity knows might rely on the information to the individual’s detriment. If the request is denied, covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. The Rule specifies processes for requesting and responding to a request for amendment. A covered entity must amend protected health information in its designated record set upon receipt of notice to amend from another covered entity.

Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their protected health information by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date.

The Privacy Rule does not require accounting for disclosures: (a) for treatment, payment, or health care operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures. Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.
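The accounting rules above translate directly into an audit-log design problem: log everything, decide at request time what is owed. As an added example (not part of the HHS summary or of this blog), here is a small Python disclosure log that records every disclosure and, when an individual asks for an accounting, drops the exempt purposes (a) through (h), limits the window to the six years before the request and never earlier than the entity's compliance date, and temporarily withholds entries for a recipient that has made a written suspension request. The purpose vocabulary, the recipients and the dates are constructed for the example and are not a regulatory code set.

```python
"""Disclosure accounting for the Privacy Rule: an added, illustrative example."""
from dataclasses import dataclass
from datetime import date

# Purposes exempt from the accounting, mapped to items (a)-(h) in the text above.
# The purpose strings are this example's own vocabulary, not a regulatory code set.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",                # (a)
    "to_individual", "to_personal_representative",                  # (b)
    "involved_in_care", "disaster_relief", "facility_directory",    # (c)
    "authorization",                                                # (d)
    "limited_data_set",                                             # (e)
    "national_security",                                            # (f)
    "correctional_or_custody",                                      # (g)
    "incidental",                                                   # (h)
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str


def years_before(d: date, years: int) -> date:
    """Same month and day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self, compliance_date: date):
        self.compliance_date = compliance_date
        self._entries: list = []
        # recipient -> date until which the accounting for that recipient is suspended
        self._suspended_until: dict = {}

    def record(self, d: Disclosure) -> None:
        # Log every disclosure, exempt or not: exemptions are applied when the
        # accounting is produced, so a later policy change does not lose history.
        self._entries.append(d)

    def suspend_accounting(self, recipient: str, until: date) -> None:
        """Honour an oversight agency's or law enforcement's written suspension request."""
        self._suspended_until[recipient] = until

    def accounting(self, patient_id: str, requested_on: date) -> list:
        # Six years back from the request, but never before the compliance date.
        window_start = max(self.compliance_date, years_before(requested_on, 6))
        owed = []
        for d in self._entries:
            if d.patient_id != patient_id or d.purpose in EXEMPT_PURPOSES:
                continue
            if not window_start <= d.disclosed_on <= requested_on:
                continue
            until = self._suspended_until.get(d.recipient)
            if until is not None and requested_on < until:
                continue  # temporarily withheld; reappears once the suspension lapses
            owed.append(d)
        return sorted(owed, key=lambda d: d.disclosed_on)


def demo(requested_on: str = "2004-06-01") -> list:
    """Constructed sample log; returns the descriptions owed to patient P-1."""
    log = DisclosureLog(compliance_date=date(2003, 4, 14))
    for d in [
        Disclosure("P-1", date(2003, 2, 1), "Clinic B", "public_health", "pre-compliance report"),
        Disclosure("P-1", date(2003, 6, 10), "Clinic B", "treatment", "referral records"),
        Disclosure("P-1", date(2004, 1, 20), "State Health Dept", "public_health", "TB case report"),
        Disclosure("P-1", date(2004, 3, 5), "County Sheriff", "law_enforcement", "subpoena response"),
        Disclosure("P-2", date(2004, 3, 5), "County Sheriff", "law_enforcement", "subpoena response"),
        Disclosure("P-1", date(2009, 9, 1), "Researcher X", "research_waiver", "IRB-waived data set"),
    ]:
        log.record(d)
    # Sheriff's written representation: withhold its entries until 2005-01-01.
    log.suspend_accounting("County Sheriff", until=date(2005, 1, 1))
    return [d.description for d in log.accounting("P-1", date.fromisoformat(requested_on))]


if __name__ == "__main__":
    print(demo())                # ['TB case report']
    print(demo("2005-06-01"))    # ['TB case report', 'subpoena response']
    print(demo("2010-02-01"))    # ['subpoena response', 'IRB-waived data set']
```

Two design points worth noting: the exemption list is applied when the accounting is produced rather than when the disclosure is logged, so a disclosure whose purpose is later reclassified is not lost; and a suspension only hides entries while it is in force, so the same request made after the suspension lapses returns the withheld disclosures.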

Restriction Request. Individuals have the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.

Confidential Communications Requirements. Health plans and covered healthcare providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card.

Health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the protected health information could endanger the individual. The health plan may not question the individual’s statement of endangerment. Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.

Limiting Uses and Disclosures to the Minimum Necessary

A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to or a request by a health care provider for treatment; (b) disclosure to an individual who is the subject of the information, or the individual’s personal representative; (c) use or disclosure made pursuant to an authorization; (d) disclosure to HHS for complaint investigation, compliance review or enforcement; (e) use or disclosure that is required by law; or (f) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.

Access and Uses. For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
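The role-based restriction described above is least privilege applied to PHI, and it is easier to audit when the policy is data rather than prose. As an added example (not HHS material and not code from this blog), here is a Python policy check that maps workforce roles to the categories of PHI they need, denies anything outside that baseline, refuses a whole-record request unless a specific justification is recorded, and filters a record down to the granted categories. The role names, the category list, the assignments and the sample record are assumptions chosen for illustration; a real covered entity derives them from its own workforce analysis.

```python
"""Role-based 'minimum necessary' access to PHI: an added, illustrative example."""
from dataclasses import dataclass
from enum import Enum


class PHI(Enum):
    """Categories of protected health information (assumed for this example)."""
    DEMOGRAPHICS = "demographics"
    INSURANCE = "insurance"
    DIAGNOSES = "diagnoses"
    MEDICATIONS = "medications"
    LAB_RESULTS = "lab_results"
    PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
    BILLING = "billing"


ALL = frozenset(PHI)

# Role -> categories that role needs to carry out its duties. Anything not listed
# is denied, and an unknown role gets nothing. Assumed assignments, for illustration.
ROLE_POLICY = {
    "treating_clinician": ALL - {PHI.PSYCHOTHERAPY_NOTES, PHI.BILLING},
    "therapist": frozenset({PHI.DEMOGRAPHICS, PHI.DIAGNOSES, PHI.MEDICATIONS, PHI.PSYCHOTHERAPY_NOTES}),
    "billing_clerk": frozenset({PHI.DEMOGRAPHICS, PHI.INSURANCE, PHI.BILLING}),
    "front_desk": frozenset({PHI.DEMOGRAPHICS, PHI.INSURANCE}),
}


@dataclass(frozen=True)
class Decision:
    granted: frozenset
    denied: frozenset
    reason: str

    @property
    def fully_granted(self) -> bool:
        return not self.denied


def authorize(role: str, requested, justification: str = "") -> Decision:
    """Apply the role baseline; a whole-record request also needs a written reason."""
    requested = frozenset(requested)
    baseline = ROLE_POLICY.get(role, frozenset())
    if requested == ALL and not justification.strip():
        # The entire record may not be used for a particular purpose without a
        # specific justification, whatever the requester's role.
        return Decision(frozenset(), requested, "entire record requested without justification")
    granted = requested & baseline
    denied = requested - baseline
    if denied:
        reason = f"outside baseline for role '{role}': " + ", ".join(sorted(c.value for c in denied))
    else:
        reason = "within role baseline"
    return Decision(granted, denied, reason)


def minimum_necessary(record: dict, decision: Decision) -> dict:
    """Return only the granted categories of a record keyed by PHI category."""
    return {cat: val for cat, val in record.items() if cat in decision.granted}


# Constructed sample record for the demo below.
SAMPLE_RECORD = {
    PHI.DEMOGRAPHICS: {"name": "A. Patient", "dob": "1960-01-01"},
    PHI.INSURANCE: {"plan": "Example Health Plan", "member_id": "X123"},
    PHI.DIAGNOSES: ["asthma (sample)"],
    PHI.MEDICATIONS: ["albuterol (sample)"],
    PHI.LAB_RESULTS: [{"test": "A1C", "value": 5.6}],
    PHI.PSYCHOTHERAPY_NOTES: "session notes (restricted)",
    PHI.BILLING: [{"claim": "C-1", "amount": 120.0}],
}


def demo(role: str, justification: str = "") -> list:
    """Whole-record request by `role`; returns the category names actually released."""
    decision = authorize(role, ALL, justification)
    released = minimum_necessary(SAMPLE_RECORD, decision)
    return sorted(c.value for c in released)


if __name__ == "__main__":
    print(demo("billing_clerk"))                          # [] : no justification given
    print(demo("billing_clerk", "monthly claim audit"))   # ['billing', 'demographics', 'insurance']
    print(demo("treating_clinician", "admission workup"))
    print(demo("visitor", "any reason"))                  # [] : unknown role
```

Note that a justification never widens a role's baseline: a billing clerk who justifies a whole-record request still receives only billing-related categories, and psychotherapy notes stay out of the treating clinician's view unless the policy table says otherwise. Access granted this way should also be written to an access log so the "who saw what" question can be answered later.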

Disclosures and Requests for Disclosures. Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limit the protected health information disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.

Reasonable Reliance. If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: (a) a public official, (b) a professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity; or (c) a researcher who provides the documentation or representation required by the Privacy Rule for research.
