Upcoming Webinars 


The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.

Log in

Log in

HIPAA Blog and Updates

Welcome to out HIPAA blog.  Here we post news, articles, and site updates on HIPAA.  

  • 17 Jul 2019 1:18 PM | Zachary Edgar (Administrator)

    The purpose of the Health Insurance Portability and Accountability (HIPAA) Security Rule is to:

    • Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity (healthcare provider, health plan) or business associate creates, receives, maintains, or transmits;
    • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
    • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
    • Ensure compliance of the covered entity’s workforce.  45 C.F.R. §164.306.

    The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements.  Each one of these sections has multiple “standards” that must be followed by the covered entity.  Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”. 

    A “required” implementation specification must be implemented by the covered entity.

    An “addressable” implementation specification is more flexible, but it is not optional.  A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:

    • Implement the addressable implementation specification;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

    Covered entities must document the assessment and decision made regarding each specification.

    If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

    • The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
    • The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
    • The entity’s financial analysis - How much will implementation cost?


    45 CFR §164.306

    U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities

    NIST SP 800-66

  • 22 May 2019 12:06 PM | Zachary Edgar (Administrator)

    Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

    Read the HHS Press Release

  • 15 May 2019 12:04 PM | Zachary Edgar (Administrator)

    Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients' protected health information – May 6, 2019

    Touchstone Medical Imaging ("Touchstone") has agreed to pay $3,000,000 to OCR, and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

    Read the HHS Press Release

Powered by Wild Apricot Membership Software