Q: I perform monthly HIPAA audits of computer systems at the medical group where I am employed. I recently started auditing physicians and allied health professionals who are credentialed members of our medical staff.
Q: It is my understanding that written authorization is required for the release of PHI even for treatment, payment, and operations purposes. I believe this is true in New York state, but am unsure if it is also true nationally.
Q: Is there a sample risk analysis about how an enterprise or clinic might evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate as defined in the HIPAA Security Rule?
