Q: It is my understanding that written authorization is required for the release of PHI even for treatment, payment, and operations purposes. I believe this is true in New York state, but am unsure if it is also true nationally.
Q: Is there a sample risk analysis about how an enterprise or clinic might evaluate and determine if data-at-rest protection through encryption is reasonable and appropriate as defined in the HIPAA Security Rule?
Release of information (ROI) is typically a function that is managed by the HIM department, but privacy and security officers often play a critical role in ensuring records remain secure during transmission.
There's considerable confusion about what HIPAA means and what your obligations are under the regulations. I recently presented at a Midwest physician association conference. As is almost always the case, in the front row was an attendee just waiting for the Q&A session.
