Q: We see many assertions that encryption at the right level meets the National Institute of Standards and Technology (NIST)/HIPAA safe harbor provision with no explanation of what is necessary to prove the breached electronic protected health information (PHI) was actually encrypted at the moment of breach. How can a covered entity prove the PHI was actually encrypted at the time of the breach?
Handling requests for information from law enforcement can throw staff for a loop. Most staff are aware of their organization’s policies and the basic HIPAA requirements for disclosing patient information to family members, friends, and other individuals such as legal guardians. But handling requests from law enforcement officials can be a different matter.
Q: I am told if I elect to work from home, I will not be allowed to print any medical records. My home office is secure and I have a shredder. Would printing medical records violate HIPAA, or is this too restrictive?
OCR’s 2016 guidance on patient access opened up a debate in the industry and brought questions about fulfilling patient access requests to the foreground.
