An independent reference on HIPAA, the Security and Privacy Rules, risk analysis, and Washington State health-data law for compliance-minded organizations.
Who HIPAA covers, what it protects, and how it is enforced.
A plain-language overview of HIPAA: what the law is, what it protects, its main rules, and who has to follow it.
Understand the difference between covered entities and business associates under HIPAA, and why business associate agreements matter.
Learn what counts as protected health information under HIPAA, the 18 identifiers, and how de-identification removes data from HIPAA's scope.
How OCR enforces HIPAA: complaints, investigations, corrective action, the tiered penalty structure, and possible criminal referrals.
Safeguards for electronic protected health information.
What the HIPAA Security Rule requires: protecting ePHI through administrative, physical, and technical safeguards, and the role of required vs. addressable implementation specifications.
A breakdown of the three Security Rule safeguard categories - administrative, physical, and technical - with practical examples for each.
How the HIPAA Security Rule treats access control and authentication, including unique user IDs, least privilege, and multi-factor authentication.
Why encryption is addressable under HIPAA, how it relates to the breach safe harbor, and practical guidance for data at rest and in transit.
An overview of the proposed HIPAA Security Rule updates (NPRM), which are proposed and not yet final: what they would change and how to prepare.
Rules for using, disclosing, and protecting health information.
What the HIPAA Privacy Rule does: setting national standards for how PHI may be used and disclosed, and the rights it gives patients.
When HIPAA lets you use or disclose PHI without authorization, including treatment, payment, operations, and public-interest exceptions.
How HIPAA's minimum necessary standard works, when it applies, when it does not, and how to operationalize it with role-based access.
The rights HIPAA gives patients, including access to records, amendments, accounting of disclosures, restrictions, and confidential communications.
Risk analysis, breach response, and building a compliance program.
Understand the HIPAA security risk analysis: what it requires, why it is foundational, and how it differs from a gap assessment.
A practical, step-by-step walkthrough of a HIPAA security risk assessment, from scoping and data mapping to risk rating and remediation.
What the HIPAA Breach Notification Rule requires: the breach definition, risk assessment factors, and who must be notified and when.
The building blocks of a sustainable HIPAA compliance program: governance, risk analysis, policies, training, vendor management, and incident response.
Washington health-data law beyond HIPAA, including the My Health My Data Act.
An overview of Washington's My Health My Data Act: who it covers, consumer rights, the private right of action, and how it differs from HIPAA.
How long Washington providers should retain medical records, the difference from HIPAA's documentation retention, and where to verify the rules.
How health data breach reporting works in Washington: HIPAA federal duties, the state breach notification law, and the Attorney General's role.