HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?

By Rob Pierce on August 2, 2017August 2, 2017

One of the areas we are required to evaluate on every HIPAA audit or compliance assessment is whether our client is compliant with HIPAA’s record retention requirements.

The HIPAA “Wall Of Shame”

By Kerry Shackelford on December 21, 2016August 1, 2017

If you’re already following HIPAA compliance-related news, you’re probably already familiar with the “Wall of Shame.” If you’re just getting started, read on. The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to report breaches of protected health information (PHI) to the U. S. Department of Health and Human Services (HHS).

The Security Risk Analysis and HIPAA Compliance

By Kerry Shackelford on June 15, 2016June 15, 2016

The HIPAA Security Rule places a great deal of emphasis on the importance of the security risk analysis—so much so that it was positioned front-and-center as an implementation specification under first standard in the first section of HIPAA. The requirement to complete a security risk analysis is under the Security Management Process standard in the […]

De-Identification of Personal Information

By Kerry Shackelford on April 13, 2016May 6, 2016

The topic of de-identification of personal information has come up in discussions with clients several times in the past year. In each scenario, our client or potential client is collecting and maintaining a store of personal information which must be protected from breach—customer records, payment card industry cardholder data, electronic protected health information (ePHI), etc. […]

The HIPAA Contingency Plan

By Kerry Shackelford on February 3, 2016April 12, 2016

One of the areas we review on all audits and assessments of the HIPAA Security Rule is HIPAA’s requirements concerning contingency plans.

What’s the Difference Between the SOC 2 Security and AT 601 HIPAA Security Requirements?

By Kerry Shackelford on November 13, 2015November 13, 2015

Linford & Company offers two types of reports that address security, the SOC 2 Security report and the AT 601 HIPAA Security report.

SaaS HIPAA Considerations

By Rob Pierce on February 18, 2015February 18, 2015

With the use of cloud technology trending upward, many cloud companies are touting themselves as “HIPAA certified.” In fact, there is no such thing as a HIPAA certification.

Patch Management and HIPAA Compliance

By Kerry Shackelford on January 28, 2015January 22, 2015

You won’t find the words “Patch Management” in the HIPAA Security Rule, but given recent action taken by the US government agency that enforces HIPAA compliance, it’s there.

What’s in Scope of a HIPAA Security Compliance Audit?

By Kerry Shackelford on June 12, 2014June 12, 2014

The first step in conducting a HIPAA security compliance audit is to “take inventory” of the electronic protected health information (ePHI) environment.