HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?

By Rob Pierce on August 2, 2017August 2, 2017

One of the areas we are required to evaluate on every HIPAA audit or compliance assessment is whether our client is compliant with HIPAA’s record retention requirements.

The HIPAA Contingency Plan

By Kerry Shackelford on February 3, 2016April 12, 2016

One of the areas we review on all audits and assessments of the HIPAA Security Rule is HIPAA’s requirements concerning contingency plans.

SaaS HIPAA Considerations

By Rob Pierce on February 18, 2015February 18, 2015

With the use of cloud technology trending upward, many cloud companies are touting themselves as “HIPAA certified.” In fact, there is no such thing as a HIPAA certification.

Patch Management and HIPAA Compliance

By Kerry Shackelford on January 28, 2015January 22, 2015

You won’t find the words “Patch Management” in the HIPAA Security Rule, but given recent action taken by the US government agency that enforces HIPAA compliance, it’s there.

Using the SOC 2 or AT 601 Reports to Demonstrate Compliance with HIPAA

By Kerry Shackelford on September 18, 2013November 20, 2013

The modifications to HIPAA known as the “HIPAA Omnibus Rule” became effective March 26, 2013, and covered entities and business associates were give about 6 months to get in compliance.

Required vs. Addressable Implementation Specifications in the HIPAA Security Rule

By Kerry Shackelford on September 4, 2013September 4, 2013

The HIPAA Security Rule’s implementation specifications are each labeled as either “required” or “addressable.”