Designated Record Set: What It Includes, What It Does Not, and Why It Matters
HIPAA and Marketing: When You Need Authorization and What “Marketing” Actually Means
Compliance Software for Small Practices: What to Look For and How to Evaluate It
BAA Refusal and Required Contract Terms: What to Do When a Vendor Will Not Sign
This article explains how to determine whether a vendor actually requires a BAA, what contract terms HIPAA requires in a compliant BAA, why some “standard vendor BAAs” still fail the requirements, and how to respond when a vendor will not sign. The goal is to give clinics a repeatable decision process that produces defensible outcomes and a clean documentation trail.
AI Scribes, Call Recording, and Voicemail Transcription Under HIPAA
This article breaks the topic into three practical systems: AI scribes, call recording, and voicemail transcription. The guiding question is consistent across all three: where does the PHI go, who touches it, how is it secured, and what contractual and policy controls prove that it is handled in a HIPAA-compliant way.
Employee Offboarding and Termination of Access Under HIPAA
This article explains what HIPAA expects regarding termination procedures and access removal, what “addressable” means in practice for smaller clinics, and how to build an offboarding process that is both defensible and workable. It is informational, not legal advice.
What Happens When OCR Gets a Complaint About Your Clinic
This article explains, in operational terms, what OCR looks at during complaint intake, what typically happens after OCR accepts a complaint for investigation, what kinds of information OCR can request, and how a clinic should respond when the first letter arrives. It focuses on the actual rules and OCR’s published process descriptions, not folklore.
Reproductive Health Care Requests and the HIPAA Attestation Requirement
This article explains what the HIPAA attestation requirement for reproductive health care information was designed to do, how it would have worked in real-world request workflows, and what the landscape looks like today.
Paid-in-Full Restrictions to Health Plans Under HIPAA
This report lays out the rule, when it applies, and a defensible implementation workflow for small clinics, including templates for reference.
Online Reviews and HIPAA
This article gives a defensible playbook: the legal framework, response scripts that stay out of PHI territory, escalation rules for when to stop replying publicly, vendor and BAA considerations for reputation management, and an incident-response approach if PHI is posted.
What Can We Leave on Voicemail Under HIPAA?
Does HIPAA Apply if We’re Cash-Only or Don’t Bill Insurance?
Can Parents Access a Minor Child’s Medical Records Under HIPAA?
How Should a Small Clinic Respond to a Subpoena or Court Order for Records?
If you run a small clinic, you will eventually receive a request for records that looks official and urgent: a subpoena, a court order, or some other legal demand. The two failure modes are predictable. One is handing over too much, too fast, because the document looks scary. The other is ignoring it, because no one knows what to do. HIPAA sits in the middle: it allows disclosures for judicial and administrative proceedings, but only under specific conditions and with tight limits on scope.
We Sent Records to the Wrong Person: Is It a HIPAA Breach?
Sending medical records to the wrong person by email, fax, or mail is usually an impermissible disclosure under the HIPAA Privacy Rule, and it is presumed to be a reportable HIPAA “breach” unless you can fit the event into a specific exclusion or you can document a four-factor risk assessment showing a low probability that the PHI was compromised.
When Is an IT Company a HIPAA Business Associate?
If your IT vendor creates, receives, maintains, or transmits protected health information (PHI) on your behalf, or if it needs access to PHI to perform its services, HIPAA generally treats it as a business associate and expects a business associate agreement (BAA) to be in place before PHI is involved.
Do You Have to Report a HIPAA Incident if No Data Left the System?
A breach, for breach-notification purposes, is built around impermissible acquisition, access, use, or disclosure of protected health information (PHI), plus a presumption and a required risk assessment framework. Whether data actually left the system is relevant evidence, but it is not the deciding factor by itself. The right answer is usually: you may not have to notify patients or HHS, but you almost always have to analyze, document, and treat the event as a security incident until you can justify a different conclusion.
How Long Do Clinics Have to Respond to a Medical Records Request?
Under the HIPAA Privacy Rule, a clinic must act on an individual’s request for access no later than 30 calendar days after receiving the request. “Act on” is not vague. It means you either provide the requested access (in whole or in part) or you issue a written denial for any portion you are not providing.
When Is a HIPAA Business Associate Agreement Required, and When Is It Not?
Under HIPAA, a BAA is required in specific situations: when a person or company is acting as your business associate because they create, receive, maintain, or transmit protected health information (PHI) on your behalf while performing certain functions or services for you.
What Does the HIPAA Minimum Necessary Rule Mean in Practice?
The expectation is straightforward: when minimum necessary applies, you make reasonable efforts to limit PHI to what is needed to accomplish the purpose of the activity.