End of Year SRA

By Art Gross – A security risk assessment must be conducted to maintain HIPAA compliance per the Security Rule. A security risk assessment is also referred to as an SRA. It is a requirement for government plans such as Medicare, Obamacare, and Medicaid.


By Art Gross – The National Institute of Standards and Technology has provided updated guidance for the health care industry. It has created a new draft, designed to help with electronic protected health information, titled Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide.

Electronic Health Records and The Security Rule

By Art Gross – Patient care in a digital age means that most information is stored electronically. These records, known as electronic Protected Health Information, are collected as EHRs and then stored in a variety of systems. With HIPAA in mind, how do you maintain security around the ePHI beyond the EHR?

Tips for Securing ePHI on Mobile Devices

By Art Gross – While mobile devices play a major role in how we stay connected to the world in our personal lives, they are also becoming increasingly popular in our work environments. Not only are mobile devices such as smartphones, tablets and laptops convenient in the workplace, but they can also help increase productivity.

Google to Remove ePHI from its Search Results

By Jonathan Krasner – HIPAA data breaches can occur if ePHI is posted on an open web site. In that situation, not only is the ePHI available for viewing, it also can be indexed by an Internet search engine such as Google. Many data breaches have been uncovered by finding the unauthorized ePHI via a Google search.

New HIPAA Guidance on Ransomware Attacks and ePHI Security

By Bob Grant – HHS Office for Civil Rights has released new guidance about how HIPAA-beholden entities can better equip themselves to deal with ransomware attacks. Ransomware is a targeted kind of malware attack that takes data ‘hostage.’ The attackers responsible then give the organization a countdown to a time at which they expect to receive a ‘ransom’ in exchange for restored access to the withheld data.

When Does the HIPAA Conduit Exception Rule Apply?

By Gene Fry – The HIPAA conduit exception rule is only applicable to providers of purely conduit services who do not have access to protected health information (PHI) other than infrequently or randomly. For this reason, conduit providers do not have to sign a Business Associate Agreement (BAA). But what exactly is a conduit service, and when does the HIPAA conduit exception rule apply?