Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Generally, no. CSPs that provide cloud services to a covered [...]
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Yes, because the CSP receives and maintains (e.g., to process [...]
May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
Yes, provided the covered entity or business associate enters into [...]
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
No. However, a covered entity must ensure through its contract [...]
What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002?
Based on the information received through public comments, testimony at [...]
Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?
Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory [...]
Can an authorization be used together with other written instructions from the intended recipient of the information?
A transmittal or cover letter can be used to narrow [...]
Does the Privacy Rule require that an authorization be notarized or include a witness signature?
The Privacy Rule does not require that a document be [...]
May a covered entity disclose protected health information specified in an authorization, even if that information was created after the authorization was signed?
Yes, provided that the Authorization encompasses the category of information [...]
Must an authorization include an expiration date?
The Privacy Rule requires that an Authorization contain either an [...]