The Privacy Professional

HIPAA regulations make up two main parts: The Privacy (HIPAA) Rights of individuals related to their Personally Healthcare Information (PHI) and the Security (HITECH) of the healthcare information held by Covered Entities .  The Privacy Rule requires covered entities to provide individuals with a copy of their notice of privacy practices, at the first visit/date of service. Covered Entities must be able to prove that patients received these notices; thus they generally require individuals to sign a document called "receipt of notices of privacy practices." These notices must contain information on how the covered entity's   use   and disclosures of the PHI. For example, there should be   a statement   that the PHI will be used consistent with payment of claims, treatment of the individual and for business operations (quality control, auditing or internal monitoring). In addition, the notice should contain information on instances when a signed release would be re

Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIAs can reduce the risks of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design ( PbD ) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new, in fact the process has been used by a number of companies, entities and governments for over forty years now.  The PIA was created by the United States Office of Technology Assessment. The U.S. office of Management and Budget (OMB) publishes guidance on the implementation the privacy provisions by Federal Agencies under E-Government Act of 2002, including when to conduct a PIA. Under GDPR,  PIAs have become a centerpiece and necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o