Kimberly Shutters

Size Matters

Third-Party Vendors – Size Doesn’t Matter!

That’s right, folks: if you are a healthcare third-party vendor, size doesn’t matter when it comes to HIPAA compliance. Healthcare third-party vendors that create, receive, maintain, and/or transmit protected health information are required by law to comply with the regulations. Did You Know? A healthcare third-party vendor, referred to by the Department …


When it comes to healthcare, what does Minimum Necessary mean?

HIPAA Privacy Rule Minimum Necessary

In this week’s “Know The Rules!,” I am discussing the Privacy Rule minimum necessary standard, [45 CFR 164.502(b), 164.514(d)]. Minimum necessary applies: When using or disclosing protected health information (PHI) or when requesting PHI from another Covered Entity (CE) or Business Associate (BA), a CE or BA must make reasonable …


Audit Controls

HIPAA Security Audit Controls and Audit Logs

Today I am breaking down one of the Technical Safeguard standards, Audit Controls, 45 § 164.312(b), into byte-size portions to help you understand how it is significant to your organization. Audit Logs are The HIPAA Security Rule provision on requires regulated entities to: Implement hardware, software, and/or procedural mechanisms that record and …


Anti-Kickback Statute

Today, I am presenting a case study of what happens when a Covered Entity (CE) and a pharmaceutical company collude to violate the Federal Anti-Kickback Statute and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Healthcare has a Federal Anti-Kickback Statute (AKS), 42 U.S.C. § 1320a-7b(b), that makes it illegal for providers to …



Evaluation

Do I need my HIPAA Security Plan Evaluated? It is important for Covered Entities (CEs) and Business Associates (BAs) to know if their security plans and procedures continue to adequately protect their electronic protected health information (ePHI). To accomplish this, CEs and BAs must implement and monitor their Evaluation Plan. CEs and BAs must periodically …