Learn HIPAA, in Plain English
CFR-cited explainers for small US healthcare practices — what HIPAA requires, who it applies to, and what to actually do about it.
What is HIPAA? A Plain-English Guide for Small Healthcare Practices
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the federal law that governs how US healthcare providers, health plans and their business associates handle patient health information. A small healthcare practice in the United States that bills or transmits health information electronically is a "covered entity" under the law, and HIPAA applies to it just as it applies to a 500-bed hospital. The federal government enforces it through the HHS Office for Civil Rights (OCR).
Business Associate Agreements (BAAs): What They Are and Why You Need Them
A Business Associate Agreement (BAA) is a written contract between a HIPAA covered entity and any third party that creates, receives, stores or transmits Protected Health Information (PHI) on the covered entity's behalf. If your dental lab receives x-rays tied to a patient name, your billing service processes insurance claims, or your EHR vendor stores your patient charts, they are business associates, and a signed BAA has to be in place before you can lawfully disclose PHI to them.
The HIPAA Security Risk Assessment: What It Is and How to Do One
The Security Risk Assessment (SRA), which the regulation itself calls a "risk analysis", is the foundational document of any HIPAA compliance program, and it is the single most common missing item in OCR enforcement actions. Required under 45 CFR § 164.
The HIPAA Breach Notification Rule: What to Do When PHI Gets Out
When patient information gets out, whether through a lost laptop, a ransomware attack, a misrouted fax, or an employee accessing records they shouldn't, HIPAA's Breach Notification Rule (45 CFR Part 164 Subpart D) sets out exactly what you have to do, in what order, and by when: affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, with additional notices to HHS and, for large breaches, the media. Get the timing wrong and you face penalties on top of whatever caused the breach.