Subscription Required

Only paid subscribers* to Report on Patient Privacy can access this Web portal with three years of back issues, searchable article archives and other valuable resources.

Subscribers to Report on Patient Privacy receive

  1. Report on Patient Privacy, AIS’s industry-leading monthly newsletter, a copy of which will be mailed to you and posted — along with searchable archives of past articles and a convenient library with PDFs of back issues — on the subscriber-only website.
  2. Access to the industry’s most exhaustive HIPAA privacy and security website, which features:
    • 31 detailed narrative sections of guidance written by experts on every HIPAA compliance topic from A to Z. These exhaustive treatments are packed with sample forms, policies, procedures, decision trees and other practical tools you can adapt to your privacy and security compliance programs ... and it’s updated regularly.
    • Links to critical government documents required for compliance with privacy and security regulations and other related federal requirements.
    • Special E-Alerts when timely news breaks
    • Searchable archives of the monthly newsletter Report on Patient Privacy.
    • Recent stories of interest and hot topic articles grouped for convenient reading, and
    • Regular postings from your editor.
September 2016

Recent Stories

From Report on Patient Privacy - Since 2009, covered entities (CEs) have been dutifully sending annual reports to the HHS Office for Civil Rights (OCR) that tick off every “small” breach, meaning one that exposes the protected health information (PHI) of anywhere from a single person up to 499 people, in addition to the quicker reporting (60 days) required when more than 500 individuals are affected. So far this year, OCR collected $20.3 million in settlement agreements from organizations experiencing mostly “large” breaches affecting more than 500 people.

The loss of four desktop computers due to a 2013 break-in, which…

Last month, in rapid succession, the HHS Office for Civil Rights (OCR)…

With just one day to spare before the 60-day deadline to notify…

From the Editor

Welcome to your Report on Patient Privacy subscriber-only Web page

Be sure to visit often, for PDFs of issues, article archives, narrative sections by privacy and security experts, and more!

Please e-mail me with your comments on the last issue of Report on Patient Privacy, story ideas for future issues, or any other suggestions you have that can make the newsletter more useful for you.

Mobile Device Use Policy & Procedure

This sample Mobile Device Use Policy and Procedure was provided to RPP subscribers by Chris Apgar, president of Apgar & Associates, LLC, in Portland, Ore. For more information, please contact Apgar at

Click here to access the policy.

September 7, 2016
Sutter Health's Physical Audit Checklist

Sutter Health, a not-for-profit system of 24 hospitals based in Sacramento, designed this seven-part "Physical Audit Checklist" to ensure that no protected health information is inappropriately disclosed or displayed, particularly in facilities it is acquiring that may have been vacated by others. For more information, contact Jacki Monson, Sutter's chief privacy and security officer, at

September 7, 2016
Checklists from NIST’s Computer Security Incident Handling Guide

Click here for two checklists from NIST’s Computer Security Incident Handling Guide — an Initial Security Incident Handling Checklist and a Generic Incident Handling Checklist for Uncategorized Incidents.

August 19, 2016
Expect More Investigations of Small Breaches

OCR has announced that its regional offices will immediately expand investigations of breaches affecting fewer than 500 individuals. Criteria the offices will use to select breaches for investigation include the following:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions also may consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to similar covered entities and business associates.

The Aug. 18 announcement was distributed via the HHS privacy list-serv.
