Subscription Required

Only paid subscribers* to Report on Patient Privacy can access this Web portal with three years of back issues, searchable article archives and other valuable resources.

Subscribers to Report on Patient Privacy receive

  1. Report on Patient Privacy, AIS’s industry-leading monthly newsletter, a copy of which will be mailed to you and posted — along with searchable archives of past articles and a convenient library with PDFs of back issues — on the subscriber-only website.
  2. Access to the industry’s most exhaustive HIPAA privacy and security website, which features:
    • 31 detailed narrative sections of guidance written by experts on every HIPAA compliance topic from A to Z. These exhaustive treatments are packed with sample forms, policies, procedures, decision trees and other practical tools you can adapt to your privacy and security compliance programs ... and it’s updated regularly.
    • Links to critical government documents required for compliance with privacy and security regulations and other related federal requirements.
    • Special E-Alerts when timely news breaks
    • Searchable archives of the monthly newsletter Report on Patient Privacy.
    • Recent stories of interest and hot topic articles grouped for convenient reading, and
    • Regular postings from your editor.
View a sample and get more information
November 2016

Recent Stories

From Report on Patient Privacy - In 2011, Idaho State University (ISU) discovered that a contractor forgot to reactivate a firewall at one of its medical practices, potentially exposing the protected health information (PHI) of some 17,000 patients over a nine-month period. Two years after reporting the breach to the HHS Office for Civil Rights, ISU paid OCR $400,000 and agreed to a two-year corrective action plan (CAP) that called for an updated risk analysis (RPP 6/13, p. 1). Read more

HIPAA covered entities (CEs) seeking to keep their protected health information (PHI)… Read more

In a year of escalating settlements that defy enforcement trends, the HHS… Read more

Recent settlements between the HHS Office for Civil Rights (OCR) and HIPAA… Read more

From the Editor

Welcome to your Report on Patient Privacy subscriber-only Web page

Be sure to visit often, for PDFs of issues, article archives, narrative sections by privacy and security experts, and more!

Please e-mail me with your comments on the last issue of Report on Patient Privacy, story ideas for future issues, or any other suggestions you have that can make the newsletter more useful for you.

Mobile Device Use Policy & Procedure

This sample Mobile Device Use Policy and Procedure was provided to RPP subscribers by Chris Apgar, president of Apgar & Associates, LLC, in Portland, Ore. For more information, please contact Apgar at

Click here to access the policy.

December 2, 2016
More Info on Phishing Scam; New Audits Announced

OCR issued two important announcements via email on Nov. 30.

First, it added more information regarding the phishing scam that appears to come on official HHS letterhead (see Nov. 28 post below). The phishing email originates from the email address and directs individuals to a URL at Notice the slight difference between the fake email address (italicized above) and OCR’s email. OCR’s email is

Second, OCR said that it had notified select business associates of their inclusion in the Phase 2 HIPAA audits.

November 28, 2016
Phishing Email Disguised as Official OCR Audit Communication

Critical Alert from OCR: On Nov. 28, OCR sent out the following alert on its OCR listserv regarding phishing scams:

"It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at"

Do not open this email or click on the link.

November 3, 2016
FTC Guidance Helps With Compliance

The Federal Trade Commission, in conjunction with OCR, has issued guidance to help businesses comply with both HIPAA and the FTC Act. The guidance cautions businesses that even if they are in compliance with HIPAA, their disclosure statements may be deceptive under the FTC Act. It lists five recommendations to help entities comply with both laws.
