Subscription Required

Only paid subscribers* to Report on Patient Privacy can access this Web portal with three years of back issues, searchable article archives and other valuable resources.

Subscribers to Report on Patient Privacy receive

  1. Report on Patient Privacy, AIS’s industry-leading monthly newsletter, a copy of which will be mailed to you and posted — along with searchable archives of past articles and a convenient library with PDFs of back issues — on the subscriber-only website.
  2. Access to the industry’s most exhaustive HIPAA privacy and security website, which features:
    • 31 detailed narrative sections of guidance written by experts on every HIPAA compliance topic from A to Z. These exhaustive treatments are packed with sample forms, policies, procedures, decision trees and other practical tools you can adapt to your privacy and security compliance programs ... and it’s updated regularly.
    • Links to critical government documents required for compliance with privacy and security regulations and other related federal requirements.
    • Special E-Alerts when timely news breaks
    • Searchable archives of the monthly newsletter Report on Patient Privacy.
    • Recent stories of interest and hot topic articles grouped for convenient reading, and
    • Regular postings from your editor.
January 2017

Recent Stories

From Report on Patient Privacy - As 2016 comes to a close, HIPAA covered entities (CEs) and business associates (BAs) should catch their breath and reflect on what the HHS Office for Civil Rights’ (OCR) record year actually means — to entities other than the unfortunate 13 organizations fined a total of $24.5 million. The total far outpaces OCR’s previous high, set in 2014, of $7.5 million. (The most recent entity fined was the University of Massachusetts Amherst — see story, below). This year was one for the record books, not just for the number of settlements and amounts. Read more

Under normal circumstances, word of a bad decision involving “hybrids” usually would… Read more

In 2011, Idaho State University (ISU) discovered that a contractor forgot to… Read more

HIPAA covered entities (CEs) seeking to keep their protected health information (PHI)… Read more

From the Editor

Report on Patient Privacy

AIS is pleased to announce that Report on Patient Privacy has been acquired by the Health Care Compliance Association. The same strong editorial team, with Theresa Defino at the helm, will be writing the newsletter and ensuring its independence and objectivity. Readers will continue to have access to valuable tools on RPP's subscriber-only web pages, and will benefit from the compliance resources and professional contacts available through HCCA.

Your subscription will be delivered with no interruption in services. Please look for emails from HCCA with information related to your subscription. And be sure to add to your safe sender list. Any questions regarding your subscription can be directed to or 888.580.8373.

Visit HCCA's RPP website at

Mobile Device Use Policy & Procedure

This sample Mobile Device Use Policy and Procedure was provided to RPP subscribers by Chris Apgar, president of Apgar & Associates, LLC, in Portland, Ore. For more information, please contact Apgar at


December 2, 2016
More Info on Phishing Scam; New Audits Announced

OCR issued two important announcements via email on Nov. 30.

First, it added more information regarding the phishing scam that appears to come on official HHS letterhead (see Nov. 28 post below). The phishing email originates from the email address and directs individuals to a URL at Notice the slight difference between the fake email address (italicized above) and OCR’s email. OCR’s email is

Second, OCR said that it had notified select business associates of their inclusion in the Phase 2 HIPAA audits.

November 28, 2016
Phishing Email Disguised as Official OCR Audit Communication

Critical Alert from OCR: On Nov. 28, OCR sent out the following alert on its OCR listserv regarding phishing scams:

"It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at"

Do not open this email or click on the link.

November 3, 2016
FTC Guidance Helps With Compliance

The Federal Trade Commission, in conjunction with OCR, has issued guidance to help businesses comply with both HIPAA and the FTC Act. The guidance cautions businesses that even if they are in compliance with HIPAA, their disclosure statements may be deceptive under the FTC Act. It lists five recommendations to help entities comply with both laws.
