What do I do if…

Real situations healthcare teams face — with clear steps. Not legal advice; use this to know what to escalate and when to call your privacy officer.

A patient calls asking for their spouse's test results

You generally cannot release this without written authorization from the patient — even to a spouse.

I accidentally sent a fax to the wrong number

This may be a reportable breach. Take these steps in the next 24 hours.

I saw a coworker looking at patient records they shouldn't be

This is an internal HIPAA violation. You have an obligation to report it.

A patient wants a copy of their medical records

Patients have a legal right to their records. You have 30 days to provide them.

A family member is asking about a patient's condition

This depends on what the patient has authorized. When in doubt, say nothing.

I think a staff member at our practice violated HIPAA

Investigate promptly. Document everything. Determine if it is a reportable breach.

We think we may have had a data breach

Treat it as a breach until proven otherwise. The 60-day clock is running.

A customer is asking us to sign a BAA

If you handle their patient data, you need one. Review it carefully before signing.

A vendor is asking us to send them patient information

Only share what they need, with a BAA in place, and through a secure method.

A patient says they are filing a HIPAA complaint

Stay calm, document everything, and notify your privacy officer immediately.

A colleague from another office asked about a patient we both treat

If it's for coordinated care and you're both involved in treatment, limited sharing is usually OK — stay professional and minimal.

Someone overheard us talking about a patient

Treat it seriously. Report it and work on preventing a repeat — volume and location matter.

We learned an employee accessed a customer's patient data without authorization

Investigate, document, revoke access, and determine if this is a reportable breach.

We had a security incident (malware, intrusion, or lost device)

Activate your incident plan, preserve evidence, and involve legal counsel early.

A customer asked, "Are you HIPAA compliant?"

Be honest: explain your controls and BAAs — never promise a checkbox no one can guarantee.