"HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information (PHI) is only entitled to those data points necessary to perform their function, e.g. names and addresses.... HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure.... [I]ncorporating compliance into the succession plan at the earliest possible stage is the prudent approach."  MORE >>