
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Within our pharmacy dispensing system, we have the ability to enter free-form notes for certain records such as a patient record, prescription records, and physician records. The notes entered in the patient record are customer-service focused and not treatment- or payment-related in nature. Would these notes be considered PHI, and would there be a retention requirement concerning these notes prior to purging the patient notes?

A: Anything documented is potentially discoverable. The information in your system is undoubtedly PHI as it certainly contains patient names, dates of birth, and other demographic information. Remember, for the notes to not be considered PHI, they must be stripped of all 18 elements that constitute PHI.

I recommend consulting your attorney or risk management company for guidance on this question, as retention laws vary by state. You should definitely have a written policy that specifies exactly what constitutes your legal health record (LHR), since presumably there are many pieces of information in your organization (e.g., your pharmacy system) that you do not routinely consider part of your LHR. Also, consider whether this information is maintained elsewhere and, if so, whether it could be destroyed under the theory that it could be reproduced from the alternate location if needed.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The Indiana Court of Appeals recently upheld a $1.4 million verdict against Walgreens following a HIPAA violation, according to www.indystar.com. Walgreens had requested that the appeals court overturn a July 2013 verdict that awarded damages to pharmacy customer Abigail Hinchy after a pharmacist inappropriately accessed her records.

Hinchy filed a lawsuit in Marion Superior Court after learning that pharmacist Audra Withers accessed her prescription information without authorization. Withers shared the confidential information with her husband, who is Hinchy’s ex-boyfriend and the father of her child. Withers’ husband shared Hinchy’s private information with at least three other people and planned to use it in a paternity lawsuit, according to www.indystar.com.

Walgreens argued that it should not be liable for Withers’ actions. However, the court of appeals unanimously decided that Withers violated her duties by viewing and sharing information found in Hinchy’s records and that the trial court ruling allowed jurors to consider Walgreens’ liability, according to www.indystar.com.



Q: While at an appointment, I noticed a staff member place patient folders in a stand on top of the counter at the registration desk, easily accessible to anyone nearby. I noticed a receipt sticking out of one folder, and I could read the patient’s name, last four digits of his or her Social Security number, and diagnosis/billing codes. Is this a HIPAA violation since anyone walking by could read this information, or is it just a bad practice?

A: HIPAA requires that covered entities minimize and mitigate incidental disclosures such as the one you describe. The practice should not leave documents where those who are not authorized to access them could do so and should not speak of details where unauthorized persons may overhear.

The practice would be required, based on a complaint you might voice, to do a risk assessment of the incident to determine if it is an actual breach. The key to that assessment would be determining whether you could have reasonably retained the information you saw. That you could view the patient’s Social Security number is concerning. Depending on where the organization is located, you may also have to comply with state-specific notification requirements.

Bottom line: It is definitely a poor practice and quite possibly a breach that would require notification to HHS and to the patient whose information you saw. I would recommend you report it to the organization so they can rectify this potential problem.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


In light of the recent Ebola outbreak in the U.S., the Office for Civil Rights (OCR) released new guidance November 10 regarding the release of PHI in emergency situations.

According to OCR, covered entities (CEs) and business associates (BAs) should adhere to the HIPAA Privacy Rule standards when releasing PHI for treatment, to protect the nation’s public health, and for other critical purposes. CEs may disclose PHI without the patient’s consent for the following reasons:

  • To treat the patient or another patient, which includes coordination and management of care and services by one or more healthcare providers and others, or for consultation between providers, and referrals
  • To grant public health authorities (e.g., the Centers for Disease Control and Prevention) access to PHI that is critical to carrying out their public health mission
  • To provide information for the patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care
  • As necessary to identify or locate a patient and notify his or her family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death
  • To prevent or lessen a serious and imminent threat to the health and safety of a person or the public

In addition, the HIPAA Privacy Rule permits the release of limited facility directory information if the patient has not objected to or restricted the release of such information. If the patient is incapacitated, CEs may disclose this information if it is believed to be in the best interest of the patient and is consistent with any prior preferences of the patient, according to OCR.

In most instances, CEs must make an effort to adhere to the minimum necessary standard by disclosing only the information necessary to care for the patient, except when providing patient information to healthcare providers. BAs may disclose the minimum necessary information when authorized to do so by a CE or BA to the extent outlined in a BA agreement, according to OCR.

CEs must implement reasonable safeguards to protect PHI against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule for ePHI, according to OCR.



Q: A former employee at the agency where I work disclosed one patient’s information to another patient while still employed by the company. The confidentiality agreement each employee signs states that patient information will remain confidential during and subsequent to employment. Is the agency required to treat this as a breach? Can the agency sanction the former employee?

A: The HIPAA Omnibus Rule requires every potential incident to have a documented risk assessment. In this case, you don’t indicate whether the disclosure was deliberate or accidental, or the nature of the information disclosed. It certainly sounds like notification would be required if PHI was disclosed to another patient, assuming the recipient was able to retain the information.

As to sanctions, the employee left the organization, so you can’t do much apart from not giving him or her a good reference or reporting the former employee to his or her professional board, which could be considered if applicable. (Consult legal counsel before taking that step.)

The employee could be held civilly or criminally liable should the patient whose information was breached choose to file an OCR complaint and OCR were to find that the breach was worthy of pursuing to that level (unlikely but possible). Remember, your records of training and auditing are important to show that you have done your best to protect your patients from inappropriate access to PHI.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
