
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: Within the pharmacy dispensing system at the facility where I am employed, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. The notes entered in the patient record are customer-service focused and not related to treatment or payment. Would these notes be considered PHI? Would there be a retention requirement concerning these notes?

A: If these notes contain patient-identifiable information, they would be considered PHI and must be protected from unauthorized use or disclosure under the HIPAA Privacy Rule. However, the Privacy Rule does not establish record retention requirements. Instead, state law/regulation establishes retention requirements for medical records and some other records.

Check your state law to see if there are any retention requirements for information in pharmacy dispensing systems. Your state board of pharmacy may be a good resource. Search for “(state name) State Board of Pharmacy” in your web browser for more information (e.g., Texas State Board of Pharmacy).

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories: HIPAA privacy, HIPAA Q&A

HHS recently released guidance about HIPAA regulations affected by the Supreme Court’s 2013 United States v. Windsor ruling that found Section 3 of the federal Defense of Marriage Act (DOMA) unconstitutional. Section 3 of DOMA states that federal law would only recognize opposite-sex marriage.

The HIPAA Privacy Rule addresses the role of family members in patient care. Section 45 CFR 160.10 of the rule includes the terms “spouse” and “marriage” in its definition of family member.

To maintain consistency with the United States v. Windsor ruling, the term spouse includes people in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction. However, same-sex marriages performed in a foreign jurisdiction must be recognized in the United States for a patient’s partner to be recognized as a spouse under HIPAA.

Similarly, the HIPAA Privacy Rule recognizes marriage between same-sex and opposite-sex couples and defines a family member as a dependent of a marriage. These definitions apply to people who are legally married whether the jurisdiction where they reside recognizes the marriage or not.

Under §164.510(b), Standard: Uses and disclosures for involvement in the individual’s care and notification purposes, covered entities are permitted under certain circumstances to share PHI with a patient’s family member. Legally married same-sex spouses are family members for the purpose of this provision regardless of where they reside.

The definition of family member also applies to §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes, which prohibits health plans with the exception of issuers of long-term care policies from using or disclosing genetic information for underwriting purposes. Plans are not permitted to make underwriting decisions about a patient based on his or her same-sex spouse’s genetic test results or manifestation of disease.


More than 750 healthcare organizations recently agreed to participate in CyberRX 2.0, a series of simulated cyberattacks conducted with HHS and HITRUST, according to a Business Wire announcement.

The no-cost simulated attacks will begin in October and are intended to prepare organizations for actual electronic infiltrations. The first CyberRX exercise was held in April 2014, after which the program was expanded, according to the announcement.

CyberRX 2.0 is a tiered program with offerings at the local, regional, and national levels. The local tier, scheduled for October through December 2014, involves simulations that an organization can administer itself to gauge its cyber-threat readiness. The regional tier, scheduled for January through April 2015, offers more advanced exercises as well as the opportunity for organizations to collaborate. The national tier, scheduled for June through July 2015, offers advanced simulations as well as the opportunity to assess internal and external readiness, response, and management, according to the HITRUST website.

Categories: HHS

Q: I am employed by an independent and assisted living retirement facility. The facility does not transmit electronic records (i.e., PHI) of our residents or staff for any kind of reimbursement. We offer health insurance to our employees and have been asked by our health insurance broker to sign a business associate agreement (BAA) because our broker says our organization is considered a covered entity (CE) under HIPAA. Upon requesting that the facility enter into a BAA, the broker sent the following message:

“As an employer, you are a ‘covered entity’ under HIPAA because you sponsor a Group Health Plan. That means you are responsible for making sure that your business associates who receive PHI about you or your employees handle this information properly—we are one of these business associates.”

The retirement facility does not consider itself a CE. Is the organization considered a CE because it offers health insurance to its employees?

A: CEs under HIPAA are healthcare clearinghouses, certain healthcare providers (those that use covered transactions like electronic billing), and health plans.

A group health plan is a CE (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as CEs under HIPAA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

A former employee of Tri-City Medical Center in Oceanside, California, removed emergency department (ED) logs containing the PHI of approximately 6,500 patients from the facility without authorization on August 8, according to a press release.

The former employee placed the records at the bottom of a cart he used when transporting his personal belongings from the hospital to his vehicle. The hospital used the logs in an onsite regulatory review the day prior to the theft, according to the medical center website. The former employee took the records to the San Diego Office of the California Department of Public Health, which oversees California hospital regulations. Tri-City Medical Center was in contact with the California Department of Public Health following the unauthorized removal of the logs from its premises, according to a breach notification letter sent to affected patients.

The paper logs contained the full names, dates of service, dates of birth, admitting physicians, medical record numbers, diagnoses, and admit dates and times for patients admitted to the hospital or transferred to another facility from December 1, 2013, through May 13, 2014. The hospital alerted law enforcement officials to the incident, according to the press release.
