The Community Health Systems, Inc., (CHS) breach affecting 4.5 million patients is one of the largest breaches of health data, but what we don’t know yet is the total monetary impact on the Tennessee-based organization. Forbes attempted to take some of the guesswork out of this equation by using information from similar breaches reported to OCR to calculate the total cost of a breach of this magnitude, which it estimates at $75–150 million.

Forbes considered the following when calculating the potential cost to CHS:

  • Technical, legal, and administrative remediation.
  • Recent OCR monetary penalties for large breaches, including the $4.8 million penalty OCR imposed on Columbia University and New York Presbyterian Hospital in May 2014. The CHS breach is the second-largest of its kind, falling just behind the Tricare Management Activity breach that affected 4.9 million military patients in 2011.
  • Average identity theft protection or credit monitoring costs for affected patients who opt in.
  • Lawsuits and settlement costs associated with recent breaches. This is already a real threat for CHS after a group of patients in Alabama filed a class action lawsuit in the wake of the breach.
  • Insurance fraud costs that Medicare, Medicaid, and private insurance companies can impose on healthcare organizations following a breach involving patients’ Social Security numbers.


The costs outlined by Forbes should serve as a teachable moment for healthcare organizations. Although the most public cost is usually the one imposed by OCR, organizations must invest additional dollars and resources in resolving a breach. Don’t forget to consider the effect that a breach of any size may have on patient perception and an organization’s reputation.
CHS released information about the breach to the U.S. Securities and Exchange Commission August 18 and posted a breach notification letter to its website August 19.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I understand that a patient’s insurance identification number (ID) is considered individually identifiable health information. Is disclosure of a patient’s name and his or her ID without any reference to provision of healthcare a breach of PHI, or is it simply an incident that could lead to identity theft?

A: If the patients’ names and IDs were not secured and the information was breached, this constitutes a breach of unsecured PHI. Covered entities are required to assume notification is required and conduct a four-factor risk assessment to determine the risk to the patient. After you conduct the risk assessment, if you determine the risk to the patient is low, you do not need to notify patients.

A breach of patient names and health plan IDs could lead to medical identity theft. Electronic information that is breached may be collected by black market criminals who collect information about individuals over time. This can lead to collecting enough information to commit medical identity theft (e.g., filing false Medicare and Medicaid claims).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : Data Breach, HIPAA Q&A

Community Health Systems, Inc., based in Franklin, Tennessee, announced that hackers accessed data of approximately 4.5 million individuals who were referred to or received care from physicians affiliated with the health system over the last five years, according to an August 18 filing with the U.S. Securities and Exchange Commission.

Community Health Systems operates 206 hospitals in 29 states. The hackers gained access to patient names, addresses, birthdates, telephone numbers, and Social Security numbers, according to the filing.

Community Health Systems and its forensic expert Mandiant believe that the hack was the work of an advanced persistent threat group in China that accessed the health system’s network in April and June 2014. The hackers used malware to bypass security measures and enter the network. The health system and Mandiant removed the malware from the systems after learning about the attack and later implemented safeguards to protect against future attacks of this nature, according to the filing.

Categories : Data Breach


Q: I work at a skilled nursing facility and I want to ensure that the organization is HIPAA compliant. What requirements and safeguards are necessary to ensure HIPAA compliance at our facility? Is there a document we can or should use to help us maintain compliance?

A: The best place to find out more about HIPAA privacy and security requirements is from OCR, which has published a wealth of information about HIPAA requirements, including guidance for small practices and health plans. OCR has also made available a sample business associate agreement and a model Notice of Privacy Practices.

To ensure your security program is up to date, you must conduct a risk analysis. A risk analysis is the foundation of any good security program and is mandated by the HIPAA Security Rule. A risk analysis should be conducted annually and when any major business or IT system change occurs. OCR and the Office of the National Coordinator for Health Information Technology have made available a risk analysis tool. You can conduct the risk analysis yourself or find a reputable vendor to assist you.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Organizations in Florida have one more thing to worry about following a breach of personal information or a security breach. The Florida Information Protection Act of 2014 (FIPA), which went into effect July 1, requires covered entities (CE) or third parties to notify affected individuals and the Florida Department of Legal Affairs (DLA) of a breach of security or PHI within 30 days of discovery unless delayed by law enforcement. Previously, state law required CEs and third parties to notify affected individuals of a breach within 45 days.

FIPA sets forth a detailed definition of “personal information,” which includes an individual’s first name or first initial and last name combined with one of the following:

  • Social Security number
  • A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
  • A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • An individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual
  • A user name or email address combined with a password or security question and answer that would permit access to an online account

The law states that the definition of a CE goes beyond healthcare organizations to include “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”

Unlike HIPAA, FIPA places little responsibility for breach notification upon third parties. FIPA requires third parties to notify the CE of a breach within 10 days of discovery, at which time the CE becomes responsible for breach notification.

FIPA is enforced by the DLA under the Florida Deceptive and Unfair Trade Practices Act. Violators may face civil prosecution and/or fines not exceeding $500,000 for violating the state breach notification requirements. The DLA will submit a breach report to the Legislature by February 1 each year. CEs and third parties must still comply with HIPAA regulations in addition to FIPA.
