Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: What type of information can we email to patients? For example, is it permissible to email appointment reminders? I’m wondering what sort of PHI the email can include and what we should omit. Also, I am unsure whether to include the information in the body of the email or in an attachment.

A: CEs can send appointment reminders to patients via unencrypted email as long as the CE sending the reminder is not a specialty practice, such as a mental health practitioner, because that will reveal the condition of the patient if someone intercepts the email. Any PHI may be sent to the patient as long as the email is encrypted—in the body of the email and as an attachment.

The Omnibus Rule specifically permitted healthcare providers to communicate with patients using unsecure email as long as the patient is made aware of the risks before an email containing PHI is sent. Meaningful Use Stage 2 takes security a step further and requires hospitals, critical access hospitals, and eligible healthcare professionals to implement secure email so the provider and the patient can communicate securely.

In the end, if PHI is included in an unencrypted email and the email is intercepted, it is a breach of unsecure PHI and may be reportable to the individual and OCR.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

In early 2014, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, 2013 implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.

With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% from 2014 to 2015.

However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase. Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.

The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches. The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.

This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Nearly half of this year’s respondents (49%) serve as the privacy officer for their organization, essentially unchanged from 50% in 2014, while just 33% reported being privacy officers prior to the Omnibus Rule implementation in early 2013. Based on this data, an increasing number of HIM directors and managers appear to be serving as privacy officers at their facilities. More specifically, 65% of the HIM directors and managers responding to the 2015 survey also serve as the privacy officer.

Categories : HIPAA Compliance

A password-protected but unencrypted laptop containing the PHI of approximately 8,000 patients was reported missing from Riverside County Regional Medical Center in Moreno Valley, California, according to The Press Enterprise. A login password alone does not encrypt the data on the drive, so the PHI on such a device is unsecured PHI for breach notification purposes.

A breach notification letter sent to affected patients states that the medical center learned December 1, 2014, about the missing laptop that was used by its ophthalmology and dermatology clinics. This is the second time in less than a year that the medical center reported a missing laptop, according to The Press Enterprise.

The medical center notified law enforcement and began its own internal investigation, but was unable to find the laptop at the time of the January 29, 2015 letter, which states that the laptop may have contained the following patient information:

  • Names
  • Addresses
  • Dates of birth
  • Telephone numbers
  • Social Security numbers
  • Treating physician or department
  • Diagnosis and treatment information
  • Medical record number
  • Medical service code
  • Health insurance information

The medical center does not believe the laptop was taken in an effort to access or misuse patient information. However, it is offering identity protection alerts for affected patients, according to the letter.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: If a patient gives verbal and written permission to have his or her photograph taken for educational reasons, is it a HIPAA violation to use the photograph in a presentation as long as the patient’s name, date of birth, admission date, etc., are not shown? Is using the photo—without PHI—in a group text discussing the patient’s clinical course a HIPAA violation? I have attended presentations that include patient photographs. I think this should be permitted with the patient’s permission. What is your opinion?

A: A patient’s photo may be used in a presentation as long as he or she signed an authorization permitting the use of the photo. Keep in mind that the photograph alone is PHI. This is true even if the name, date of birth, and so forth are not displayed. Don’t rely on verbal authorization.

There is an exception: if the patient’s picture is used internally for training purposes or other activities that fall under the umbrella of healthcare operations, then authorization is not necessary.

It’s not necessarily a violation of HIPAA to text a patient’s picture to a group if it’s for care coordination or treatment and is internal to the hospital, but it’s not a good idea unless that text message is encrypted. If the unencrypted text is intercepted or the mobile device that stores the message is stolen, it’s a breach of unsecure PHI.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

Anthem subscribers are rallying together to file lawsuits in response to the cyberattack on the insurer that exposed the PHI of 80 million current and former Anthem subscribers, according to the Times Union.

Subscribers filed class-action lawsuits against Anthem in Alabama, California, Georgia, and Indiana. Each lawsuit seeks more than $5 million in damages.

Anthem set up a website that includes a letter from President and Chief Executive Officer Joseph R. Swedish and frequently asked questions about the breach.
