Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility’s CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients’ names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?

A: Healthcare organizations are permitted to use PHI without patient authorization or consent for their own healthcare operations. This use could be considered part of healthcare operations, so it would not be a violation of HIPAA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for the Central Texas Division of Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

The PHI of 5,117 patients treated at a physician group affiliated with St. Peter’s Health Partners in Albany, New York, was exposed when a manager’s cellphone was stolen, according to www.bizjournals.com.

The stolen cellphone had access to corporate email systems and PHI for patients of St. Peter’s Medical Associates, P.C., including:

  • Patient names
  • Dates of birth
  • Days, times, and locations of medical appointments
  • General descriptions of reasons for appointments

The PHI was primarily limited to that of patients treated from August to November 2014. Health system officials learned of the cellphone theft November 24, 2014. Home addresses and phone numbers of two patients were listed in an email that could be accessed from the phone. The health system notified all affected patients, according to www.bizjournals.com.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?

A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:

  • Demographic information about the individual
  • Date(s) healthcare services were provided
  • The department where service was provided
  • The name of the treating physician
  • Outcomes
  • Health insurance status

Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.

There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resource materials available to residents’ families or distributed to the community.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A

Indiana Attorney General Greg Zoeller recently reached a $12,000 settlement for HIPAA violations with a former dentist accused of improperly disposing of medical records, according to Legal Newsline.

The Indiana Board of Dentistry revoked Joseph Beck’s license to practice in Indiana over allegations of negligence and fraudulent billing practices. More than 60 boxes of medical records of patients treated by Beck from 2002 to 2007 were found in an Indianapolis dumpster in 2013, not long after his license was revoked. The boxes contained the PHI of more than 5,600 patients including full names, phone numbers, addresses, and Social Security numbers, according to Legal Newsline.

Beck allegedly hired the third-party vendor Just the Connection, Inc., in Carmel, Indiana, to dispose of the records, according to Legal Newsline.

Categories : HIPAA Violations

The St. Louis County Health Department recently discovered that a document containing PHI was emailed to the personal account of a former employee, according to the St. Louis Post-Dispatch.

The document listed names and Social Security numbers of inmates treated at Buzz Westfall Justice Center in Clayton, Missouri, from 2008 through 2014. The St. Louis County Health Department instructed the former employee to delete the document. The department did not identify the former employee by name, but said she resigned in November 2014 after being employed by the department for 25 years. The former employee held a clerical position and her duties involved verifying medical claims information for inmates, the St. Louis Post-Dispatch reported.

The health department notified authorities and affected patients of the breach, although there is no indication that the PHI in the document was misused. The department is taking precautions to ensure an incident like this does not occur again, and it will continue conducting annual HIPAA training, according to the St. Louis Post-Dispatch.
