The PHI of 5,117 patients treated at a physician group affiliated with St. Peter’s Health Partners in Albany, New York, was exposed when a manager’s cellphone was stolen, according to www.bizjournals.com.

The stolen cellphone had access to corporate email systems and PHI for patients of St. Peter’s Medical Associates, P.C., including:

  • Patient names
  • Dates of birth
  • Days, times, and locations of medical appointments
  • General descriptions of reasons for appointments

The PHI was primarily limited to that of patients treated from August to November 2014. Health system officials learned of the cellphone theft November 24, 2014. Home addresses and phone numbers of two patients were listed in an email that could be accessed from the phone. The health system notified all affected patients, according to www.bizjournals.com.

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?

A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:

  • Demographic information about the individual
  • Date(s) healthcare services were provided
  • The department where service was provided
  • The name of the treating physician
  • Outcomes
  • Health insurance status

Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.

There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resource materials available to residents’ families or distributed to the community.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A
Indiana Attorney General Greg Zoeller recently reached a $12,000 settlement for HIPAA violations with a former dentist accused of improperly disposing of medical records, according to Legal Newsline.

The Indiana Board of Dentistry revoked Joseph Beck’s license to practice in Indiana over allegations of negligence and fraudulent billing practices. More than 60 boxes of medical records of patients treated by Beck from 2002 to 2007 were found in an Indianapolis dumpster in 2013, not long after his license was revoked. The boxes contained the PHI of more than 5,600 patients including full names, phone numbers, addresses, and Social Security numbers, according to Legal Newsline.

Beck allegedly hired the third-party vendor Just the Connection, Inc., in Carmel, Indiana, to dispose of the records, according to Legal Newsline.

Categories : HIPAA Violations
The St. Louis County Health Department recently discovered that a document containing PHI was emailed to the personal account of a former employee, according to the St. Louis Post-Dispatch.

The document listed names and Social Security numbers of inmates treated at Buzz Westfall Justice Center in Clayton, Missouri, from 2008 through 2014. The St. Louis County Health Department instructed the former employee to delete the document. The department did not identify the former employee by name, but said she resigned in November 2014 after being employed by the department for 25 years. The former employee held a clerical position and her duties involved verifying medical claims information for inmates, the St. Louis Post-Dispatch reported.

The health department notified authorities and affected patients of the breach, although there is no indication that the PHI in the document was misused. The department is taking precautions to ensure an incident like this will not occur again, and it will continue conducting annual HIPAA training, according to the St. Louis Post-Dispatch.


Q: Is it considered a breach if an employee of an organization views his or her own records or the records of their family members (containing full name, Social Security number, diagnosis, medications, etc.) without a legitimate business need?

A: Accessing the records of family members without a legitimate business need may well be a breach, but a staff member accessing his or her own records may not be. If there is no legitimate reason for accessing family member records, that would be a breach of unsecure PHI.

A number of CEs have implemented policies requiring employees to access their own medical records in the same way as all other patients—by submitting a written request and having the record copied or setting up a time for the employee to view his or her own record. Having an employee view his or her own record is not a breach of unsecure PHI. However, it may be a violation of the CE’s policy and result in sanctions.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : Uncategorized