Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: What must an organization consider in terms of HIPAA if it were to film a commercial on-site? Does the hospital need to sign a confidentiality agreement or business associate agreement (BAA) with the film crew? Should the privacy, security, or compliance officers be notified? Would the crew be permitted to film in the ED without consent from those present if the curtains were drawn and doors were closed?

A: You should have the film crew sign confidentiality agreements since they may see or overhear patient information while they are on-site. If the commercial is being produced for the healthcare organization, the company creating the commercial would be considered a business associate (BA) and should sign a BAA.

Discuss the situation with your HIPAA privacy, security, and compliance officers in advance to ensure the filming complies with your organization’s policies.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Two thieves were recently indicted for using the stolen PHI of approximately 1,400 Detroit hospital patients to receive nearly $500,000 in false tax returns, according to The Detroit News.

Markitta Washington, 29, of Hampton, Georgia, allegedly obtained the PHI without authorization while working for Henry Ford West Bloomfield Hospital in West Bloomfield, Michigan, and DMC Harper Hospital in Detroit. Washington shared a home with Martez Lear, 29, of Farmington Hills, Michigan, who was also indicted for identity theft crimes. A search of the home uncovered the names, dates of birth, and Social Security numbers of 1,400 patients, according to The Detroit News.

Washington and Lear allegedly filed false returns for tax years 2011 and 2012 using the stolen information of at least 305 people, which resulted in them receiving approximately $489,000. Authorities also discovered re-encoded credit cards and gift cards during their search. The theft affected 141 patients who received inpatient neurology or outpatient radiology services at Henry Ford West Bloomfield Hospital from January 1, 2012, through December 31, 2013. Both Henry Ford West Bloomfield Hospital and DMC Harper Hospital are offering credit protection and monitoring for affected patients, according to The Detroit News.



Q: Within our pharmacy dispensing system, we have the ability to enter free-form notes for certain records such as a patient record, prescription records, and physician records. The notes entered in the patient record are customer-service focused and not treatment- or payment-related in nature. Would these notes be considered PHI, and would there be a retention requirement concerning these notes prior to purging the patient notes?

A: Anything documented is potentially discoverable. The information in your system is undoubtedly PHI as it certainly contains patient names, dates of birth, and other demographic information. Remember, for the notes to not be considered PHI, they must be stripped of all 18 elements that constitute PHI. Click here for additional guidance.

I recommend consulting your attorney or risk management company for guidance on this question, as retention laws vary by state. You should definitely have a written policy that specifies exactly what constitutes your legal health record (LHR), since presumably there are many pieces of information in your organization (e.g., your pharmacy system) that you do not routinely consider part of your LHR. Also, consider whether this information is maintained elsewhere and, if so, whether it could be destroyed under the theory that it could be reproduced from the alternate location if needed.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The Indiana Court of Appeals recently upheld a $1.4 million verdict against Walgreens following a HIPAA violation, according to www.indystar.com. Walgreens had requested that the appeals court overturn a July 2013 verdict that awarded damages to pharmacy customer Abigail Hinchy after a pharmacist inappropriately accessed her records.

Hinchy filed a lawsuit in Marion Superior Court after learning that pharmacist Audra Withers accessed her prescription information without authorization. Withers shared the confidential information with her husband, who is Hinchy’s ex-boyfriend and the father of her child. Withers’ husband shared Hinchy’s private information with at least three other people and planned to use it in a paternity lawsuit, according to www.indystar.com.

Walgreens argued that it should not be liable for Withers’ actions. However, the court of appeals unanimously decided that Withers violated her duties by viewing and sharing information found in Hinchy’s records and that the trial court ruling allowed jurors to consider Walgreens’ liability, according to www.indystar.com.



Q: While at an appointment, I noticed a staff member place patient folders in a stand on top of the counter at the registration desk, easily accessible to anyone nearby. I noticed a receipt sticking out of one folder, and I could read the patient’s name, last four digits of his or her Social Security number, and diagnosis/billing codes. Is this a HIPAA violation since anyone walking by could read this information, or is it just a bad practice?

A: HIPAA requires that covered entities minimize and mitigate incidental disclosures such as the one you describe. The practice should not leave documents where those who are not authorized to access them could do so and should not speak of details where unauthorized persons may overhear.

The practice would be required, based on a complaint you might voice, to do a risk assessment of the incident to determine if it is an actual breach. The key to that assessment would be determining whether you could have reasonably retained the information you saw. That you could view the patient’s Social Security number is concerning. Depending on where the organization is located, you may also have to comply with state-specific notification requirements.

Bottom line: It is definitely a poor practice and quite possibly a breach that would require notification to HHS and to the patient whose information you saw. I would recommend you report it to the organization so they can rectify this potential problem.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
