
The PHI of 9,700 patients at Service Coordination, Inc., in Frederick, Md., was compromised when the nonprofit organization’s computers were hacked, CBS Baltimore reported.

A hacker gained access to approximately 70% of the organization’s medical records, including Social Security numbers. However, there was no evidence that the PHI was misused. Investigators identified the alleged hacker and seized his or her equipment, CBS Baltimore reported.

Service Coordination is a state-licensed provider of services for developmentally disabled individuals. The breach first came to light in October 2013, but the U.S. Department of Justice requested that Service Coordination keep the incident under wraps during the federal investigation. Affected individuals were notified of the breach in March, CBS Baltimore reported.


Q. Our organization does not support the use of USB drives. Is that typical?

A. Not allowing the use of USB drives in company workstations is becoming more and more common. What is also increasingly common is limiting the use of USB drives and requiring encryption for all USB drives. There is significant risk associated with USB drives, as with all other portable media, if they are not properly managed. The loss of an unencrypted USB drive storing PHI can get very expensive, very quickly.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.

Categories : HIPAA Q&A

HHS has teamed up with the Health Information Trust Alliance (HITRUST) in Frisco, Texas, to offer monthly security threat briefings for the healthcare industry. The free, online briefings provide information about “recent, ongoing and prospective cyber threats and events, as well as any lessons learned,” according to the HITRUST website.

The information provided in the briefings is intended to be appropriate for organizations of all sizes. The first 60–75 minute briefing should be available this month.

Visit the HITRUST website to register.

Categories : HIPAA security

In a recent HIPAA Q&A, our HIPAA expert mentioned that it was appropriate to send emails containing PHI as long as your organization’s server is secured. In instances where a server is not secured, patients should be de-identified. For example, you could refer to someone as “the patient in room 301-A” because a room number is not considered an identifier under HIPAA. In response, one of our readers submitted a follow-up question about identifiers.

Q: My organization views a patient’s room number as an identifier because we think this is information that someone could use to identify the patient. Please explain why this is not considered an identifier.

A: A patient’s room number is not considered “identifiable” under the HIPAA Privacy Rule. PHI is considered identifiable if it contains any one of 18 identifiers of individuals and their family members, employers, or household members, including:

  1. Names
  2. Geographic subdivisions smaller than a state
  3. All elements of dates (except for year) for birth, admission, discharge, and death
  4. All ages over 89, including year
  5. Telephone numbers
  6. Fax numbers
  7. Email addresses
  8. Social Security numbers
  9. Medical record numbers
  10. Health plan beneficiary numbers
  11. Account numbers
  12. Certificate/license numbers
  13. Vehicle identifiers
  14. Device identifiers
  15. URLs
  16. IP addresses
  17. Biometric identifiers, including fingerprints and voiceprints
  18. Full-face photographs


While a room number may help a facility’s staff to identify a particular patient, it’s not likely that anyone outside the organization could identify a specific patient based on the room number. Most healthcare organizations regularly move patients from room to room, so I don’t have any concerns about room numbers being patient-identifiable information. The organization may choose to treat the room number as an identifier, but it is not required by HIPAA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA newsletter. Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.

Categories : HIPAA Q&A

The number of patients affected by a February break-in at Sutherland Healthcare Solutions in Torrance, Calif., has nearly doubled as the investigation progresses, the Los Angeles Times reported. Sutherland handles billing and collections for the county’s Department of Health Services and Department of Public Health.

On March 19, HIPAA Update reported that the PHI of 168,500 Los Angeles County medical facility patients was compromised when a thief stole eight computers from Sutherland. The total number of affected patients has since been revised upward to 338,700.

Three class action lawsuits have been filed against Los Angeles County as a result of the breach. The county is reviewing Sutherland’s security practices, the Los Angeles Times reported.
