
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I understand that a patient’s insurance identification number (ID) is considered individually identifiable health information. Is disclosure of a patient’s name and his or her ID without any reference to provision of healthcare a breach of PHI, or is it simply an incident that could lead to identity theft?

A: If the patients’ names and IDs were not secure and the information was breached, this constitutes a breach of unsecure PHI. Covered entities are required to assume notification is required and conduct a four-factor risk assessment to determine the risk to the patient. After you conduct the risk assessment, if you determine the risk to the patient is low, you do not need to notify patients. Click here for more information about breach notification requirements.

A breach of patient names and health plan IDs could lead to medical identity theft. Electronic information that is breached may be collected by black market criminals who collect information about individuals over time. This can lead to collecting enough information to commit medical identity theft (e.g., filing false Medicare and Medicaid claims).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Community Health Systems, Inc., based in Franklin, Tennessee, announced that hackers accessed data of approximately 4.5 million individuals who were referred to or received care from physicians affiliated with the health system over the last five years, according to an August 18 filing with the U.S. Securities and Exchange Commission.

Community Health Systems operates 206 hospitals in 29 states. The hackers gained access to patient names, addresses, birthdates, telephone numbers, and Social Security numbers, according to the filing.

Community Health Systems and its forensic expert Mandiant believe that the hack was the work of an advanced persistent threat group in China that accessed the health system’s network in April and June 2014. The hackers used malware to bypass security measures and enter the network. The health system and Mandiant removed the malware from the systems after learning about the attack and later implemented safeguards to protect against future attacks of this nature, according to the filing.



Q: I work at a skilled nursing facility and I want to ensure that the organization is HIPAA compliant. What requirements and safeguards are necessary to ensure HIPAA compliance at our facility? Is there a document we can or should use to help us maintain compliance?

A: The best place to find out more about HIPAA privacy and security requirements is from OCR, which has published a wealth of information about HIPAA requirements, including guidance for small practices and health plans. OCR has also made available a sample business associate agreement and a model Notice of Privacy Practices.

To ensure your security program is up to date, you must conduct a risk analysis. A risk analysis is the foundation of any good security program and is mandated by the HIPAA Security Rule. A risk analysis should be conducted annually and when any major business or IT system change occurs. OCR and the Office of the National Coordinator for Health Information Technology have made available a risk analysis tool. You can conduct the risk analysis yourself or find a reputable vendor to assist you.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Organizations in Florida have one more thing to worry about following a breach of personal information or a security breach. The Florida Information Protection Act of 2014 (FIPA), which went into effect July 1, requires covered entities (CE) or third parties to notify affected individuals and the Florida Department of Legal Affairs (DLA) of a breach of security or PHI within 30 days of discovery unless delayed by law enforcement. Previously, state law required CEs and third parties to notify affected individuals of a breach within 45 days.

FIPA set forth a detailed definition of “personal information,” which includes an individual’s first name or first initial and last name combined with one of the following:

  • Social Security number
  • A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
  • A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • An individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual
  • A user name or email address combined with a password or security question and answer that would permit access to an online account

The law states that the definition of a CE goes beyond healthcare organizations to include “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”

Unlike HIPAA, FIPA places little responsibility for breach notification on third parties. FIPA requires third parties to notify the CE of a breach within 10 days of discovery, at which point the CE becomes responsible for breach notification.

FIPA is enforced by the DLA under the Florida Deceptive and Unfair Trade Practices Act. Violators may face civil prosecution and/or fines not exceeding $500,000 for violating the state breach notification requirements. The DLA will submit a breach report to the Legislature by February 1 each year. CEs and third parties must still comply with HIPAA regulations in addition to FIPA.



Q: My employer is trying to monitor its systems more closely. Which systems in particular are the most important with respect to monitoring? Which activities should the organization monitor?

A: Before setting up a monitoring program, it’s a good idea to conduct a risk analysis to determine where PHI is stored. This will help determine which applications you should monitor. It’s a good idea to monitor applications such as EHRs, claims adjudication systems, practice management systems, and any other application that is used to access or store PHI.

You should monitor when users log into systems such as your network and applications used to store PHI. In addition, it’s sound practice to monitor activity on your network and devices that protect your network, such as firewalls, to ensure no one is hacking into your network.

If you’ve turned audit logs on in your applications, you do need to look at them. If you don’t, that could be considered willful neglect by OCR. You don’t need to look at all of the logs—you can set up a monitoring program that reviews a random sample of your logs.

Also, it’s a good idea to look for clues that your security policies are being violated. For example, if an employee is looking at a patient or health plan member’s record with the same last name as the employee, that’s a red flag. It doesn’t mean access is unauthorized, but it does mean that you should investigate why the employee was looking at information about someone who may be a family member.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
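As an added illustration of the two review practices described in this answer (reviewing a random sample of audit records, and treating a user who views a record with their own last name as a red flag), the following Python script is not part of the original post. The audit-log format, field names and records are constructed for the example and do not come from any real system.

```python
import csv
import io
import random

# Constructed sample of EHR access-audit records (not real data).
# Columns: timestamp, user id, user last name, patient id, patient last name, action
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,user_last_name,patient_id,patient_last_name,action
2014-08-01T08:02:11,u100,Nguyen,p5001,Smith,view
2014-08-01T08:05:42,u100,Nguyen,p5002,Nguyen,view
2014-08-01T09:10:03,u205,Ortiz,p5003,ORTIZ ,view
2014-08-01T09:12:30,u205,Ortiz,p5004,Lee,view
2014-08-01T11:45:09,u310,Lee,p5004,Lee,print
2014-08-01T12:00:00,u310,Lee,p5005,Lee-Park,view
"""


def parse_audit_log(text):
    """Parse CSV audit records (constructed format) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_name(name):
    """Comparison key that ignores case and surrounding whitespace."""
    return name.strip().casefold()


def flag_same_last_name(records):
    """Return records where the user's last name equals the patient's last name
    or any hyphenated component of it. A hit is a red flag for follow-up,
    not proof that the access was unauthorized."""
    flagged = []
    for rec in records:
        user = normalize_name(rec["user_last_name"])
        parts = {normalize_name(p) for p in rec["patient_last_name"].split("-")}
        if user in parts:
            flagged.append(rec)
    return flagged


def sample_for_review(records, fraction, seed=None):
    """Pick a random subset of records for routine manual log review."""
    rng = random.Random(seed)
    k = max(1, round(len(records) * fraction))
    return rng.sample(records, k)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in flag_same_last_name(recs):
        print("RED FLAG", r["timestamp"], r["user_id"], "->", r["patient_id"], r["action"])
    print("review sample:", [r["timestamp"] for r in sample_for_review(recs, 0.5, seed=1)])
```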
