
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I work in a medical records office and consider myself familiar with HIPAA rules and regulations. I recently tried to schedule an appointment for my fiancé at his dentist’s office, which I have done in the past. However, I was told on this occasion that I am not permitted to schedule the appointment because my fiancé did not authorize me to do so on HIPAA disclosure documents. I thought this was strange, so I requested that the office manager call me and I also requested a copy of the dental office’s notice of privacy practices (NPP). The practice refused to give me its NPP, and I have been waiting for more than a week for a return call. Does HIPAA dictate who can schedule a patient’s appointment? If so, should an NPP include this information? If this is part of a practice’s NPP, I wonder whether a breach occurred when I scheduled an appointment for my fiancé in the past.

A: There are a couple of issues here. First, the office should certainly provide you with a copy of its NPP. In fact, it is required to post it on its website if it has one, and at minimum on the wall at the practice.

HIPAA addresses disclosure of information. You can make an appointment for your fiancé without office staff needing to reveal any information about him to you and, therefore, this is acceptable under HIPAA. You are not bound by HIPAA as an individual and may share whatever information is requested by the practice to make and confirm the appointment.

It may be that staff at the practice refused to make the appointment because they are confused or that they are concerned about no-shows. However, there is no reason to refuse your request to make an appointment for your fiancé, unless, of course, he has requested this restriction.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


In just one week, Rady Children’s Hospital-San Diego uncovered multiple breaches of PHI caused by human error that affected more than 20,000 patients, according to a hospital press release.

The first breach occurred June 6 and affected 14,121 patients admitted to the hospital from July 1, 2012, through June 30, 2013. The breach occurred when a hospital employee accidentally emailed a spreadsheet containing PHI to four job applicants when trying to send a training file to evaluate the applicants. Upon contacting the four applicants, the hospital learned that one forwarded the email and attachment to two additional people. The spreadsheet contained patients’ names, dates of birth, primary diagnoses, admit/discharge dates, and medical record numbers, as well as insurance carrier and claim information, according to the press release.

While performing an internal investigation following the June 6 breach, the hospital learned that a similar breach affecting 6,307 patients occurred in August, November, and December 2012. In this instance, a hospital employee emailed a test file containing PHI to three job applicants. An additional six applicants took the same test at the hospital, but were unable to save, store, or send the data. The test contained patients’ names, discharge dates, the location where they were seen, payer name, and balance, according to the press release.


Q: I work for an ophthalmology practice that sees many patients from skilled nursing facilities (SNF). The SNFs often send my organization information sheets about the patients that include logistical information along with medications and clinical diagnoses. The SNF requests that the ophthalmologist complete and return paperwork that summarizes the patient’s visit. Is copying the patient’s visit summary for that day and returning it to the SNF in a sealed envelope acceptable, or does this violate the minimum necessary requirement?

A: This is acceptable. The information is for continuing care. Thus, it falls under HIPAA permissible disclosures for treatment, payment, and healthcare operations. A copy of the office note should meet the minimum necessary standard for information that should be returned to the nursing home.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


HCPro’s Medical Records Briefing (MRB) newsletter is conducting its benchmarking survey on electronic health record implementation, and we would appreciate your input. Please take a few moments to complete this survey.

To show our thanks, we will select one respondent at random to win a complimentary HCPro webcast of his or her choice. To enter to win, please include your contact information at the end of the survey once you have answered the questions.

Here’s the link to the survey: https://www.surveymonkey.com/s/J6DRJBR.

Thank you for your input!


A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.

Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.
