HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases

More»

E-learning

  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation

More»

Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


More»

Submit your HIPAA questions to Editoquestionr John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: A patient recently informed me that she was surprised to learn from a physician at our facility that her adult child had been prescribed blood pressure medication. Is it a HIPAA violation for providers to discuss the care of adult children with parents? Would it be considered a violation if the child was a minor?

A: Yes, it is a violation for a practitioner to share information about one patient with another without permission, even if the patients are related. The only exception would be if the mother is providing care to the adult child. In that case, it would be acceptable for the provider to share only the information necessary for the mother to provide care.

In most cases, it is acceptable and even required that practitioners share information with the parent(s) of minors. Exceptions to this might be information on mental health information, substance abuse treatment, sexually transmitted disease treatment, etc. Check your state statutes for specifics.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A
Comments (0)

The 21st Century Cures Act, a new healthcare bill that would relax portions of HIPAA privacy laws to further medical research and penalize health IT vendors that fail to comply with interoperability standards, has passed through the full House Committee on Energy & Commerce.

The bill would inject billions of dollars into medical drug research and innovative treatments, accelerate the entire process and clear away regulatory hurdles on various levels. One provision of the bill, however, requires HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.

The Privacy Rule currently allows healthcare providers to use PHI without authorization for treatment, billing and internal healthcare operations. Under the proposed law, however, those covered entities and their business associates would have the same unfettered access to those records to use in researching new drugs and treatments.

The bill would also impose penalties for vendors who engage in information blocking. The Wall Street Journal reports there is criticism about relaxing regulations on drug and device safety as well.

Proponents of the bill argue all these changes will remove barriers for patients to life-saving medical advancements and say PHI used in research would still be fully protected under HIPAA Privacy, Security and Breach Notification Rules. There’s also consideration of seeking one-time authorization from patients.

The bill passed through the health subcommittee on May 14 and was unanimously approved by the full committee May 21. None of the amendments to the bill, however, address concerns about changes in privacy law. The full House is expected to take up the bill later this year.

Categories : HHS, HIPAA privacy
Comments (0)

Submit your HIPAA questions to Editoquestionr John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: Are HIPAA requirements different for college campus health centers than for larger facilities or private practices? For instance, would a college campus health center be permitted to disclose information about students who are patients to faculty members if the health center believed a student’s condition may affect his or her ability to come to class or complete assignments? What if the health center believed the student may be a danger to himself or herself, or to others?

A: Campus health centers are covered entities and must follow HIPAA. Information should not be shared with faculty without the patient’s written permission (this would not be a release for treatment, payment, or operations), although a note excusing a student from class or supporting an extension to a deadline (similar to a work note) would be appropriate (without details).

If there is an immediate concern that the patient is a danger to himself or herself, or to others, then there is a “duty to warn” exception that allows you to share information (again, minimum necessary). However, this would not include notifying the faculty unless the threat was against a faculty member. Even then, if your providers believe the threat is significant enough that faculty need to be notified, it would be appropriate to involve the police and to take whatever steps are indicated in your state to initiate a psychiatric hospitalization, either voluntary or involuntary.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A
Comments (0)

CareFirst BlueCross BlueShield, a nonprofit health insurer that serves Maryland, Washington D.C. and northern Virginia, announced Wednesday it was targeted by a “sophisticated” cyber-attack, affecting 1.1 million people who are current or past members of CareFirst or who have done business with the company.

The May 20 statement on the CareFirst website explained the hackers “gained limited, unauthorized access to a single…database.” The intrusion was actually discovered in the midst of an exhaustive review the company was performing on its own IT security measures in the wake of recent cyber-attacks on other health insurers.

CareFirst said the review found cyber-attackers gained access to a database on June 20, 2014 that stores data members and other users enter to access CareFirst websites and online services. Only people who registered to use the online services before June 20 were affected.

The compromised database didn’t contain Social Security numbers, medical claims or other sensitive employment or financial information, according to the company, but the hackers may have acquired individual’s user names as well as members’ names, birthdates, email addresses, and subscriber identification numbers.

The corresponding passwords to those user names, however, are stored in a separate, fully encrypted system as a safeguard against such attacks, the company said. But “out of an abundance of caution,” member access to the affected accounts was blocked and those individuals will be asked to create new user names and passwords.

CareFirst is also offering two years’ worth of free credit monitoring and identity theft protection to anyone affected in the breach.

“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell in the statement. “We are making sure those affected understand the extent of the attack – and what information was and was not affected.”

“Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information,” Burrell said.

Video courtesy of CareFirst BlueCross BlueShield.

Categories : Data Breach
Comments (0)

Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.

securitycomputerThe Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.

Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.

On March 13, 2013, Seugasala and his associates kidnapped, tortured, and sexually assaulted two men with a hot curling iron because one of the men owed them a large, past due debt on heroin, according to prosecutors. They said Seugasala ordered the rape to be videotaped so he could use the footage to intimidate other debtors.

One of the victims was so badly injured after three hours of torture that he was admitted to Providence Hospital in Anchorage. Two days later, Seugasala shot and wounded another man in an unrelated incident. That man also checked himself in to the hospital.

At that point, Seugasala contacted a friend who worked at the hospital–Stacy Laulu–and asked her via a text message to find out the extent of the men’s injuries and whether they were cooperating with police, prosecutors said.

They said Laulu, who was then employed as a financial counselor, accessed both men’s medical files and reported back to Seugasala, violating the men’s privacy rights.

According to prosecutors, Laulu’s husband, who was in jail on unrelated murder charges, was a close associate of Seugasala and the couple was receiving drug money from Seugasala.

Laulu was also convicted in January on the HIPAA felony violations and is scheduled for sentencing May 29. The maximum sentence is 10 years for each of those convictions. Three other members of the drug ring have also been sentenced or are due for sentencing in June.

Comments (0)