
Experian recently released its 2015 Second Annual Data Breach Industry Forecast, which highlights anticipated data breach trends for 2015.

Experian identified six data breach trends that are expected to be a threat in 2015, one of which specifically addresses threats to healthcare organizations. The report states that healthcare breaches are expected to increase in 2015 due to the shift to electronic medical records and the potential for economic gain by hackers. Experian recommends that healthcare organizations enhance their security programs and data breach response plans.

Other data breach trends identified by Experian include:

  • Payment breaches. Card companies will be required to implement EMV “Chip and PIN” technology by October 2015, which is expected to decrease the likelihood of a point-of-sale attack by a hacker. Experian predicts that because the chip and PIN technology has been made public, hackers may have time to identify chip and PIN vulnerabilities before the technology is implemented. This may lead to a sense of false security among consumers.
  • Cloud breaches. Experian predicts an increase in cloud breaches in 2015, resulting in the loss of usernames, passwords, and other data stored on the cloud. To combat this, Experian recommends that organizations develop an incident response plan that provides for a means of resetting passwords on a large scale.
  • Shifting accountability. Cyberattacks are no longer treated as solely an IT issue but as an enterprise-wide issue, and business leaders are now held responsible for breaches. As a result, Experian recommends that leaders in the C-suite get involved in data breach preparedness and response.
  • Employee errors. The report states that the majority of breaches are caused by a company’s employees, whether it be a malicious attack or human error. Experian urges organizations not to overlook the potential for breaches caused by employees and recommends implementing regular security training.
  • Third-party breaches via the Internet of Things (IoT). Vulnerabilities will increase as companies look to leverage the IoT to gather, store, and process data. Experian recommends that organizations using the IoT have sound risk management processes and assess the security of third-party vendors.

The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release.

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: The hospital where I am employed conducts research. The research coordinators are hospital employees, and the screening is to find candidates who meet the study criteria, so no information is shared with the research sponsors unless the patient is enrolled and signs an informed consent form for the study. The consent explains in detail what information will be collected and with whom it is shared. We always include an institutional review board (IRB) waiver of authorization for our studies. Is the work done by research coordinators to find suitable candidates for a research study reasonably considered part of operations under HIPAA?

A: Research is not part of healthcare operations, but it is permitted. The preparatory research provision [45 CFR 164.512(i)(1)(ii)] permits covered entities (CE) to use or disclose PHI for purposes preparatory to research, such as to aid study recruitment. However, the researcher is not permitted to remove PHI from the CE’s site.

A researcher who is an employee or a member of the CE’s workforce may use PHI to contact prospective research subjects. In that instance, an IRB waiver of authorization is not required.

Researchers who are not part of the CE need a partial waiver of individual authorization by an IRB or privacy board to obtain contact information.

The OCR website provides answers to many practice questions, including those involving research. Visit the OCR website and type a keyword into the search bar or select a category (e.g., research) from the dropdown menu.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Authorities recently arrested a New York radiologist for allegedly stealing the PHI of 96,998 patients, according to a press release from the Nassau County District Attorney’s office.

James Kessler, 38, is charged with improperly accessing the patients’ records from January 17, 2014, through April 27, 2014, while working as a radiologist at NRAD Medical Associates, with locations in Nassau and Queens, New York. Authorities found a hard drive that contained patient records, patient billing system dates, NRAD corporate credit card information, corporate marketing materials, and IT information during a search of Kessler’s home, according to the press release.

The Nassau County District Attorney charged Kessler with unauthorized use of a computer, unlawful duplication of computer-related material in the second degree, and petit larceny, according to the press release. NRAD discovered the breach in April and notified HHS in June prior to sending a notification letter to affected patients, according to the press release.

Kessler is due to be arraigned January 6, 2015, and faces up to one year in prison if convicted.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I work for a small hospital that recently received requests to sign business associate agreements (BAA) with physician practices in the area whose patients we treat. I have heard that BAAs are required for business associates (BA) who are dealing with PHI but are not required when the relationship is based on providing direct patient care. I do not think we need to sign these BAAs. What is correct under HIPAA?

A: You are correct. Since your hospital is not providing services on behalf of these physician practices, they are not BAs. However, you may share PHI with them as part of the treatment process. Your hospital would be a BA of the practices if it performed specific services, such as billing, for them.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
