HHS recently released guidance on how HIPAA regulations are affected by the Supreme Court’s 2013 United States v. Windsor ruling, which found Section 3 of the federal Defense of Marriage Act (DOMA) unconstitutional. Section 3 of DOMA had defined marriage, for purposes of federal law, as a union between one man and one woman, so that federal law recognized only opposite-sex marriages.

The HIPAA Privacy Rule addresses the role of family members in patient care. The definition of family member at 45 CFR 160.103 uses the terms “spouse” and “marriage.”

To maintain consistency with the Windsor ruling, the term spouse includes people in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction. For a same-sex marriage performed in a foreign jurisdiction, the marriage must also be one that a U.S. jurisdiction would recognize in order for the patient’s partner to be treated as a spouse under HIPAA.

Similarly, under the HIPAA Privacy Rule the term marriage includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. These definitions apply to people who are legally married regardless of whether the jurisdiction where they live recognizes the marriage.

Under §164.510(b), Standard: Uses and disclosures for involvement in the individual’s care and notification purposes, covered entities are permitted, under certain circumstances, to share PHI with a patient’s family member. Legally married same-sex spouses are family members for the purpose of this provision regardless of where they reside.

The definition of family member also applies to §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes, which prohibits health plans with the exception of issuers of long-term care policies from using or disclosing genetic information for underwriting purposes. Plans are not permitted to make underwriting decisions about a patient based on his or her same-sex spouse’s genetic test results or manifestation of disease.


More than 750 healthcare organizations recently agreed to participate in CyberRX 2.0, simulated cyber-attacks with HHS and HITRUST, according to a Business Wire announcement.

The no-cost simulated attacks will begin in October and are intended to prepare organizations for real cyber-attacks. The first CyberRX exercise was held in April 2014, after which the program was expanded, according to the announcement.

CyberRX 2.0 is a tiered program with offerings at the local, regional, and national levels. The local tier, scheduled for October through December 2014, involves simulations that an organization can administer itself to gauge its cyber-threat readiness. The regional tier is scheduled for January through April 2015 and offers more advanced exercises, as well as the opportunity for organizations to collaborate. The national tier is scheduled for June through July 2015 and offers advanced simulations, as well as the opportunity to assess internal and external readiness, response, and management, according to the HITRUST website.

Categories : HHS

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: I am employed by an independent and assisted living retirement facility. The facility does not transmit electronic records (i.e., PHI) of our residents or staff for any kind of reimbursement. We offer health insurance to our employees and have been asked by our health insurance broker to sign a business associate agreement (BAA) because our broker says our organization is considered a covered entity (CE) under HIPAA. Upon requesting that the facility enter into a BAA, the broker sent the following message:

“As an employer, you are a ‘covered entity’ under HIPAA because you sponsor a Group Health Plan. That means you are responsible for making sure that your business associates who receive PHI about you or your employees handle this information properly—we are one of these business associates.”

The retirement facility does not consider itself a CE. Is the organization considered a CE because it offers health insurance to its employees?

A: CEs under HIPAA are healthcare clearinghouses, certain healthcare providers (those that use covered transactions like electronic billing), and health plans.

A group health plan is a CE (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as CEs under HIPAA.

 Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

A former employee of Tri-City Medical Center in Oceanside, California, removed emergency department (ED) logs containing the PHI of approximately 6,500 patients from the hospital without authorization on August 8, according to a press release.

The former employee placed the records at the bottom of a cart he used when transporting his personal belongings from the hospital to his vehicle. The hospital used the logs in an onsite regulatory review the day prior to the theft, according to the medical center website. The former employee took the records to the San Diego Office of the California Department of Public Health, which oversees California hospital regulations. Tri-City Medical Center was in contact with the California Department of Public Health following the unauthorized removal of the logs from its premises, according to a breach notification letter sent to affected patients.

The paper logs contained the full names, dates of service, dates of birth, admitting physicians, medical record numbers, diagnoses and admit dates and times for patients admitted to the hospital or transferred to another facility from December 1, 2013 through May 13, 2014. The hospital alerted law enforcement officials of the incident, according to the press release.


Q: I am employed by an acute care psychiatric hospital. The hospital’s police department will sometimes take photographs of injuries patients have at the time of admission. The photos are not kept with the medical record; they are kept separately with our police department. If a patient asks for a copy of his or her medical record—including the photos—may we release copies of the photos along with the copy of the record? There is some debate about whether a court order is needed for the photos because a standard release signed by the patient is insufficient. Are there any HIPAA rules pertaining to this issue?

A: Under the HIPAA Privacy Rule, individuals have the right to access PHI in a designated record set. Generally, the designated record set includes medical and billing records. If you define your legal medical record to exclude these photographs, you are under no obligation to release them as part of your designated record set. You may release them if you choose, but you have the right to deny the patient access to the photographs if they are not part of your designated record set.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A