Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: After I scheduled a colonoscopy with my physician, I received information about a colonoscopy prep company with which the practice has a business associate (BA) relationship.

The prep company’s website features a photograph of my physician and an appointment reminder about my screening. My physician’s practice shared my information with a company that can provide the prep kit I need for my screening. Does this constitute marketing? Can a BA act as a cover for what is essentially forced marketing to a target group without consent? May I as a patient ask to see the BA contract to try to understand who benefits from the relationship and how?

A: If the prep company has publicly posted your appointment data along with your name or your picture, it is a breach of your health information. I recommend you discuss this with the practice if this is the case. Sharing your health information with a BA for the purpose of treatment is not considered marketing. The practice does not sell the prep kit you need for the screening. In this situation, similar to referral to another supplier to purchase other healthcare supplies, the practice is working with an outside vendor to provide these supplies.

If the prep company uses your information to market other healthcare supplies or services without your authorization, this would be considered marketing and a violation of the HIPAA Privacy Rule. In this case, you have the right to register a complaint with the practice and your regional OCR office. The practice may or may not share its BA agreement with you because that is not an individual right granted by the HIPAA Privacy Rule.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

The Community Health Systems, Inc. (CHS) breach affecting 4.5 million patients is one of the largest breaches of health data, but what we don’t know yet is the total monetary impact on the Tennessee-based organization. Forbes attempted to take some of the guesswork out of this equation by using information from similar breaches reported to OCR to calculate the total cost of a breach of this magnitude, which it estimates at $75–150 million.

Forbes considered the following when calculating the potential cost to CHS:

  • Technical, legal, and administrative remediation.
  • Recent OCR monetary penalties for large breaches, including the $4.8 million penalty OCR imposed on Columbia University and New York Presbyterian Hospital in May 2014. The CHS breach is the second-largest of its kind, falling just behind the Tricare Management Activity breach that affected 4.9 million military patients in 2011.
  • Average identity theft protection or credit monitoring costs for affected patients who opt in.
  • Lawsuits and settlement costs associated with recent breaches. This is already a real threat for CHS after a group of patients in Alabama filed a class action lawsuit in the wake of the breach.
  • Insurance fraud costs that Medicare, Medicaid, and private insurance companies can impose on healthcare organizations following a breach involving patients’ Social Security numbers.

The costs outlined by Forbes should serve as a teachable moment for healthcare organizations. Although the most public cost is usually the one imposed by OCR, organizations must invest additional dollars and resources in resolving a breach. Don’t forget to consider the effect that a breach of any size may have on patient perception and an organization’s reputation.

CHS released information about the breach to the U.S. Securities and Exchange Commission August 18 and posted a breach notification letter to its website August 19.


Q: I understand that a patient’s insurance identification number (ID) is considered individually identifiable health information. Is disclosure of a patient’s name and his or her ID without any reference to provision of healthcare a breach of PHI, or is it simply an incident that could lead to identity theft?

A: If the patients’ names and IDs were not secure and the information was breached, this constitutes a breach of unsecured PHI. Covered entities are required to assume notification is required and conduct a four-factor risk assessment to determine the risk to the patient. After you conduct the risk assessment, if you determine the risk to the patient is low, you do not need to notify patients.

A breach of patient names and health plan IDs could lead to medical identity theft. Electronic information that is breached may be collected by black market criminals who collect information about individuals over time. This can lead to collecting enough information to commit medical identity theft (e.g., filing false Medicare and Medicaid claims).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : Data Breach, HIPAA Q&A

Community Health Systems, Inc., based in Franklin, Tennessee, announced that hackers accessed data of approximately 4.5 million individuals who were referred to or received care from physicians affiliated with the health system over the last five years, according to an August 18 filing with the U.S. Securities and Exchange Commission.

Community Health Systems operates 206 hospitals in 29 states. The hackers gained access to patient names, addresses, birthdates, telephone numbers, and Social Security numbers, according to the filing.

Community Health Systems and its forensic expert Mandiant believe that the hack was the work of an advanced persistent threat group in China that accessed the health system’s network in April and June 2014. The hackers used malware to bypass security measures and enter the network. The health system and Mandiant removed the malware from the systems after learning about the attack and later implemented safeguards to protect against future attacks of this nature, according to the filing.

Categories : Data Breach

Q: I work at a skilled nursing facility and I want to ensure that the organization is HIPAA compliant. What requirements and safeguards are necessary to ensure HIPAA compliance at our facility? Is there a document we can or should use to help us maintain compliance?

A: The best place to find out more about HIPAA privacy and security requirements is from OCR, which has published a wealth of information about HIPAA requirements, including guidance for small practices and health plans. OCR has also made available a sample business associate agreement and a model Notice of Privacy Practices.

To ensure your security program is up to date, you must conduct a risk analysis. A risk analysis is the foundation of any good security program and is mandated by the HIPAA Security Rule. A risk analysis should be conducted annually and when any major business or IT system change occurs. OCR and the Office of the National Coordinator for Health Information Technology have made available a risk analysis tool. You can conduct the risk analysis yourself or find a reputable vendor to assist you.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
