
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse. We received a call from a patient’s estranged spouse who asked to schedule an appointment for the patient when, in reality, he was trying to determine the whereabouts of his spouse so he could harm her. I realize this is a safety issue but wonder whether it is also a HIPAA issue.

A: I don’t see why you would need to confirm with the caller whether someone is currently a patient in order to make a new appointment. You may permit others to make appointments for patients because they are giving you information as opposed to you sharing information with them, which could be a HIPAA concern.

I would be especially cautious when your intuition tells you that the caller may have an ulterior motive or you work somewhere that often helps victims of abuse, as in your scenario. At minimum, I would ensure the appointment is confirmed with the patient directly and not with anyone else.

Similarly, if someone calls looking for a patient currently in your office, the correct response is, “Due to privacy rules I can’t share that information with you, but leave your name and number and if I see [patient name], I will let him/her know that you are trying to get in touch.” Follow through with relaying the message to the patient if he or she is available. This patient-friendly approach should protect your patients’ privacy.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


A security breach at a third-party vendor in Ohio may have compromised the medical records of patients treated by a physician at Penn Highlands Brookville in Pennsylvania, according to a Penn Highlands Healthcare announcement.

Penn Highlands Brookville is one of four hospitals operated by Penn Highlands Healthcare. The hospital discovered August 14 that an unauthorized party gained access to the Ohio-based third-party server used to store PHI of patients of Barry J. Snyder, MD, who is employed by the hospital. The medical records stored on the server may have contained the following patient information:

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Phone numbers
  • Insurance information
  • Medical information
  • Gender

Upon learning of the incident, the hospital hired security and computer forensics experts to conduct an investigation. PHI of Dr. Snyder’s patients was moved to a secure server and the data contained on the affected server was destroyed, according to the announcement.

Q: I work in the ED at a regional hospital. While working, I noticed my neighbor arrive in the ambulance and overheard someone say he needed to be taken to the operating room. I was on duty, but was not responsible for treating my neighbor. However, I felt compelled to call his wife, who works in another department in the hospital, to let her know what happened. If I were to tell my neighbor’s wife that he was just brought into our hospital, would that constitute a HIPAA violation?

A: CMS patients’ rights standards mandate the notification of someone on behalf of patients who are admitted urgently, assuming the patient cannot speak for him- or herself. Here, the patient’s wife is the obvious next of kin, so she should be notified.

The issue here is whether you should be the one notifying the next of kin. The answer is no, unless this is part of your job. Presumably, your ED has notification procedures for these situations.

Talk to your supervisor if you are unsure, but it is a HIPAA violation to use or disclose any information you obtain in the course of doing your job for any reason not pertaining to your job. Caring or concern is not a sufficient reason for you to use your access to information for a purpose that is not part of your work.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

California amended its data breach notification standards September 30 when it passed AB 1710, according to The National Law Review.

Companies that are the source of a data breach and want to provide identity theft prevention and mitigation services to affected individuals must do so for at least 12 months at no cost if the breach exposed or may have exposed personal information, according to the new law. California is the first state to impose such a law, according to The National Law Review.

The law also expands the range of businesses that are required to implement and maintain security procedures and practices to protect individuals’ personal information. Previously, businesses that own or license personal information about California residents were subject to the law, but now businesses that maintain personal information must comply as well. The law maintains that with certain exceptions a person or entity may not sell, advertise for sale, or offer to sell a person’s Social Security number. The law is effective January 1, 2015.

Q: I recently read about a breach involving a subcontractor hired by the Maryland Developmental Disabilities Administration (DDA) to mail the administration’s annual quality-of-life survey to individuals who receive DDA services. The postcards were not enclosed in envelopes, thereby disclosing to anyone who viewed them that the intended recipients received services from DDA, so the administration reported the breach. I work for a medical equipment company that sends customer satisfaction survey postcards in the mail as well. While the only PHI listed on our postcards is name and address, it is apparent that they received some type of service or equipment from us. Is this truly a HIPAA breach? Should I assume the breach is caused by U.S. Postal Service workers viewing the information on the postcards?

A: I do not recommend sending any information to patients via postcard. In addition to post office employees, the individuals’ family members and others who may pick up the mail will see the information. This risk is probably not worth taking to save a few pennies on postage. In Maryland, PHI pertaining to mental health may receive special protections, which makes the initial scenario you mention more concerning, but postcards are not a good idea in any case.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
