
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Should we permit workforce members to use their personal cell phones to communicate with patients? If yes, is there a HIPAA-compliant means of doing so for calls, email, and text messages?

A: It is hard to see why this would be necessary when there are so many landlines available in a hospital or physician office setting. Personal cell phone communication, including text, isn’t usually encrypted, so this practice would be risky. (Some patient portals have encrypted messaging capability, which would serve as a secure means of messaging patients.)

If, after conducting a risk analysis on this practice, you determine that the risk is an appropriate one to take (for instance, I can imagine a home health provider calling to verify the convenience of a visit), keep the communication brief and administrative. For example, say “I will be there at 2 p.m.” rather than “I will be there at 2 p.m. to help you with your dressing change.” I would recommend creating a policy that outlines acceptable and unacceptable cell phone communication with patients. If this practice is permitted, it is also advisable to conduct documented workforce training.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

OCR Director Jocelyn Samuels recently stated that audit procedures for phase two HIPAA audits have yet to be finalized, delaying the start date of the audits, according to lexology.com. OCR originally planned to begin phase two audits in fall 2014.

Unlike phase one, the second phase of HIPAA privacy, security, and breach notification audits will likely be desk-based, which means OCR will not conduct on-site audits of covered entities (CEs) and business associates (BAs) unless resources are available. OCR representatives confirmed during a panel at the 2014 AHIMA Convention and Exhibit on September 30, 2014, that the agency had begun randomly selecting CEs for the next round of audits but had not yet sent notifications to the selected facilities. At minimum, OCR will include large and small hospitals, dental practices, health insurance companies, and health plans in the pool of organizations from which audit subjects may be selected. BA audits are expected to begin after CE audits are underway, according to the panel.

Visit the OCR audit program website for the latest on HIPAA audits.

Categories : OCR

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.

Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.

However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, no process was in place to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.

At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer had also failed to perform a complete disaster recovery test for all of its systems. The OIG further identified weaknesses in Premera’s claims application controls.
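The three technical findings above (patches applied late, unsupported software still in use, and no documented baseline to compare server settings against) are the kind of control gaps an internal review can check for continuously rather than once a year. The following script is an added illustration written for this post; it is not Premera's, the OIG's, or HCPro's code. The baseline keys, the unsupported-version list, the 30-day patch deadline, the audit date and the host inventory are all constructed for the example.

```python
"""Baseline-configuration and patch-timeliness check (constructed example).

Models three audit points as code: drift from a documented baseline,
patches outstanding longer than an internal deadline, and software the
vendor no longer supports. All hosts, settings and dates are made up.
"""
from collections import Counter
from datetime import date

# Hypothetical documented baseline of approved server settings.
BASELINE = {
    "ssh_password_auth": "no",
    "tls_min_version": "1.2",
    "smb_v1": "disabled",
}

# Hypothetical (name, version) pairs that are out of vendor support.
UNSUPPORTED = {("postgres", "9.2"), ("java", "6")}

PATCH_SLA_DAYS = 30  # assumed internal deadline for applying a released patch
AUDIT_DATE = date(2015, 3, 1)  # assumed date the check is run


def check_host(host, today=AUDIT_DATE):
    """Return a list of (host, category, detail) findings for one host record."""
    findings = []
    # 1. Configuration drift: every baseline key must be present and match.
    #    A missing key is reported too, since "not configured" is not "approved".
    for key, expected in BASELINE.items():
        actual = host["settings"].get(key)
        if actual != expected:
            findings.append((host["name"], "config-drift",
                             f"{key}={actual!r}, baseline {expected!r}"))
    # 2. Patch timeliness: a patch still pending past the SLA is a finding.
    for patch in host["pending_patches"]:
        age_days = (today - patch["released"]).days
        if age_days > PATCH_SLA_DAYS:
            findings.append((host["name"], "overdue-patch",
                             f"{patch['id']} released {age_days} days ago"))
    # 3. Unsupported software: exact (name, version) match against the list.
    for name, version in host["software"]:
        if (name, version) in UNSUPPORTED:
            findings.append((host["name"], "unsupported-software",
                             f"{name} {version}"))
    return findings


def audit(inventory, today=AUDIT_DATE):
    """Run check_host over every host and return all findings."""
    return [f for host in inventory for f in check_host(host, today)]


def summarize(findings):
    """Count findings per category, for the report header."""
    return Counter(category for _, category, _ in findings)


# Constructed inventory: one drifting host, one badly out-of-date host,
# and one host that matches the baseline.
INVENTORY = [
    {"name": "web01",
     "settings": {"ssh_password_auth": "no", "tls_min_version": "1.0",
                  "smb_v1": "disabled"},
     "pending_patches": [{"id": "PATCH-0001", "released": date(2015, 1, 5)}],
     "software": [("nginx", "1.6")]},
    {"name": "db01",
     "settings": {"ssh_password_auth": "yes", "tls_min_version": "1.2"},
     "pending_patches": [{"id": "PATCH-0002", "released": date(2015, 2, 20)}],
     "software": [("postgres", "9.2")]},
    {"name": "app01",
     "settings": {"ssh_password_auth": "no", "tls_min_version": "1.2",
                  "smb_v1": "disabled"},
     "pending_patches": [],
     "software": [("java", "8")]},
]

if __name__ == "__main__":
    results = audit(INVENTORY)
    print(dict(summarize(results)))
    for host, category, detail in results:
        print(f"{host:6} {category:22} {detail}")
```

Each finding maps back to a line in the audit report: a non-empty `config-drift` list means the live settings do not match the documented baseline (or there is no baseline entry to compare against), `overdue-patch` is the "not implemented in a timely manner" finding expressed as a measurable deadline, and `unsupported-software` is the missing process for keeping end-of-life software off the network. Feeding real inventory data in place of the constructed records is the only change needed to run it for real.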

Categories : Breach Notification


Q: I work in long-term care and I am familiar with the language in HIPAA regulations regarding requests for electronic copies of medical records for a reasonable fee according to community standards. However, my company does not maintain its medical records in electronic form, nor do we presently have the capability of converting our paper records into electronic format. Our state legislature addressed the issue of “reasonable charges and community standards” by state statute in 2006 by providing a formula for every medical provider to follow state-wide for copy charges regarding paper copies.

When someone requests copies of our medical records in electronic form, we first have to make a paper copy of the records, then pay an outside service to scan the records and convert them into electronic form. When we billed the person using the state statute for making paper copies, the person objected to paying for the paper copies because he didn’t believe that we didn’t create the electronic record ourselves. He then threatened to file a complaint with HIPAA.

Are we correct in charging for paper copies according to state statute that provides the same formula for all communities in this state if we cannot produce electronic copies?


A: Not surprisingly, state and federal statutes have been slow to comment about charges for electronic copies of PHI. It sounds like the law in your state pertains to paper copies only.

HIPAA allows a covered entity to impose a “reasonable, cost-based fee” for a copy of PHI. However, the fee permitted under HIPAA (45 CFR 164.524(c)(4)) can only include the cost of:

  • Labor for copying the PHI, whether in paper or electronic form
  • Supplies for creating the paper copy or electronic media (if electronic media is requested)
  • Postage

As long as the fee you are charging actually represents the cost of creating the copy (including labor and postage) and does not exceed the costs permitted by your state statute, your charging practices sound acceptable.

I suggest you network with your state AHIMA group or hospital association to develop a charging policy for electronic copies.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H., answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Categories : HIPAA Q&A

Hackers gained access to the email accounts of employees at St. Mary’s Health in Evansville, Indiana, by uncovering their usernames and passwords. The hack exposed the PHI of nearly 4,400 St. Mary’s patients, according to a breach notice.

What’s more, some have speculated that St. Mary’s may have violated the HIPAA Breach Notification Rule as it appears it did not notify individuals of the breach within 60 days of initial discovery. On December 3, 2014, St. Mary’s learned that its employees’ usernames and passwords were compromised. After launching an investigation, the healthcare facility discovered January 8 that the compromised email accounts contained patient PHI. St. Mary’s posted a breach notification letter on its website March 5 stating that it would also notify affected individuals by mail and alert media outlets.

PHI linked to the compromised email accounts included:

  • Names
  • Dates of birth
  • Gender
  • Dates of service
  • Insurance information
  • Limited health information
  • Some Social Security numbers

Categories : Breach Notification