
Archive for October, 2009

HHS published in the Federal Register today the HIPAA enforcement interim final rule as part of the provisions in the HITECH Act, according to an OCR press release.

There are no major changes to HITECH enforcement, just some slight language changes.

The interim final rule becomes effective November 30. HHS has invited public comments on the interim final rule, which will be considered if received by December 29.

Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.

A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html

Chris Apgar, CISSP, answered this question in the October 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.
Categories : Compliance Monitor

Survey: “Red Flags” rule

Is your facility compliant with the FTC “Red Flags” rule to protect against identity theft?
1. Yes
2. No
3. I don’t know

To submit your answer, go to “Quick Poll” at HCPro’s Corporate Compliance Web site.

Categories : Compliance Monitor

The House of Representatives unanimously passed a bill Tuesday, Oct. 20, that would exempt providers with fewer than 20 employees from complying with the FTC’s identity theft Red Flags Rule.

Categories : Red Flags Rule

Throw in some more rhetoric in support of HHS eliminating its “harm threshold” from its interim final rule on breach notification. This time, it’s the consumer advocacy group Consumer Watchdog, which says in a letter to HHS:

Inexplicably, and flouting Congressional intent, the Department of Health and Human Services has introduced a “harm” standard before breach notification is required. You have decided to interpret “compromises the security” of data to include a substantial harm standard. Under the HHS interpretation, if the breaching entity decides there is no significant risk of financial, reputation or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule.

In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous.

It is even more troublesome when one recalls that the House Committee on Energy and Commerce considered a similar “harm” standard during discussions of health and information technology legislation in May 2008. Committee members considered public comments and practices of various states; they explicitly rejected a “harm” standard.

Read the full letter.

Categories : Breach Notification, HHS