HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


Archive for November, 2009


Survey: HIPAA sanctions policy

Posted by: | Comments (0)
Email This Post Print This Post
Do you have an internal HIPAA sanctions policy?
  • Yes
  • No
  • I don’t know
To submit your answer, go to “Quick Poll” at HCPro’s Corporate Compliance Web site.

Categories : Compliance Monitor
Comments (0)

If you’re reading this, sorry you’re on the clock!

Maybe you’d like to take a minute to say what you’re thankful for in terms of your HIPAA compliance team at your facility.

Happy Turkey Day!

— HIPAA Update

Categories : Uncategorized
Comments (0)

Expert: Encryption best way to go

Posted by: | Comments (2)
Email This Post Print This Post

It seems as if everyone is talking about encryption these days, and that is certainly the case on our HIPAA Update blog.

HHS added encryption layers in its interim final rule on breach notification to specify the technologies and methods that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” Some of these layers were not specified in draft guidance
HHS released in April.

“You now need to really consider encryption,” says Jeff Drummond, HIPAA blogger and health law partner in the Dallas office of Jackson Walker, LLP. “That’s sort of your first opportunity to avoid breach notification. You can’t do much about your paper records other than destroying them, which eliminates their utility. But for electronic data, you can keep it and use it, but should encrypt so it is considered ‘secured’ under HIPAA.”

In the interim final rule, the definitions for acceptable encryption include:

Q. Returned mail for a patient account is sent to a business associate (BA), who looks for another address or guarantor. Sometimes, the people at the new address the BA gives us call to say they don’t have children or a medical bill with us. Is this a HIPAA privacy breach?

A. You should take appropriate steps to ensure that a new address is correct before sending PHI to that address. The BA should try to contact the patient or guarantor by telephone, using telephone numbers you have on file, to determine the correct mailing address.

Editor’s note: Angela Mitchell asks the question in the title of this blog post. Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Categories : HIPAA Q&A
Comments (4)

Covered entities and business associates can protect themselves against the dangers of unsecured social networking Web sites and communication practices by taking a hard stance against them, experts advise.

You can protect your organization by investing in communication devices such as BlackBerry® smartphones and banning sites such as Facebook and Twitter from hospital computers, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.

Education is essential, and it must be specific—it’s no good if it’s vague, he says.

Use these four models together to educate employees and protect your facility:

  • New employee training (i.e., orientation)
  • Annual refresher training
  • Security reminders (e.g., weekly helpful e-mails, information in the hospital newsletter, messages that flash on staff member computer monitors)
  • Communication policy: During annual staff member performance reviews, require staff members to acknowledge in writing that they have read and understood the policy

Teach clinical staff members to adopt the habit of texting messages that express urgency without including PHI. For example, write “Call me” or “I have an important message and I’m going to leave you a voicemail.” Then, if you lose information, you’re not losing anything that’s personally identifiable.

Editor’s note: This is an excerpt from an article in the November edition of the HCPro, Inc. newsletter, Briefings on HIPAA.

Comments (0)