
Archive for March, 2010




Our family practice now houses a laser tech. They are their own corporation but work under the guidance of our M.D.

If the laser techs fail to shred their PHI documents, are they solely responsible as their own business, or is the family practice MD also liable because it occurred under her roof, even though they are a separate corporation?

Tony Martin


New hire requirements


What is the timeline for a new hire to receive her OSHA and HIPAA training for a medical practice?

Should it be completed on the first date of hire?

Shelley Macaluso


David Lazarus of the LA Times wrote a great piece that talks about a lack of transparency on breaches posted on the OCR Web site.

Categories : Breach Notification, HHS

HIPAA Q&A: Family member’s record


Q. What does HIPAA require with respect to employees of a covered entity (CE) viewing their own or a family member’s medical record?

A. With respect to HIPAA, treat employees as you would any other patient. Most CEs require that their employees request to view or receive a copy of their medical records as would any other patient. CEs generally don’t allow employees to view their medical records directly or randomly. Employees have the same privacy rights as other patients—they may view, inspect, or request a copy of their medical records.

Employees who wish to access a spouse’s, adult child’s, or, in some cases (depending on state law), minor child’s medical records must first obtain authorization from the specific family member.

Employees may not access family members’ medical records without permission unless it is for treatment, payment, or healthcare operations and is directly related to the employee’s responsibilities at work. Effective February 2010, doing so is a criminal act, pursuant to HIPAA and the HITECH Act.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of experience in IT and specializes in security compliance, assessments, training, and strategic planning.



The Office for Civil Rights (OCR) cannot post the names of entities that report breaches of unsecured protected health information (PHI) affecting 500 or more individuals unless the entity gives it written consent, OCR tells HIPAA Update.

In cases where OCR does not have written consent, it will cite the entity on its Web site as “private practice.” This method has led industry insiders to question OCR, says Kate Borten, CISSP, CISM, president, The Marblehead (MA) Group.

Per the HITECH Act, OCR must post “a list that identifies each covered entity” that reports breaches affecting 500 or more individuals.

However, of the 44 organizations listed on the Web site as of Friday, seven are cited by OCR as “private practice.”

“Under current Privacy Act restrictions,” OCR writes to HIPAA Update in an e-mail, “OCR may not disclose the names or other identifying information about private practitioners without their written consent.”

Five of those “private practices” are from the same city on the same date—Torrance, CA, September 27, 2009—but each is posted with a different number of individuals affected. The highest number of affected individuals is 6,145. The other two “private practices” are out of Stoughton, MA, and Wilmington, NC.

Borten says listing private practice “defeats the purpose of public posting. I doubt this is what Congress had in mind.”

Since September, of the 44 entities that have reported such large breaches, 10 involved business associates (BAs). It is not clear whether the “private practices” are BAs or covered entities.

The largest breach on the list came from Blue Cross Blue Shield of Tennessee, which affected 500,000 individuals as a result of stolen hard drives, OCR reported on its Web site.

Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. A stolen laptop on December 10, 2009, resulted in a reported breach affecting 359,000 individuals, according to OCR.

Borten says she’s also concerned that the Web site posting of the breaches of 500 or more is hard to find. To get to the 500 list, users must click “New Breach Notification Web Pages” on the privacy home page. From there, the link to the 500 list is on the bottom right-hand corner.

In response to HealthLeaders’ inquiry about the prominence of the site, OCR wrote, “The OCR HIPAA Privacy Web site is one of the most visited Web sites in the department, and the link to the new breach Web site is prominently available from the home page.”

Borten says she “respectfully disagrees.”

“Only someone who is determined to find the site and knows it must be there is likely to find it by drilling down,” she says.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says he too feels the Web site is hard to track.

“I didn’t necessarily see the Web-based notices all that easy to find,” Ruelas says. “I would have expected them to be a bit more prominently displayed.”

Borten says she hopes OCR will reconsider “where and how it posts breaches so that the full intent and impact of the law is met.”

But OCR stands by its method, telling HealthLeaders, “The posting of breaches affecting over 500 individuals, as with other provisions in HITECH, has brought a strong refocus on compliance with the HIPAA Privacy and Security rules.”
