Archive for March, 2010

The facility I work at is a covered entity.

We continually receive requests to sign a business associate (BA) agreement from other covered entities we do routine business with.

Is there a statement or stated language in the HIPAA/HITECH that can be used to state to these covered entities that we do not need a BA agreement with the other covered entity because we are a covered entity?

It seems that BA documents are being used inappropriately, or as “catch all, just in case” scenarios. And, if these are being used like this, is it safer in being compliant to just go ahead and sign the BA even though it is not needed?

Sharon Hallberg

OCR and the NIST Computer Security Division will host a conference geared toward security best practices in May.

The “Safeguarding Health Information: Building Assurance through HIPAA Security” conference will be held May 11 and May 12 at the Cohen Building Auditorium in Washington, DC.

OCR says the conference will provide a forum to discuss the current HIT security landscape, as well as practical strategies, tips, and techniques for implementing the requirements of the HIPAA Security Rule.

Visit the conference Web site for more information and to register.


CMS security audit findings


CMS’ 2008 audits revealed six areas where covered entities (CE) struggle to comply with the HIPAA Security Rule:

  • Risk assessment
  • Currency of policies and procedures
  • Security training
  • Workforce clearance
  • Workstation security
  • Encryption

CMS’ audit report also detailed corrective actions organizations took to resolve problems. OCR now has responsibility for enforcing the Security Rule.

Check out these PDFs for the full CMS report.


Exempting small practices from the FTC's identity theft prevention program regulation would lead to more identity theft violations, according to one authority on Red Flags Rule compliance.

Randy Berry, BA, CPA, financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, says it would be unfortunate if entities with 20 or fewer employees are let off the compliance hook.

In December 2009, the U.S. District Court issued a summary judgment in favor of the American Bar Association that said the Red Flags Rule does not apply to attorneys or law firms.

Piggybacking off that decision, a group that includes the American Dental Association, American Medical Association, American Osteopathic Association, and the American Veterinary Medical Association wrote a letter to the FTC urging it to exempt them from the rule. Also, the House passed a bill last year that would exempt entities with 20 or fewer employees from Red Flags Rule compliance.

The FTC's Red Flags Rule compliance date (November 1, 2008) has been in effect for nearly a year and a half. The enforcement date, however, has been delayed four times. It is now June 1, 2010.

Read more on HealthLeaders Media.


OCR today issued a “HITECH Act Rulemaking and Implementation Update” on its Web site, confirming it expects to release proposed rules regarding privacy and security provisions of HITECH.

OCR did not say when it will release the rules, but said on its Web site that it will release the provisions through notice and comment rulemaking.

These provisions include:

  • Business associate liability
  • New limitations on the sale of protected health information, marketing, and fundraising communications
  • Stronger individual rights to access electronic medical records and restrict the disclosure of certain information