
Archive for March, 2010

Blue Cross and Blue Shield of Minnesota is being sued for releasing a woman’s personal medical information accidentally.


How is your entity handling third-party billers in terms of patients’ requests for restrictions?

We have added a new insurance plan (self pay restricted) and require the patient to sign a form that explains to them that their request only applies to HOSPITAL or CLINIC controlled billing. Third party billers such as radiologists and physicians must be contacted separately, which really undermines the intent of the law.

In an unrelated issue…

We have had an increase in patients bringing in their own portable media (thumb drives, CDs, DVDs) instead of paper medical records. How is your organization handling:

1. Accessing and storing the data on the media for patient care
2. Patient requests to add your organization’s medical record and/or image to the patient’s portable media

Our organization is requiring that all portable media except radiology images be scanned by our staff for viruses before being printed or saved to a secure drive.

As for patient requests to “add to” their own portable media, we will not. We will burn a fresh CD that we know is clean instead.

I would be interested to hear others’ approaches.

Mimi Hart

Categories: Provider Posts

Breach notification rule


I am sure we are like most of you, trying to wade through these murky waters trying to distinguish between a breach to report vs. not being required to report. I have been researching and trying to find some examples for our associates from an educational standpoint.

Does anyone have any information that might be helpful?


Tina Smith


HIPAA Q&A: Remote HIPAA training


Q. Is HIPAA training via WebEx or a similar Internet format adequate for workforce members who work remotely, such as sales and account representatives? What type of documentation is necessary for training completed entirely in this manner? How should we document that a workforce member attended a training session? Is in-person HIPAA training preferable? If so, why?

A. Remote HIPAA training using Internet-based, computer-based, or Internet meeting services (e.g., WebEx or GoToMeeting) is an acceptable form of workforce training. Reasonably ensure that any Internet-based learning tools include an audit log to document the beginning and end of training sessions and whether a workforce member completed the training.

Internet-based meeting services will generally provide a log that documents when a participant logs into and out of the training session. This log can be used to document that the workforce member attended and completed the training.

Requiring workforce members to complete a test related to the material covered during training is advisable. Some online HIPAA training tools include this feature. Develop a test and require completion by participants who undergo training via the Internet to document knowledge retention and attendance.

In-person training works well for centrally located workforce members, but it is not necessarily the preferred form of training. It does offer workforce members an opportunity to interact with the instructor and ask questions pertaining to their job. However, neither the HIPAA privacy nor security rule indicates a preferred training method.

Important considerations include:

  • Did the workforce member attend a training session?
  • Did the workforce member understand the information presented?
  • Does the covered entity or business associate repeat training sessions for all workforce members at least once annually, using the method(s) it deems most effective?

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
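The answer above relies on three records: the meeting service’s join/leave log, a post-course test result, and the date of the last completed session, checked against an annual refresh. The following is an added example, not code from the original Q&A or from any training vendor; it reads a constructed audit log (the event names and the 45-minute attendance threshold are assumptions, real WebEx or LMS exports will differ) and reports, per workforce member, whether attendance, knowledge retention and annual repetition are all documented.

```python
"""Added example: evaluate HIPAA training documentation from a meeting-service audit log."""
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, workforce member, event).
# "join"/"leave" come from the meeting service, "test_passed" from the post-course test.
SAMPLE_LOG = [
    ("2010-03-01 09:00", "alice", "join"),
    ("2010-03-01 10:02", "alice", "leave"),
    ("2010-03-01 10:05", "alice", "test_passed"),
    ("2010-03-01 09:03", "bob", "join"),
    ("2010-03-01 09:20", "bob", "leave"),          # left after 17 minutes, no test
    ("2009-02-15 13:00", "carol", "join"),
    ("2009-02-15 14:00", "carol", "leave"),
    ("2009-02-15 14:10", "carol", "test_passed"),  # completed, but over a year ago
]

MIN_MINUTES = 45                     # assumed: shorter sessions do not count as attendance
AS_OF = datetime(2010, 3, 15)        # constructed review date
REFRESH = timedelta(days=365)        # training must be repeated at least annually


def parse_log(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), who, ev) for ts, who, ev in rows]


def training_status(rows, as_of, min_minutes=MIN_MINUTES):
    """Return {member: {"attended": bool, "tested": bool, "current": bool}}."""
    status, opened = {}, {}
    for ts, who, ev in sorted(parse_log(rows)):
        rec = status.setdefault(who, {"attended": False, "tested": False, "last": None})
        if ev == "join":
            opened[who] = ts
        elif ev == "leave" and who in opened:
            # Attendance is documented only by a join/leave pair of sufficient length.
            if ts - opened.pop(who) >= timedelta(minutes=min_minutes):
                rec["attended"], rec["last"] = True, ts
        elif ev == "test_passed":
            rec["tested"] = True
    for rec in status.values():
        last = rec.pop("last")
        # Current = attended + passed the test + last session within the refresh window.
        rec["current"] = rec["attended"] and rec["tested"] and last is not None and as_of - last <= REFRESH
    return status


def due_for_training(status):
    """Members whose documentation does not show current, completed training."""
    return sorted(who for who, rec in status.items() if not rec["current"])


def report(rows=SAMPLE_LOG, as_of=AS_OF):
    return training_status(rows, as_of)
```

Running `due_for_training(report())` on the sample log lists bob (no attendance or test) and carol (training older than a year), while alice is current.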


OCR: HITECH guidance coming


Expect OCR to deliver privacy rule guidance soon.

OCR officials told the crowd today at the two-day “Workshop on the HIPAA Privacy Rule’s De-Identification Standard” in Washington that guidance on changes to the privacy rule and other HITECH-required guidance is forthcoming.

Linda Sanches, a senior advisor on Health Information Privacy in the OCR Boston office, and Susan McAndrew, OCR’s deputy director of Health Information Privacy, each spoke at the workshop today and hinted at upcoming guidance.

Per the HITECH Act, OCR was supposed to deliver guidance on the following by February 18:

  • Business associate contracts
  • Modifying privacy rule provisions regarding right to request restrictions, minimum necessary, patient access to electronically held PHI
  • Modifying privacy rule regarding marketing and fundraising
  • Clarifying that certain entities are BAs
  • Issuing guidance on the privacy rule requirements for de-identification
  • Report to Congress on HIPAA Privacy and Security Compliance
  • Study and report to Congress on privacy and security requirements for entities that are not HIPAA covered entities or business associates
  • Study the HIPAA Privacy Rule’s definition of “psychotherapy notes” with regard to including certain test data and mental health evaluations

Also, by June 18, OCR must issue regulations to modify the HIPAA Privacy Rule’s accounting of disclosures provisions.

OCR is taking written submissions at OCRPrivacy@hhs.gov on the discussions at the two-day workshop on or before Friday, March 5. You must write “Workshop on the HIPAA Privacy Rule’s De-Identification Standard” in the subject line, according to its meeting notice.