Archive for April, 2010
We’ve been serious all along about possible prison time for a HIPAA violation.
One of my colleagues made a Web site on Google and only “invitees” can access the Web site.
My colleague would like to upload an Excel spreadsheet that is password protected, which has clientele’s names and diagnoses.
Although it’s password protected, I believe that it will compromise our HIPAA compliance.
The timing of the release of proposed HIPAA regulations per the HITECH Act became a little clearer this week.
The Department of Health & Human Services (HHS) released its semi-annual regulatory agenda in the Federal Register Monday and wrote that modifications to the HIPAA privacy, security and enforcement rules will be coming in May.
HHS did not detail exactly which proposed rules would be released. But last month, the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said regulations forthcoming include:
- Business associate (BA) liability
- New limitations on the sale of personal health information, marketing, and fundraising communications
- Stronger individual rights to access electronic medical records and restricting the disclosure of certain information
Earlier this month, HHS sent regulations per HITECH requirements to the Office of Information and Regulatory Affairs (OIRA) for review, according to privacy and security experts.
OIRA has 90 days to review the regulations, though the head of the submitting agency can extend that time and OIRA may request a one-time 30-day extension, says Jana Aagaard of the Law Office of Jana Aagaard in Carmichael, CA.
The industry has been waiting on rules from OCR concerning HITECH provisions effective February 17. Until this week, neither HHS nor OCR had provided any specific timeline on the release of regulations.
The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last fall has put at risk the private information of nearly one million customers in at least 32 states, the insurer said April 6 in an investigative update.
So far, no identity theft or credit fraud affecting BlueCross members has been documented as a result of this incident, BCBS of Tennessee said in a media release.
“As of April 2, 2010, a total of 998,422 current and former members have been identified as being at risk,” said BCBS of Tennessee spokesperson Mary Thompson, adding that the total figure includes 447,549 current and former members identified in the lowest-risk Tier 1 category.
“These newly-identified members in Tier 1 began receiving their notification letters the week of April 5. To date, a total of 550,873 notifications have been sent to members indicating that their personal information was included on the stolen hard drives,” Thompson said.
Q. May we tell residents in our long-term care facility that another resident has died when they inquire? From our perspective, they should know because they are part of the long-term care family and need to grieve and/or discuss the loss. Do we need to obtain permission from families/designated representatives?
A. You may disclose limited information to individuals who inquire about patients by name. This would include a patient’s location in the facility, discharge, or death. You don’t need the family’s permission to disclose this information, unless the patient had requested “no information” status.
Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.