Archive for June, 2010
This isn’t the first for the large insurer.
Q. Do we need to update our Notice of Privacy Practices (NPP) to include information about breach notification?
A. There is no requirement to update the NPP in this situation. This would be good information to include in an updated NPP, but no regulation requires it.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.
The FTC will not enforce its medical identity theft prevention and protection rule, known as the Red Flags Rule, against doctors or any American Medical Association (AMA) or state medical society members until lawsuits are settled.
Some associations have sued the FTC for forcing them to comply with the Red Flags Rule.
A healthcare lawyer brought forth the latest prediction on when HIPAA-related HITECH regulations will hit the streets—no later than July 8.
Gerald DeLoss, of counsel with Krieg DeVault LLP and a member of the firm’s Health Care Practice Group, wrote in an American Health Lawyers Association listserv e-mail this week that an OCR official at a conference made that estimate on the release of the proposed rules.
He wrote that David Mayer, senior advisor for HIPAA Compliance and Enforcement at OCR, who presented at a conference this month, said the industry should expect the proposed rules on HIPAA regulations by July 8.
“As a bonus,” DeLoss writes in the e-mail, “[Mayer] also stated that the regs will not require an amendment to existing [Business Associate] Agreements (to incorporate the new requirements) but that there may be very good business reasons for a new or revised BA Agreement.”
OCR, in an e-mail to HealthLeaders Media today, did not verify that July 8 prediction.
“Mr. Mayer’s comments may have been taken out of context,” OCR wrote in the e-mail. “The department cannot predict [Office of Management and Budget’s] timeframe for publication. Further, the Office for Civil Rights at HHS cannot comment on the content of the [proposed rule] before it is published.”
On April 12, OCR sent proposed regulations amending the HIPAA Privacy Rule in accordance with the HITECH Act requirements to the Office of Information and Regulatory Affairs (OIRA) for review. That office is under the Office of Management and Budget (OMB).
Earlier this month, a consultant who attended the North Carolina Healthcare Information and Communications Alliance (NCHICA) annual conference said OCR will release proposed rules around June 26.
After NCHICA's sixth annual Academic Medical Center Conference in Chapel Hill, NC, Phyllis A. Patrick, MBA, FACHE, CHC, co-founder & managing director of AP Health Care Compliance Group, sent an e-mail obtained by HIPAA Weekly Advisor that reported the HITECH regulations would be released in “about two weeks or around June 26th.”
Q. I am beginning to hear about HIPAA violations occurring on popular Internet sites (e.g., Facebook and MySpace). Do you have any guidelines or recommendations regarding the sharing of patient information and/or PHI in the healthcare setting? Retaining control of employee use of social networks is becoming increasingly difficult because healthcare workers access them on personal time away from work.
A. This is a challenge for many healthcare organizations. Those that have addressed it generally prohibit their employees from including any information about patients on their social network pages, even if patients have given them permission to do so. Some organizations also prohibit healthcare workers from linking to a patient’s social network page.
Individuals are free to disclose any information they choose on their own social network pages, including their PHI. However, many healthcare organizations are sensitive about their employees linking to these pages because of the appearance of impropriety.
Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Brandt is president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. She is also the former director of policy and research for the American Health Information Management Association.