
Archive for July, 2010

HIPAA privacy and security concerns with the government’s EHR certification program are so great that hundreds of practitioners have called for the program’s cancellation, the Department of Health & Human Services (HHS) announced in its final rule on meaningful use released Tuesday.

It hasn’t happened, of course.

The final rule, issued through the Centers for Medicare & Medicaid Services (CMS), defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.

HHS released a second final rule the same day, through the Office of the National Coordinator for Health Information Technology (ONC). It establishes an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.

Through its technology standards final rule, HHS addresses privacy and security concerns by requiring organizations to perform risk analyses and correct security deficiencies and by requiring the EHR technology to include among other security functions:

  • Encryption capabilities
  • Auditing capabilities including read-only access to patient records
  • Automatic log-off capabilities
  • File and message integrity checking
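Two of the four functions listed above, auditing of read-only access and integrity checking, are easy to state and easy to get subtly wrong: a log that only records edits misses the "who looked at this chart" question, and a log whose entries can be silently altered proves nothing. The following is an added example written for this page (not code from HHS, ONC or any EHR vendor) of an access log in which every read of a patient record is recorded and each entry is HMAC-chained to the one before it. The key, the record store and the user and patient identifiers are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only. In a deployed system the audit key
# would be held by a key management service, not embedded in source.
AUDIT_KEY = b"example-audit-key-not-for-production"


class AuditLog:
    """Append-only access log. Every entry, including read-only views, carries
    an HMAC over its own payload and the previous entry's tag, so that editing
    or deleting an entry in the middle of the log breaks the chain."""

    GENESIS = "0" * 64  # tag used as the predecessor of the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag: str, payload: dict) -> str:
        msg = prev_tag.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, user_id: str, patient_id: str, action: str) -> None:
        payload = {
            "ts": time.time(),
            "user": user_id,
            "patient": patient_id,
            "action": action,
        }
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        self.entries.append({"payload": payload, "tag": self._tag(prev, payload)})

    def verify(self) -> bool:
        """Recompute every tag from the start; False on any altered or removed entry."""
        prev = self.GENESIS
        for entry in self.entries:
            expected = self._tag(prev, entry["payload"])
            if not hmac.compare_digest(expected, entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def read_patient_record(log: AuditLog, records: dict, user_id: str, patient_id: str):
    """All reads go through this function so a view is logged even though
    nothing in the record changes."""
    log.record(user_id, patient_id, "READ")
    return records.get(patient_id)


def reads_by_user(log: AuditLog, user_id: str) -> list:
    """Patient identifiers a given user has viewed, in order; the kind of query
    an investigation of inappropriate access would start from."""
    return [
        e["payload"]["patient"]
        for e in log.entries
        if e["payload"]["user"] == user_id and e["payload"]["action"] == "READ"
    ]


if __name__ == "__main__":
    # Constructed sample data.
    records = {"MRN-0001": {"name": "Constructed Patient A"}}
    log = AuditLog(AUDIT_KEY)
    read_patient_record(log, records, "nurse1", "MRN-0001")
    print("log intact:", log.verify())
```

The chain detects edits and deletions anywhere except a pure truncation of the newest entries; to close that gap the latest tag is periodically copied somewhere the EHR cannot rewrite (a separate log server or a signed checkpoint), which is the usual operational complement to this construction.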

“It’s good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information,” said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. “Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they’ll be used.”

Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. “It will still be up to the eligible provider to implement the security technologies in a reasonable manner,” she says.

In all, Borten calls the security standards in the EHR certification program “all good security controls.”

“Most are basic and have been required by the security rule since 2005 (like unique user IDs),” she adds. “Some that are ‘addressable’ in the security rule are required to be built into the EHR technology such as automatic logoff.”

Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.

“The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information,” Verdugo said in an e-mail to HealthLeaders Media when asked about providers’ concerns with privacy and security. “While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas.”


HIPAA Q&A: Substitute notification


Q. If a breach of PHI occurs and the business associate (BA) or covered entity does not have current contact information for 10 or more individuals, substitute notification is required. What does the interim final rule on breach notification require with respect to substitute notification?

A. Pursuant to the substitute notification requirements, covered entities must prominently post a notice including information about the breach on the home page of their Web site for no less than 90 days. The notice must include a toll-free number for patients to check whether their PHI is affected that is active for no less than 90 days. Alternatively, covered entities may provide notification about the breach, including the toll-free number, through major media outlets in the area where individuals affected by the breach likely reside.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.


OCR posted its final guidance, per HITECH requirements, here.


Editor’s note: This is the fifth in a series of tips in HIPAA Update on laptop security. The excerpts are courtesy of the HCPro, Inc. newsletter, Briefings on HIPAA.

Encryption technology is now available, mature, and proven, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY. “Encryption has progressed considerably since the HIPAA Security Rule became effective in 2005.”

You should encrypt all laptop computers, Patrick says. Modern laptop computers are capable of whole-disk encryption without hindering performance.

Healthcare organizations should purchase laptop computers with hardware-based encryption technology to ensure that data on lost or stolen equipment are secure, says Daniel F. Gottlieb, Esq., a partner at McDermott Will & Emery, LLP, in Chicago. Passwords, even robust passwords, are not adequate protection because hackers and thieves often can crack them.

Gottlieb also recommends configuring laptop and desktop computers to either shut down automatically or enter a password-protected screensaver mode after 15 or 30 minutes of inactivity.

Primary concerns about encryption pertain to management decisions. Management needs to decide what to encrypt, how to recover passwords to unlock encrypted data when users lose their passwords or leave the organization, and whether to make passwords available to unattended backup and client management software.
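The recovery decision above is usually solved by keeping the disk's data encryption key separate from the user's passphrase: the same key is wrapped once under the passphrase and once under a recovery key that IT escrows, so a forgotten passphrase or a departed employee never means re-imaging the machine. The example below, added for this page and not taken from any disk-encryption product, shows that structure. It uses a deliberately simplified wrap (PBKDF2-derived key XORed with the data key, plus an HMAC for integrity); a real product would use an authenticated cipher or a standard key-wrap algorithm. All keys and passphrases are constructed.

```python
import hashlib
import hmac
import os

KEY_LEN = 32            # data encryption key (DEK) and key-encryption key (KEK) length
PBKDF2_ROUNDS = 100_000  # illustrative cost; tune to hardware in practice


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery key into a KEK of the DEK's length."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def wrap_dek(dek: bytes, secret: bytes) -> dict:
    """Simplified key wrap: fresh salt -> fresh KEK, DEK XOR KEK, HMAC over the
    result. The KEK is never reused because every call draws a new salt."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(slot: dict, secret: bytes):
    """Return the DEK, or None if the secret is wrong or the slot was altered."""
    kek = derive_kek(secret, slot["salt"])
    expected = hmac.new(kek, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], kek))


def provision_laptop(user_passphrase: str):
    """Generate a DEK and wrap it under both the user's passphrase and a
    random recovery key. The recovery key is returned so IT can escrow it; it
    is never stored on the laptop itself."""
    dek = os.urandom(KEY_LEN)
    recovery_key = os.urandom(KEY_LEN)
    header = {
        "user_slot": wrap_dek(dek, user_passphrase.encode()),
        "recovery_slot": wrap_dek(dek, recovery_key),
    }
    return dek, header, recovery_key


def unlock(header: dict, user_passphrase: str = None, recovery_key: bytes = None):
    """Unlock with either credential; both slots yield the same DEK."""
    if user_passphrase is not None:
        return unwrap_dek(header["user_slot"], user_passphrase.encode())
    if recovery_key is not None:
        return unwrap_dek(header["recovery_slot"], recovery_key)
    return None


def rotate_user_passphrase(header: dict, recovery_key: bytes, new_passphrase: str) -> bool:
    """Forgotten passphrase or departing user: IT uses the escrowed recovery key
    to re-wrap the existing DEK under a new passphrase. The disk contents are
    untouched because the DEK itself does not change."""
    dek = unwrap_dek(header["recovery_slot"], recovery_key)
    if dek is None:
        return False
    header["user_slot"] = wrap_dek(dek, new_passphrase.encode())
    return True


if __name__ == "__main__":
    dek, header, rk = provision_laptop("constructed passphrase")
    print("user unlock ok:", unlock(header, user_passphrase="constructed passphrase") == dek)
    print("recovery unlock ok:", unlock(header, recovery_key=rk) == dek)
```

The same header layout also answers the last question in the paragraph: an unattended backup agent can be given its own wrapped slot rather than the user's passphrase, and that slot can be revoked on its own.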

Don’t require additional passwords for users to remember, advises Patrick. Encryption software works with single sign-on and other technologies many healthcare organizations use today.

Ensure that users receive proper training in the process dictated by the encryption software’s documentation. Also, ensure that IT support for users is readily available and easily accessible, Patrick says. Plan to increase help desk resources, if necessary, to support staff members who use encrypted laptop computers.

A properly encrypted laptop computer (one that meets certification standards) should not present a security risk, says Patrick. Access the certification standards.


by Dom Nicastro

The Department of Health and Human Services (HHS) softened some of its proposed requirements for healthcare entities to become meaningful users of electronic health records (EHRs) in a final rule released today.

The final rule—issued through the Centers for Medicare & Medicaid Services (CMS)—defines “meaningful use” for the first two years (2011 and 2012) of a long-term financial incentive plan through Medicare and Medicaid under the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009.

The later phases will be governed by different rules. HHS did not say when those rules are expected to be published.

HHS also released today a final rule—through the Office of the National Coordinator for Health Information Technology (ONC)—establishing an initial set of standards, implementation specifications, and certification for EHR technology for vendor products.

The rules went public despite “hundreds” of comments that called for a cancellation of the EHR incentive program due to privacy and security risks involved with the technology, according to the CMS final rule.

“This seems like a significant pushback because on some level this represents a concern which represents to some degree the willingness of these commenters to leave money on the table given the privacy and security risks involved,” said Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ.

Differences between the proposed, finalized rules

During a press briefing this morning, David Blumenthal, MD, MPP, national coordinator for health information technology, said his department received more than 2,000 comments from the January 2010 proposed rule on meaningful use.

The comments resulted in fewer core objectives that clinicians and hospitals must meet in the first two years of available meaningful use incentives. HHS had proposed 23 objectives for hospitals and 25 for clinicians, Blumenthal said, and many commenters felt it was an “all or nothing approach.”

The final rule changes that, dividing the objectives into two sets: a core set of objectives and an additional set. Of the additional objectives, providers must maintain only some of them during the initial phase from 2011–2012. This allows providers to then choose which ones they will push to the phase after 2012. (See the two sets of objectives in this table from the New England Journal of Medicine).

“This gives providers latitude to pick their own path toward full EHR implementation and meaningful use,” according to a statement from HHS.

Other notable changes in the final rule include:

  • A decrease in the percentage of prescriptions to be prescribed electronically, from 75% to 40%
  • An increase in the time period allowed to provide patients with a copy of their EHR, from 48 hours to three business days
  • A requirement that hospitals and clinicians conduct or review a security risk analysis of the certified EHR technology and implement security updates and correct deficiencies as part of their risk management process
  • Two added objectives for eligible providers (EP) and eligible hospitals, in accordance with recommendations from the Health Information Technology Policy Committee:
  1. Identify and provide condition-specific patient education resources
  2. Record advance directives for patients 65 years of age and older
  • A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, pursuant to the Continuing Extension Act of 2010
  • Inclusion of critical access hospitals within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid

Next steps for eligible hospitals and EPs

Ruelas said that entities will likely need to revisit their policies to differentiate the timelines associated with requests for electronic copies of patients’ health information versus those for hardcopies.

HHS also clarified that only information that an eligible hospital or clinician has available electronically must be provided to the patient—not all paper records.

Blumenthal called the criteria “ambitious but achievable” in striding toward President Obama’s goal of all entities moving to EHRs by 2014.

Each clinician is eligible for up to $44,000 through Medicare and $63,750 through Medicaid as incentives for achieving meaningful use.

The American Health Information Management Association (AHIMA) said paper records fail to meet the demands of today’s healthcare decision-making, and it is “ready to ensure the proper implementation of electronic health records.”

“With this last hurdle behind us, the health information management profession can move forward with final preparations for implementation,” Rita K. Bowen, president of AHIMA’s board of directors, said in a statement.

Today’s final rules are the third and fourth in a series of rules released in the past month under HITECH. ONC published a final rule June 24 establishing a temporary certification program for health information technology. The Office for Civil Rights (OCR), enforcer of the HIPAA privacy and security rules, released a proposed rule July 8 that would strengthen and expand privacy, security, and enforcement protections under HIPAA.

Editor’s note: For more information, visit the HHS website.

A CMS/ONC fact sheet on the rules is available at http://www.cms.gov/EHRIncentivePrograms/.

A technical fact sheet on ONC’s standards and certification criteria final rule is available at http://healthit.hhs.gov/standardsandcertification.
