Archive for November, 2010

Q. Our family practice recently allowed a cosmetic laser procedure practitioner to share our space. Our physician is now that practitioner’s medical director. If the laser procedure component of the business does not shred PHI, can the family practice “landlord” be held accountable or equally as liable for any HIPAA violations?

A. Your exposure is a result of your physician’s status as medical director of the laser procedure practice. As medical director of the laser practice, your physician may be held liable for unauthorized disclosures of PHI. As medical director, your physician should ensure that the laser practice provides appropriate protection for PHI.

Editor’s note: Mary D. Brandt, vice president, health information management, at Scott & White Healthcare, Temple, TX, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Nov 23

HIPAA Q&A: Disclosure forms


Q. A sister company has created a wellness walking trail through a medical record storage warehouse. Must employees of the sister company complete confidentiality/disclosure forms?

A. No. Employees using the wellness walking trail should not provide unmonitored access to medical records. If they simply walk through storage areas during times when staff members are present, signed confidentiality agreements are not necessary; they should not have access to medical records. Obviously, employees should not be able to access the walking trail through record storage areas after hours when staff members are not present.

Editor’s note: Mary D. Brandt, vice president, health information management, at Scott & White Healthcare, Temple, TX, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Nov 22

HIPAA Q&A: Minor’s record


Q. Whom should we notify if a minor’s record is breached? For example, a grandparent who works in our healthcare organization reviews the record of a newborn grandchild without authorization.

A. When breaches occur, you are required to notify the affected patients or their legal representatives. A minor child’s legal representative is a parent or legal guardian.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. Brandt, a nationally recognized expert on patient privacy, information security, and regulatory compliance, is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.
 

Nov 18

Definition of PHI


We have a question on the definition of PHI. We have read § 160.103 definitions for PHI and individually identifiable health information as well as sections § 164.502(d) and § 164.514 on de-identification. Unfortunately we have different interpretations. If the following information is disclosed, would this be PHI?

  1. Patient name, address, patient number, admit date, account balance, and the name of the hospital
  2. Patient name, patient number, date of birth, date of service, medical record number, and name of hospital

These would appear in the form of a letter to patient. If they were received by someone other than the patient, would this be considered PHI since the person who received it would not be able to determine anything about the patient’s diagnosis or treatment received at hospital? Also, there is no way for the person to access the patient’s information since the patient number or medical record number would have to be looked up in the hospital’s information system.

LaWanda Gray

Nov 17

Chart transport


We have a satellite clinic that we travel to once a month. We do not have EMR currently, so charts are transported home with an employee on Thursday evening (we are closed on Friday) so they can be brought with the employee to the satellite clinic Monday morning.

While this is not ideal, there is no other way that I know of to get the charts to the satellite clinic. If the employee’s car gets broken into and information stolen, who is liable? Does anyone have a suggestion on how to better transport the charts that I have not thought of?

Thanks.
