
Archive for November, 2010

Nov 16

HIPAA Q&A: Record retention


Q. How long must we retain the list of authorized and unauthorized disclosures pertaining to our nursing home residents? We assume that we must retain these lists while residents remain here, but how long must we retain this information after death or discharge?

A. The HIPAA Privacy Rule generally requires covered entities to retain documentation for six years to demonstrate their compliance with the rule. You may dispose of documentation after that time.

Editor’s note: Mary D. Brandt, vice president, health information management, at Scott & White Healthcare, Temple, TX, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Categories: HIPAA Q&A

The American Medical Association last week adopted a social media use policy to help physicians protect patient privacy and their own personal and professional reputations.

“Using social media can help physicians create a professional presence online, express their personal views and foster relationships, but it can also create new challenges for the patient-physician relationship,” says AMA Board Member Mary Anne McCaffree, MD. “The AMA’s new policy outlines a number of considerations physicians should weigh when building or maintaining a presence online.”

The new policy encourages physicians to:

  • Use privacy settings to safeguard personal information on social networking sites.
  • Monitor their own Internet presence to ensure that the personal and professional information on their own sites, and the content posted about them by others, is accurate and appropriate.
  • Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online, and ensure that patient privacy and confidentiality are maintained.
  • Consider separating personal and professional content online.
  • Recognize that online actions and posted content can negatively affect their reputations among patients and colleagues, and may even have consequences for their medical careers.

The policy on professionalism when using social media was adopted last week at the AMA’s semi-annual policy-making meeting in San Diego.

See also:
Social media cuts healthcare costs
Doctors experimenting with social media
Some doctors join Facebook, Twitter; others wary

Nov 12

HIPAA Q&A: BA contracts


Q. An answering service has a business associate (BA) agreement with another BA, which has a BA agreement with a covered entity (CE). Must the answering service have a BA agreement directly with the CE?

A. The answer to your question depends on the relationship between the answering service and the CE. If the answering service provides services directly to the CE and bills the CE for its services, the CE should have a BA agreement with the answering service.

But if the answering service is an agent of another company, such as a practice management company, that provides services to the CE, and that company bills the CE, the answering service does not need a BA agreement with the CE. As an agent of the BA, it still must comply with HIPAA, however.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance and is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.


Health Net keeps paying for its data breach in 2009.

The Connecticut Insurance Commission announced Monday that it reached a settlement with Health Net in which the insurer will pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.

The fine stems from Health Net’s untimely notification of the 2009 loss of a disk drive from its Shelton, CT, location, which contained the PHI of approximately 500,000 Connecticut members.

Health Net cooperated fully with the state. It provided credit monitoring protection for two years to all Connecticut members and providers affected and “has undertaken significant steps to improve data and equipment security in both Shelton locations,” according to the state’s press release.

“We are pleased with the way Health Net responded to the department’s concerns regarding its internal practices,” Commissioner Thomas R. Sullivan said in a statement. “I believe they have taken the proper actions to implement systemic changes and guard against injury to its members resulting from the lost disk drive.”

In July, Connecticut’s state attorney general’s office announced that it had reached a settlement with Health Net and its affiliates over the failure to secure the private medical records of policyholders and over the insurers’ delay in reporting the breach.

Connecticut Attorney General Richard Blumenthal said the settlement imposes a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.


Officially what we unofficially discussed earlier this week — “Benchmark Study on Patient Privacy and Data Security

Categories: Uncategorized