Archive for March, 2011

Q: We are required to report information, including patient account numbers and diagnosis codes, to our state tumor registry. Must we enter each patient’s name into a database to track these as accountable disclosures?

A: Account numbers reported to the state are considered patient-identifiable information. Therefore, you must include them in an accounting of disclosures in response to patient requests. Entering each disclosure into a database is probably not worth the effort. Most healthcare organizations receive very few requests for accounting, so researching individual cases takes less time than entering every case into a database for tracking.

When patients request an accounting, simply review their records to determine whether diagnoses include those that would have been reported to the state tumor registry.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question for the HIPAA Update blog. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.


Remember the mistakes that cost Rite Aid Corporation and CVS Caremark Corp. millions for HIPAA violations? Disposing of pill bottles in public trash containers without shredding them?

They could have been avoided by simply enforcing HIPAA policies and procedures and providing ongoing staff training, experts say.

There is a right way to avoid a HIPAA violation here – and we show you the way in our new HIPAA/HITECH video.

HCPro, Inc.’s Privacy, Security and You: Protecting Patient Confidentiality Under HIPAA and HITECH, Second Edition is the updated version of our best-selling HIPAA training video that covers both privacy and security training.

Check out this clip about pill bottles, one of several case examples included in the video.

The DVD video also covers important HIPAA compliance matters such as:

  • Laptop security
  • Identity theft
  • Discussing PHI in hallways
  • E-mail encryption
  • Misdirected faxes
  • Family-member inquiries on PHI

If you want more information, go to the video’s page on our marketplace.

Thanks!

Dom Nicastro
Senior managing editor
HIPAA Update
dnicastro@hcpro.com

From the Department of Health & Human Services:

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, state laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).


So when is a HIPAA enforcement plan coming from OCR? The final rule on enforcement out of HITECH? The periodic audits?

One expert says the state of enforcement is likely somewhere in the middle of the two camps.

“While I do not believe the industry has remained stagnant, I do believe it has not changed as rapidly as we might have originally thought or been led to believe. But that is not to say further change is not coming,” says Chris Hourihan, director of operations at Meditology Services, a healthcare IT risk management and deployment services firm based in Atlanta.

The delay on the federal level has occurred because OCR is carefully considering its options and gathering data about the state of the industry before taking action, he says.

“I suspect that by the end of 2011, OCR will have its audit and enforcement plan defined,” Hourihan says.

Editor’s note: This was an excerpt from the March 2011 edition of the HCPro, Inc. newsletter, Briefings on HIPAA.

Mar 23

HIPAA Q&A: Accounting of disclosures


Q. We are required to report information, including patient account numbers and diagnosis codes, to our state tumor registry. Must we enter each patient’s name into a database to track these as accountable disclosures?

A. Account numbers reported to the state are considered patient-identifiable information. Therefore, you must include them in an accounting of disclosures in response to patient requests. Entering each disclosure into a database is probably not worth the effort. Most healthcare organizations receive very few requests for accounting, so researching individual cases takes less time than entering every case into a database for tracking.

When patients request an accounting, simply review their records to determine whether diagnoses include those that would have been reported to the state tumor registry.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.
 
