Archive for March, 2011

The business associate (BA) involved in Health Net, Inc.’s potential data breach affecting 1.9 million customers says it is helping the insurance giant investigate missing server drives that have yet to be found nearly a week after initial reports.

IBM notified the insurer that it could not locate several server drives, Health Net said in a March 14 press release. IBM manages Health Net’s IT infrastructure.

The potential breach sparked investigations in multiple states whose residents may have had personal information and/or protected health information (PHI) on those missing drives. A July 2010 HHS proposed rule modifying the HIPAA privacy, security and enforcement rules calls for BAs to be directly liable for breaches.

If the number of affected individuals remains at 1.9 million, this would be the largest breach of unsecured PHI since the Office for Civil Rights (OCR), the HIPAA privacy and security rule enforcer, began posting breaches of 500 or more individuals in February 2010.

IBM would not go into details regarding the case when questioned; however, W. Bruce McConnel, of IBM’s external relations, wrote in an e-mail to HIPAA Update March 24 that “IBM continues to assist Health Net with its investigation of unaccounted-for server drives.” He deferred all other questions to Health Net media relations.

Brad Kieffer, director of communications at Health Net of California in Woodland Hills, said in a phone interview with HIPAA Update that same day that the insurer is standing by its initial press release from Monday, March 14, and has no further information.

Read more on Health Net’s potential breach here.


The Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, is asking for an increase of $5.6 million in its Fiscal Year 2012 budget proposal, mostly to adhere to HIPAA compliance and enforcement requirements.

Nearly half ($2.283 million) is needed because of OCR’s requirement to hire “regional privacy officers” who offer guidance and education to covered entities, business associates, and individuals regarding HIPAA privacy and security.

OCR is requesting another $1.335 million to help investigate HITECH breach reports. As of September 30, 2010, OCR had received a total of 9,300 breach reports: 191 affecting more than 500 individuals and 9,109 affecting fewer than 500 individuals.

The numbers have increased since that report. As of Wednesday, March 16, 249 entities had reported breaches affecting 500 or more individuals to OCR.

OCR says it needs help investigating the small breaches. It needs additional full-time-equivalent employees and resources to “ensure it is able to conduct investigations of potential small- and mid-sized breaches.”

The new breach reports represent a 109% increase in OCR’s HIPAA workload, and they are in addition to the nearly 9,400 HIPAA privacy and security rule complaints that OCR received in FY 2010.

“Based on OCR’s current HIPAA case load, almost all breach reports that impact [fewer] than 500 individuals are not investigated,” OCR writes.

OCR’s other budget requests are:

  • Enforcement of the HIPAA Security Rule ($1 million). Helps support OCR’s new delegated authority for the administration and enforcement of the security standards in the HIPAA Security Rule.
  • Compliance review program ($1 million). Supports OCR’s establishment of a compliance review program designed to evaluate, educate, and ensure compliance within a sample of the expanded covered programs and providers each year. OCR anticipates that FY 2012 will be the starting point for a steady increase in civil rights complaints requiring investigation and compliance reviews.

“OCR’s 2012 Budget Justification highlights that while our workload has increased, we are working smarter and more strategically to fortify our enforcement activities across the board,” an OCR spokesperson wrote in an e-mail to HealthLeaders Media. “OCR is the primary defender of the public’s right to privacy and security of protected health information and the public’s right to non-discriminatory access to federally-funded health and human services, and we take these responsibilities very seriously.”

Another HITECH enforcement requirement, OCR’s periodic audits, has yet to be released. The last update came last May, when OCR announced it had hired an outside firm, Booz Allen Hamilton, to help build its HITECH-required HIPAA auditing plan. OCR told HealthLeaders Media it was “presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement.”

Categories : HITECH Act

Is this willful neglect?


I recently learned that a manager at my hospital received notification from the Employee Health nurse that one of her subordinates did not receive clearance to return to work because the associate failed her drug screen. This manager subsequently repeated this to two employees in the organization who did not have a need to know.

The hospital does not view this as a HIPAA violation. My argument is:

  • Information found in the employee health record is protected health information
  • This constitutes the highest level HIPAA violation (willful neglect)

Can you comment on this?

Thank you.

Categories : HIPAA Q&A

Q: I work in patient financial services at a hospital. Like me, several of my coworkers have aging parents. Sometimes at lunch, we discuss the medical problems of our parents, who are not patients at our hospital. My supervisor says these discussions of family members’ medical problems violate the HIPAA Privacy Rule. Is this true?

A: Discussing the health problems of family members who are not patients at your facility does not violate the HIPAA Privacy Rule. Your hospital is a covered entity pursuant to HIPAA. As an employee, you are required to protect the confidentiality of patients at your facility.

Nonetheless, you should still be respectful of your parents’ privacy and limit these discussions with individuals outside the family. Think about the information you’re sharing and ask yourself whether you would want your information discussed in this manner. Also remember that your coworkers may not keep these conversations confidential and may share this information with their friends or family members.

This question and answer tip was adapted from the March 2011 issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace.

Categories : HIPAA Q&A

For the second time in less than a year, health insurance giant Health Net, Inc., is involved in a potential major breach of clients’ protected health information (PHI).

The insurer, which serves 6 million clients, is investigating the potential loss of nine server drives that included PHI and personal information of 1.9 million past and current enrollees from its data center operation in Rancho Cordova, CA, the California Department of Managed Health Care (DMHC) wrote in a press release Monday.

Though Health Net did not specify how many individuals were affected in its own March 14 press release, DMHC arrived at the 1.9 million total after including the records of 622,000 of DMHC’s state enrollees in the breach.

If California’s numbers hold up, it would be the largest breach of unsecured PHI reported to the Office for Civil Rights (OCR). The HIPAA privacy and security rule enforcer began posting entities reporting breaches of 500 or more individuals in February 2010, per a provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Right now, a breach in Manhattan that affected 1.7 million patients is No. 1 on the OCR list. On February 9, the New York City Health and Hospitals Corporation (HHC) reported that it had begun notifying the affected patients, staff, contractors, vendors, and others who were treated by HHC and/or provided services to it during the past 20 years.

The Connecticut attorney general is asking Health Net for identity theft and credit protections for nearly 25,000 Connecticut residents “because their medical and personal information may have been compromised in a nationwide data breach in early February,” according to a press release from Connecticut Attorney General George Jepsen’s office.

Health Net’s potential loss included PHI and personal information for 24,599 Connecticut residents, including 18,279 Medicare subscribers, 700 Medicaid subscribers, and 5,620 commercial subscribers.

The information may include:

  • Names
  • Addresses
  • Health information
  • Social Security numbers
  • Financial information

IBM, a business associate of Health Net, notified the insurer that it could not locate several server drives. IBM manages Health Net’s IT infrastructure.

“After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and healthcare providers is on the drives,” Health Net wrote on its website.

Health Net has notified the individuals whose information is on the drives. It has offered them two years of free credit monitoring services, “including fraud resolution and, if necessary, restoration of credit files, as well as identity theft insurance.”

In January, Health Net paid for the third time over its loss of a portable disk drive that exposed PHI of 1.5 million people. Vermont’s state attorney general fined the insurer $55,000; the case included 525 Vermonters.

Health Net discovered the drive was missing May 14 but did not start notifying affected parties until more than six months later, the state AG’s office reported in a press release.

Attorney General William Sorrell’s January 14 complaint against Health Net, Inc., and Health Net of the Northeast, Inc. charges the insurer with violations of HIPAA, Vermont’s Security Breach Notice Act, and the Consumer Fraud Act.

For the earlier breach, Health Net settled with the Connecticut state attorney general’s office for $250,000 and also with the Connecticut Insurance Commission. That state AG’s office reached a settlement with Health Net in which the insurer had to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.

It was the first such settlement for HIPAA violations involving newly-granted HIPAA lawsuit powers through HITECH.