
Archive for April, 2011


Q&A: Whiteboards and HIPAA


Q: Is it permissible to list patients by name on whiteboards in the nursing units?

A: Yes, provided the information is limited to the minimum necessary. The whiteboard should not have any information about the patient’s diagnoses or procedures. Identify patients only by last name or initials, if possible. And be sure that “no information” patients are not listed on the whiteboard.

It’s also a good idea to place the whiteboard where it is accessible to staff but cannot be seen easily by visitors.

This week’s Q&A was adapted from The Privacy Officer’s Handbook. For more information about this book, visit the HCMarketplace.


Q. We inadvertently sent a clinical note to the wrong healthcare provider. Must we conduct a risk analysis of this disclosure even if it is not a reportable breach? We documented the inadvertent disclosure in the patient’s electronic health record, but must we do more?

A. Your documentation should include a brief risk analysis, such as: “Minimal risk of harm to patient because information was disclosed to another staff physician, who also must comply with privacy regulations.”

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.


Editor’s note: These tips are excerpts from the April edition of the HCPro, Inc. newsletter, Briefings on HIPAA. For more information on subscriptions and purchasing this full article, go here.

Be aware of what is happening and attend to all aspects of ensuring privacy and security, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, in Schaumburg, IL. For example, organizations need to tighten access controls and audit logging as they transition toward EHR. Include provisions to encrypt any data that leaves an organization to prevent breaches, she says.

Review the status of BA contracts. "I'm advising a wait-and-see approach," says John R. Christiansen, Esq., whose practice, Christiansen IT Law in Seattle, focuses on health IT. With respect to updating BA contracts, "I think it's very clear we will have an ability to have grandfathered contracts," he says.

Christiansen updates some versions of contracts in accordance with the proposed rule on modifications to the HIPAA privacy and security rules, but he doesn't recommend that organizations adopt them unless contracts are expiring and rolling over. With respect to rollovers, organizations must decide whether to use the updated contracts or wait for the final rule.


Healthcare privacy and security teams are watching closely for new rules and regulations that will modify the HIPAA privacy and security rules.

However, they should also keep an eye on another security standard that last month cost a Massachusetts restaurant chain $110,000.

The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entity that accepts credit cards to protect cardholder data from theft.

Boston-based The Briar Group LLC, which runs popular restaurants in the city, agreed to the settlement after it was charged with not taking reasonable steps to protect the personal information found on diners’ credit and debit cards.

Healthcare entities must take caution here, too. If you take plastic, you must comply with PCI DSS. And not all entities are aware, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

“I think healthcare organizations—and many others—are still unaware of PCI DSS,” Borten says. “They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO [International Organization for Standardization], HIPAA, and other regulations and frameworks, simply good practice.”

PCI DSS requires organizations that take plastic to meet six control objectives, each broken down into specific requirements:

  • Build and maintain a secure network
      • Install and maintain a firewall configuration to protect cardholder data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
      • Protect stored cardholder data
      • Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
      • Use and regularly update antivirus software
      • Develop and maintain secure systems and applications
  • Implement strong access control measures
      • Restrict access to cardholder data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
  • Regularly monitor and test networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
  • Maintain an information security policy
      • Maintain a policy that addresses information security

Borten says she used the news out of Boston to help students in her security class understand the importance of protecting firewalls.

“PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today,” Borten says. “Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn’t following them.”

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are unaware of PCI DSS.

She also cautions that despite the fact that President Obama exempted some entities from following the Red Flags Rule in December 2010—at which point many healthcare providers completely removed Red Flags Rule from their area of concern—they do need to realize that not all healthcare providers were excluded.

“It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule,” Herold says. “There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule.”

The Boston restaurant incident should highlight the need for hospitals to think beyond HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all the information related to payment processing, and the associated credit checks that go along with it.

“Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital,” Herold says. “I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias.”

Herold says that hospitals should follow this high-level strategy to help mitigate risks:

  • Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
  • Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
  • Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
  • Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
  • Enforce and sanction noncompliance consistently, and have strong executive support for the policies and related actions

Further, Herold says, take these specific actions to reduce risks:

  • Ensure only those staff members who have responsibilities related to credit card payments can access credit card information.
  • Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times.
  • Discard hard copy credit card slips only after finely shredding them, or put them into secured trash receptacles.
  • Restrict nonpersonnel, and staff members without responsibilities related to credit card payments, from accessing payment systems. This includes keeping stations that access such payment systems well-secured and locked when no one authorized is around.
  • Do not keep credit card payment information within patient files or with patient papers posted in or outside of patient rooms.

HIPAA Q&A: Voicemail messages


Q. May ambulatory surgery center (ASC) staff members leave preoperative messages on patients’ voice mail or answering machines that include:

  • The caller’s first name
  • The name of the ASC
  • Instructions to call a certain number

Messages neither identify the procedure nor provide other information about the patient. I believe this practice is acceptable unless patients have specifically requested that we not do this (e.g., cosmetic cases).

What information concerning a scheduled procedure (e.g., arrival time, medication reminder, what to bring) may we leave on a patient’s voicemail or answering machine? What information may we leave in a post-procedure follow-up message?

A. You are correct. The practice you describe is acceptable because the information in the message is limited to the minimum necessary. Voicemail messages left for patients should not reveal anything about the patient’s diagnosis or surgical procedure. They may convey practical information, such as expected arrival time and medications.

Follow-up messages should be general, such as, “Mr. Smith, this is Sally at XYZ Surgery Center. I wanted to see how you’re doing after your procedure. Please call me back at 999-9999.”

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.
