
Archive for May, 2011

Q. An emergency medical technician (EMT) employed by our municipality challenged his dismissal during a public town meeting. The fire chief presented a copy of an ambulance run sheet, which included the patient’s name, address, and other PHI, to town council members. Unfortunately, this is not an isolated incident. I want to educate the council members and the fire department about HIPAA and patient privacy. What can I do?

A. Your assessment is correct. This is a violation of the HIPAA privacy rule. Public discussion of the EMT’s dismissal may have been necessary, but the council did not need to identify the patient involved. Because the hospital is responsible for the volunteer fire department/ambulance crew, it also is responsible for educating them about their obligation to protect patient privacy.

Discuss this incident with the hospital’s compliance officer. You can offer to help develop a training program for the fire department/ambulance crew.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Categories : HIPAA Q&A

The following is the first in a series of tips to follow if the OCR investigates your facility.

OCR has statutory authority to enforce the HIPAA Privacy and Security Rules, and under the HITECH Act state attorneys general now also have enforcement authority.

An investigation can start with a letter or a civil investigative demand (CID), said Andrew B. Serwin, Esq., a partner at Foley & Lardner, LLP's Washington, DC, office, who spoke at the HIPAA Summit in February.

A CID is similar to a subpoena, but broader, Serwin said. Investigators will likely want to examine your documents and interview members of your organization about what happened.

Upon receipt of a notice of an impending audit or complaint investigation from OCR, immediately confirm receipt, Greg Young, information security officer at Mammoth Hospital in Mammoth Lakes, CA, told Briefings on HIPAA via e-mail.

Young speaks from experience, having worked with OCR on several investigations. He immediately went to work to provide OCR officials the information they requested in the notice. "If I have questions, I ask them. But most important is a timely response and documentation of that response," he said. Young recommends that organizations use e-mail or write a letter to document and have proof of their communication.


How much info. is too much?


I just met with people who volunteer in our skilled nursing facility. One related a recent incident: she took a resident to another area of our community (we are a CCRC) for a special event. While there, the resident began choking. A kind person ran and got a glass of water.

Fortunately, the volunteer had overheard at some point that the resident was restricted to thickened liquids. So, the volunteer did not allow the kind Samaritan to give the resident the water.

While this seems an isolated incident, just how much info. can we give to a volunteer or friend who is “responsible” for the resident when off the unit?

Categories : HIPAA Q&A

by Andrea Kraynak, CPC, senior managing editor, HCPro, Inc.

The HHS Office of the Inspector General (OIG) released two reports today questioning the efforts of the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) in helping to ensure the protection of electronic protected health information (ePHI).

The report on the audit of ONC’s security efforts, “Audit of Information Technology Security Included in Health Information Technology Standards,” notes that ONC’s interoperability specification includes application-level IT security controls but that there are no HIT standards for general IT security controls (e.g., policies and procedures for an organization’s overall computer operations, or for creating a secure environment for application systems and controls).

“We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed,” according to the report.

OIG recommends that the ONC take a number of steps in addition to developing standards for general IT security controls, including offering guidance on HIT security standards and best practices to the industry, emphasizing the importance of HIT and working with the OCR and CMS to develop security controls.

Meanwhile, the report detailing OCR’s and CMS’ efforts, “Nationwide Rollup Review of the CMS HIPAA Oversight,” focuses on seven hospital audits. OIG identified 151 vulnerabilities concerning ePHI, the vast majority of which it categorized as “high impact.” Issues included wireless access vulnerabilities, ineffective encryption, and lack of monitoring. The report stated the following:

These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

The report found CMS’ prior enforcement actions to be insufficient and notes that, while OCR has a process for conducting compliance reviews in situations unrelated to complaints, it has not carried out any such reviews.


Patient information on Google calendar


We are looking at getting different calendars to keep track of client appointments. On the calendar we would like to have the client’s full name and phone number, that is all.

One that works well is Google Calendar. It is password protected and does not have information about clients except phone number and session date/time. There is a vigorous debate about whether using the full name and phone number would be a violation of HIPAA. Do we need permission from the clients to proceed?

Are we missing anything or are we being too strict in how safe we want our info.?

Categories : HIPAA Q&A