
Archive for June, 2011


HIPAA Q&A: Morgue walk-in cooler


Q. Does maintenance of a list of deceased individuals, including names and dates of birth, on a clipboard inside a morgue walk-in cooler violate HIPAA? The intent is for funeral home representatives to sign adjacent to the decedent’s name when retrieving the body.

A. This practice doesn’t violate HIPAA if the clipboard is in an area not accessible to the general public. This is similar to maintaining a patient chart sign-out list that includes patient names, chart numbers, and another patient identifier at the end of a chart rack that is accessible only by authorized workforce members.

Editor’s note: Chris Apgar, CISSP, answered this question. He is president of Apgar & Associates, LLC, in Portland, OR.

Categories : HIPAA Q&A

The following is the sixth in a series of tips to follow if the Office for Civil Rights (OCR) investigates your facility:

Immediately upon receiving notice of a potential problem, focus on internal compliance, said Andrew B. Serwin, Esq., a partner at Foley & Lardner, LLP's Washington, DC, office, who spoke at the HIPAA Summit in February. Begin remediation immediately, implementing any administrative, technical, and physical safeguards to prevent a problem from recurring, he said.

"There's usually work to be done. You're going to have to take corrective actions," Serwin said. You can begin to remediate a problem even before you issue a consent decree.

Categories : HHS

Q: Can I obtain a list of the names of hospital staff members who may have inappropriately accessed my medical records? If all personnel have access to my information, why can't I have access to their names?

A: The HIPAA Privacy Rule does not require covered entities (CEs) to provide patients an accounting of disclosures for treatment, payment, or healthcare operations.

Hospital staff members can legitimately access PHI for these uses.

However, pursuant to the American Recovery and Reinvestment Act of 2009, CEs that acquire an electronic health record (EHR) system after January 1, 2009, must provide an accounting of disclosures for treatment, payment, and healthcare operations by January 1, 2011, or the date on which they acquire an EHR.

CEs that had an EHR in place as of January 1, 2009, have until January 1, 2014, to comply with this requirement.

At this time, many CEs are not required to provide the information you seek. However, if you believe specific individuals inappropriately accessed your medical records, you can file a complaint with the organization's privacy officer. Be prepared to provide the names of the individuals you believe inappropriately accessed your information and why you believe they did so.

This tip was adapted from the June 2011 issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace.

Categories : HIPAA Q&A

HIPAA Q&A: Medicaid and HIPAA


Q. Our state Medicaid office requires Medicaid managed care organizations (MMCO) to share Medicaid beneficiaries’ PHI regarding care management services provided. It also requires a list of current authorizations signed by Medicaid beneficiaries for medical, behavioral health, and pharmaceutical services to the receiving MMCO when Medicaid beneficiaries transfer from one MMCO to another.

Is this permissible pursuant to HIPAA, or must an MMCO obtain authorization from Medicaid beneficiaries before sharing this information?

A. Medicaid is a covered entity and must adhere to HIPAA privacy and security requirements. No exceptions exist for public plans (e.g., Medicare, Champus). This doesn’t prevent MMCOs from sharing Medicaid beneficiaries’ PHI with a new MMCO for continuity of care purposes.

Exceptions exist, however. HIPAA specifically allows more stringent state law to preempt its privacy requirements. For example, some state laws specifically protect health information such as mental health information, HIV/AIDS, and sexually transmitted diseases. Other federal law, specifically 42 CFR Part 2 for alcohol and chemical dependency information, also preempts it.

When records include alcohol and chemical dependency treatment information and state law specially protected health information, state and other federal law require MMCOs to obtain Medicaid beneficiaries’ authorization before releasing any specially protected PHI. The MMCO is not permitted to release this health information to another MMCO without specific authorization.

This includes sharing an authorization form that allows a physician to disclose mental health or other specially protected health information with an MMCO. Simply sharing the authorization form communicates that the Medicaid beneficiary has a specially protected mental or physical condition.

Simply put, HIPAA doesn’t prevent MMCOs from sharing PHI with each other, but other state and/or federal law may do so. Sharing information that could be considered specially protected with a beneficiary’s new MMCO without carefully reviewing it to determine whether specific authorization is necessary is not wise.

Editor’s note: Chris Apgar, CISSP, answered this question. He is president of Apgar & Associates, LLC, in Portland, OR.

Categories : HIPAA Q&A

Think the United States has its problems with securing patient health information?

We’re not alone.

London Health Programmes, a medical research organization based at the NHS North Central London health authority, has reported missing an unencrypted laptop containing information of 8.63 million patients and 18 million hospital visits, operations and procedures, according to today’s issue of The Sun.

The data does not include names, “but patients could be identified from postcodes and details such as gender, age and ethnic origin,” according to the newspaper. Information on the laptop included records of cancer, HIV, mental illness and abortions.

The computer was one of 20 lost, and officials have since recovered eight. The research organization “only just” reported the missing laptops to police although they went missing three weeks ago, according to the newspaper.

The Information Commissioner’s Office, Great Britain’s independent authority that promotes data privacy for individuals, has issued a statement regarding the laptop theft:

“Any allegation that sensitive personal information has been compromised is concerning and we will now make inquiries to establish the full facts of this alleged data breach.”

That British authority has been busy this month in terms of protecting private information, according to press releases on its website:

Health information breaches have taken center stage since President Obama signed into law the HITECH Act in February of 2009. It included a provision that allows government enforcers to publicize reports from healthcare entities suffering a breach that affects 500 or more individuals; their information appears on the website of the Office for Civil Rights (OCR), the HIPAA privacy and security rule enforcer.

The breach reported in Great Britain this week towers over the largest reported patient health information breach in the United States in terms of number of individuals affected — by nearly 7 million.

Health insurance giant Health Net, Inc. earned the top spot after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in March. On the Health Net report, the “type of breach” is “unknown,” and the “location of breached info” is listed as “other.”

Since OCR began posting such information in February 2010, the list has grown to 288 reports.