
Archive for August, 2011

Survey: Is your compliance officer also your HIPAA privacy officer?

  • Yes
  • No
  • I don’t know

To submit your response, visit “Quick Poll” at HCPro’s Corporate Compliance Web site.


The Office for Civil Rights has revealed the top areas of interest on its HIPAA privacy and security compliance radar.

Adam Greene, former senior health information technology and privacy advisor at OCR and now partner at the law firm Davis Wright Tremaine in Washington, D.C., recently discussed each hot topic with HealthLeaders Media.

Hotspot: Incident detection and response (OCR’s top issue)

Greene: I recommend both a top-down and bottom-up approach. From the top, covered entities and business associates should evaluate whether they are reasonably logging system activities and reviewing those logs in a way that is reasonably likely to detect impermissible uses and disclosures.

From the bottom, covered entities and business associates should ensure that all staff who have access to PHI are reasonably trained to be able to spot an impermissible use or disclosure and report it to the appropriate person (since the HITECH Act makes clear that the entire organization is treated as knowing of a breach if anyone, other than the person who committed the impermissible use or disclosure, knows of the breach).

Hotspot: Review of log access

Greene: No entity can review every instance of access. The key is how to reasonably spend your limited resources in a way that will best identify problems. This generally should include looking for patterns of unusually large access by an employee and paying special attention to high risk areas such as access to patient records of VIPs.

If appropriate for your organization, this may also include more sophisticated algorithms, such as comparing patient addresses and employee addresses to detect potential cases of neighbor snooping by employees, or looking for access that is unusual for a department (e.g., a labor and delivery nurse looking up a male patient).

There is no one-size-fits-all answer, but covered entities and business associates should document what options they have considered and how they concluded that their approach was reasonable.
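The heuristics described above (unusually large access volume, VIP records, employee-patient address matches, and access that is unusual for a department) can be run as simple detection logic over access-log records. The following is an added example, not code from OCR, HCPro or the interview; the employee directory, patient records, log entries, the department rule and the volume threshold are all constructed for illustration.

```python
"""Review constructed EHR access-log records for the patterns Greene lists.

All data below is constructed: three hypothetical employees, four hypothetical
patients, and a log in which a billing clerk opens far more charts than peers,
a labor-and-delivery nurse views a male neighbour's chart, and a VIP chart is
opened several times.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Access:
    user: str
    patient: str
    action: str  # "view", "print", ...


# Hypothetical employee directory: department and home address fields.
EMPLOYEES = {
    "nurse_a": {"dept": "L&D", "zip": "30301", "street": "Oak St"},
    "nurse_b": {"dept": "L&D", "zip": "30305", "street": "Elm Ave"},
    "clerk_c": {"dept": "Billing", "zip": "30302", "street": "Main St"},
}

# Hypothetical patient index: sex, address and a VIP flag maintained by the privacy office.
PATIENTS = {
    "p1": {"sex": "F", "zip": "30310", "street": "Peachtree St", "vip": False},
    "p2": {"sex": "M", "zip": "30301", "street": "Oak St", "vip": False},
    "p3": {"sex": "F", "zip": "30320", "street": "Pine St", "vip": True},
    "p4": {"sex": "F", "zip": "30330", "street": "Ivy Rd", "vip": False},
}

# Hypothetical department rule: labor-and-delivery staff are expected to treat female patients.
DEPT_PATIENT_SEX = {"L&D": {"F"}}

# Constructed log for one review period.
LOG = (
    [Access("clerk_c", f"p{1 + i % 4}", "view") for i in range(20)]
    + [Access("nurse_a", "p1", "view"), Access("nurse_a", "p2", "view"), Access("nurse_a", "p4", "print")]
    + [Access("nurse_b", "p3", "view"), Access("nurse_b", "p4", "view")]
)


def volume_outliers(log, factor=3.0):
    """Users whose access count exceeds `factor` times the median user's count."""
    counts = Counter(a.user for a in log)
    med = median(counts.values())
    return {u: c for u, c in counts.items() if c > factor * med}


def vip_accesses(log):
    """Every access to a chart flagged as VIP; these are reviewed individually."""
    return [a for a in log if PATIENTS[a.patient]["vip"]]


def neighbour_accesses(log):
    """Accesses where employee and patient share ZIP and street (possible neighbour snooping)."""
    hits = []
    for a in log:
        e, p = EMPLOYEES[a.user], PATIENTS[a.patient]
        if (e["zip"], e["street"]) == (p["zip"], p["street"]):
            hits.append(a)
    return hits


def department_anomalies(log):
    """Accesses that fall outside the patient population a department normally treats."""
    hits = []
    for a in log:
        expected = DEPT_PATIENT_SEX.get(EMPLOYEES[a.user]["dept"])
        if expected and PATIENTS[a.patient]["sex"] not in expected:
            hits.append(a)
    return hits


def review(log):
    """Combine the checks into a list of (finding_type, user, detail) for a privacy officer."""
    findings = [("high_volume", u, c) for u, c in volume_outliers(log).items()]
    findings += [("vip_access", a.user, a.patient) for a in vip_accesses(log)]
    findings += [("neighbour_access", a.user, a.patient) for a in neighbour_accesses(log)]
    findings += [("department_anomaly", a.user, a.patient) for a in department_anomalies(log)]
    return findings


if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```

The median-based volume check is deliberately crude; it is there to show that "unusually large access" needs a baseline drawn from peers rather than a fixed number. The department rule and the address match are the kind of site-specific options Greene says should be considered and documented, whether or not they are adopted.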

Hotspot: Secure wireless network

Greene: The May 2011 OIG report regarding CMS oversight of the Security Rule is helpful here, highlighting a number of vulnerabilities in wireless networks that the OIG found when auditing hospitals. For example, OIG found hospitals where no authentication was required to access the network or where there was an inability to detect devices intruding on the network.

For smaller providers, it may be less complicated issues, such as ensuring that encryption is turned on and that administrative access to configure the access point is properly password protected.

Hotspot: Management of user access and passwords

Greene: Covered entities should ensure that there are policies generally prohibiting the sharing of user IDs, systems are configured to require strong passwords when accessing higher-risk information and to require changing of default passwords, and that access to administrative accounts is closely controlled.

Hotspot: Theft or loss of mobile devices

Greene: Good policies and training on safeguarding mobile devices are a good first step. But, no matter what administrative steps are taken, mobile devices will get lost or stolen. Accordingly, I would highly recommend encryption of such devices and trying to maintain PHI centrally, whenever possible (rather than storing PHI on mobile devices themselves).

Hotspot: Up-to-date software

Greene: Covered entities and business associates should ensure that patches that address vulnerabilities are pushed out to workstations [regularly] and should consider whether an upgrade to software or an operating system is necessary if that version is no longer supported by the vendor. Of course, it is also imperative to keep anti-malware software up-to-date.

Hotspot: Role based access – lack of information access management

Greene: Staying on top of role-based access is always challenging. If standards are too lax, there are significant security risks. If standards are too tight, then patient safety may be jeopardized due to unexpected situations in which an employee needs legitimate access to information but does not have the needed access level. A closely monitored break-the-glass solution may help remedy some of the concerns.
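The trade-off described above, role-based access that is strict enough to limit exposure but has a monitored emergency override, is easier to reason about in code. The following is an added example, not code from the interview, OCR or HCPro: a small access check in which a request outside the caller's role is denied unless the caller supplies an emergency justification, in which case it is granted, written to an audit trail and queued for review. The roles, record types, minimum justification length and escalation threshold are hypothetical.

```python
"""Role-based access with a monitored break-the-glass override (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical role -> record types the role may open without an override.
ROLE_PERMISSIONS = {
    "labor_delivery_nurse": {"obstetric", "demographics"},
    "billing_clerk": {"demographics", "claims"},
    "physician": {"obstetric", "demographics", "claims", "psychiatric"},
}

MIN_JUSTIFICATION_CHARS = 10   # hypothetical: reject one-word justifications
MAX_BREAK_GLASS_PER_USER = 2   # hypothetical: more than this in a period triggers escalation


@dataclass
class AuditEvent:
    user: str
    role: str
    patient: str
    record_type: str
    decision: str          # "allow", "deny" or "break_glass"
    reason: str = ""
    needs_review: bool = False


@dataclass
class AccessControl:
    audit: list = field(default_factory=list)

    def request(self, user, role, patient, record_type, emergency_reason=None):
        """Return True if access is granted; every decision is written to the audit trail."""
        permitted = record_type in ROLE_PERMISSIONS.get(role, set())
        if permitted:
            event = AuditEvent(user, role, patient, record_type, "allow")
        elif emergency_reason and len(emergency_reason.strip()) >= MIN_JUSTIFICATION_CHARS:
            # Break the glass: grant, but keep the justification and queue the event for review.
            event = AuditEvent(user, role, patient, record_type, "break_glass",
                               emergency_reason.strip(), needs_review=True)
        else:
            # No role permission and no usable justification: deny, still audited.
            event = AuditEvent(user, role, patient, record_type, "deny",
                               (emergency_reason or "").strip())
        self.audit.append(event)
        return event.decision in ("allow", "break_glass")

    def pending_review(self):
        """Break-the-glass grants a privacy officer still has to look at."""
        return [e for e in self.audit if e.needs_review]

    def close_review(self, event):
        """Mark one break-the-glass grant as reviewed."""
        event.needs_review = False

    def escalations(self):
        """Users who used the override more often than the hypothetical threshold."""
        counts = Counter(e.user for e in self.audit if e.decision == "break_glass")
        return {u: c for u, c in counts.items() if c > MAX_BREAK_GLASS_PER_USER}


if __name__ == "__main__":
    ac = AccessControl()
    ac.request("nurse_a", "labor_delivery_nurse", "p1", "obstetric")
    ac.request("nurse_a", "labor_delivery_nurse", "p1", "psychiatric")           # denied
    ac.request("nurse_a", "labor_delivery_nurse", "p1", "psychiatric",
               emergency_reason="patient seizing in triage, need medication history")
    for e in ac.pending_review():
        print(e)
```

The point of the example is that the override never bypasses logging: a break-the-glass grant produces an event that stays open until a human closes it, and repeated use by one account surfaces through `escalations()` rather than disappearing into the ordinary access log.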


Covered entities have reported breaches of unsecured protected health information affecting 500 or more individuals to the Office for Civil Rights (OCR) nearly once every other day since the HIPAA privacy and security enforcer began posting the information 18 months ago.

The list, posted on the OCR breach notification website, hit the 300 mark last week. OCR went live with the site in February 2010, recording breaches that date back to September of 2009.

That’s about 13 breaches per month dating back to the fall of 2009.

The website is part of the breach notification interim final rule, in effect since September 2009. OCR withdrew the rule a little more than one year ago from the hands of the Office of Management and Budget (OMB), which reviews rules for government agencies. OCR wanted more time to pursue changes to the rule.

The provisions in the rule include:

  • Notice to patients of breaches “without unreasonable delay” and no later than 60 days after discovery
  • Notice to covered entities by BAs when BAs discover a breach
  • Notice to “prominent media outlets” on breaches affecting more than 500 individuals
  • Notice to “next of kin” on breaches involving patients who are deceased
  • Notice to the Secretary of HHS of breaches affecting 500 or more individuals without unreasonable delay
  • Annual notice to the Secretary of HHS of breaches of “unsecured PHI” affecting fewer than 500 individuals that pose a significant financial risk or other harm to the individual, such as reputational harm

OCR enforcement by the numbers:

  • 420: Complaints alleging a violation of the HIPAA Security Rule made to OCR since October 2009
  • 192: Security complaints closed by OCR after investigation and appropriate corrective action
  • 294: Open security complaints and compliance reviews as of May 31, 2011
  • 61,333: HIPAA Privacy Rule complaints since the compliance date in April 2003
  • 55,858: Complaints resolved through investigation and enforcement (13,745); through investigation and finding no violation (7,132); and through closure of cases that were not eligible for enforcement (40,456).

HIPAA compliance auditors contracted by the Office for Civil Rights (OCR) will review whether covered entities have corrective action plans in place and if they diligently work to remediate any problems, according to an expert who worked with OCR’s privacy chief on a recent audio conference.

Cliff Baker, managing partner with Meditology Services in Atlanta, teamed on an audio conference July 28 with Susan McAndrew, deputy director of health information privacy for OCR, and Adam Greene, former senior health information technology and privacy advisor at OCR and now a partner at the law firm Davis Wright Tremaine in Washington, D.C.

Baker summarized the key points from the presentation in a follow-up e-mail, including some of the major issues on OCR’s radar for the industry:

  • Incident detection and response (OCR’s top issue)
  • Access log review
  • Secure wireless network
  • User access and passwords management
  • Theft or loss of mobile devices
  • Up-to-date software
  • Role-based access — lack of information access management

Background on the HITECH-required audits

OCR in June awarded KPMG, LLP a $9.2 million contract to administer the HIPAA privacy and security compliance audits required by Congress via HITECH. The first phase of the audits – in which OCR plans to visit 150 covered entities – is expected to start this coming fall and end by December 31, 2012.

OCR is taking a systematic approach to determine which organizations to audit based on risk, Baker says. Audits will no longer be driven by responses to complaints or breaches, but they will be directed at organizations that OCR selects based on an overall risk profile.

“The audits are seen as an opportunity to gather information about exposures in the industry and proactively identify certain issues ahead of time before they result in breaches across the industry,” Baker says. “The results of the audit will be a learning opportunity for the entire industry.”

Conducting the audits

OCR is working on a model for objectively selecting organizations for audit based on risk factors (e.g., size, type of entity).

“The audits will not simply focus on organizations that had an incident,” Baker says. “The initial focus will largely be on covered entities, as this is a group that’s identifiable today.”

McAndrew told HealthLeaders Media August 5 that OCR is unsure whether to audit business associates in the first round.

Entities will receive advance notice before any audits. And though OCR is budgeted for 150 audits, Baker said it’s “unlikely” the auditors will get through that many by the end of 2012. OCR plans to release aggregate findings across all audits as a “learning process for the industry,” Baker says.

“OCR expects that organizations are performing risk assessments,” Baker adds. “Risk assessments are not expected to be ‘clean,’ but it’s important that organizations have corrective action plans in place and are diligently working to remediate issues.”


One year on, the Office for Civil Rights investigation into the nation’s largest drugstore chain for potential HIPAA violations is still just that, an investigation, even though the same practices cost the industry’s second- and third-largest chains millions of dollars in settlements.

Last August, OCR confirmed its investigation into Walgreens based on the same television media reports that led to million-dollar settlements with CVS and Rite Aid for potential HIPAA violations.

Contacted recently, Amanda Fine, spokesperson for OCR, offered no comment but confirmed in an e-mail to HIPAA Update that the investigation into Walgreens remains “open.”

“OCR cannot comment on the timing or the details of an open investigation,” Fine said when asked about Walgreens.

The government’s investigations into the pharmacies date back four years. The HIPAA privacy and security rule enforcer’s investigation into CVS and Rite Aid began September 27, 2007, according to each pharmacy chain’s consent agreement with the Department of Health & Human Services.

The agreement included a $2.25 million settlement for CVS (announced February 18, 2009) and a $1 million payment by Rite Aid (announced July 27, 2010) with HHS.

Though neither consent agreement mentioned an investigation into Walgreens, OCR confirmed last year that it is looking into the HIPAA compliance practices of the Deerfield, IL, company.

Walgreens operates more drugstores in the country than any other chain, ahead of No. 2 CVS and No. 3 Rite Aid.

HHS’s consent agreements with CVS and Rite Aid revealed that the pharmacies disposed of pill bottles and prescriptions that included protected health information in trash containers without proper safeguards.

WTHR, the Indianapolis television outlet that broke the improper disposal practices after a nationwide “dumpster-diving” investigation, reported that Walgreens was one of the pharmacies where it found PHI in Dumpsters with easy access by the public.

In addition to paying HHS $1 million, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.

CVS, meanwhile, agreed to implement a robust corrective action plan that requires:

  • Privacy rule compliant policies and procedures for safeguarding disposed patient information
  • Employee training on HIPAA
  • Employee sanctions for noncompliance

In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.

Rite Aid’s corrective action plan is similar.

The money collected by OCR through these settlements goes to “enforcement activities under the HITECH Act and the HIPAA Privacy and Security regulations,” OCR wrote in an e-mail to HealthLeaders Media.
