Archive for August, 2011

Q. We have a medical unit for a pediatric population. This campus includes a school for educating the children. How do we transmit information between the school and the medical unit without violating HIPAA?

A. You may provide information to the school without patient/parent authorization if the school is providing healthcare services to the patient as part of the treatment process. Otherwise, you should obtain authorization from the child’s legal representative to release PHI to the school if school officials don’t need this information for ongoing care.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.

Categories : HIPAA Q&A

The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was itself responsible for a 2010 breach involving the loss of an unencrypted flash drive that affected more than 4,500 patient records.

OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.

KPMG, which won OCR’s $9.2 million contract for the HITECH-required HIPAA audits in June 2011, notified the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee had lost an unencrypted flash drive that may have contained a list of patient names and information about their care, according to a report Saint Barnabas posted on its website.

The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

The flash drive did not include patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information, or other identifiable information, according to the report on the Saint Barnabas website.

KPMG reported the matter to the New Jersey healthcare system June 29, 2010. KPMG believes the flash drive was misplaced on or about May 10, 2010, according to Saint Barnabas.

“KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,” according to the healthcare system’s report. “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person. … KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Reached August 5 via e-mail, Pete Settles of KPMG external communications confirmed the incident with Saint Barnabas but said that “for reasons of confidentiality, we do not comment on client work.”

Susan McAndrew, deputy director of health information privacy for OCR, wrote in an e-mail that “OCR cannot address KPMG’s involvement with the breach at St. Barnabas as this case is currently under investigation.”

Ellen Greene, vice president of public relations and marketing for the Saint Barnabas Health Care System, said the organization had no comment.

News broke last month that OCR hired KPMG, LLP to implement its HITECH-required HIPAA compliance auditing plan.

KPMG is assisting the government to implement the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by HITECH.

KPMG will conduct up to 150 audits of entities varying in size by December 31, 2012. HITECH requires “periodic audits” of covered entities and business associates to ensure HIPAA compliance.

Asked if OCR considered the KPMG involvement on this 2010 breach at any level when considering it for the HIPAA audit contract, McAndrew only said, “the award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.”

The process to hire KPMG involved a Department of Health and Human Services (HHS) panel that reviewed and ranked all technical proposals and qualifications by “predetermined evaluation criteria,” McAndrew said.

“Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs,” McAndrew said. “Negotiations were conducted, and an offer was made.”

KPMG LLP is an audit, tax, and advisory firm and is the United States member firm of KPMG International, according to its website. KPMG International’s member firms have 137,000 professionals, including more than 7,600 partners, in 144 countries.

The Office for Civil Rights (OCR) has not yet decided whether to include business associates (BAs) in the HIPAA compliance audits it will conduct under the $9.2 million contract it awarded last month.

Susan McAndrew, JD, OCR’s deputy director of health information privacy, says the contractor, KPMG, LLP, will be developing protocols to support business associate audits.

However, “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012,” McAndrew says.

KPMG is a consulting firm with a global network of professional firms that provides audit, advisory, and tax services. The contract calls for up to 150 audits of organizations varying in size before December 31, 2012.

McAndrew says the audit program will proceed in three steps: OCR will work with KPMG to develop audit protocols, run an initial round of audits to field-test the program, and, if those test audits go well, launch the full range of onsite audits together with an evaluation process.

OCR awarded Booz Allen Hamilton (the McLean, VA, consultant it originally hired to evaluate and compare different audit methods) a $180,000 contract to identify audit candidates.

HIPAA experts call for BA audits

BAs are involved in 57 of the 292 breaches affecting 500 or more individuals listed on the OCR website as of Thursday afternoon, about 20%. The two largest breaches on the list involve BAs (1,900,000 and 1,700,000 individuals affected; see details at the end of this story).

The website list is required by HITECH and has been live since February of 2010, dating back to breaches that occurred on or after September 22, 2009.

Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY, says she “most definitely would encourage OCR to audit BAs, especially those of high priority/potential risk to the privacy and security of confidential information in that they work with the covered entity’s PHI and confidential information on a regular basis.”

Patrick cites examples such as IT vendors, billing companies, coding companies, accounting firms, and disposal companies (media, shredding, etc.).

Kate Borten, CISM, CISSP, president of The Marblehead Group in Marblehead, MA, says BAs play a “key role” in healthcare and should be looped in to OCR audits.

“Given the key role that many BAs play in healthcare—as well as the vast amount of PHI entrusted to BAs—it is very important that OCR also audit them,” Borten says.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says OCR should audit BAs in the next round and focus on covered entities now.

“In my mind, OCR auditing BAs is like climbing a falling tree: There may be some activity in trying to get somewhere, but at the end of the day, one really hasn’t gained any ground,” Ruelas says. “Historically, BAs have taken their direction from their client covered entities, so by OCR focusing on covered entities, I am confident any BA-related findings will be shared between the covered entity and the BAs it contracts with.”

Top business associate breaches
Per individuals affected, according to the OCR website:

Covered entity: Health Net, Inc. (Shelton, CT)
Date of breach: January 21, 2011
Approx. individuals affected: 1,900,000
Type of breach: Unknown
Location of breached info.: Other

Covered entity: New York City Health & Hospitals Corporation’s North Bronx Healthcare Network (New York, NY)
Date of breach: December 23, 2010
Approx. individuals affected: 1,700,000
Type of breach: Theft
Location of breached info.: Electronic Medical Record, Other

Covered entity: South Shore Hospital (Weymouth, MA)
Date of breach: February 26, 2010
Approx. individuals affected: 800,000
Type of breach: Loss
Location of breached info.: Portable Electronic Device, Electronic Medical Record, Other

Federal regulators are “misguided” in their proposed HIPAA disclosures rule, disregarding what Congress intended through HITECH and failing to balance patient privacy rights with the technological capabilities of providers, the American Hospital Association (AHA) says in a letter released Monday.

The letter, submitted to Kathleen Sebelius, secretary of the Department of Health and Human Services (HHS), calls on the federal regulators to “significantly alter” their approach in the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act.” The proposed rule was published in the Federal Register May 31.

Chiefly, AHA wants the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules under HHS, to withdraw from the rule its new “access report” provision; through the proposed provision, patients can request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.

As the government tries to reduce administrative costs in healthcare—through health reform and new financial incentives to become a “meaningful user” of electronic health records (EHR)—the access report right is a step back, AHA says.

“The proposal … is misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals,” the AHA writes in the letter. “The proposal is based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities.”

AHA’s letter represented its official comment to OCR regarding the proposed rule; the comment period ended Monday. After OCR considers the comments, it is expected to issue a final rule.

Instead, OCR should first seek more information from the industry in order to determine “the needs of patients who seek to understand how their PHI is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so,” AHA writes.

AHA also included the following recommendations for OCR:
  • Clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement, and maintain existing exclusions.
  • Maintain a 60-day response requirement and limit an accounting to three years.
  • Retract its HIPAA Security Rule preamble commentary in order to reflect longstanding department guidance.
  • Extend the access report compliance date and remove the requirement to name employees.
  • Reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate.
  • Make clear that a covered entity is not liable for unsecure transmissions requested by a patient.
  • Provide at least 60 days for the provision of an access report.

Fax to wrong number

If faxed information containing PHI is sent to an incorrect fax number, and it is realized that the wrong entity received the fax, does the unintentional notification need to be recorded on the patient’s disclosure record?

Categories : HIPAA Q&A