Archive for October, 2011
HCPro is conducting a benchmarking survey on HIPAA compliance efforts, and we would appreciate your input. Please take a few moments to complete this survey.
Note: Please only participate in the survey if you are an HIM staff member, compliance professional, or a HIPAA privacy or security officer. If you are not, or do not hold a closely-related position, please forward the survey to one of your HIM colleagues.
The survey should take less than 5 minutes to complete. We appreciate your time!
The link below will take you to the survey's Web site; simply click on the link to answer the survey questions online. If the click-through does not work, please cut and paste the URL into the address bar of your browser.
Here's the link to the survey: www.zoomerang.com/Survey/WEB22DGNKXLCGW
Thank you for your time and assistance.
Andrea Kraynak, CPC
Senior Managing Editor
Medical Records Briefing
The number of large breaches reported to OCR continues to climb.
Close to 360 entities have reported breaches of unsecured PHI affecting 500 or more individuals, a spike of about one per day over the last month. As late as September 23, the number stood at 330. It is 358 as of Oct. 28.
OCR began posting entities reporting the large breaches in February 2010, capturing breaches dating back to September 2009.
OCR has averaged about 18 entities per month on its list over the 20 months the website has been live.
Thousands of medical records were found along the side of a road in Detroit on October 18, according to the Detroit Local 4 news station. The records contained the names, addresses, and Social Security numbers of patients previously treated at the now-closed Carpenter Health Center, previously located in Ann Arbor.
The records were placed in a storage facility and, to his knowledge, should still have been there, according to Irwin Lutwin, MD, whose picture was found among the files and who worked at the health center. The files are now in the custody of the city.
This is not the first time medical records have been retrieved from Detroit streets this year; in March, the personal medical records of hundreds of patients from a now-closed adult foster care facility were also found.
Read more on the Detroit Local 4 website
For those who may remember, I commented when the TRICARE breach started hitting the cyber airwaves that there would be more fallout after the breach’s announcement; further, TRICARE, in its breach response, did not offer anything more than information on how those affected could monitor credit reports and place an FTC fraud alert.
I am guessing that following this lawsuit filing…it is only a matter of time before politicians start getting involved.
Q. Our facility is a continuing care retirement community. Most residents get medications through a local pharmacy, and we have a HIPAA business affiliate agreement with that pharmacy.
Recently the pharmacy sent an independent resident a bill and a copy of the bill to her daughter. The resident was upset because she felt there was no reason for her daughter to be involved and, further, wants to know why we even provide her daughter’s name and address to the pharmacy. In principle we think she is correct, but did we actually violate HIPAA?
A. Your facility and the pharmacy violated HIPAA. Sharing the daughter's contact information with the pharmacy violates the minimum necessary standard defined in the HIPAA Privacy Rule. The resident provided the emergency contact information for your organization's use, not the pharmacy's.
The pharmacy is not a BA even though you have a BA contract with it. The pharmacy may dispense medication for your residents, but it is acting as a CE. The pharmacy violated the Privacy Rule by sharing the resident's PHI with an unauthorized individual. The pharmacy is also responsible for adhering to the requirements of the interim final breach notification rule. The unauthorized disclosure is a breach and is likely reportable.
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning.