
Archive for February, 2012

Q: Can a skilled nursing facility (SNF) display residents’ names and pictures on a plaque outside their doors?

A. Residents’ names and pictures can be displayed outside their doors only if the SNF obtains authorization from residents. If a resident is not capable of authorizing the display of his or her name and picture, the SNF would need to seek authorization from a personal representative of the resident.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question.


Q. What is the responsibility of the pharmacist if he or she dispenses a prescription for a minor for treatment of a sexually transmitted disease (STD) and the minor’s parent asks about the prescription?

A. This will often depend on state law. Many state laws protect certain classes of minor health information, and the treatment of STDs is often one of them. Remember that if state law does not specifically allow or require the release of the minor’s PHI to the parent or guardian, HIPAA requires that PHI be treated as if the minor were an adult.

Also, if the minor has reached the age of informed consent pursuant to state law, the minor must be treated as an adult in regard to the treatment he or she has consented to—unless state law specifically allows or requires the covered entity to provide the parent or guardian access to the minor’s PHI (45 CFR 164.502[g][3]).

If no state law mandate allows release of a minor’s PHI and the minor has reached the age of informed consent, the covered entity may answer a parent’s question about a minor’s health condition.

This means the covered entity may also elect not to release the PHI to the parent or guardian. Carefully review state law as it applies to the release of a minor’s health information to a parent or guardian.

State law can be complex, and the HIPAA Privacy Rule can be confusing. It is a good idea to seek legal advice before adopting practices relating to the release of a minor’s PHI without the minor’s authorization.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question.



Privacy and security officers should watch one particular trend -- the growing number of hospital residency programs that are now equipping their physicians with mobile devices such as Apple iPads®.

For example, in July 2011, the anesthesiology residency program at Mount Sinai School of Medicine in New York City decided to purchase Apple iPads® for its 100 residents and fellows.

Adam I. Levine, MD, program director, got the idea to purchase tablet computers after some residents began using their own personal iPads on the job. After discussions about their use of mobile devices, he decided all of the residents and fellows could benefit from having an iPad.

“Residents were reporting that the iPad was becoming more useful to them the longer they used it. They told me it was almost to the point where they felt, ‘I can’t do without it,’” he says.

Editor’s note: This is an excerpt from the March 2012 edition of the HCPro, Inc. 12-page print newsletter, Briefings on HIPAA.


Q: Our healthcare facility is requiring employees to get the flu shot or they will have to wear a mask when within 6 feet of patients. Is this not a violation of employee or patient privacy?

A. The Privacy Rule only protects the privacy of patients, not employees. Requiring non-vaccinated employees to wear a respiratory mask to protect the health of patients does not violate the patient’s privacy and may prevent the spread of infection.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of HIM at Scott & White Healthcare in Temple, TX, answered this question in the February issue of Briefings on HIPAA. Brandt is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations.

CMS' Office of E-Health Standards and Services (OESS) has announced a 90-day period of "enforcement discretion" for compliance with the 5010 HIPAA transaction standards, but leading professional organizations say that is not enough, according to a February 6 HealthLeaders Media article.

Expressing serious concerns about the ability of physician practices and payers to make the conversion to the 5010 electronic transaction standards and ICD-10 (a new code set for medical diagnoses) in time, both MGMA and the AMA are calling for change. The two agencies say that the government needs to form a comprehensive contingency plan permitting health plans to adjudicate claims that may not have all the required data content; or the government needs to call an outright halt to the transition.

CMS has extended the 5010 compliance deadline to March 31, 2012. OESS announced that it is delaying compliance enforcement in order to allow more physician practices the opportunity to implement the new billing coding standard without incurring penalties. The 90-day delay did not affect the implementation date for the coding systems, which took effect January 1, 2012 (January 1, 2013, for small health plans).

Read more on the HealthLeaders Media website.
