Archive for April, 2012
A laptop stolen from a nurse practitioner in Georgia may compromise the personal information of more than 500 patients, according to a March 15 announcement by Georgia Health Sciences University on its website.
The nurse practitioner works at several sickle cell clinics in Georgia, including the Georgia Health Sciences Adult Sickle Cell Clinic. Someone stole the laptop from her home January 18.
Though the records contained on the laptop include names, dates of birth, diagnosis information, and an internal code associated with patients’ lab tests, none of the records included Social Security numbers, financial information, or addresses.
A spokesperson from Georgia Health Sciences University expressed regret at the theft and noted that the organization attempted to personally notify patients of the incident.
Q. During a recent webinar, a presenter indicated disclosure of PHI to business associates needed to be included in the disclosure accounting log. Aren’t disclosures of PHI to business associates considered disclosure for healthcare operations purposes?
A. The disclosure of PHI to a business associate does not need to be included in the disclosure accounting log as long as the disclosure is related to treatment, payment, and healthcare operations. Disclosures of PHI to a business associate are not necessarily classified as disclosures only for healthcare operations. As an example, if a health plan discloses PHI to a third-party administrator, the disclosure would likely be for payment purposes. However, a valid business associate contract or other written arrangement (government entities) needs to be executed before any PHI is disclosed to business associates.
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Q. When is Adult Protective Services (APS) entitled to copies of a patient’s medical record without a signed authorization?
An adult patient was transferred from a hospital to our skilled nursing facility for long-term care. Prior to transfer, the hospital social worker called APS with a concern that family members were neglecting the patient and using the patient’s money for their own benefit. APS then came to our facility asking to review the patient’s medical record.
A. APS and Child Protective Services have authority under state law to obtain the information they need to investigate cases under their jurisdiction. Because APS has an open investigation in this case, the caseworker has legal authority to review the patient’s medical record or obtain copies without authorization from the patient or the patient’s legal representative.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.
- Updates on HHS health information privacy and security initiatives
- OCR’s enforcement of health information privacy and security activities
- Integrating security safeguards into health IT
- Safeguards to secure mobile devices
- Removing sensitive data from the Internet
HIPAA in 2011. Those 365 days were more about bad headlines for organizations:
- Cignet Health fined $4.3 million in OCR’s first civil money penalty
- UCLA Health System pays $865,000 to settle HIPAA violation claims
- Massachusetts General Hospital agrees to pay $1 million for HIPAA breach
The headlines just kept coming.
In 2012, we want to keep the headlines going, but this year we want to make more positive ones. HCPro, Inc., which publishes HIPAA Weekly Advisor and the 12-page print newsletter Briefings on HIPAA, wants to hear the good things that happen in the world of HIPAA compliance in 2012. We want to share your stories.
Have a good headline from your organization? Decreased your HIPAA breaches? Implemented a successful training program? Let us know, and you and your organization could possibly be featured in one of our publications.
Please share your stories with senior managing editor Dom Nicastro.