Archive for September, 2012


Who’s gonna be No. 500?


OCR, the HIPAA privacy and security enforcer, has reported 498 patient-information breaches affecting 500 or more individuals.

OCR added the breaches to its breach notification website. The total number of breach reports of this kind reached 477 as of early August.

OCR began posting the breaches per HITECH in February 2010. In two years and about seven months, OCR has reported an average of about 16 breaches per month, or one every other day. The breaches date back to September 2009 but began appearing online in February 2010.



Categories : Breach Notification

United States attorneys have determined that HHS Secretary Kathleen Sebelius violated a federal act that prohibits federal employees from using their official authority or influence to affect the outcome of an election.

The U.S. Office of Special Counsel (OSC) concluded that Sebelius, whose department enforces the HIPAA privacy and security rules, violated the Hatch Act when she made “extemporaneous political remarks” advocating for the reelection of President Barack Obama in a speech delivered in her official HHS capacity February 25.

Sebelius, sworn into HHS in 2009, spoke at a Human Rights Campaign (HRC) Gala in Charlotte, N.C., according to an OSC report sent to the President. The HRC is a private, nonprofit civil rights organization that works to achieve equality for lesbian, gay, bisexual, and transgender (LGBT) Americans, and Sebelius was invited to deliver a keynote address in her official HHS capacity, OSC reports.

According to the OSC, Sebelius outlined some initiatives from HHS, but then “departed from her prepared outline” through the following statements:

“This Administration is committed to keep working with you but I have to tell you, we have just begun, and a lot of what I have just explained could be wiped out in a heartbeat. So as Joe just said, one of the imperatives is to make sure that we not only come together here in Charlotte to present the nomination to the President, but we make sure that in November he continues to be President for another four years because this effort has just begun. I know there is an important election in early May here in North Carolina, and I think that it’s a great template to do what needs to be done to organize people and turn out people for November. North Carolina is hugely important in this next election, it’s hugely important to defeat Amendment One on the ballot in May, and it’s hugely important to make sure that we reelect the President and elect a Democratic governor here in North Carolina.”

She also recognized North Carolina Lieutenant Governor Walter Dalton, saying he “needs to be the next Governor of North Carolina.”

After the Secretary made the partisan remarks during her keynote speech, HHS reclassified the HRC event as political and reimbursed the government for any related travel expenses.

“The Secretary attended the Human Rights Campaign dinner in Charlotte to highlight the work of the U.S. Department of Health & Human Services on LGBT issues,” HHS reported, according to the OSC. “The trip included political components, and so the federal government will not be paying for it.”

In a September 7 letter to the OSC, Sebelius said she feels there should be no violation because of the reclassification of the event as political. She added that keeping her roles straight “can be a difficult task, particularly on mixed trips that involved both campaign and official stops on the same day.”

But the U.S. attorneys did not accept the reclassification-after-the-fact argument from Sebelius.

While the Hatch Act prohibits most employees from engaging in political activity while on duty, some employees appointed by the President with the consent of the Senate may do so.

“However,” the OSC report says, “they must do so in their personal capacities, and the costs associated with their political activity must not be paid with money derived from the United States Treasury. HHS for this event in February sought and received reimbursement from the appropriate political entities for the travel-related costs of the Secretary’s appearance.”

Sebelius, in an interview with OSC during its investigation, said she “went off script” during her speech in Charlotte and described her references to President Obama’s reelection as “a mistake.” She stated that she “got a little caught up in the notion that the gains which had been made would clearly not continue without the President’s reelection.”

“I . . . regret the fact that I clearly made a mistake,” the HHS Secretary told OSC investigators. “I was not intending to use an official capacity to do a political event. I think it veered into political space at an official event, and I regret that it occurred.”

Congress has determined that violations of the Hatch Act be referred to the President for “appropriate action.”

OSC report to President Obama

HHS Secretary Sebelius response

Categories : HHS, HIPAA privacy

The state of Kentucky is notifying clients of a potential breach of information related to e-mail, according to an announcement on the state department’s website.

The Cabinet for Health and Family Services September 18 posted a notice stating that approximately 2,500 clients’ information may have been unintentionally released because of an employee email account breach. The information was held by the Cabinet’s Department for Community Based Services (DCBS).

In July, according to the statement, a DCBS employee responded to a “phishing” e-mail sent by a hacker.

“Unauthorized activity on the account was identified within a half hour and the account was immediately disabled,” according to the statement. “While there is no evidence that the confidential contents of the e-mail account were accessed or viewed, the hacker did have access to the e-mail account for a brief period. Data about the individuals being notified was included in the National Youth Transition Database monitoring those in the process of or who have recently aged out of the foster care system.”

Rodney Murphy, executive director of the Office of Administrative and Technology Services for Kentucky, said “in all likelihood,” the hacker wanted to send spam e-mails across state government and “did not access or view client information.”

The Cabinet for Health and Family Services is home to most of the state’s human services and health care programs, including Medicaid, the Department for Community Based Services and the Department for Public Health.


The University of Miami Health System fired two University of Miami Hospital employees who it says inappropriately accessed patient information from registration “face sheets” and potentially sold the information to a third party, according to an announcement on the company’s website.

The health system reported it has no indication medical records are at risk. The hospital’s “face sheets” include name, address, date of birth, insurance policy numbers and a reason for the visit. The hospital noted that some Social Security numbers for patient records only include the last four digits, but some health insurance plans, like Medicare and Medicaid, continue to use Social Security numbers as policy numbers.

The face sheets do not include patient information like test results or other patient care or financial information, the health system reported.

Law enforcement notified the health system of the potential inappropriate access July 18, and the hospital didn’t announce the news until early this month.

“Law enforcement officials insisted that we delay a public announcement to avoid impeding their criminal investigation,” according to the website statement. “As soon as law enforcement authorized us to proceed, we began the notification process.”

The two employees admitted improper conduct. Law enforcement’s investigation remains ongoing.

“We are reviewing our practices to determine if additional steps are necessary to avoid such incidents in the future,” according to the statement.

All patients who may have been affected will receive an individual notification letter, including information about credit monitoring services.



Elvis’ medical records — still PHI?


I was watching “Pawn Stars” on the History channel when a customer came in with medical records for Elvis during his residency in Vegas in the 1970s.

The TV show freely showed close-ups of his EKG with readings and doctor’s notes with his blood pressure reading and pulse. This customer wanted to sell them to the pawn shop.

When asked where he obtained them, the customer said someone was throwing out old records from a Vegas clinic and thought to keep them as a keepsake because they were Elvis’ records. He bought them from this person. The pawn shop declined to purchase them due to unknown value of these items.

I was very shocked by this. Is this compliant with HIPAA laws? How could the TV program broadcast a copy with results on television for the whole world to see? No matter how old records may be, are they still protected by these laws?

Vicki Scott

Categories : HIPAA Q&A