Archive for August, 2013

The U.S. Department of Health and Human Services (HHS) and Affinity Health Plan, Inc., entered into a $1,215,780 settlement and corrective action plan over potential HIPAA violations, according to an August 14 HHS press release.

Affinity, a managed care company based in New York, filed a breach report with the HHS Office for Civil Rights (OCR) April 15, 2010. The report stated that a CBS Evening News representative notified Affinity that CBS purchased a photocopier that was once leased by the managed care company and PHI was found on the copier’s hard drive, according to the press release.

Approximately 344,579 people were impacted by the breach, based on an estimate by Affinity. OCR’s investigation revealed that Affinity impermissibly disclosed PHI by failing to erase patient information from hard drives of multiple photocopiers prior to returning the machines to the leasing company. OCR also found that Affinity neglected to include electronic PHI (ePHI) in its risk analysis, which is required under the HIPAA Security Rule, and failed to implement appropriate policies and procedures for returning the machines to the leasing agent, according to HHS.

An OCR corrective action plan requires Affinity to make an effort to retrieve all hard drives from leased photocopiers and take measures to safeguard ePHI, according to HHS.

Rocky Mountain Spine Clinic in Lone Tree, Colo., recently notified 532 patients of a HIPAA data breach, The Denver Post reported. A former billing department employee created a document containing PHI including patient names, third-party payer information, and surgical procedures. She sent the document to her personal email address with the intention of working at home, the newspaper reported.

A forensic specialist examined the employee’s personal computer and email account and determined that the document had been deleted. The employee was terminated, but no charges were filed, Joanna Smith, the clinic’s privacy officer, told the newspaper.

Health data breaches are becoming more targeted and malicious, according to a report by data security firm ID Experts. The firm examined some of the largest breaches that occurred during the past decade and spoke with data security experts.

The target of these breaches has moved from personally identifiable information to PHI because it is easily obtained, according to an analysis of the report by Rick Kam, CIPP, founder and president of ID Experts. Healthcare data can be sold for $50 per record on the black market. This data is vulnerable not only because of its value but because of the increasing complexity involved in securing it. The frequency, severity, and impact of data breaches will become worse over time, according to ID Experts.

The number of annual identity theft victims has more than doubled over the last decade, from 5 million in 2003 to 12.5 million in 2012, the report revealed. The majority (94%) of healthcare organizations surveyed by the firm experienced a breach in the past two years. The use of unsecured mobile devices, cloud computing, and electronic health records can increase the likelihood of a data breach.

The Workgroup for Electronic Data Interchange (WEDI) and ASC X12 announced the release of their brief “ICD-10 Impact to HIPAA Transactions” August 7.

“[I]t is imperative to assure that ICD-10-CM and ICD-10-PCS codes are accurately passed from providers through to payers within the transactions required under HIPAA to exchange diagnosis and procedure information,” WEDI said on its website. The brief details these transactions and the placement of ICD-10 codes within them.

WEDI and ASC X12 developed the brief to help organizations and industry leaders determine where to focus their efforts with respect to transaction testing so they can make any necessary changes before testing and implementing ICD-10. The brief lists six transactions under the HIPAA Transactions and Code Sets Final Rule that will be affected by the implementation of ICD-10 and three transactions that will not be affected.

Download the brief from the WEDI website.

Savance Health’s patient check-in kiosks have helped Children’s Hospital of Central California (CHCC) avoid up to $50,000 per incident in HIPAA violation fees, according to a press release from the software solutions company. The touch-screen kiosks eliminate the need for paper sign-in sheets, which reduces the likelihood that PHI can be misplaced or viewed by the wrong person, according to Savance Health. The company said that its secure kiosks also ensure that patient data is accurate. To sign in using the kiosk, patients scan their driver’s license or enter their information manually.

CHCC has also implemented Savance Health’s family and waiting room displays, and patient tracking and flow software. All of the software is HIPAA-compliant, according to the release.