
Archive for September, 2013

Pennsylvania State University suspended part of its employee wellness program amidst objections from faculty members, according to a September 18 article in The New York Times.

The program, titled “Take Care of your Health,” sparked a debate among faculty members who claimed it was an invasion of their privacy, according to a September 14 article in The New York Times. The university originally planned to impose a $100 monthly surcharge on employees and their spouse or same-sex domestic partner (SSDP) who refused to participate in the program, The New York Times reported. The university suspended the surcharge September 18, according to the “Take Care of your Health” website.

The program requires nonunion Penn State employees and their spouse or SSDP to schedule annual physical exams with a physician and complete a WebMD wellness profile, according to the program website. The WebMD form asks employees about their jobs, marital status, finances, and plans for pregnancy, The New York Times reported. The program also requires employees to complete a biometric screening with a full lipid profile, according to the program website. The university designed the program to provide its employees and their spouse or SSDP with information about their health risks and resources for treating and maintaining their health, the program website said.


Categories : Uncategorized
Comments (0)

On September 19, the Office for Civil Rights (OCR) released guidance on the refill reminder exception included in the HIPAA Privacy Rule. Refill reminders are excluded from the definition of marketing under the privacy rule “provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication,” according to OCR.

The guidance provides insight on the following questions associated with the refill reminder exception:

  • Is the communication about a currently prescribed drug or biologic?
  • Does the communication involve financial remuneration, and if so, is it reasonable?

OCR posted frequently asked questions about the refill reminder exception as part of the guidance.

Categories : HHS, HIPAA privacy, OCR
Comments (0)

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) recently teamed up to develop model notices of privacy practices (NPP) for healthcare providers and plans. The models are available on the U.S. Department of Health and Human Services (HHS) website.

The NPP models reflect regulatory changes brought on by the HIPAA Omnibus Rule and should aid covered entities (CE) in complying with the requirements of the rule, according to OCR and ONC. CEs simply enter their information into the models and print or electronically post them.

The complimentary model NPPs are available to plans and providers in the following formats:

  • Booklet
  • Layered with a page-one summary and full content on subsequent pages
  • Full-page presentation with booklet design elements
  • Text only

The HHS website also includes questions and instructions for entering your information into each of the models.

Learn more about NPP requirements under HIPAA.

Comments (1)

On September 19, the Office for Civil Rights (OCR) announced it would delay the enforcement of the HIPAA Omnibus Rule requirement that certain laboratories must revise their notices of privacy practices (NPP) by September 23. The delay exception applies to CLIA-certified and CLIA-exempt HIPAA-covered laboratories “that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B),” according to OCR. Laboratories operating as part of a larger entity are exempt from the delay exception.

CLIA-certified and CLIA-exempt laboratories originally needed to revise their NPPs first by September 23 to comply with the HIPAA Omnibus Rule and again by “the impending issuance of any CLIA-related amendment to the individual access requirements under § 164.524 of the Privacy Rule,” according to OCR. The delay exception should lessen the burden and expenses associated with two NPP updates, OCR stated.

OCR will not take enforcement action or impose civil money penalties against these laboratories that do not have a revised NPP by September 23. OCR will release a notice at least 30 days prior to the end of the enforcement delay.

Categories : HIPAA News, OCR
Comments (1)

Patients often withhold health information from their healthcare providers because of privacy and security concerns, according to a study published in the Journal of American Medical Informatics Association.

The study examined the way Americans perceive the security of their PHI. Data from the first cycle of the fourth wave of the National Cancer Institute’s Health Information National Trends Survey was used to analyze concerns about PHI breaches. Approximately 12% of respondents said they withheld information from their healthcare providers because of security concerns.

The authors of the study said the findings highlight “the need for enhanced measures to secure patients’ PHI to avoid undermining their trust.”

Comments (0)