
Archive for October, 2013

Using a workplan template and a checklist together can minimize the risk of disclosing PHI during multi-site research, according to an article in BMC Medical Informatics and Decision Making.

The workplan template serves as a guide for programmers involved in multi-site programming to communicate how the program should run, what output the program creates, and whether that output may contain PHI. The checklist ensures the output meets expectations and does not contain unallowable PHI, according to the article.

Conducting healthcare research across multiple sites can often increase the risk of a privacy or security breach, according to the article. The multi-site researchers who wrote the paper concluded that data privacy tools should do the following:

  • Allow for a range of permissible PHI
  • Identify types of data protected by HIPAA
  • Help analysts identify allowable PHI in a project and understand how they can protect that PHI during data transfer

An October 24 U.S. House of Representatives hearing on HealthCare.gov sparked a debate over whether the Obamacare website violates users’ privacy, International Business Times has reported. During the hearing, Rep. Joe Barton, R-Texas, said that source code in the Obamacare website states that users have “no reasonable expectation of privacy about communication or data stored on the system,” the online newspaper reported. However, users of the website cannot view this portion of the source code. Barton alleged that the website violates HIPAA, according to the article.

Rep. Diana DeGette, D-Colo., said during the hearing that HealthCare.gov does not violate HIPAA because the only medical information users enter when using the site is whether they are smokers, International Business Times reported.


Department of Veterans Affairs (VA) employees or contractors were responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 through May 2013, according to a recent Pittsburgh Tribune-Review investigation. The violations affected at least 101,018 veterans and 551 VA employees, the newspaper reported.

Reporters analyzed the VA Risk Management and Incident Response Resolution Team reports, which revealed a history of medical record snooping and the loss of sensitive data such as Social Security numbers. Since 2010, criminal investigators found 11 instances of VA employees stealing veterans’ identities or prescriptions, according to the report.

The newspaper uncovered the following information during its investigation of records from 2010 through May 2013:

  • The VA reported one in every 365 privacy violations to the OIG.
  • Providers violated the privacy of 2,856 veterans by illegally releasing patient information or failing to obtain patient consent for studies.
  • The VA compromised the PHI of 16,183 veterans by failing to encrypt data on electronic media that were lost or stolen.
  • VA employees compromised the PHI of 836 veterans and two VA employees when they lost paperwork in restrooms.
  • VA employees compromised the PHI of 1,118 veterans by faxing medical records to the wrong destinations.
  • The VA provided prescriptions or paperwork of 5,254 veterans to the wrong person. One in five of these incidents resulted in the disclosure of veterans’ birth dates, complete or partial Social Security numbers, or diagnoses.

A California appellate court recently dismissed a class-action lawsuit against the University of California, according to Payers & Providers. Patients filed a lawsuit against the university after a UCLA Health System laptop computer containing the PHI of 16,000 patients was stolen from a physician’s home. The laptop computer was encrypted, but thieves also stole an index card that listed the password, Payers & Providers reported.

The court ruled that providers should not be liable for stolen medical records unless a third party accesses the records, Payers & Providers reported. There was no evidence that the thieves or anyone else accessed the records on the stolen laptop, according to the report.

Read the ruling.


Last week, we discussed threats that unencrypted laptops can pose to PHI, especially when those laptops are lost or stolen. This week, we take a look at mobile device security.

If you use your smartphone for business purposes, but are concerned about privacy and security, check out Lookout, Inc. The San Francisco company created apps that aim to protect the mobile data of individuals who use their smartphones for business purposes. The company’s apps were the subject of a recent article in The New York Times.

Nearly half of organizations with a “bring your own device” (BYOD) policy have experienced a breach, the newspaper reported. The personal version of the Lookout app blocks malicious websites, scans all other apps, and protects against malware, according to Lookout’s website. The app also allows users to determine which other apps access their personal data. It includes features for wiping data and preventing phishing. If a person attempts to log in to someone else’s smartphone but fails to guess the password, Lookout emails the smartphone owner a photograph of the alleged thief. The business version of this app helps organizations manage and secure employees’ mobile devices, the newspaper reported.
