Archive for May, 2014

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q. I realize that when determining whether a breach is reportable, an organization must determine whether the ePHI was secure. However, if a covered entity or business associate uses encryption to secure ePHI contained in zipped encrypted archives that are then sent via email, must the method of encryption be Federal Information Processing Standard compliant to obtain safe harbor?

A. If the zip file is encrypted at the level set by the National Institute of Standards and Technology (NIST) and the password for unencrypting the zip file is not sent in the same email, it falls within the NIST safe harbor. Generally if a file is encrypted at 128 bits, it meets the safe harbor standard. Ensuring that the file compression software used meets the NIST standard is a good idea. If the software does not meet this standard, it may lead to a reportable breach.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
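The answer above turns on whether the archive really was encrypted with AES rather than the older PKWARE "traditional" zip encryption (ZipCrypto), which is known to be weak. That is visible without decrypting anything: an entry's encryption scheme and AES key size are recorded in the zip central directory, using the extra-field layout the WinZip AES extension defines (compression method 99 plus a 0x9901 "AE" extra field whose strength byte is 1, 2 or 3 for 128, 192 or 256-bit keys). The following Python script is an added example, not code from the original post or from the answer's author. It builds a small archive fixture by hand, because the standard library cannot write AES or ZipCrypto entries, and the payload bytes in that fixture are constructed placeholders rather than real ciphertext; the audit only reads the central directory. The threshold name `min_bits` and its default of 128 are this example's assumptions.

```python
import io
import struct
import zipfile
import zlib

# WinZip's AES extension marks an entry with compression method 99 and a
# 0x9901 extra field (vendor "AE") whose strength byte encodes the key size.
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def parse_extra(extra):
    """Yield (header_id, data) pairs from a zip extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify_entry(info):
    """Return (scheme, key_bits) for a ZipInfo: 'none', 'zipcrypto' or 'aes'."""
    if not info.flag_bits & 0x1:            # general-purpose bit 0 = encrypted
        return "none", None
    for hid, data in parse_extra(info.extra):
        if hid == AES_EXTRA_ID and len(data) >= 7:
            _vendor_version, vendor, strength, _method = struct.unpack("<H2sBH", data[:7])
            if vendor == b"AE":
                return "aes", AES_STRENGTH_BITS.get(strength)
    return "zipcrypto", None                 # encrypted, but PKWARE traditional


def audit_zip(data, min_bits=128):
    """Map each entry name to (scheme, key_bits, acceptable) using only the central directory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            scheme, bits = classify_entry(info)
            acceptable = scheme == "aes" and bits is not None and bits >= min_bits
            report[info.filename] = (scheme, bits, acceptable)
    return report


def build_zip(entries):
    """Assemble a minimal archive from (name, payload, flag_bits, method, extra) tuples.
    Constructed fixture: the audit never opens the entries, so payloads are opaque bytes."""
    local, central = bytearray(), bytearray()
    for name, payload, flags, method, extra in entries:
        name_b = name.encode()
        crc = zlib.crc32(payload)
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0, 0x21,
                             crc, len(payload), len(payload), len(name_b), len(extra))
        local += name_b + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method,
                               0, 0x21, crc, len(payload), len(payload), len(name_b),
                               len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def aes_extra(strength):
    """0x9901 extra field: vendor version 2 (AE-2), vendor 'AE', strength, real method 8."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)


# Constructed sample: one clear entry, one ZipCrypto entry, two AES entries.
SAMPLE_ARCHIVE = build_zip([
    ("clear.txt",  b"placeholder", 0x0, 0, b""),
    ("legacy.txt", b"placeholder", 0x1, 0, b""),
    ("aes128.txt", b"placeholder", 0x1, AES_METHOD, aes_extra(1)),
    ("aes256.txt", b"placeholder", 0x1, AES_METHOD, aes_extra(3)),
])

if __name__ == "__main__":
    for name, (scheme, bits, ok) in audit_zip(SAMPLE_ARCHIVE).items():
        print(f"{name:12} {scheme:10} {bits or '-':>4}  {'OK' if ok else 'REJECT'}")
```

Run against a real archive with `audit_zip(open(path, "rb").read())`. Two limits matter in practice: the check reports what the compression tool wrote into the archive, not whether that tool's AES implementation carries a FIPS 140 validation certificate (that is a property of the vendor's module, not of the file), and it says nothing about password strength or about whether the password travelled in the same email, which the answer above treats as the other condition for safe harbor.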

May 22

HIPAA Q&A: Disposing of PHI

Q: I am concerned about whether my coworkers are properly disposing of paper documents that contain PHI. If data is shredded, is it acceptable for an organization to dispose of it in a dumpster? If not, can we hire a business associate to dispose of papers that contain PHI?

A: Shredding is appropriate if it is done with a cross-cut shredder. It may be hard to believe, but other types of shredders allow for putting the paper back together.

Remember, anything that contains PHI (e.g., electronic media, prescription bottles, IV bags, copy machine drums, and printers) must be disposed of confidentially. Most organizations I have worked for hired business associates who come on-site to shred or burn information containing PHI. It is an investment that is well worth it, because OCR has imposed some significant fines upon organizations that left paper containing PHI in publicly accessible trash.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

A UMass Memorial Medical Center (UMMMC) internal investigation revealed that an employee gained unauthorized access to PHI over the course of as many as 12 years, according to a UMMMC statement. 

The employee no longer works at UMMMC, but had access to patient accounts that included patient names, dates of birth, Social Security numbers, and addresses from May 6, 2002, through March 4, 2014. UMMMC discovered the breach March 6, 2014, and suspects the former employee may have used the patient information to open credit card or cell phone accounts, according to the statement.

UMMMC plans to enhance its safeguards and reinforce employee training to decrease the likelihood that incidents such as this one will happen in the future, according to the statement.

Q: I recently overheard a telephone call between a coworker who is a nurse practitioner (NP) and a patient’s husband who was requesting details about the patient’s care. At first, the NP said she could not disclose any information because the husband was not listed as an authorized person on the HIPAA forms. However, she eventually relented and read several visit summaries to the patient’s husband. Is this a HIPAA violation? Am I obligated to report what I overheard?

A: HIPAA does not prohibit sharing information with family members and even friends who are involved in the care of a patient, assuming that the practitioner believes it is in the patient’s best interest to do so.

The information shared should be the minimum necessary to permit the family member or friend to provide needed care or to navigate payment issues. If possible, you should always confirm that the patient wants particular individuals involved. Because of the level of domestic violence and disruption in society, a provider should not assume that a spouse has automatic rights to information. However, if the provider knows the situation and believes sharing information is in the patient’s best interest, it is within his or her purview to do so.

Determining whether it was appropriate to disclose the visit summaries would depend on the situation and whether the patient was able to consent to giving them to her husband. If the patient was unable to consent, the provider needs to consider whether the husband is also a caregiver and needs the information to provide proper care.

As for reporting this type of situation, all staff should raise issues they witness. While the patient’s information may have been properly shared in this instance, bringing the matter to the attention of your privacy officer will allow for a more in-depth investigation and corrective actions/education that may be needed.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

OCR recently dismissed a complaint that Walgreens’ “Well Experience” model violates the HIPAA Privacy and Security Rules, according to a letter from OCR.

In November 2013, HIPAA Update reported that a Change to Win (CtW) Retail Initiatives study revealed that Walgreens’ “Well Experience” posed a risk to patient privacy and medication security. In an effort to make pharmacists more accessible, the “Well Experience” model places them at a desk in front of the pharmacy counter.

Through its investigation, OCR concluded that Walgreens did not lack overall safeguards to prevent impermissible disclosures of PHI. However, OCR provided Walgreens with technical assistance to ensure future compliance with the HIPAA Privacy Rule. OCR also recommended additional training for employees at certain Walgreens locations, according to the letter.
