Archive for May, 2014

OCR recently slapped two organizations with the largest monetary penalty for HIPAA violations to date: $4.8 million. New York and Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report to OCR in September 2010 following the unauthorized disclosure of ePHI of 6,800 patients, according to an HHS press release.

NYP and CU are separate covered entities (CE) that are often referred to jointly as New York Presbyterian Hospital/Columbia University Medical Center because many CU faculty members serve as attending physicians at NYP. The two have a shared data network and shared network firewall, according to HHS.

A CU physician accidentally made the ePHI of NYP patients publicly searchable on the internet after deactivating a personally owned computer server on the network, leading to the breach. The OCR investigation revealed that the server lacked appropriate safeguards.

Additionally, NYP and CU failed to take the necessary precautions to ensure the security of the server prior to the breach. Neither CE had recently performed a risk analysis and therefore did not have a risk management plan. NYP lacked necessary database access policies and procedures and did not comply with its information access management policies, according to HHS.

Each CE paid a portion of the total settlement, with NYP paying $3.3 million and CU paying $1.5 million. Each CE agreed to its own corrective action plan (CAP) that highlights the need for performing a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and updating OCR as needed.

View the CAP for NYP.

View the CAP for CU.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: At what point can an organization shred charts that have been completely scanned into its electronic medical record (EMR) system?

A: If your state considers electronic storage media legally acceptable for medical records, you can destroy the paper records as soon as they are scanned into the EMR and reviewed for quality. In this situation, you would define your legal medical record as your EMR and set a reasonable time to hold paper originals after scanning (e.g., 30–60 days). You could destroy paper originals immediately after scanning, but many organizations hold them for a short time before destroying them.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA.

Categories : HIPAA Q&A

Microsoft’s decision to discontinue technical support for users of its Windows® XP operating system could significantly affect information security in healthcare, according to The National Law Review.

Microsoft stopped releasing security updates for Windows XP on April 8, which could make users of this operating system vulnerable to hackers. This does not necessarily mean that covered entities and business associates that use Windows XP are not HIPAA compliant. Organizations that use this operating system should determine whether any ePHI in their systems passes through the operating system and should review current methods for protecting ePHI, according to The National Law Review.

Categories : HIPAA security

A vendor working with the Maryland Developmental Disabilities Administration (DDA) was recently caught in a HIPAA breach after failing to securely mail postcards to recipients of DDA services, according to a press release from the Maryland Department of Health and Mental Hygiene.

The DDA hired Inclusion Research Institute and its subcontractor M. Davis and Company to mail its annual quality-of-life survey to individuals who receive DDA services. M. Davis and Company mailed survey reminder postcards to approximately 2,200 individuals in February. The postcards indicated that DDA selected the recipients to take the survey because they received services from the department.

The healthcare services an individual receives are considered PHI. The postcards were not enclosed in envelopes, thereby disclosing to anyone who viewed them that the intended recipients received services from DDA. Therefore, this constitutes a HIPAA breach, and the vendor is taking steps to notify affected individuals, according to the press release.


Q: I am looking for any information that would help my organization determine how to define a credentials verification organization (CVO) under HIPAA guidelines. A CVO performs healthcare operations for a covered entity (CE) and must be HIPAA compliant, according to HHS. However, a CVO does not seem to fit the definition of healthcare provider, health plan, or clearinghouse.

A: If the CVO is an outside company that is providing services on behalf of your CE and needs access to PHI to do its job, the CVO is considered a business associate (BA) of your organization. You are required to have a BA agreement with the CVO, and it must meet the requirements of a BA agreement. If the CVO has access to provider information but not patient information, it does meet the definition of a BA.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA.

Categories : HIPAA Q&A