Archive for June, 2014

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: If a business associate (BA) commits a breach, should it notify OCR or should the covered entity (CE) do so?

A: CEs are responsible for reporting breaches to OCR. You can delegate the reporting, but you must do so in writing. If your BA fails to report the breach, OCR will call you and not the BA because it’s your regulatory responsibility. Also, the Breach Notification Rule requires BAs to report all breaches of unsecured PHI to CEs. CEs are responsible for completing a four-factor risk assessment to determine what must be reported. This also may be delegated, but it remains CEs’ regulatory obligation.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Join us for a 90-minute webcast about HIPAA auditing at 1 p.m. (Eastern) Tuesday, July 29.

With HIPAA audits slated to resume and OCR monetary settlements steadily increasing, the risk of ending up on OCR’s “wall of shame” is greater than ever. OCR recently hit two covered entities with the largest HIPAA settlement to date: a combined $4.8 million penalty for alleged violations during a joint arrangement.

The first step to ensuring HIPAA compliance is developing an effective risk analysis and management process that identifies gaps, thereby keeping your organization off the government’s radar. Learn strategies for conducting an internal audit of your organization—before the government audits you.

During this program, HIPAA compliance experts Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, and Kathy Perkins-Smerdel, BS, CHC, will explain how to develop a thorough risk analysis process and implement an internal auditing program, offer audit preparation strategies, and identify flaws in privacy and information security programs.

At the conclusion of this program, participants will be able to do the following:

  • Develop an effective, well-documented risk analysis process
  • Prepare for OCR/CMS audits
  • Identify privacy and information security program deficiencies

For more information or to place an order, call 800/650-6787 and mention Source Code EZINEAD or visit the HCPro Healthcare Marketplace.

Categories : HIPAA Compliance

The hits just keep on coming. HHS announced June 23 that OCR entered into a resolution agreement and $800,000 settlement with Parkview Health System, Inc., in Fort Wayne, Indiana, for alleged HIPAA Privacy Rule violations.

Parkview obtained the medical records of 5,000–8,000 patients while helping Dr. Christine Hamilton transition her patients to new providers upon her retirement. It was believed that the health system was interested in purchasing a portion of Dr. Hamilton’s practice. Parkview failed to safeguard the PHI of these patients when its employees left 71 cardboard boxes of these medical records outside the physician’s home while she was not there. The home is within 20 feet of a public road and is near a shopping center, according to the press release.

The resolution agreement provides that Dr. Hamilton filed the complaint against Parkview. The investigation revealed that when Parkview employees left the medical records at Dr. Hamilton’s home, they were aware that she was not there and had previously refused the delivery of the records.

Parkview’s corrective action plan states that it will do the following:

  • Develop, maintain, and revise written HIPAA Privacy Rule policies and procedures for its workforce with HHS approval
  • Distribute HHS-approved policies and procedures to members of its workforce
  • Ensure that new, approved policies and procedures provide for administrative, technical, and physical safeguards to protect PHI
  • Notify HHS in writing within 30 days of a violation of the new, approved policies and procedures
  • Provide general safeguards training for its workforce members who have access to PHI

Q: With the implementation of patient portals, there is concern over accessibility of certain information. My organization does not include minors’ records in its portal, but we are uncertain about whether to include other records. For example, is including incapacitated individuals’ information in the portal acceptable? If so, how do we determine who has access to these patients’ records? Can the portal include information pertaining to mental health, HIV, STDs, etc.? What can/should a CE restrict when storing patient information on a portal?

A: Making information on minors available through a patient portal can be rather complex with the overlay of state minor laws, so excluding the records of minors from your portal is acceptable. Generally, a patient signs up to access a patient portal. You do not need to limit the health information that can be accessed through the portal, even in instances of specially protected classes of information such as an HIV/AIDS diagnosis.

You may or may not know whether a patient is incapacitated. If you are aware that a patient is incapacitated and you receive a request from a personal representative to access the portal, obtaining documentation showing that the personal representative is authorized to access the portal is a good idea. For example, obtain a copy of the power of attorney before granting access.

It’s also a good idea to include a disclaimer stating that if a patient elects to share his or her password with others, the organization is not liable for damages. An organization is responsible for securing its portal, but not for the actions of patients. Be prepared to shut down access if a patient reports unauthorized access to the portal.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

Myth: Security is an IT function

Security involves safeguarding electronic information in various ways and by various means, including policies, processes, education, designation of security officers and managers, dedicating staff and monetary resources to providing technical tools and physical safeguards to protect systems. The Security Rule includes only two standards related to technical security—access controls and audit controls. Most Security Rule standards address administrative safeguards. The rule also includes several physical safeguard and documentation requirements.

IT professionals generally do not receive information security training. Information security is a distinct profession with specific bodies of knowledge and content that address all aspects of protecting an organization’s information assets. Many information security officers (ISOs) do not report to IT. A conflict of interest may exist if an ISO reports to a chief information officer or other individual in an IT department.

Security and IT budgets should be separate. This requires an ISO to develop a security budget, justify proposed expenditures, and develop and communicate metrics to demonstrate the program’s success and activities.

Editor’s note: This article is adapted from The Complete Guide to Healthcare Privacy and Information Security Governance by Phyllis A. Patrick, MBA, FACHE, CHC, published by HCPro, a division of BLR.