Archive for September, 2014

A former employee of Tri-City Medical Center in Oceanside, California, removed ED logs containing the PHI of approximately 6,500 patients from the hospital without authorization on August 8, according to a press release.

The former employee placed the records at the bottom of a cart he used when transporting his personal belongings from the hospital to his vehicle. The hospital used the logs in an onsite regulatory review the day prior to the theft, according to the medical center website. The former employee took the records to the San Diego Office of the California Department of Public Health, which oversees California hospital regulations. Tri-City Medical Center was in contact with the California Department of Public Health following the unauthorized removal of the logs from its premises, according to a breach notification letter sent to affected patients.

The paper logs contained the full names, dates of service, dates of birth, admitting physicians, medical record numbers, diagnoses, and admission dates and times for patients admitted to the hospital or transferred to another facility from December 1, 2013 through May 13, 2014. The hospital alerted law enforcement officials of the incident, according to the press release.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I am employed by an acute care psychiatric hospital. The hospital’s police department will sometimes take photographs of injuries patients have at the time of admission. The photos are not kept with the medical record; they are kept separately with our police department. If a patient asks for a copy of his or her medical record—including the photos—may we release copies of the photos along with the copy of the record? There is some debate about whether a court order is needed for the photos because a standard release signed by the patient is insufficient. Are there any HIPAA rules pertaining to this issue?

A: Under the HIPAA Privacy Rule, individuals have the right to access PHI in a designated record set. Generally, the designated record set includes medical and billing records. If you define your legal medical record to exclude these photographs, you are under no obligation to release them as part of your designated record set. You may release them if you choose, but you have the right to deny the patient access to the photographs if they are not part of your designated record set.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The September 22, 2014 deadline to revise business associate agreements (BAA) may have seemed like a date far into the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is just around the corner as we continue to move along the road toward establishing and maintaining compliance with the HIPAA privacy and security rules.

This date in September is notable because many organizations—both covered entities (CE) and business associates (BA)—find themselves dealing with the need to update or revise their BAAs. CEs were allowed to use existing BAAs for an additional year following the September 23, 2013 omnibus rule compliance date. Essentially, this meant that BAAs in place prior to January 25, 2013, which were not going to expire prior to September 22, 2013, could continue to be used until September 22, 2014. This gave BAs and CEs 18 months to determine what changes were needed to comply with the omnibus rule and then update or revise their BAAs accordingly. Despite the window of opportunity to address the issue of updating BAAs, it seems from my perspective that the majority of activity related to this task began occurring about a month or so before September 22, 2014.

HHS posted a sample BAA on its website on January 25, 2013. In the second paragraph of the introduction, HHS lists 10 items that must be included in the written contract between a CE and its BA. Even though CEs and BAs may have recently updated their BAAs in time for the compliance date, I believe it is worth the time to review these updated agreements and ensure they include the requirements identified in the HIPAA omnibus final rule.

Editor’s note: This post is adapted from an article written by Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, for HCPro’s Briefings on HIPAA (BOH). Look for the complete article in an upcoming issue of BOH. Ruelas is a BOH editorial advisory board member.