Archive for December, 2014

Dec 31

HIPAA Q&A: HIPAA training


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: What is the most common practice for annual HIPAA training (e.g., videos, tests, online training)? I am responsible for training clinical and clerical staff annually. Do you have any recommendations for job-specific HIPAA training?

A: HIPAA doesn’t require a set style of training. At minimum, most industry experts recommend that organizations conduct new employee orientation training (including temporary staff members, students, interns, and volunteers) and annual refresher training for existing staff members. A number of good vendors on the market provide training tools, ranging from PowerPoint presentations to hosted webinars to interactive online training. Whatever your choice, track attendance. Administering a test to gauge knowledge retention is also a good idea.

Several reputable vendors offer role-based training (i.e., training customized specifically for IT staff, nurses, administrators, etc.). Providing that specialized training is wise, especially for employees who are entrusted with a high level of responsibility when it comes to PHI. For example, HIM staff should receive additional training given that these employees are the custodians of patient medical records.

Try to avoid using the same refresher training year after year because the training will no longer sink in after a while. Focus training on certain topic areas such as mobile device security and social media use. These are high-risk areas; the more employees know, the lower the risk of breaches and other adverse events.

Consider other laws that may also be applicable such as the Red Flags Rule, 42 CFR Part 2 (alcohol and chemical dependency) and state privacy and security laws. Few training packages available from vendors include this level of training. If you are subject to other federal and state privacy and security laws, add training material on these subjects to any vendor-provided training you may use.

Training does not need to be complex. Security reminders may be as simple as, “Don’t open the attachment if you don’t know the sender.” It can include articles in staff newsletters, fun posters, pop quizzes, and headlines of breaches that appear in the news. The more training you provide, the greater the staff retention and the lower the risk of noncompliance.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

Midwest Women’s Healthcare Specialists in Kansas City, Missouri, reached a $400,000 settlement agreement with attorneys representing the practice’s 1,532 patients whose PHI was compromised, according to KSHB 41 Action News.

In May 2014, Midwest Women’s Healthcare Specialists improperly disposed of its patients’ medical records in a dumpster outside of Research Medical Center. Midwest Women’s Healthcare Specialists and Research Medical Center are both part of HCA Midwest Health with headquarters in the same location, KSHB 41 Action News reported.

The settlement agreement, which is the result of a class-action lawsuit, must be approved by a judge in January 2015. The practice will provide credit monitoring services for affected patients. The incident is under investigation by the Office for Civil Rights, KSHB 41 Action News reported.

Categories : Breach Notification


Q: My organization conducts research. The research coordinators working on our project are hospital employees. The screening they use identifies candidates that meet study criteria. They do not share information with the research sponsor unless the patient enrolls in the study and completes an informed consent form that details the information that the organization will collect and with whom they will share it. We always include an institutional review board (IRB) waiver of authorization for our studies. Is the work the research coordinators do to find suitable candidates for a study reasonably considered part of operations under HIPAA?

A: Research does not fall under healthcare operations. De-identification of data and the creation of limited data sets do, but that would not necessarily include disclosing potential patient participant information to research coordinators. However, that doesn’t mean research coordinators may not seek candidates for approved research. What it does mean is the research project must be approved by the IRB or privacy board prior to seeking candidates to participate in the research. That all falls under the HIPAA research umbrella, not healthcare operations.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

Clay County Hospital in Flora, Illinois, received an anonymous email on November 2 from someone threatening to release PHI to the public if the hospital did not agree to pay a ransom, according to a press release.

The email contained the stolen PHI that the sender threatened to release. The sender obtained names, addresses, Social Security numbers, and dates of birth of patients treated at Clay County Hospital clinics prior to February 2012, according to the press release.

The hospital launched its own breach investigation, notified law enforcement, and began notifying all affected patients after learning that the PHI of its patients had been compromised. The investigation revealed that the hospital’s servers were not hacked, although the hospital plans to strengthen its security measures by implementing additional logging and auditing systems, according to the press release.

Categories : HIPAA Violations


Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

A: There are no specific HIPAA Privacy Rule requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it’s a good idea to implement safeguards similar to those the HIPAA Security Rule requires. This would include monitoring logs of access to PHI such as logs generated by EHRs and picture archiving and communication systems.

Information system activity review audits are just one of the four audit activities that covered entities (CEs) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information system activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.

CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

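The two log-review checks the answer above recommends (repeated failed logins, and access to PHI systems when staff are off work) can be scripted against an access log. The following is an added example, not code from HCPro or Chris Apgar; it assumes a hypothetical CSV log format (timestamp,user,event,outcome), constructed sample lines, and an assumed per-user work schedule.

```python
# Added example (not HCPro's or Chris Apgar's code): the two log checks the answer
# names, run over constructed sample lines in a hypothetical CSV format.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log lines: timestamp,user,event,outcome (hypothetical format).
SAMPLE_LOG = """\
2014-12-01T08:05:00,nurse_a,login,failure
2014-12-01T08:05:20,nurse_a,login,failure
2014-12-01T08:05:45,nurse_a,login,failure
2014-12-01T08:07:00,nurse_a,login,success
2014-12-01T09:15:00,clerk_b,record_view,success
2014-12-01T23:40:00,clerk_b,record_view,success
2014-12-02T03:00:00,oncall_c,record_view,success
"""

# Assumed work schedules, user -> (start_hour, end_hour); users not listed
# (e.g. on-call staff) carry no off-hours restriction.
SCHEDULES = {"nurse_a": (7, 19), "clerk_b": (8, 17)}

def parse_log(text):
    """Return (datetime, user, event, outcome) tuples from the CSV text."""
    return [(datetime.fromisoformat(ts), user, event, outcome)
            for ts, user, event, outcome in csv.reader(StringIO(text))]

def repeated_failed_logins(rows, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any sliding window."""
    failures = defaultdict(list)
    for ts, user, event, outcome in rows:
        if event == "login" and outcome == "failure":
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide past old failures
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
    return sorted(flagged)

def off_hours_access(rows, schedules=SCHEDULES):
    """Successful PHI record views by scheduled staff outside their hours."""
    return [(user, ts.isoformat()) for ts, user, event, outcome in rows
            if event == "record_view" and outcome == "success"
            and user in schedules
            and not (schedules[user][0] <= ts.hour < schedules[user][1])]
```

On the sample lines, nurse_a is flagged for three failed logins within the window and clerk_b for a record view at 23:40, while oncall_c is not flagged because no schedule is assumed for that user.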