
Archive for January, 2015

January 16, 2015

HIPAA Q&A: Employee snooping

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Is it considered a breach if an employee of an organization views his or her own records or the records of their family members (containing full name, Social Security number, diagnosis, medications, etc.) without a legitimate business need?

A: Accessing the records of family members without a legitimate business need may well be a breach, but a staff member accessing his or her own records may not be. If there is no legitimate reason for accessing family member records, that would be a breach of unsecure PHI.

A number of CEs have implemented policies requiring employees to access their own medical records in the same way as all other patients—by submitting a written request and having the record copied or setting up a time for the employee to view his or her own record. Having an employee view his or her own record is not a breach of unsecure PHI. However, it may be a violation of the CE’s policy and result in sanctions.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

January 9, 2015

HIPAA Q&A: Misdirected faxes



Q: The organization I work for often receives misdirected reports by mail or fax. Most of the reports contain the PHI of patients of national pharmacies or patients whom our facility does not see. Often, the reports are addressed to providers who no longer work for the facility. Does HIPAA require us to protect the PHI of these individuals although they are not our patients? Should we secure these misdirected reports?

A: If you receive documents that include the PHI of those who are not your patients, consider contacting the sender and informing the organization that the misdirected reports represent a breach of unsecure PHI. The sender’s organization has an obligation to follow the HIPAA Breach Notification Rule, conduct a four-factor risk assessment, and determine whether notification is required. Securely destroy the misrouted information after notifying the sender; no further retention is required.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


Northwestern Memorial Healthcare in Chicago recently notified 2,800 patients of a breach that occurred when a password-protected, unencrypted laptop was stolen from an employee’s vehicle, according to a notice on the health system’s website.

The laptop may have contained the following patient information:

  • Names
  • Addresses
  • Dates of birth
  • Health insurance information
  • Billing codes
  • Dates of service
  • Physicians’ names
  • Medical record numbers
  • Diagnoses
  • Treatment information

In some instances, patients’ Social Security numbers may also have been listed. The health system learned of the theft on the date it occurred, October 21, 2014, and began sending letters to affected patients on December 19, 2014.

The employee who had been in possession of the laptop contacted law enforcement officials after learning of the theft. The health system subsequently began its own investigation, according to the notice.