Archive for February, 2015


HIPAA Q&A: Audit logs


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: As part of the audit control policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?

A: The short answer is yes. Covered entities (CE) need to maintain audit log reports for six years. If an external vendor is conducting the log review on behalf of a CE or an upstream business associate (BA), the CE or BA needs to request copies from the vendor or needs to ensure the contract with the vendor includes a requirement that log reports are retained for a minimum of six years.

Periodic review of the reports the vendor generates is another good idea. This extra due diligence ensures the vendor’s assessment of an actionable incident is on the mark.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

The Office for Civil Rights (OCR) recently adopted a wizard format on its breach notification portal to allow for expanded functionality, according to The National Law Review.

The new version of the portal uses a wizard to guide users through a multistep process, whereas the previous version allowed users to enter responses to mandatory and optional fields on a single webpage. The steps are modified as users select the applicable answer.

OCR also made some previously optional fields mandatory in the latest update to the portal, according to the National Law Review. Updates include:

  • Breach end date and discovery end date are now mandatory fields
  • Users may select from a list of general options (e.g., Privacy Rule safeguards, Security Rule safeguards) rather than specific options (e.g., firewalls, encryption) when identifying safeguards in place prior to the breach
  • Users may select from a list of 15 specific options (e.g., revised business associate contracts, revised policies and procedures) rather than general options (e.g., mitigation, sanctions) when providing information about actions taken in response to a breach


The site states that it is still undergoing improvements that will be completed by April 30, 2015.

Categories : Breach Notification, OCR

HCPro’s Medical Records Briefing (MRB) is conducting a benchmarking survey on HIPAA compliance, and we would appreciate your input. Please take a few moments to complete this survey.

To show our thanks, we will select one respondent at random to win a complimentary HCPro on-demand webcast of his or her choice. To enter to win, please include your contact information at the end of the survey once you have answered the questions. Entering your contact information will also enable us to email you the results of the survey along with commentary from industry experts. The results will also be featured in the April 2015 issue of MRB.

The link below will take you to the survey’s website; simply click on the link to answer the survey questions online. If the click-through does not work, please cut and paste the URL below into the address bar of your browser.

Here’s the link to the survey: https://www.surveymonkey.com/s/YVXV7M6.

Thank you for your input!


Jaclyn Fitzgerald
Editor, Medical Records Briefing

Categories : HIPAA Compliance

Hackers gained unauthorized access to Anthem’s information technology system and exposed the PHI of more than 80 million people who are currently or were previously covered by the insurance provider, according to The National Law Review.

Anthem set up a website that includes a letter from President and Chief Executive Officer Joseph R. Swedish and frequently asked questions about the breach. The letter states that the following current and former member information may have been compromised:

  • Names
  • Dates of birth
  • Medical identification numbers
  • Social Security numbers
  • Addresses
  • Email addresses
  • Employment information
  • Some income data


The attack also exposed the PHI of Anthem’s employees, including Swedish. Upon discovering the attack, Anthem worked to close the security vulnerability and contacted the Federal Bureau of Investigation. The insurer began working with cybersecurity firm Mandiant to perform an evaluation of its systems. Anthem will contact affected members and offer credit monitoring and identity protection, according to Swedish’s letter.

Categories : Breach Notification

HIPAA Q&A: Identifiers



Q: I’m unsure whether a hospital room number should be considered an identifier under the definition of “individually identifiable information,” which includes information related to treatment and which could be used to identify the individual. It seems to me that if someone knows a patient’s room number, he or she would be able to determine the area of the hospital in which the patient is treated (e.g., all room numbers in the 400 range are on the cancer floor) or could use this information to look up the patient’s name.

A: A patient’s room number is not considered “identifiable” under the HIPAA Privacy Rule. PHI is considered identifiable if it contains any one of 18 specific identifiers of individuals and their family members, employers, or household members, including:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except for year) for birth, admission, discharge, and death
  • All ages over 89, including year
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Device identifiers
  • Biometric identifiers, including fingerprints and voiceprints
  • Full-face photographs


While a room number may help a facility’s staff to identify a particular patient, it’s unlikely that anyone outside the organization could identify a specific patient based only on the patient’s room number.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for the Central Texas Division of Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A