Archive for April, 2015

The HHS Office for Civil Rights (OCR) entered into a $125,000 resolution agreement March 15 with Cornell Prescription Pharmacy (CCP) in Denver for HIPAA violations.

OCR received a media report January 11, 2012, indicating that CCP disposed of PHI in a publicly accessible dumpster. OCR began investigating CCP January 13, 2012, and notified the covered entity of the investigation February 27, 2012. The resolution agreement states that CCP failed to do the following:

  • Reasonably safeguard PHI
  • Implement written policies and procedures for compliance with the HIPAA Privacy Rule
  • Provide and document HIPAA Privacy Rule training for workforce members since the compliance date of the rule

In addition to agreeing to the civil monetary penalty, CCP also agreed to do the following as part of the resolution agreement with OCR:

  • Develop, maintain, and revise written policies and procedures to comply with federal privacy standards
  • Provide copies of policies and procedures to OCR for review and approval
  • Adopt and implement policies and procedures within 30 days of OCR approval
  • Distribute policies and procedures to workforce members within 30 days of OCR approval
  • Require workforce members to sign policies and procedures indicating that they have read, understand, and will abide by them
  • Assess, update, and revise policies and procedures annually
  • Restrict workforce members from the use or disclosure of PHI if they have not signed the policies and procedures
  • Train workforce members on the new policies and procedures within 30 days of implementation
  • Notify HHS/OCR of any future reportable breaches within 30 days of conducting an internal investigation
Categories : Breach Notification, HHS, OCR

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I recently went to see my primary care provider. He was running more than 30 minutes late and felt the need to offer me an explanation for his tardiness when he finally came into the exam room. He said, “Without violating HIPAA, I want you to know the reason I am late is because my last patient was very emotional because she was recently in a bad accident and is also mourning the loss of a close family member.” As an HIM professional, it struck me as odd that someone would offer this information. Is it a violation of HIPAA for a provider to share details about one patient with another?

A: I am guessing the provider was trying to engage with you because he knows you are an HIM professional, but the disclosure was awkward and unprofessional, if not a HIPAA violation. Even without names or specifics, he should not share this sort of information; putting the pieces of the puzzle together to determine the previous patient’s identity might not be very difficult. While I am sure the provider meant no harm, sharing even vague patient stories is not a best practice.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.

The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.

The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.

Categories : Breach Notification

Q: Can healthcare providers answer questions from other providers or patients when someone may possibly overhear the conversation? For example, I am an administrator at a provider-based clinic and notice that patients often ask the providers last-minute questions as they are walked back to the front desk after an appointment. This is an area where most staff members and patients can overhear conversations between the provider and patient, yet our providers often respond to a patient’s inquiry in this space rather than taking the patient into an office. Is this a violation of HIPAA?

A: Providers should not assume that the patient is OK with discussing the topic in the open area, even if the question was asked there. This is another example of an incidental disclosure, which HIPAA requires us to minimize. It would be better to bring the patient back into the office to discuss these last-minute questions when possible. Err on the side of caution and encourage your providers to ensure all conversations with patients are as private as possible.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A, Uncategorized

The Health Information Trust Alliance (HITRUST) recently announced that it will conduct a study to analyze cyber threats in the healthcare industry. The goal of HITRUST Cyber Discovery is to identify cyberattack patterns and the sophistication of threats.

HITRUST is looking to recruit approximately 210 health plans and provider organizations to participate in the study. It will provide participants with free software and hardware to monitor and analyze networks for approximately 90 days.

There is no charge for participants. Registration closes May 10.

Categories : Uncategorized