Archive for May, 2015

Submit your HIPAA questions to Editor John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: A patient recently informed me that she was surprised to learn from a physician at our facility that her adult child had been prescribed blood pressure medication. Is it a HIPAA violation for providers to discuss the care of adult children with parents? Would it be considered a violation if the child was a minor?

A: Yes, it is a violation for a practitioner to share information about one patient with another without permission, even if the patients are related. The only exception would be if the mother is providing care to the adult child. In that case, it would be acceptable for the provider to share only the information necessary for the mother to provide care.

In most cases, it is acceptable and even required that practitioners share information with the parent(s) of minors. Exceptions to this might be information on mental health, substance abuse treatment, sexually transmitted disease treatment, etc. Check your state statutes for specifics.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The 21st Century Cures Act, a new healthcare bill that would relax portions of HIPAA privacy laws to further medical research and penalize health IT vendors that fail to comply with interoperability standards, has passed through the full House Committee on Energy & Commerce.

The bill would inject billions of dollars into medical drug research and innovative treatments, accelerate the entire process and clear away regulatory hurdles on various levels. One provision of the bill, however, requires HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.

The Privacy Rule currently allows healthcare providers to use PHI without authorization for treatment, billing and internal healthcare operations. Under the proposed law, however, those covered entities and their business associates would have the same unfettered access to those records to use in researching new drugs and treatments.



Q: Are HIPAA requirements different for college campus health centers than for larger facilities or private practices? For instance, would a college campus health center be permitted to disclose information about students who are patients to faculty members if the health center believed a student’s condition may affect his or her ability to come to class or complete assignments? What if the health center believed the student may be a danger to himself or herself, or to others?

A: Campus health centers are covered entities and must follow HIPAA. Information should not be shared with faculty without the patient’s written permission (this would not be a release for treatment, payment, or operations), although a note excusing a student from class or supporting an extension to a deadline (similar to a work note) would be appropriate (without details).

If there is an immediate concern that the patient is a danger to himself or herself, or to others, then there is a “duty to warn” exception that allows you to share information (again, minimum necessary). However, this would not include notifying the faculty unless the threat was against a faculty member. Even then, if your providers believe the threat is significant enough that faculty need to be notified, it would be appropriate to involve the police and to take whatever steps are indicated in your state to initiate a psychiatric hospitalization, either voluntary or involuntary.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


CareFirst BlueCross BlueShield, a nonprofit health insurer that serves Maryland, Washington D.C. and northern Virginia, announced Wednesday it was targeted by a “sophisticated” cyber-attack, affecting 1.1 million people who are current or past members of CareFirst or who have done business with the company.

The May 20 statement on the CareFirst website explained the hackers “gained limited, unauthorized access to a single…database.” The intrusion was actually discovered in the midst of an exhaustive review the company was performing on its own IT security measures in the wake of recent cyber-attacks on other health insurers.

CareFirst said the review found cyber-attackers gained access to a database on June 20, 2014 that stores data members and other users enter to access CareFirst websites and online services. Only people who registered to use the online services before June 20 were affected.


Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.

The Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.

Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.
