HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases

More»

E-learning

  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation

More»

Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


More»

Author Archive

Jul
22

OMG at the OMIG

Posted by: | Comments (0)
Email This Post Print This Post

An Office of the Medicaid Inspector General (OMIG) employee was accused of independently sending 17,743 Medicaid recipient records to his or her personal email account. The employee has been placed on administrative leave during the investigation.

After taking a peek at the OMIG press release, I am inviting folks to a conversation or discussion on particular aspect of this incident in answering the following question: What technical safeguard does your organization have in place that may have detected this type of activity?

My guess is that many folks do not have any such technical safeguard. I am guessing MANY folks have an administrative safeguard such as a policy that prohibits this type of activity, but I am looking to see what others have done in the technical range.

What I have done to detect such activity is to restrict the emailing of any messages and attachments to popular public email sites. Note that the objective here is certainly not to be able to capture all such outgoing activity, because that would be a very difficult task and one that I can easily show is impractical to catch all possibilities.

But this has worked well, given how many folks often use personal email addresses from sites such as gmail.com, hotmail.com, yahoo.com, live.com, msn.com, etc.

Since email servers easily can track all outgoing email addresses, I think most people would be very surprised to find out that if they pulled outgoing address data from their systems, they would realize just how many emails are going out from the organization to these more popular email domains.

I have installed several other technical safeguards, but I’d like to hear from other folks and hear their experience with these.

Categories : Unsecure PHI
Comments (0)
May
28

Yes…It’s OK to start purging

Posted by: | Comments (0)
Email This Post Print This Post

For a number of reasons, folks seem to be hesitant to purge hard-copy records that are greater than the six-year retention requirements for HIPAA (Security or Privacy).

Consequently, people are asking if they need to keep the original training sheets on file or can they scan them and get rid of the paper copies?

The answer is that certainly these hard copies can be kept on file indefinitely but there is not a requirement that prevents a covered entity from scanning and filing documents used to substantiate that it has trained its workforce such as class attendance roster sign in sheets.

There are a number of other common questions that are coming up given how long folks are keeping records on file but I wanted to share this one first because it seems to be coming up more and more.

Comments (0)

I was recently asked to complete a risk analysis on a priority and expedited basis for a covered entity. During the debrief with several folks I asked legal counsel for the involved covered entity for some reasons for the expedited request.

I was told by an employee the employer was required to comply with state and federal laws, meet accreditation standards which also reference state and federal laws, and that the employer was a covered entity and therefore subject to complying with HIPAA (and he threw in for good measure that he had recently worked with the OCR).

The current employer had policies and procedures that recognized the necessity (as in requirement) for completing the HIPAA Security Rule implementation specifications. Also, Section 164.308 was deficient for various reasons, including the risk assessment had not been done and that this had been communicated to administration for several years.

Long story short…

This was a clear example of a situation that could represent willful neglect on the part of the covered entity in complying with the regulations….etc, etc.

For good measure the employee even went so far as referencing the OIG Work Plan for 2012 and tied it in to his reasoning for the need to get the risk assessment done…and quickly. (These details I will hold close to the vest but I’m sure folks can likely deduce what some of these details include).

So what was my take away…

As I’ve done in the past and will make it a more distinct point in moving forward, if you are in a situation where you realize a risk assessment has not been done, either in your role as a member of the workforce or as an external resource such as a consultant or trainer, make sure you have communicated this observation clearly.

Just in case the proverbial you know what hits the you know where.

Onward we go!

Frank Ruelas
frank@hipaacollege.com

Categories : HIPAA security
Comments (1)

For those who may remember, I commented when the TRICARE breach started hitting the cyber airwaves that there would be more fallout after the breach’s announcement; further, TRICARE, in its breach response, did not offer anything more than information on how those affected could monitor credit reports and place an FTC fraud alert.

I am guessing that following this lawsuit filing…it is only a matter of time before politicians start getting involved.

Frank Ruelas
frank@hipaacollege.com

Comments (0)

It should be no surprise that those that reside in HIPAA-dom are now entering into the audit phase. It is only natural, in my view, that anxiety and concern will be amplified for a number of reasons.

One reason is that now there will be a government-sanctioned activity that will essentially identify if HIPAA compliance (privacy and security) has been achieved. In my view, this translates to ACCOUNTABILITY. Folks within organizations, some who have been their own self proclaimed experts on HIPAA, are now going to be taken to task.

So my suggestion is that folks keep a keen eye out for information related to the audits. This information may prove more useful than you may think…

Frank Ruelas
frank@hipaacollege.com

Categories : HHS
Comments (4)