Author Archive

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: If a psychiatric nurse is looking at an emergency department (ED) patient’s information as part of his or her job, and notices that a friend’s child is in the ED, can the nurse go visit this patient? 

A: No. The nurse must not use the information he or she obtains during the course of doing his or her job for anything other than work. In this case, the nurse discovered the information incidentally and should not use it to visit the child since doing so would not be related to the nurse’s work. On the other hand, if the friend notifies the nurse of the child’s ED stay, or if the nurse finds out the child is there in some other way that is unrelated to work, it would be acceptable to visit.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

A recent audit revealed six security vulnerabilities within HHS’ Health Resources and Services Administration (HRSA), according to a report from the Office of the Inspector General (OIG).

The OIG conducted a review of HRSA security controls in effect in December 2013 and released the corresponding report in April 2015. In addition to reviewing and testing controls, the OIG interviewed HRSA’s security and IT professionals and reviewed policies and procedures, according to the report.

The OIG noted in its report that HRSA failed to:

  • Effectively track and manage IT inventory
  • Effectively implement and monitor patch management controls
  • Effectively monitor the antivirus status of its assets
  • Consistently review active directory user accounts as outlined in its policies
  • Consistently apply encryption policies
  • Develop policies and procedures to secure USB port control access

Categories : HHS, OIG

In an effort to prevent medical identity theft, new Medicare cards will not list the Social Security numbers of beneficiaries, according to an announcement from the Office of the Inspector General, Social Security Administration.

President Obama recently signed a bill instructing the Department of Health and Human Services (HHS) to issue new cards that do not display, code, or embed Social Security numbers. The new law also includes information about funding this costly endeavor along with instructions for HHS to update the cards within the next four years and distribute them within another four years, according to the announcement.

Senior citizens are advised to carry their Medicare cards at all times, but this leaves them vulnerable to medical identity theft as the cards currently list Social Security numbers, according to the announcement.

Categories : OIG

May 08
HIPAA Q&A: Minimum necessary

Q: You are reviewing a computer-generated insurance claim before it is sent to the insurance carrier, and you notice the patient’s name on the claim—it’s an old friend of yours. You quickly read the claim for the diagnosis. Is this a breach of confidentiality?

A: Yes, it is, unless you need to know that information to do your job. HIPAA requires us to access only the minimum we need to know to do our jobs. If you don’t need to know your friend’s diagnosis, you shouldn’t look at it.

If you do see it, remember that you may never share with anyone, including your friend, what you have seen. This knowledge can be a heavy burden, but it is our ethical and legal obligation not to share any information we obtain in the course of doing our work in healthcare.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA Q&A

Criminal attacks on the healthcare industry have increased 125% since 2010, making these attacks the leading cause of data breaches in the industry, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare, sponsored by ID Experts®. The goal of the study is to determine what organizations are doing to protect the privacy and security of PHI and what challenges they may face in doing so, according to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

The study reports on the responses of 90 covered entities (CE), and for the first time includes responses from 88 business associates (BA). The Ponemon Institute conducts as many as 20 separate interviews with each CE and BA involved in the study, Dr. Ponemon says.

Although criminal attacks have been highlighted in the annual study for five years, 2015 marks the first year that these attacks were listed as the top cause of data breaches. Nearly half (45%) of healthcare organizations surveyed listed criminal attacks as the top cause of data breaches, compared to 39% of BAs. Medical identity theft not only has financial repercussions, but has the potential to compromise the accuracy of patients’ records, which can ultimately harm the patient, says Rick Kam, CIPP/US, president and co-founder of ID Experts.

More than 90% of CEs surveyed experienced a data breach, and more than 40% experienced one within the last five years. More specifically, 65% of CEs said they experienced security incidents within the last two years involving the exposure, theft, or misuse of electronic information. The majority of respondents (96% of CEs and 95% of BAs) have experienced an incident involving lost or stolen devices. The study revealed that the average cost of a breach at a healthcare organization is more than $2.1 million, whereas the average cost for BAs is more than $1 million.
