Archive for Compliance Monitor

Q: A patient who presented with an order from the primary care physician for laboratory work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. Did this violate HIPAA?

A: Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.
 
The ultimate question is whether the specialist needed to see the laboratory results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.

If the specialist should not have received the laboratory results, a breach (although not necessarily a reportable breach) may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.

You should investigate this incident. You are not required to notify the patient or OCR if you conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.
 
You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.
 
Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a "need to know."
 
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which also appears in the July Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Q: A home health agency was informed by an assisted living facility that the home health agency may not leave its patient information book at the facility because doing so violates HIPAA. The patient information book does not include any PHI. The assisted living facility stated the home health agency could not see patients if it leaves the patient information book. State law requires the home health agency to distribute information contained in the patient information book. Does leaving the patient information book at the assisted living facility violate HIPAA?

A: No. HIPAA addresses protecting the privacy of individually identifiable health information or PHI. If state law requires making certain information available to residents of a long-term care facility such as an assisted living facility, the home health agency would be in violation of state law if the information was not made available to residents. Nothing prohibits leaving what appears to be educational material for residents to review.
 
If the purpose of the patient information book is marketing services provided by the home health agency, the gray area of HIPAA regulations that pertains to marketing requires examination. As long as the same information is available to all residents and is not used to target marketing to certain individuals with specific diagnoses, this practice does not violate the marketing provisions of HIPAA or HITECH.

Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Q: Our physician practice operates a satellite clinic. The practice does not use an electronic medical record. Charts are transported to a workforce member’s home at the end of the week and are transported to the satellite clinic Monday morning. Does this practice violate HIPAA? Also, who is responsible for the breach of patient PHI if someone steals the charts from a workforce member’s vehicle?

A: HIPAA does not prohibit transporting charts temporarily to a workforce member’s home. Medical practices that do so must reasonably ensure that charts are secured while they are en route and temporarily stored at the workforce member’s home. Ideally, store charts in a locking file cabinet or safely in the workforce member’s home.

Exercise the same care that is necessary when transporting laptop computers. Don’t leave charts in plain sight in unattended vehicles. If it becomes necessary to leave charts in an unattended vehicle, lock them in the trunk or out of sight of passersby if there is no trunk. These practices (transportation and remote storage of charts) must be documented in policy and enforced.

If the charts are stolen, ultimately the practice is liable. The incident would be considered a breach of unsecured PHI, and the practice would be required to notify patients within a reasonable period of time and follow all requirements of the interim breach notification rule (45 CFR 164.400–164.414).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Q: Is a physician who uses an answering service and receives unencrypted messages from an answering service in violation of the HIPAA Security Rule?

A: A physician who uses a smartphone to contact an answering service is not in violation of the HIPAA Security Rule. This activity may represent a risk, but mobile and landline telephone transmissions generally don’t require encryption unless the answering service is an automated service that stores messages on a server that is open to the Internet (e.g., cloud-based answering services).
 
Even then, encryption is not required, but it is strongly recommended. Conduct a risk analysis, identify risks such as those related to unencrypted PHI, and then determine whether those risks are acceptable.
 
Covered entities and business associates can elect to prohibit physicians and other workforce members from using smartphones to access messages from an answering service. However, this is a decision made at the entity level, and is not a HIPAA mandate.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

Which of the following security vulnerabilities is your facility currently focusing on correcting?

  • Encryption of mobile devices
  • Adequate password protection
  • Refined and continuous privacy and security training
  • Other

Submit your response by selecting “Quick Poll” at HCPro’s Corporate Compliance website.