Archive for Compliance Monitor

Nov 13

Q&A: How CMS responds to HIPAA complaints

Posted by: Dom Nicastro

Q: How does CMS handle a Health Insurance Portability and Accountability Act (HIPAA) complaint once received?

A: Upon receipt of a complaint, CMS will notify the entity filed against of the complaint and provide it with an opportunity to demonstrate compliance or to submit a corrective action plan. CMS has the discretion to conduct compliance reviews or on-site evaluations of covered entities' procedures to verify that they are compliant with the standard transactions or use the national identifiers. CMS also has the authority to impose financial penalties on any entity that is not compliant and has failed to correct its systems.

This Q&A is adapted from the CMS FAQ website page. To view this and other FAQs click here.

Categories : Compliance Monitor

Oct 28

Survey: “Red Flags” rule

Posted by: Dom Nicastro

Is your facility compliant with the FTC “Red Flags” rule to protect against identity theft?
1. Yes
2. No
3. I don’t know

To submit your answer, go to “Quick Poll” at HCPro’s Corporate Compliance Web site.


Categories : Compliance Monitor

Oct 28

Q&A: Notification of compliance breach

Posted by: Dom Nicastro

Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.

A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html

Chris Apgar, CISSP, answered this question in the October 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Categories : Compliance Monitor

Oct 14

Q&A: HIPAA certification compliance

Posted by: Dom Nicastro

Q: Are we required to “certify” our organization’s compliance with the HIPAA Security standards?

A: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements.

The evaluation can be performed internally by the covered entity or by an external organization that provides evaluation or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that Health and Human Services does not endorse or otherwise recognize private organizations’ “certifications,” and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude Health and Human Services from subsequently finding a security violation.

This Q&A is adapted from the CMS FAQ website page. To view this and other FAQs click here.

Categories : Compliance Monitor

Sep 24

Build trust with the Notice of Privacy Practices

Posted by: Dom Nicastro

Noncompliance with HIPAA regulations can result in several steep penalties. Misuse of patient information may result in a prison term and fines. Not only will reputations be compromised, but physician licenses are also at risk.

Organizations and covered entities must provide a written Notice of Privacy Practices to patients. This will serve as a reminder about the rules of compliance and build trust with the patient. The Notice should outline your facility’s privacy practices and patient rights. The notice must:
  • Inform patients of their rights and how they can exercise them
  • Disclose the organization’s privacy practices
  • Detail the organization’s responsibilities under the law
  • Inform patients of the uses and disclosures of protected health information (PHI) required or allowed by law
  • Explain how patients can access their medical records and modify their information

This tip was adapted from The Compliance Officer’s Handbook 2nd Edition. For more information about the book or to order your copy, click here.