Archive for HIPAA Compliance

OCR recently sent two annual reports to Congress that summarize 2011–2012 HIPAA breach and compliance activities as required by the HITECH Act.

OCR received 236 reports about breaches affecting 500 or more individuals in 2011, according to OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information. These breaches affected approximately 11,415,185 individuals. OCR received 222 reports about large breaches in 2012. Although the number of reportable breaches affecting 500 or more individuals in 2012 decreased only slightly, the overall number of individuals affected dropped to 3,273,735. Although OCR focused primarily on 2011–2012 breaches, it included some data as far back as 2009. In total, OCR received 710 reports affecting 22.5 million individuals from September 23, 2009, to December 31, 2012.

The top causes of 2009–2012 breach incidents were theft, loss, and unauthorized access/disclosure. For 2011 and 2012 only, the report cited six causes: theft, loss, unauthorized access/disclosure, improper disposal, hacking/IT incident, and unknown/other. Theft was the leading cause, accounting for 49% of 2011 breaches and 52% of 2012 breaches. Unauthorized access/disclosure was second in both 2011 (19%) and 2012 (18%).

Healthcare providers submitted the majority of breach reports in 2011 (63%), just as they did in 2012 (68%). The majority of PHI exposed in 2011 breaches was on paper (27%) or laptop computers (20%). In 2012, paper and laptop computers were again the two leading locations of breached PHI, but this time laptop computers took the top spot at 27% and paper trailed at 23%.

As of the end of 2013, OCR had entered into resolution agreements with seven covered entities arising from the 458 breaches that occurred in 2011–2012. These are the first OCR settlements brought about by investigations into reported breaches.

OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance provides enforcement data through 2012, with particular focus on 2011–2012. Since the 2003 HIPAA Privacy Rule compliance date, OCR had received 70,259 complaints alleging HIPAA violations and had resolved 91% of them as of December 31, 2012. OCR issued corrective action in 66% of the 27,466 HIPAA complaints it investigated since 2003. The number of new complaints rose to 9,022 in 2011, with 8,363 complaints resolved. It rose again in 2012, when OCR received 10,454 complaints and resolved 9,408.

The majority of issues investigated since the Privacy Rule compliance date were due to the following:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards of PHI
  • Denial of individuals’ access to their PHI
  • Uses or disclosures of more than the minimum necessary PHI
  • Lack of administrative safeguards of ePHI

Join us for a 90-minute webcast about HIPAA auditing at 1 p.m. (Eastern) Tuesday, July 29.

With HIPAA audits slated to resume and OCR monetary settlements steadily increasing, the risk of ending up on OCR’s “wall of shame” is greater than ever. OCR recently hit two covered entities with the largest HIPAA settlement to date: a combined $4.8 million penalty for alleged violations during a joint arrangement.

The first step to ensuring HIPAA compliance is developing an effective risk analysis and management process that identifies gaps, thereby keeping your organization off the government’s radar. Learn strategies for conducting an internal audit of your organization—before the government audits you.

During this program, HIPAA compliance experts Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, and Kathy Perkins-Smerdel, BS, CHC, will explain how to develop a thorough risk analysis process and implement an internal auditing program, offer audit preparation strategies, and identify flaws in privacy and information security programs.

At the conclusion of this program, participants will be able to do the following:

  • Develop an effective, well-documented risk analysis process
  • Prepare for OCR/CMS audits
  • Identify privacy and information security program deficiencies

For more information or to place an order, call 800/650-6787 and mention Source Code EZINEAD or visit the HCPro Healthcare Marketplace.


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: My organization is revising its HIPAA policies with the goal of consolidating current policies and making them more user-friendly overall without compromising or eliminating essential information. Is there a checklist or list of recommended policies required for an organization to be HIPAA compliant?

A: There is no specific list. However, you should ensure that your policies address all of the privacy, security, and breach notification requirements in the HIPAA rules. Various resources provide policy templates that organizations can use as a reference when simplifying policies. Ensure that templates are from a reliable vendor. Some associations have template resources that organizations can access and customize.

There is no set number of policies that organizations must implement. You can combine requirements in one policy. For example, all use and disclosure requirements (e.g., for treatment, payment, healthcare operations, required by law) can be combined in one policy.

When purchasing templates, customize them to meet the needs of your organization. Consider other applicable laws, such as state privacy laws and federal alcohol and chemical dependency laws. Policies must be current, accurate, and enforceable. Some templates may not apply to your organization, so it is wise not to use them.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


OCR announced in the February 24 Federal Register its plan to survey up to 1,200 covered entities and business associates to determine suitability for its HIPAA audit program.

The survey is intended to provide OCR information that will determine whether a respondent is suitable for an audit. Data collected through the survey will include the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

HHS is seeking comments on aspects of the Information Collection Request and the burden estimate, which is 600 total burden hours. Submit comments by email at Information.CollectionClearance@hhs.gov or by telephone at 202-690-6162.