Archive for HIPAA Q&A

Oct 09

Encryption of data at rest

Posted by: mhart | Comments (1)

Would the use of an OS with 128-bit encryption satisfy the encryption of data at rest?

Mimi Hart

HIPAA Research Analyst
Information Protection
Iowa Health System

Comments (1)

Oct 07

Drug seekers

Posted by: tkolb | Comments (1)

If a physician suspects a patient is a drug seeker, is it a HIPAA violation for that physician to contact the patient’s pharmacist or health insurance company and request a list of the patient’s prescribed drugs to determine if the patient is receiving narcotic prescriptions from other physicians?

Tina Kolb, CPC
Privacy Officer
Education & Compliance Dept.
Cooper Clinic, P.A.
Fort Smith, Arkansas

Categories : HIPAA Q&A, HIPAA privacy
Comments (1)

Sep 30

Q&A: Releasing information to non-care family member physicians

Posted by: mbrandt | Comments (0)

Q: A patient admitted to the hospital has a close family member who is a physician with privileges at the same hospital. This physician is not involved in the patient’s care, but the patient has given permission for this physician to see his medical information. May the physician access the information electronically (i.e. via the hospital computer system)? Or is this a breach because he is not the attending physician? Must he contact the attending physician to access the information?

A: Competent adult patients may authorize release of their information to anyone they choose. If you have written authorization from the patient to release information to this physician, permission from the attending physician is not necessary. You may allow the physician to access the record electronically if the patient has authorized the physician to review his complete record. If the patient has limited the information that may be disclosed to the physician, paper copies of the information should be provided to meet minimum necessary requirements.

Mary Brandt, MBA, RHIA, CHE, CHPS, answered this question in the September 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.
Categories : HIPAA Q&A, HIPAA privacy
Comments (0)

Sep 25

HIPAA Q&A: Do we need a contract?

Posted by: Dom Nicastro | Comments (0)

Q. I am the HIPAA privacy and security officer for an outpatient orthopedic surgery center. We often have difficulty obtaining preoperative cardiac clearance documentation from the nearby CV office.

We send patients there before surgery because we need the cardiac clearance, but at the time of surgery, the office states that HIPAA prevents it from providing any information. I know it would be easier if patients called to request this information.

However, we often can’t reach them, they don’t know what to request, or the surgeon believes that obtaining this information is our responsibility. Do we need some type of sharing contract? What can we do? All we want is to provide patients the best and safest care.

A. Unfortunately, this seems to be a common misinterpretation of the privacy rule, which allows disclosure of PHI without patient authorization for treatment purposes. You may start by contacting the privacy officer or the office manager at the CV office and explaining that releasing information for treatment purposes without patient authorization is permissible. Consider providing specific information from the OCR HIPAA Privacy Web site to support your position.

If that doesn’t work, simply asking patients to sign an authorization form to release the information to the surgery center may be easier. Patients could sign the authorization as part of their preoperative paperwork and take it with them to the CV office.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Categories : HIPAA Q&A
Comments (0)

Sep 22

Redisclosure

Posted by: jmonzo | Comments (4)

Our facility has a hybrid record presently — electronic and paper. Presently, we still ask for a patient authorization from requestors for records — including treatment, payment, healthcare operations — when there is no relationship proven in our records (e.g., physician office calls since a referral has been made to them, and they want our patient records. We have no documentation anywhere of the referral in our records).

We realize the HIPAA Privacy Rule does allow disclosure of records without an authorization for TPO — except for alcohol, substance abuse, psychotherapy notes.

From a HIPAA compliant (security & privacy) and a CMS compliance perspective, what can we do and what needs to be in place to allow the information to be shared with the provider in these non-emergency situations? Also, in the case of records from another provider (re-disclosure), can this be accommodated in some fashion also?

Jenifer Monzo RN, BAS
Director of Organizational Compliance
McKenzie Memorial Hospital
Sandusky, Michigan

Categories : HIPAA Q&A, HIPAA privacy
Comments (4)