Archive for HIPAA Weekly Advisor

Elizabeth H. Johnson, Esq., has been keeping an ear close to the ground with respect to ongoing OCR HIPAA audits.

Healthcare organizations might be surprised by what auditors are requesting and focusing on, says Johnson, a partner at Poyner Spruill, LLP, a North Carolina law firm.

Johnson, whose practice in Raleigh focuses on privacy, information security, and records management law, listens closely to what those in the know are saying about the audit process. Her work with the KPMG audit team on a recent project offered additional insight into the process. KPMG is the company hired by OCR to conduct the HIPAA audits required by the HITECH Act.

KPMG has completed 20 initial trial audits and expects to conduct at least 95 more audits aimed at measuring HIPAA compliance at randomly selected healthcare organizations by the end of 2012. In a second wave of audits since the initial trial, HHS has sent another 25 notification letters to healthcare organizations.
 
Read more in the July issue of Briefings on HIPAA.

Q: Are digital signatures permissible on custodian affidavit/declaration forms? Signing electronically instead of printing, signing, and scanning would streamline our process. We've never seen electronic signatures on these forms. Are they admissible in court? Some jurisdictions require original signatures, but we're uncertain what California requires. Are the federal e-Sign Act or California's e-Sign law applicable? Our organization has locations in 18 states.

A: Digital signatures on custodian affidavit/declaration forms generally are permissible. They meet the more stringent digital signature requirement eliminated when the HIPAA Security Rule was finalized in 2003. Consult legal counsel to determine whether your state allows use of digital signatures on these forms. Some state laws require that certain documents are signed physically, but this is not a HIPAA requirement.

Electronic and digital signatures differ significantly, both legally and technically. Federal law and many state laws allow electronic signatures on some documents. Electronic signatures can be a picture of a signature, an agreed-upon string of characters, a symbol, a signature typed into a signature block in an electronic form, and other personal non-encrypted, agreed-upon identifiers.

A digital signature is an encrypted "hash" or tag that is registered to an individual and accompanies transmission of electronic data or forms signed via computer. Digital signatures are much more reliable than electronic signatures because they allow recipients to validate senders and prevent repudiation at a later date.
 
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
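As an added example (not part of the original column or of Apgar's answer), this Go program shows the two properties the answer attributes to digital signatures: a recipient can validate the sender against a key registered to the custodian, and any alteration of the signed form is detected. It uses Ed25519 from Go's standard library; the custodian names and the form text are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Custodian is a hypothetical records custodian whose key pair has been
// registered to them; Pub is the half a recipient keeps on file.
type Custodian struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewCustodian generates a fresh Ed25519 key pair for the named custodian.
func NewCustodian(name string) (*Custodian, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Custodian{Name: name, Pub: pub, priv: priv}, nil
}

// SignForm signs the exact bytes of the completed form. Ed25519 hashes the
// form internally, so the signature is bound to every byte of the document.
func (c *Custodian) SignForm(form []byte) []byte {
	return ed25519.Sign(c.priv, form)
}

// VerifyForm checks a received form and signature against the key on file.
// It returns false if the form was altered after signing or if the signature
// was made with a key other than the one registered to the claimed signer.
func VerifyForm(pub ed25519.PublicKey, form, sig []byte) bool {
	return ed25519.Verify(pub, form, sig)
}

func main() {
	// Constructed sample text, not a real affidavit.
	form := []byte("Custodian of Records Declaration: the attached 12 pages are true copies.")
	altered := []byte("Custodian of Records Declaration: the attached 13 pages are true copies.")
	alice, _ := NewCustodian("A. Custodian")
	bob, _ := NewCustodian("B. Custodian")
	sig := alice.SignForm(form)
	fmt.Println("genuine form, registered key:", VerifyForm(alice.Pub, form, sig))    // true
	fmt.Println("altered form, registered key:", VerifyForm(alice.Pub, altered, sig)) // false
	fmt.Println("genuine form, other key:     ", VerifyForm(bob.Pub, form, sig))      // false
}
```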

Healthcare organizations face increasingly complex privacy and security issues as they cope with new technology, but many organizations are still struggling with the basics of establishing a compliance program.

A natural place to begin is a code of conduct, and policies and procedures, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz.
 
Compliance officers in small organizations may be responsible for compliance with all regulations. In larger organizations, one or more individuals may be specifically responsible for HIPAA compliance. Regardless of organization structure, basic principles apply.

Read more in the July issue of Briefings on HIPAA.


Q: A patient who presented with an order from the primary care physician for lab work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. Did this violate HIPAA?

A: Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.
 
The ultimate question is whether the specialist needed to see the laboratory results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.

If the specialist should not have received the laboratory results, a breach (although not necessarily a reportable breach) may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.

You should investigate this incident. You are not required to notify the patient or OCR if you conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.
 
You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.
 
Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a "need to know."
 
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

If you are a HIPAA privacy officer, it might be looking pretty scary out there, said Adam Greene, JD, MPH.

"We're really entering into a new era of enforcement," said Greene, a partner at Davis Wright & Tremaine, LLP, in Washington, D.C., and a former regulator at OCR, the government agency that enforces the HIPAA Privacy and Security Rules.

Greene, who until last year was OCR's senior health IT and privacy specialist, spoke at the 20th National HIPAA Summit March 26 in Washington, D.C. "This is the year to take the training wheels off of your HIPAA program," he told the audience. "Many organizations are still not riding that bike particularly well."

So what can organizations do in this era of increased enforcement?

Read more in the June issue of Briefings on HIPAA.