
Archive for HIPAA privacy

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?

A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:

  • Demographic information about the individual
  • Date(s) healthcare services were provided
  • The department where service was provided
  • The name of the treating physician
  • Outcomes
  • Health insurance status

Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.

There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resource materials available to residents’ families or distributed to the community.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A
Comments (0)

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

Categories : HIPAA privacy
Comments (0)

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

A: There are no specific HIPAA Privacy Rule requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it’s a good idea to implement similar safeguards as the HIPAA Security Rule requires. This would include monitoring logs of access to PHI such as logs generated by EHRs and picture archiving and communication systems.

Information system activity review audits are just one of the four audit activities that covered entities (CE) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information systems activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.

CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Comments (0)
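The two audit-log checks recommended in the answer above (repeated failed login attempts, and access at times when a user has no valid reason to be on the system) can be run as a simple review script over exported login logs. The following is an added example, not code from HCPro or from the answerer; the log line format, the user names, the per-user work schedules and the "5 failures within 10 minutes" threshold are all constructed assumptions, since real EHR and PACS audit exports use their own formats.

```python
"""Review user login audit logs for repeated failed logins and off-hours access.

Added example. The log format, user names, schedules and thresholds below are
assumptions constructed for illustration; adapt them to the real audit export.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit log: "<ISO timestamp> <user> <event> <source IP>".
SAMPLE_LOG = """\
2014-11-03T08:05:12 jdoe LOGIN_SUCCESS 10.1.4.22
2014-11-03T08:06:40 jdoe RECORD_VIEW 10.1.4.22
2014-11-03T21:14:03 jdoe LOGIN_SUCCESS 10.1.4.22
2014-11-03T21:15:10 jdoe RECORD_VIEW 10.1.4.22
2014-11-03T09:00:01 asmith LOGIN_FAILURE 10.1.7.9
2014-11-03T09:00:20 asmith LOGIN_FAILURE 10.1.7.9
2014-11-03T09:00:44 asmith LOGIN_FAILURE 10.1.7.9
2014-11-03T09:01:05 asmith LOGIN_FAILURE 10.1.7.9
2014-11-03T09:01:30 asmith LOGIN_FAILURE 10.1.7.9
2014-11-03T09:02:00 asmith LOGIN_SUCCESS 10.1.7.9
2014-11-03T10:30:00 bwong LOGIN_FAILURE 10.1.8.3
2014-11-03T13:45:00 bwong LOGIN_SUCCESS 10.1.8.3
"""

# Assumed scheduled hours per user (start, end). A user with no entry has no
# scheduled hours, so any access by that user is flagged for review.
SCHEDULES = {
    "jdoe": (time(7, 0), time(17, 0)),
    "asmith": (time(8, 0), time(18, 0)),
    "bwong": (time(8, 0), time(18, 0)),
}

FAILED_LOGIN_THRESHOLD = 5                   # assumption: 5 failures...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ...within 10 minutes


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "source": source})
    events.sort(key=lambda e: e["ts"])
    return events


def repeated_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD,
                           window=FAILED_LOGIN_WINDOW):
    """Sliding-window count of LOGIN_FAILURE per user; one finding per user."""
    recent = defaultdict(deque)
    findings, flagged = [], set()
    for e in events:
        if e["event"] != "LOGIN_FAILURE":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            findings.append({"user": e["user"], "count": len(q),
                             "first": q[0], "last": e["ts"],
                             "source": e["source"]})
    return findings


def in_schedule(t, start, end):
    """True if clock time t falls in [start, end); handles overnight shifts."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def off_hours_access(events, schedules=SCHEDULES):
    """Flag successful logins and record views outside the user's schedule."""
    findings = []
    for e in events:
        if e["event"] not in ("LOGIN_SUCCESS", "RECORD_VIEW"):
            continue
        sched = schedules.get(e["user"])
        if sched is None or not in_schedule(e["ts"].time(), *sched):
            findings.append({"user": e["user"], "event": e["event"],
                             "ts": e["ts"], "source": e["source"]})
    return findings


def review(text):
    """Run both checks over a log export and return the findings."""
    events = parse_log(text)
    return {"failed_logins": repeated_failed_logins(events),
            "off_hours": off_hours_access(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for f in items:
            print("  ", f)
```

On the constructed log, the script flags asmith for five failed logins in under two minutes and jdoe for a login and a record view at 21:14, outside the assumed 07:00 to 17:00 schedule; bwong's single failure and in-hours login produce no finding. Which threshold and schedules are appropriate is a decision for the covered entity's documented risk assessment, not something the script decides.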

In light of the recent Ebola outbreak in the U.S., the Office for Civil Rights (OCR) released new guidance November 10 regarding the release of PHI in emergency situations.

According to OCR, covered entities (CE) and business associates should adhere to the HIPAA Privacy Rule standards when releasing PHI for treatment, to protect the nation’s public health, and for other critical purposes. CEs may disclose PHI without the patient’s consent for the following reasons:

  • To treat the patient or another patient, which includes coordination and management of care and services by one or more healthcare providers and others, or for consultation between providers, and referrals
  • To grant public health authorities (e.g., the Centers for Disease Control and Prevention) access to PHI that is critical to carrying out its public health mission
  • To provide information for the patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care
  • As necessary to identify or locate a patient and notify his or her family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death
  • To prevent or lessen a serious and imminent threat to the health and safety of a person or the public

In addition, the HIPAA Privacy Rule permits the release of limited facility directory information if the patient has not objected to or restricted the release of such information. If the patient is incapacitated, CEs may disclose this information if it is believed to be in the best interest of the patient and is consistent with any prior preferences of the patient, according to OCR.

In most instances, CEs must make an effort to adhere to minimum necessary requirements by disclosing only that information that is necessary to care for the patient, except when providing patient information to healthcare providers. BAs may disclose the minimum necessary information when authorized to do so by a CE or BA to the extent outlined in a BA agreement, according to OCR.

CEs must implement reasonable safeguards to protect PHI against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule for ePHI, according to OCR.

Comments (2)
Oct 10

HIPAA Q&A: Unencrypted email

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Are there any penalties for sending an unencrypted email containing PHI to the intended recipient? Would this just be a violation of the CE’s policy and not a privacy breach under HITECH?

A: HIPAA and HITECH tell us that every CE must perform a documented risk assessment (preferably annually) to determine the level of risk and how it will handle various privacy and security issues. (For more guidance visit www.hhs.gov/news/press/2014pres/03/20140328a.html.)

You should consider and document the risk of sending unencrypted PHI to patients via email in your risk assessment. More and more CEs are deciding that sending unencrypted emails to patients is not worth the risk it poses.

In addition to the security risk, there is the chance that the patient may email you in an emergency, and you may fail to respond in a timely way. There is also the possibility that email can be forwarded, copied, or altered. Email also presents retention issues as providers will not always print the email exchange for the actual patient record. Fortunately, many organizations are implementing patient portals that not only have encrypted messaging functionality but also retain the exchange in the record.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Comments (0)