Archive for HIPAA privacy

Feb 06

HIPAA Q&A: Identifiers


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: I’m unsure whether a hospital room number should be considered an identifier under the definition of “individually identifiable information,” which includes information related to treatment and which could be used to identify the individual. It seems to me that if someone knows a patient’s room number, he or she would be able to determine the area of the hospital in which the patient is treated (e.g., all room numbers in the 400 range are on the cancer floor) or could use this information to look up the patient’s name.

A: A patient’s room number is not considered “identifiable” under the HIPAA Privacy Rule. PHI is considered identifiable if it contains any one of 18 specific identifiers of individuals and their family members, employers, or household members, including:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except for year) for birth, admission, discharge, and death
  • All ages over 89, including year
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Device identifiers
  • Biometric identifiers, including fingerprints and voiceprints
  • Full-face photographs


While a room number may help a facility’s staff to identify a particular patient, it’s unlikely that anyone outside the organization could identify a specific patient based only on the patient’s room number.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for the Central Texas Division of Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
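As an added example that is not part of the original Q&A or Ms. Brandt's answer, the following Python scanner turns several of the identifier categories listed above into a check that can be run over a record before it is treated as de-identified. The regex patterns, field names and the sample record are constructed assumptions for illustration; they cover only a subset of the 18 categories (names, for instance, need a dictionary or NLP rather than a regex), and a clean result from this scanner is not by itself a Safe Harbor determination. Consistent with the answer, the room number is not among the fields checked.

```python
"""Added example, not code from the HCPro Q&A or Mary Brandt's answer:
a small scanner that checks a record against several of the Safe Harbor
identifier categories listed above. The regexes, field names and sample
record are constructed assumptions, not an official or complete
implementation of the 18-identifier list."""
import re

# Constructed, fictional sample record for demonstration.
SAMPLE_RECORD = {
    "note": ("Pt Jane Doe, admitted 03/14/2014, DOB 1922-01-05, MRN 00012345, "
             "contact jane.doe@example.com or 555-867-5309, zip 78501."),
    "age": 92,
    "room": "412",
}

# Illustrative patterns for a subset of the identifier categories above.
# Names are deliberately absent: they need a dictionary or NLP, not a regex.
PATTERNS = {
    "full date": re.compile(r"\b(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "telephone or fax number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical record number": re.compile(r"\bMRN\s*\d+\b", re.IGNORECASE),
    "zip code": re.compile(r"\bzip\s*\d{5}\b", re.IGNORECASE),
}


def find_identifiers(record):
    """Return {category: [matched strings]} for every category found.

    Free text is scanned with the regexes; structured fields get the
    rule-based checks a regex cannot express (age over 89). The room
    number is intentionally not checked: as the answer notes, it is not
    one of the listed identifiers.
    """
    hits = {}
    text = record.get("note", "")
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    # Dates may keep only the year, and ages over 89 must be aggregated,
    # so a bare age above 89 counts as an identifier on its own.
    age = record.get("age")
    if isinstance(age, int) and age > 89:
        hits["age over 89"] = [str(age)]
    return hits


def is_safe_harbor_clean(record):
    """True when none of the checked identifier categories appears.

    A True result only means the checked categories are absent; the
    remaining categories and the covered entity's own knowledge test are
    outside what this scanner covers.
    """
    return not find_identifiers(record)


if __name__ == "__main__":
    for category, found in find_identifiers(SAMPLE_RECORD).items():
        print(f"{category}: {found}")
    # The same visit with year only, no contact data, and the room kept.
    redacted = {"note": "Pt admitted in 2014 for chemo, room 412.", "age": 54}
    print("redacted record clean:", is_safe_harbor_clean(redacted))
```

Run against the constructed record, the scanner flags the two full dates, the email address, the phone number, the MRN, the zip code and the age over 89, while the redacted version of the same visit (year only, room number retained) passes.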

Categories : HIPAA privacy, HIPAA Q&A

A January 2015 report by the Federal Trade Commission (FTC) on the Internet of Things, the growing set of everyday objects that connect to the Internet to send and receive data, highlights the need for updated HIPAA standards.

The report is based on the November 2013 FTC workshop, “The Internet of Things: Privacy and Security in a Connected World,” which was not initially geared toward healthcare. The report focused on security, notice, choice, and data minimization.

The report stated that general privacy legislation should focus on protecting consumers' data. During the workshop, participants pointed out that HIPAA protects only health information held by certain covered entities, while health applications increasingly gather data that HIPAA does not cover. The FTC believes consumers should know how their health information is used regardless of who collects it, and the report calls for consistent standards that provide that transparency about the use of protected health information no matter who holds it.


Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?

A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:

  • Demographic information about the individual
  • Date(s) healthcare services were provided
  • The department where service was provided
  • The name of the treating physician
  • Outcomes
  • Health insurance status

Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.

There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resource materials available to residents’ families or distributed to the community.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

Categories : HIPAA privacy

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements—other than to perform audits—that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

A: There are no specific HIPAA Privacy Rule requirements related to privacy audits. The rule does require organizations to implement administrative, physical, and technical safeguards to protect PHI no matter the form. The Privacy Rule does not give specifics, so it’s a good idea to implement similar safeguards as the HIPAA Security Rule requires. This would include monitoring logs of access to PHI such as logs generated by EHRs and picture archiving and communication systems.

Information system activity review audits are just one of the four audit activities that covered entities (CEs) should undertake to comply with the HIPAA Security Rule and, by default, the HIPAA Privacy Rule. Information systems activity review audits focus on firewall activity, patches applied to applications, data loss prevention report reviews, and so forth. Generally, these audits do not involve determining whether patient records are being accessed appropriately.

CEs and business associates should also review user login audit logs to check for repeated failed login attempts and to verify employees are not accessing systems or data at times when they are off work and have no valid reason to access systems.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
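As an added example that is not part of the original Q&A or Mr. Apgar's answer, the following Python script implements two of the log-review checks the answer describes, repeated failed login attempts and record access by staff at times they are not scheduled to work, over a constructed audit log. The log format, the shift table, the user names and the thresholds are all assumptions for illustration; a real EHR or PACS audit feed will have its own format, and the shift data would come from the scheduling system.

```python
"""Added example, not code from the HCPro Q&A or Chris Apgar's answer:
a review of constructed EHR audit-log lines that implements two of the
checks described above, repeated failed logins and record access by staff
outside their scheduled hours. The log format, shift table and thresholds
are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, fictional audit log: "<ISO timestamp> <user> <event> <detail>".
SAMPLE_LOG = """\
2015-02-06T08:02:11 jsmith LOGIN_FAILED src=10.20.1.15
2015-02-06T08:02:19 jsmith LOGIN_FAILED src=10.20.1.15
2015-02-06T08:02:27 jsmith LOGIN_FAILED src=10.20.1.15
2015-02-06T08:02:40 jsmith LOGIN_FAILED src=10.20.1.15
2015-02-06T08:03:02 jsmith LOGIN_OK src=10.20.1.15
2015-02-06T09:15:44 jsmith RECORD_VIEW mrn=00012345
2015-02-06T23:41:09 mjones RECORD_VIEW mrn=00012345
2015-02-06T23:42:30 mjones RECORD_VIEW mrn=00098765
2015-02-07T01:10:00 rlee LOGIN_FAILED src=172.16.4.9
2015-02-07T10:30:00 rlee RECORD_VIEW mrn=00012345
2015-02-07T10:31:00 tempuser RECORD_VIEW mrn=00012345
"""

# Assumed schedule: user -> (first_hour, last_hour) of the shift, 24h clock.
# Users missing from the table have no documented reason to be on the system.
SHIFTS = {"jsmith": (7, 16), "mjones": (7, 16), "rlee": (9, 18)}

FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events


def find_repeated_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD,
                                window=FAILED_LOGIN_WINDOW):
    """Return {user: most failures seen inside one window} for users at or
    above the threshold. A sliding window over sorted timestamps keeps the
    check linear per user and ignores a few failures spread across a day."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def find_off_hours_access(events, shifts=SHIFTS):
    """Return [(user, timestamp, detail)] for record views outside the
    user's shift, or by users with no shift on file at all."""
    findings = []
    for e in events:
        if e["event"] != "RECORD_VIEW":
            continue
        shift = shifts.get(e["user"])
        if shift is None or not (shift[0] <= e["ts"].hour < shift[1]):
            findings.append((e["user"], e["ts"].isoformat(), e["detail"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("repeated failed logins:", find_repeated_failed_logins(evts))
    for user, when, detail in find_off_hours_access(evts):
        print(f"off-hours access: {user} at {when} ({detail})")
```

On the constructed log this flags jsmith for four failed logins inside half a minute (the single failure by rlee hours later stays below the threshold), the two late-night record views by mjones, and the view by tempuser, who has no shift on file. Each finding is a starting point for the privacy team to ask whether the access had a valid reason, which is the part of the review that the information system activity audits described above do not cover.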
