Archive for HIPAA privacy
The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” April 13 to help organizations integrate federal health information privacy and security requirements.
The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.
The guide covers such topics as:
- Increasing patient trust through privacy and security
- Provider responsibilities under HIPAA
- Health information rights of patients
- Securing patient information in EHRs
- Meaningful Use core objectives that address privacy and security
- A seven-step approach for implementing a security management process
- Breach notification and HIPAA enforcement
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com and we will work with our experts to provide the information you need.
Q: I’m unsure whether a hospital room number should be considered an identifier under the definition of “individually identifiable information,” which includes information related to treatment and which could be used to identify the individual. It seems to me that if someone knows a patient’s room number, he or she would be able to determine the area of the hospital in which the patient is treated (e.g., all room numbers in the 400 range are on the cancer floor) or could use this information to look up the patient’s name.
A: A patient’s room number is not considered “identifiable” under the HIPAA Privacy Rule. PHI is considered identifiable if it contains any one of 18 specific identifiers of individuals and their family members, employers, or household members, including:
- Geographic subdivisions smaller than a state
- All elements of dates (except for year) for birth, admission, discharge, and death
- All ages over 89, including year
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Device identifiers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographs
While a room number may help a facility’s staff to identify a particular patient, it’s unlikely that anyone outside the organization could identify a specific patient based only on the patient’s room number.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for the Central Texas Division of Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
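A worked example, added here and not part of the original article or of the answer above: a Python function that applies the identifier rules quoted in the answer (dates reduced to year, ages over 89 generalized, the listed contact and account identifiers removed, geography kept only at state level) to a constructed patient record. The field names and the sample record are assumptions; the page quotes 13 of the 18 identifiers, so the removed-field set covers only those plus the patient's name, which is among the 18 but not in the page's excerpt. Room number, which the answer says is not on the list, passes through unchanged.

```python
"""Safe Harbor style generalization of a patient record (added example).

Implements the identifier rules quoted in the answer above.  Field names,
the sample record and the DROP_FIELDS set are assumptions: the page lists
13 of the 18 HIPAA identifiers, so this is not the complete list.
"""
import re

# Direct identifiers named on the page, plus "name" (one of the 18, not in
# the page's excerpt).  Assumed field names; removed outright.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "device_id", "biometric_id", "photo",
}
# Date fields the page names: reduced to year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Geographic subdivisions smaller than a state: removed; "state" is kept.
GEO_FIELDS = {"street", "city", "zip"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO-8601 date string (YYYY-MM-DD)."""
    m = ISO_DATE.match(value)
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return m.group(1)


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into one '90+' bucket; others pass through."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with the listed identifiers generalized or removed."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue  # direct identifier or sub-state geography: drop
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value  # e.g. room_number, diagnosis_code: untouched
    # "All ages over 89, including year": for such patients even the birth
    # year would reveal the age, so the birth date is removed entirely.
    if record.get("age", 0) > 89:
        out.pop("birth_date", None)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Sample",
    "mrn": "MRN-000123",
    "age": 92,
    "birth_date": "1922-07-04",
    "admission_date": "2014-11-20",
    "discharge_date": "2014-11-22",
    "state": "CO",
    "city": "Aurora",
    "zip": "80012",
    "phone": "303-555-0100",
    "email": "patient@example.com",
    "room_number": "412",
    "diagnosis_code": "C34.90",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The design keeps the transform explicit per field class rather than pattern-matching free text, so a reviewer can see exactly which of the quoted identifier categories each rule corresponds to, and the over-89 case shows why the page says "including year" for that bucket.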
A January 2015 report by the Federal Trade Commission (FTC) about the Internet of Things, which is an object’s ability to connect to the Internet for the purpose of sending and receiving data, highlights the need for updated HIPAA standards.
The report is based on the November 2013 FTC workshop, “The Internet of Things: Privacy and Security in a Connected World,” which was not initially geared toward healthcare. The report focused on security, notice, choice, and data minimization.
The report stated that general privacy legislation should focus on protecting customers’ data. During the workshop, participants pointed out that HIPAA is limited to protecting health information collected by certain covered entities. However, health applications increasingly gather data that is often unprotected by HIPAA. The FTC believes consumers should be aware of how their health information is used regardless of who collects it. The report calls for consistent standards that provide transparency about the use of protected health information regardless of who collects it.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org, and we will work with our experts to provide the information you need.
Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?
A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:
- Demographic information about the individual
- Date(s) healthcare services were provided
- The department where service was provided
- The name of the treating physician
- Health insurance status
Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.
There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resource materials available to residents’ families or distributed to the community.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.
On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.
Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.