Archive for HIPAA privacy

Submit your HIPAA questions to Editor John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: Is it considered a HIPAA violation for facilities and clinics to keep patient charts outside of exam rooms or at a patient’s bedside? Most providers prefer to have the charts handy to review just before seeing the patient; however, I am unsure of whether this would be an incidental disclosure, as anyone walking by could access the chart.

A: This practice is acceptable if you take steps to limit the amount of information available and limit those who have access. For example, a bedside chart should contain minimal information needed for that day’s care, such as an intake/output record, medication administration record, and nurses’ notes. The patient’s entire record should not be kept at the bedside for family members and visitors to access.


St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.

OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecure online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.


The New York Giants reportedly didn’t even know their defensive end Jason Pierre-Paul had one of his fingers amputated before his medical charts appeared in news reports July 8, but that’s a story for another audience.

ESPN reporter Adam Schefter isn’t in trouble for posting a picture on Twitter of what looks like Pierre-Paul’s medical chart—journalists aren’t covered by HIPAA—but staff members at Jackson Memorial Hospital in Miami and the hospital itself could be facing some stiff sanctions for releasing the records to a reporter.


Q: Is it a HIPAA violation to post family satisfaction survey comments or family thank-you letters in all-employee work areas? What if the comments reference patient and caregiver names?

A: There are several things to consider in this question. What is the nature of your practice? (Thank-you notes to a psychiatrist or infectious disease specialist could require a higher level of protection.) Where will the notes be posted? Will members of the public see them, or are they in restricted areas? What is the content of the notes? Are they just to say thank you, or is more detailed PHI included? Can the identity of the note writer be redacted before the note is posted? If yes, that would be a strong mitigator.

Once you have assessed these issues (preferably in writing, perhaps in the context of HIPAA-related meeting minutes) you will have your answer. My advice would be to post the notes in employee areas only and redact the names.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


If you’re leaving your job for a position at another medical practice, you can just take your patients’ files with you for future use, right? Wrong. It’s a breach of privacy under HIPAA.

A nurse practitioner did just that, however, when she left her job at the University of Rochester Medical Center (URMC) in Rochester, New York, for a position at a local outside practice, Greater Rochester Neurology.

The employee took a list with her containing information on thousands of her patients and then shared that list with her new employer, all without getting permission from the patients, according to a press release issued May 26 by URMC.
