Archive for HIPAA privacy


HIPAA Q&A: Free-form notes


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: Within the pharmacy dispensing system at the facility where I am employed, we can enter free-form notes for certain records such as a patient record, prescription records, and physician records. The notes entered in the patient record are customer-service focused and not related to treatment or payment. Would these notes be considered PHI? Would there be a retention requirement concerning these notes?

A: If these notes contain patient-identifiable information, they would be considered PHI and must be protected from unauthorized use or disclosure under the HIPAA Privacy Rule. However, the Privacy Rule does not establish record retention requirements. Instead, state law/regulation establishes retention requirements for medical records and some other records.

Check your state law to see if there are any retention requirements for information in pharmacy dispensing systems. Your state board of pharmacy may be a good resource. Search for “(state name) State Board of Pharmacy” in your web browser for more information (e.g., Texas State Board of Pharmacy).

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


HHS recently released guidance about HIPAA regulations affected by the Supreme Court’s 2013 United States v. Windsor ruling that found Section 3 of the federal Defense of Marriage Act (DOMA) unconstitutional. Section 3 of DOMA states that federal law would only recognize opposite-sex marriage.

The HIPAA Privacy Rule addresses the role of family members in patient care. The definitions section of the rule, 45 CFR 160.103, uses the terms “spouse” and “marriage” in its definition of family member.

To maintain consistency with the United States v. Windsor ruling, the term spouse includes people in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction. However, same-sex marriages performed in a foreign jurisdiction must be recognized in the United States for a patient’s partner to be recognized as a spouse under HIPAA.

Similarly, the HIPAA Privacy Rule recognizes marriage between same-sex and opposite-sex couples, and its definition of family member includes the dependents of such a marriage. These definitions apply to people who are legally married whether or not the jurisdiction where they reside recognizes the marriage.

Under §164.510(b), Standard: Uses and disclosures for involvement in the individual’s care and notification purposes, covered entities are permitted under certain circumstances to share PHI with a patient’s family member. Legally married same-sex spouses are family members for the purpose of this provision regardless of where they reside.

The definition of family member also applies to §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes, which prohibits health plans with the exception of issuers of long-term care policies from using or disclosing genetic information for underwriting purposes. Plans are not permitted to make underwriting decisions about a patient based on his or her same-sex spouse’s genetic test results or manifestation of disease.



Q: I am employed by an acute care psychiatric hospital. The hospital’s police department will sometimes take photographs of injuries patients have at the time of admission. The photos are not kept with the medical record; they are kept separately with our police department. If a patient asks for a copy of his or her medical record—including the photos—may we release copies of the photos along with the copy of the record? There is some debate about whether a court order is needed for the photos because a standard release signed by the patient is insufficient. Are there any HIPAA rules pertaining to this issue?

A: Under the HIPAA Privacy Rule, individuals have the right to access PHI in a designated record set. Generally, the designated record set includes medical and billing records. If you define your legal medical record to exclude these photographs, you are under no obligation to release them as part of your designated record set. You may release them if you choose, but you have the right to deny the patient access to the photographs if they are not part of your designated record set.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


OCR recently sent two annual reports to Congress that summarize 2011–2012 HIPAA breach and compliance activities as required by the HITECH Act.

OCR received 236 reports about breaches affecting 500 or more individuals in 2011, according to OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information. These breaches affected approximately 11,415,185 individuals. OCR received 222 reports about large breaches in 2012. Although the number of reportable breaches affecting 500 or more individuals in 2012 decreased only slightly, the overall number of individuals affected dropped to 3,273,735. Although OCR focused primarily on 2011–2012 breaches, it included some data as far back as 2009. In total, OCR received 710 reports affecting 22.5 million individuals from September 23, 2009, to December 31, 2012.

The top causes of 2009–2012 breach incidents were theft, loss, and unauthorized access/disclosure. For 2011 and 2012 only, the report grouped incidents into six causes: theft, loss, unauthorized access/disclosure, improper disposal, hacking/IT incident, and unknown/other. Theft was the leading cause, accounting for 49% of 2011 breaches and 52% of 2012 breaches. Unauthorized access/disclosure came in second for both 2011 (19%) and 2012 (18%).

Healthcare providers submitted the majority of breach reports in 2011 (63%), as they did in 2012 (68%). The most common locations of the PHI exposed in 2011 breaches were paper records (27%) and laptop computers (20%). In 2012, paper and laptop computers again led the list, but with the order reversed: laptop computers took the top spot at 27%, with paper trailing at 23%.

As of the end of 2013, OCR had entered into resolution agreements with seven covered entities in connection with the 458 large breaches reported for 2011–2012. These are the first OCR settlements to result from investigations of reported breaches.

OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance provides enforcement data through 2012, with particular focus on 2011–2012. Since the 2003 HIPAA Privacy Rule compliance date, OCR has received 70,259 complaints alleging HIPAA violations and had resolved 91% of them as of December 31, 2012. OCR required corrective action in 66% of the 27,466 complaints it investigated since 2003. The number of new complaints rose to 9,022 in 2011, with 8,363 complaints resolved that year, and rose again in 2012, when OCR received 10,454 complaints and resolved 9,408.

The majority of issues investigated since the Privacy Rule compliance date were due to the following:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards of PHI
  • Denial of individuals’ access to their PHI
  • Uses or disclosures of more than the minimum necessary PHI
  • Lack of administrative safeguards of ePHI

Health system caught up in an $800,000 breach


The hits just keep on coming. HHS announced June 23 that OCR entered into a resolution agreement and $800,000 settlement with Parkview Health System, Inc., in Fort Wayne, Indiana, for alleged HIPAA Privacy Rule violations.

Parkview obtained the medical records of 5,000–8,000 patients while helping Dr. Christine Hamilton transition her patients to new providers upon her retirement. It was believed that the health system was interested in purchasing a portion of Dr. Hamilton’s practice. Parkview failed to safeguard the PHI of these patients when its employees left 71 cardboard boxes of these medical records outside the physician’s home while she was not there. The home is within 20 feet of a public road and is near a shopping center, according to the press release.

The resolution agreement states that Dr. Hamilton filed the complaint against Parkview. The investigation revealed that when Parkview employees left the medical records at Dr. Hamilton’s home, they were aware that she was not there and that she had previously refused delivery of the records.

Parkview’s corrective action plan states that it will do the following:

  • Develop, maintain, and revise written HIPAA Privacy Rule policies and procedures for its workforce with HHS approval
  • Distribute HHS-approved policies and procedures to members of its workforce
  • Ensure that new, approved policies and procedures provide for administrative, technical, and physical safeguards to protect PHI
  • Notify HHS in writing within 30 days of a violation of the new, approved policies and procedures
  • Provide general safeguards training for its workforce members who have access to PHI