Archive for HIPAA privacy

Submit your HIPAA questions to Editor John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: Is it a HIPAA violation to post family satisfaction survey comments or family thank-you letters in all-employee work areas? What if the comments reference patient and caregiver names?

A: There are several things to consider in this question. What is the nature of your practice? (Thank-you notes to a psychiatrist or infectious disease specialist could require a higher level of protection.) Where will the notes be posted? Will members of the public see them, or are they in restricted areas? What is the content of the notes? Are they just to say thank you, or is more detailed PHI included? Can the identity of the note writer be redacted before the note is posted? If yes, that would be a strong mitigator.

Once you have assessed these issues (preferably in writing, perhaps in the context of HIPAA-related meeting minutes) you will have your answer. My advice would be to post the notes in employee areas only and redact the names.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


If you’re leaving your job for a position at another medical practice, you can just take your patients’ files with you for future use, right? Wrong. It’s a breach of privacy under HIPAA.

A nurse practitioner did just that, however, when she left her job at the University of Rochester Medical Center (URMC) in Rochester, New York, for a position at a local outside practice, Greater Rochester Neurology.

The employee took a list with her containing information on thousands of her patients and then shared that list with her new employer, all without getting permission from the patients, according to a press release issued May 26 by URMC.


Q: A patient recently informed me that she was surprised to learn from a physician at our facility that her adult child had been prescribed blood pressure medication. Is it a HIPAA violation for providers to discuss the care of adult children with parents? Would it be considered a violation if the child was a minor?

A: Yes, it is a violation for a practitioner to share information about one patient with another without permission, even if the patients are related. The only exception would be if the mother is providing care to the adult child. In that case, it would be acceptable for the provider to share only the information necessary for the mother to provide care.

In most cases, it is acceptable and even required that practitioners share information with the parent(s) of minors. Exceptions to this might be information on mental health information, substance abuse treatment, sexually transmitted disease treatment, etc. Check your state statutes for specifics.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


The 21st Century Cures Act, a new healthcare bill that would relax portions of HIPAA privacy laws to further medical research and penalize health IT vendors that fail to comply with interoperability standards, has passed through the full House Committee on Energy & Commerce.

The bill would inject billions of dollars into medical drug research and innovative treatments, accelerate the entire process and clear away regulatory hurdles on various levels. One provision of the bill, however, requires HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.

The Privacy Rule currently allows healthcare providers to use PHI without authorization for treatment, billing and internal healthcare operations. Under the proposed law, however, those covered entities and their business associates would have the same unfettered access to those records to use in researching new drugs and treatments.


Q: Are HIPAA requirements different for college campus health centers than for larger facilities or private practices? For instance, would a college campus health center be permitted to disclose information about students who are patients to faculty members if the health center believed a student’s condition may affect his or her ability to come to class or complete assignments? What if the health center believed the student may be a danger to himself or herself, or to others?

A: Campus health centers are covered entities and must follow HIPAA. Information should not be shared with faculty without the patient’s written permission (this would not be a release for treatment, payment, or operations), although a note excusing a student from class or supporting an extension to a deadline (similar to a work note) would be appropriate (without details).

If there is an immediate concern that the patient is a danger to himself or herself, or to others, then there is a “duty to warn” exception that allows you to share information (again, minimum necessary). However, this would not include notifying the faculty unless the threat was against a faculty member. Even then, if your providers believe the threat is significant enough that faculty need to be notified, it would be appropriate to involve the police and to take whatever steps are indicated in your state to initiate a psychiatric hospitalization, either voluntary or involuntary.

Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
