
Archive for Policies and Procedures

In constructing your HIPAA risk assessment, involve individuals from all levels of your organization and all user groups, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal at HIPAA Boot Camp in Casa Grande, AZ. For example, data entry staff members, the manager of IT infrastructure, and the individual in charge of IT can all provide valuable input to the risk assessment.

Take a holistic approach with your risk assessment, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, in Schaumburg, IL. For example, HR managers may be able to provide input for developing policies about training your workforce.

Build and develop collegial relationships, says Ruelas. Physicians from one practice can consider working with trusted colleagues from another practice and conduct the risk assessment together, he says.

Editor’s note: The preceding is an excerpt of an article in the April 2010 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. See next week's HIPAA Weekly Advisor for more tips.

 

Apr 12

Audit log and breach log retention


Are there requirements or standards that advise how long a CE should retain audit logs of system activity (login, read, modify, etc.) and logs of security breaches? If not, what are other providers/hospitals doing?

Linda Kristie

Consider these factors during any internal HIPAA privacy breach investigation:

  • Intent. Were a staff member’s actions intentional or accidental? Was the breach a result of the staff member’s curiosity or concern? Was there personal gain or malicious intent? A staff member who accessed a patient’s medical record to sell information to a tabloid newspaper would incur greater sanctions than a colleague who inadvertently left information visible on a computer monitor.
  • Risk potential. Did a patient suffer financial, reputational, or some other type of harm? (HHS’ breach notification interim final rule includes guidance that asks the same question using the concept of a “harm threshold.”) Did the organization suffer harm resulting in regulatory action, including penalties and fines, or licensing, legal, and reputational problems? “Even the simplest mistakes could result in harm to the organization,” said Nancy Davis, MS, RHIA, director of privacy/security at Ministry Health Care, an integrated healthcare system based in Wisconsin.

Editor’s note: These tips were adapted from an article in the March 2010 edition of the HCPro, Inc. newsletter, Briefings on HIPAA. Look for more tips next week.


The U.S. Supreme Court’s involvement next year on a privacy case regarding text-messaging on work cell phones in the public sector could have implications for private companies like hospitals, experts told HIPAA Update.

The case involves text messages sent by members of a California police department—some of which were sexual in nature, according to The Tennessean—and whether or not the employees should have had a “reasonable expectation of privacy” through work cell phone use.

HIPAA privacy and security officers juggle compliance headaches each day because of text-messaging on work phones. Experts told HIPAA Update the California case serves as a good reminder for covered entities to treat cell phones and texting as they would any other device that includes protected health information (PHI):

  • Use appropriate safeguards to avoid breaches
  • Know HIPAA’s privacy and security rules
  • Consider a policy that prohibits personal text messages on work phones
  • Be clear that work devices alone do not guarantee the user’s privacy

“If text messaging is allowed, it will need to be encrypted and only be sent and received by people with a ‘need to know’ and within minimum necessary guidelines,” says John C. Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD.

Organizations must have “comprehensive, feasible, and well-written information on security and privacy policies, along with regular training and ongoing awareness communications,” says Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, an information privacy, security, and compliance consultant, author, and instructor with Rebecca Herold & Associates, LLC, in Des Moines, IA.

“Even though this case is specific to government agencies,” Herold adds, “the ruling will likely still be used as an example for all types of organizations with regard to what personnel can reasonably expect with regard to privacy of electronic communications, not only on equipment and systems owned by the organization, but also for non-company-owned equipment that is used for business purposes.”

Herold says compliance boils down to a hospital’s policy and training programs.

“Hospitals should ensure their policies cover the use of organization-owned computing equipment for non-work purposes, along with using non-organization-owned equipment used for business purposes,” Herold says, “and ensure their training and ongoing awareness communications effectively educate their personnel about the requirements and their responsibilities.”

Texting is “fairly common” between physicians when communicating about a patient, says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.

Apgar says he likens text messages sent from company-owned phones to e-mail messages sent via the company’s e-mail system.

“In both cases, the employer [covered entity or not] owns the device and, as it has been determined in the past with e-mail, I believe the same legal principle will hold true with text messages—the employer ‘owns’ the text messages, whether they are work related or not,” Apgar says. “The moral of the story is if an employee wishes to send a personal text, he or she should use his or her own mobile device and then, like Web messaging, the text message becomes ‘personal property’ of the employee or the sender.”

While many popular Web sites have strong privacy practices in place, there is no better time to analyze where, when, how, and if your personal health information (PHI) is circulating through these types of Web sites.

The Ponemon Institute and TRUSTe recently released their 2009 Most Trusted Companies for Privacy Award and ranked eBay, Verizon, the US Postal Service, WebMD, and IBM as the top five.

But health leaders must also beware of employees sending any PHI on the Internet. The last thing you want is to get burned because someone in your organization without authorization sent PHI across Yahoo!, Facebook, or similar sites.

It’s not common—though it’s possible—for healthcare workers to use these sites to intentionally and maliciously violate patient privacy laws. More often, healthcare workers sign on during breaks, or when they are off work, and vent about their day with friends without realizing that they share identifiable information and violate HIPAA.

Regardless of how you respond to these privacy and security vulnerabilities, education is crucial, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, and a HIPAA expert. “A lot of people are panicking,” Apgar says. “But one thing that’s not well understood is the danger related to all this.”

Transmission over an unsecure network is inevitable, particularly if the sender and the receiver don’t share a secure network, says Apgar. Combat this with these four education models:

  • New employee training (orientation)
  • Annual refresher training
  • Security reminders (weekly helpful e-mails; information in hospital newsletters; and flash reminders on staff computer monitors)
  • Communications policy—as with confidentiality agreements, require staff members to acknowledge in writing that they have read and understand it. Do this annually at staff performance reviews.

An article in the September issue of the Journal of the American Medical Association entitled “Online Posting of Unprofessional Content by Medical Students” revealed that 60% of 80 medical school deans reported incidents involving unprofessional postings on these types of Web sites. Another 13% acknowledged incidents that violated patient privacy. Some of these violations resulted in expulsions from medical school, according to the article.

“These professionals are well educated, but that doesn’t mean they are savvy with security,” says Apgar. The finality of disclosures on these types of Web sites is what makes them so dangerous, says Apgar. “Once you put something out there, it’s out there, and it’s never coming back,” he says.

Simply banning these Web sites from the hospital network is one strategy that many organizations use, Apgar says.

Spring Harbor Hospital, in Westbrook, ME, doesn’t allow access to Web sites, such as Facebook, on facility computers, says Chris Simons, RHIS, who serves as the facility’s director of HIMS and privacy officer. “We also include it in orientation as a no-no,” she says. “We have had some issues with staff on Facebook saying inappropriate things about their managers, and have addressed that.”

Access to personal e-mail accounts is just as dangerous for many reasons, and organizations are beginning to ban this practice as well. A physician who logs onto a personal Yahoo! Mail account to send himself or herself a list of patients to access at home is one example of inappropriate use, Apgar says. That’s a breach of a lot of information, says Apgar. The hospital network may be encrypted, but the information won’t be encrypted on the other side once the physician opens the e-mail at home.

Freelancer Corey Goodman contributed to this report.