
Archive for Uncategorized

Medical identity theft has been on the rise for some time. In fact, medical identity theft incidents increased 21.7% between the Ponemon Institute’s 2014 survey and its “Fifth Annual Study on Medical Identity Theft” released in February 2015. All respondents were victims of some form of identity theft, while 86% were victims of medical identity theft.

While fraudulent credit card charges are often remedied by credit card companies, medical identity theft can actually cost the insured party a considerable amount of money. More than half (65%) of those responding to the Ponemon Institute’s survey revealed that they paid an average of $13,500 to resolve the crime. These costs are typically related to paying a healthcare provider, repaying the insurer for services obtained by the thief, or paying for identity protection or legal counsel.

Respondents listed reimbursement for costs associated with preventing future damages as the action most important following a medical identity theft incident. Victims who sought to resolve medical identity theft crimes spent an average of 200 hours doing so, according to the study.

Just 37% of respondents reported that their healthcare providers informed them of ways to prevent medical identity theft. More than half (67%) of those respondents said they do not feel confident that these measures will keep their records secure. However, half of all respondents agree or strongly agree that they would find another provider if they were not confident in the security practices of a provider. Similarly, 47% said they would find another provider if their records were stolen or they were concerned about record security.

Categories : Uncategorized
Comments (0)

HCPro’s Medical Records Briefing (MRB) is conducting a benchmarking survey on HIPAA compliance, and we would appreciate your input. Please take a few moments to complete this survey.

To show our thanks, we will select one respondent at random to win a complimentary HCPro on-demand webcast of his or her choice. To enter to win, please include your contact information at the end of the survey once you have answered the questions. Entering your contact information will also enable us to email you the results of the survey along with commentary from industry experts. The results will also be featured in the April 2015 issue of MRB.

The link below will take you to the survey’s website; simply click on the link to answer the survey questions online. If the click-through does not work, please cut and paste the URL below into the address bar of your browser.

Here’s the link to the survey: https://www.surveymonkey.com/s/YVXV7M6.

Thank you for your input!


Jaclyn Fitzgerald
Editor, Medical Records Briefing

Categories : Uncategorized
Comments (0)

HIPAA Q&A: Employee snooping


Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: Is it considered a breach if an employee of an organization views his or her own records or the records of their family members (containing full name, Social Security number, diagnosis, medications, etc.) without a legitimate business need?

A: Accessing the records of family members without a legitimate business need may well be a breach, but a staff member accessing his or her own records may not be. If there is no legitimate reason for accessing family member records, that would be a breach of unsecure PHI.

A number of CEs have implemented policies requiring employees to access their own medical records in the same way as all other patients—by submitting a written request and having the record copied or setting up a time for the employee to view his or her own record. Having an employee view his or her own record is not a breach of unsecure PHI. However, it may be a violation of the CE’s policy and result in sanctions.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : Uncategorized
Comments (1)

Two thieves were recently indicted for using the stolen PHI of approximately 1,400 Detroit hospital patients to receive nearly $500,000 in false tax returns, according to The Detroit News.

Markitta Washington, 29, of Hampton, Georgia, allegedly obtained the PHI without authorization while working for Henry Ford West Bloomfield Hospital in West Bloomfield, Michigan, and DMC Harper Hospital in Detroit. Washington shared a home with Martez Lear, 29, of Farmington Hills, Michigan, who was also indicted for identity theft crimes. A search of the home uncovered the names, dates of birth, and Social Security numbers of 1,400 patients, according to The Detroit News.

Washington and Lear allegedly filed false returns for tax years 2011 and 2012 using the stolen information of at least 305 people, which resulted in them receiving approximately $489,000. Authorities also discovered re-encoded credit cards and gift cards during their search. The theft affected 141 patients who received inpatient neurology or outpatient radiology services at Henry Ford West Bloomfield Hospital from January 1, 2012, through December 31, 2013. Both Henry Ford West Bloomfield Hospital and DMC Harper Hospital are offering credit protection and monitoring for affected patients, according to The Detroit News.

Categories : Uncategorized
Comments (0)


Wisconsin Governor Scott Walker signed Assembly Bill 453 (Act 238), also known as “HIPAA Harmonization,” into law April 8. This statute better aligns Wisconsin state law governing the uses and disclosures of protected health information with the HIPAA Privacy Rule, according to The National Law Review.

The new law addresses uses and disclosures of PHI in Wisconsin. The HIPAA Omnibus Rule redefined several HIPAA terms, and the new Wisconsin law similarly redefines the following terms so they more closely align with the Privacy Rule definitions:

  • Business associate (BA)
  • Covered entity (CE)
  • Disclosure
  • Healthcare operations
  • Payment
  • Protected health information
  • Treatment and treatment facility
  • Use

The state law also requires CEs that meet the definition of a treatment facility to comply with federal notice of privacy practices regulations.

Wisconsin law also provides that the restrictions in Wis. Stat. § 51.30 do not apply to use, disclosure, or request for disclosure of PHI by CEs and BAs if:

  1. The CE or BA makes the use, disclosure, or request for disclosure in compliance with 45 CFR 164.500–164.53
  2. The CE or BA makes the use, disclosure, or request for disclosure for the purpose of treatment, payment, or healthcare operations


Categories : Uncategorized
Comments (0)