Free Corporate Compliance e-Newsletters

APCs Weekly Monitor Compliance Monitor Healthcare Auditing Weekly HIPAA Weekly Advisor Medicare Weekly Update The RAC Report

HIPAA Weekly Advisor

This e-mail newsletter delivers how-to advice and breaking news on HIPAA regulations each week. Stay informed on timely topics, security news and regulations, and analysis of proposed and final HIPAA rules that will ensure patient information security.

2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001

HIPAA Weekly Advisor

Issue 47, December 20, 2004

• How do I know whether my security incident-response procedures will work?

  How do I know whether my security incident-response procedures will work?

• State hospital association asks hospitals to amend disclosure rules

  The Washington State Hospital Association (WSHA) requested Wednesday that all state hospitals...

• Healthcare Security Workgroup to release security guidance this month

  The Healthcare Security Workgroup-comprised of representatives from URAC, WEDI, and NIST-plan to...

• FEMA refuses to disclose information on elderly displaced by hurricane

  Assistance efforts by the Southwest Florida Area Agency on Aging have done little to get elderly...

Issue 46, December 13, 2004

• Who is entitled to access the information in our facility directory?

  Who is entitled to access the information in our facility directory?

• NPI headaches, confusion cause worry over impending start date

  Physicians can apply for their National Provider Identifiers (NPIs) beginning May 23, 2005, but...

• CA Cancer Registry regains access to cancer patients’ records

  A settlement between the University of California San Francisco Medical Center and the state...

• IndIndustry group offers 12 cyber security steps for Bush’s second term

  The Cyber Security Industry Alliance (CSIA) called on the Bush administration to strengthen the...

Issue 45, December 6, 2004

• Are there certain security policies we must have to ensure security compliance?

  Are there certain security policies we must have in place to ensure security compliance?

• CMS releases first of seven security white papers

  The Centers for Medicare & Medicaid Services (CMS) Thursday released one of seven guidance papers...

• HHS Secretary Tommy Thompson resigns

  Department of Health and Human Services (HHS) Tommy Thompson Friday submitted his formal...

• AHA supports GAO recommendation on accounting of disclosures

  In a letter to HHS, the American Hospital Association (AHA) strongly urged the government to...

Issue 43, November 22, 2004

• Which security tools will help me test my systems?

  Which security tools will help me test my systems now and during future security assessments?

• Study reveals risks of incorrectly handled e-mails

  E-mail can considerably damage an organization's reputation and pose significant liability risks if...

• ONCHIT releases RFI on national health information network

  The Office of the National Coordinator Health Information Technology (ONCHIT), part of the...

Issue 42, November 15, 2004

• What key players outside of IT should be on my HIPAA compliance team?

  What key players outside of IT should be on my HIPAA compliance team?

• Patients still confused about privacy rights under HIPAA

  Many patients still don’t understand their rights under the HIPAA privacy regulations despite...

• Defendant in first HIPAA case sentenced

  Judge Ricardo S. Martinez sentenced former healthcare worker Richard W. Gibson to 16 months in...

• HIMSS creates standard to improve medical device security

  To address the growing risk associated with medical devices and the transmission and storage of...

Issue 41, November 8, 2004 - VIEW THE FULL ISSUE

• Privacy, speed contribute most to patient’s satisfaction with hospital

  Patients report outstanding experiences at hospitals that work quickly and efficiently and whose...

• Attempts to notify patients of security breach not good enough, say CA lawmakers

  California lawmakers aren’t happy with the Department of Social Services’ (DSS) media...

• IOM report suggests Congress must help rural providers with IT

  Rural communities may be left off the IT bandwagon if Congress doesn’t help rural providers...

Issue 40, November 1, 2004

• What disclosures can we make about a patient we suspect has an abuse victim?

  What disclosures can we make about a patient we suspect has been the victim of abuse, neglect, or...

• HIPAA hinders charity work meant to help burn victims in CA

  The Burn Institute has $100,000 to use toward counseling, financial aid, and other support for the...

• CMS clarifies security rule, roundtable dates

  The final HIPAA security rule compliance date is April 20, 2005, not April 21, 2005 as many...

• Hospital personnel lack guidance on reporting to law enforcement under HIPAA

  HIPAA may impede the reporting of suspected public health emergencies down the chain of command...

Issue 39, October 25, 2004

• Can we post a patient’s picture or use it for in-house marketing?

  Can we post a patient’s picture in our facility or use it for in-house marketing?

• HIPAA limits release of information about injured soldiers

  When members of a Wisconsin-based National Guard unit sustained injuries in Baghdad in September...

• Breach threatens security of more than a million files

  A security breach of a computer that belonged to a University of California researcher put at risk...

• HIPAA complaints on the rise in 2005, SHARP says

  There’s no end in sight to HIPAA complaints. At least not according to the Southern HIPAA...

Issue 38, October 18, 2004

• Is anti-virus software enough to protect against malware?

  Is anti-virus software enough to protect against malware?

• FDA-approved implantable chip raises privacy concerns

  The Food and Drug Administration (FDA) Wednesday approved an implantable chip that could provide...

• Court rules seizure of Limbaugh’s medical records lawful

  The Fourth District Court of Appeal in West Palm Beach, FL ruled that county prosecutors acted...

• GAO looks at first-year experiences under privacy rule

  For most providers and healthcare plans, first-year implementation of the privacy rule regulations...

Issue 37, October 11, 2004

• Is a patient authorization required to use or disclose psychotherapy notes?

  Is a patient authorization required prior to using or disclosing psychotherapy notes?

• RI hospitals will not accept grants for care of immigrants

  Three Rhode Island hospitals-Rhode Island, Miriam, and Newport hospitals-plan to refuse federal...

• Patient ID biggest challenge for national electronic medical record initiative

  Opposition in Congress and no consensus on a single, useable national patient identifier could slow...

Issue 36, October 4, 2004

• Privacy regs slow investigation

  St. Paul, MN’s Regions Hospital would not provide police with details about a patient’s...

• HIPAA causes hospital to refuse to provide info to federal judge

  Even federal judges must adhere to the HIPAA privacy regulations, as U.S. District Judge Garrett...

• Patient privacy strains patient-doc confidentiality

  When a patient has an inherited disease or mutation that could potentially afflict other family...

Issue 35, September 27, 2004

• Does my facility have to have malware protection?

  Because the specification regarding malware (malicious software) is addressable, does my facility...

• Healthcare orgs use learning management solutions for HIPAA training

  Healthcare orgs use learning management solutions for HIPAA training

• New group to create transactions requirements

  The newly formed HIPAA Transactions Convergence Project-comprised of industry groups such as the...

• Summer 2005 goal set for preliminary EHR requirements

  The American Health Information Management Association (AHIMA), Healthcare Information and...

Issue 34, September 20, 2004

• HIPAA privacy law hinders clinical research

  Under HIPAA, researchers can no longer review medical records to look for suitable patients for...

• HHS extends HIPAA enforcement rule

  The Department of Health and Human Services (HHS) September 15 announced a one-year extension to...

• Hospital employees suspended after trying to access Clinton's medical record

  Columbian Presbyterian Medical Center in New York suspended 17 workers-including a doctor, several...

Issue 33, September 13, 2004

• Do payment activities include disclosures to collection agencies?

  Do payment activities include disclosures to collection agencies?

• Hospital could face criminal charges for protecting

  If Spartanburg (SC) Regional Medical Center does not back down from its stance of protecting...

• WEDI offers three new security rule white papers

  The Workgroup for Electronic Data Interchange (WEDI) Thursday released white papers on risk...

• Florida hospitals factor HIPAA into patient rooming

  Soon, any patients treated at 618-bed Tallahassee Memorial Hospital or the 180-bed Capital Regional...

Issue 32, September 6, 2004

• Are there existing standards on inactivity timeouts we can reference?

  Our doctors complain that the 15-minute inactivity timeout is too short. They want us to change it...

• OCR releases guidance on state public record laws

  The privacy rule allows a covered entity to use and disclose PHI as required by other laws...

• Tenet subpoenaed under provisions of HIPAA

  The U.S. Attorney’s Office in San Francisco issued a subpoena to Tenet Healthcare Corporation...

• Police reports exempt from privacy law, attorney general rules

  Kentucky Attorney General Greg Stumbo ruled that the HIPAA privacy rule does not apply to the names...

Issue 30, August 23, 2004

• What security tools or items should be included in an incident response toolkit?

  What security tools or items should be included in an incident response toolkit?

• Seattle court bangs gavel on first ever HIPAA conviction

  A Seattle court convicted Richard Gibson August 19 of wrongful disclosure of individually...

• Advocacy group releases recommendations

  The Cyber Security Industry Alliance (CSIA) published 10 recommendations to ensure the creation of...

• Innovative HIPAA training pays off for Texas health system

  Texas Health Resources (THR) was one of three winners awarded the American Hospital...

Issue 29, August 16, 2004

• Are assisted living facilities (ALFs) considered "providers" under the privacy r

  Are assisted living facilities (ALFs) considered "providers" under the privacy rule?

• CD-ROM medical record does not violate HIPAA

  Patients who receive treatment at the Nebraska Medical Center can now receive their medical records...

• Indian outsourcer enforces strict compliance with HIPAA, Sarbanes-Oxley

  Patni Computing Systems, an IT provider and software developer, is working to comply with the HIPAA...

• Healthcare IT leaders form group to accelerate adoption of e-prescribing

  Nine healthcare IT solution providers including Allscripts Healthcare Solutions and the National...

Issue 28, August 9, 2004

• What policies should we adopt for security incident response?

  What policies should we adopt for security incident response?

• Newspaper Association of America lobbying to tweak HIPAA

  The Newspaper Association of America (NAA) is asking Congress to convince the Department of Health...

• FL Hospital cracks down after sale of hijacked patient information

  An employee at Orlando Regional Hospital copied patient information and attempted to sell that...

Issue 27, August 2, 2004

• Where can I find information on HIPAA violations?

  Where can I find information on organizations fined or penalized for HIPAA violations?

• Lawsuit filed against Texas Attorney General

  Texas open records laws and HIPAA are going head to head over requests for release of information...

• Guards privy to inmate medical treatment don’t violate HIPAA

  Corrections officers present during medical care of an inmate does not violate HIPAA, a Tennessee...

• Implantable microchips arouse FDA suspicions of potential privacy threat

  Imagine a microchip no bigger than a grain of rice injected under your skin for identification...

Issue 24, July 12, 2004

• HIPAA privacy standard

  My question concerns penalties for noncompliance with the HIPAA privacy standards. I understand the...

• Password management and the security rule

  I have some physicians arguing that they want computer accounts for which the passwords never...

• Kansas law guarantees patients access to their medical records

  Under House Bill 2813, which passed last week, the state of Kansas can now ask a district court to...

• Companies that linked privacy, security efforts more prepared for deadline

  Insurance companies that included security provisions in their HIPAA preparation for the privacy...

Issue 22, June 28, 2004

• Emergency mode operation plan v. the disaster-recovery plan

  How does the emergency mode operation plan implementation specification differ from the...

• Abortion clinic requirements violate patient privacy, rules federal court

  A federal appeals court declared unconstitutional Arizona laws that require abortion clinics to...

• HIPAA compliance included in new guidance

  More extensive discussions of risk and recommendations for HIPAA compliance and reduction of risk...

• HIPAA v. the greater good: TB case stirs debate

  The death of a Chesapeake, VA nurse from tuberculosis on June 12 is reason enough to forgo HIPAA...

Issue 21, June 21, 2004

• Business associates and HIPAA compliance

  What are our obligations for monitoring business associates for HIPAA compliance?

• Medical staff have loose lips when it comes to patient info, study claims

  Indiscrete conversations between clinicians in hallways, elevators, and over the telephone are...

• Policeman confused by HIPAA destroys evidence

  A Greenville, SC police officer flushed a bag suspected to be marijuana down the toilet under the...

Issue 20, June 14, 2004

• Protecting reporters of abuse from retaliation

  I'm the privacy officer for a health department in rural NC, where we are required by law to report...

• Hospital settles suit over disclosure of HIV patients’ identities

  An Oregon hospital settled a breach of privacy case in which a hospital employee allegedly...

• Flagging resident sex offenders to other patients violates HIPAA, claims nursing

  Patients at a Minneapolis nursing home weren’t aware of the sex offenders living in their...

• Web site gives families access to patient information, doesn't violate HIPAA

  After their experience caring for their severely ill son, a Chicago couple developed a Web-based...

Issue 19, June 7, 2004

• Access to the designated record set

  Are patients entitled to all of the information in the designated record set?

• HIPAA opponents appeal judge's decision

  The Appeal for Patient Privacy Foundation challenged the dismissal of the Citizens for Health suit...

Issue 18, May 31, 2004

• How much is enough when it comes to HIPAA training?

  I train all present and incoming staff at a behavioral health facility for children. How often...

• Police union files law suit against use of trooper medical records

  A police union recently filed a law suit that challenges a policy requiring New York state troopers...

• High-profile infanticide case prompts HIPAA-related law suit

  An Iowa couple is suing the Family Health Center of Storm Lake, IA, for releasing the wife’s...

• Authorities, victims criticize HIPAA delay in drunk driving case

  HIPAA restrictions kept Frank Parrish, North Caroline District Attorney, waiting an entire year for...

Issue 17, May 17, 2004

• Have there been any changes to HIPAA?

  It’s been one year since the privacy rule kicked in. Are there any changes to the rule? Do I...

• CMS helps covered entities understand new HIPAA edit requirements

  Come July 1, your claims will be held to different requirements as specified by HIPAA. In an effort...

• New privacy laws could be in the works

  A proposed amendment to the "Jumpstart Our Business Strength" (JOBS) legislation includes privacy...

• Two Maryland hospitals report few patients exercise privacy rights

  Fewer than 1% of patients at North Arundel Hospital in Glen Burnie, MD, opt out of the patient...

Issue 16, May 3, 2004

• Information from alternative locations

  As a healthcare provider, are we required to honor requests from individuals to send communications...

• Direct and indirect treatment relationships

  Would a covered entity providing services to individuals over the Internet constitute a direct or...

• DOJ bows out of abortion-records battle

  Before the judge had a chance to make a ruling, the U.S. Department of Justice (DOJ) backed down on...

• Bush to kick start EMR development

  President Bush announced his intentions to upgrade most Americans’ medical records to...

• California considering privacy law for autopsy reports

  California coroners may soon have to ask permission from the deceased’s family to release...

Issue 15, April 26, 2004

• Get upper management on board with the security rule

  Is there a way to convince management that security-rule compliance is just as important--if not...

• Separate waivers for research companies

  A few of our providers in a specialty clinic have created a clinical research company. Will they...

• Court still mum on government attempts at abortion medical records

  A court of appeals has still not made a decision about whether New York Presbyterian Hospital will...

• Judge blocks Kobe’s shot at accuser’s medical record

  The Judge presiding over the case of basketball star Kobe Bryant said the defense will not be...

• Qwest employee revealed as identity thief

  An employee of Qwest Diagnostics, one of the nation's largest diagnostic laboratories, has been...

Issue 14, April 19, 2004

• Disclosures in cases of abuse

  If we believe that a patient is the victim of abuse, neglect, or domestic violence, what...

• What do you do when a business associate misuses PHI?

  What are our duties, if any, if we believe that one of our business associates has misused...

• Survey shows 23% of respondents’ are fully HIPAA-compliant

  In honor of HIPAA’s first birthday the American Health Information Management Association...

• Nursing home accidentally posts PHI on Web

  A technical hiccup on a Florida-state government Web site allows unauthorized individuals to view...

Issue 13, April 12, 2004

• Minimum necessary requirement

  Does the minimum necessary requirement apply to all PHI disclosures?

• HIPAA causing trouble for Veterans

  HIPAA is blocking a veterans' interest group from providing necessary outreach programs, reports PR...

Issue 12, April 5, 2004

• Tip from an alert reader

  HIPAA Weekly Advisor reader Kathy Zeitz, corporate compliance officer of Methodist Health System in...

• HIPAA and disaster relief

  Are there any limits to our ability to disclose PHI for disaster relief purposes?

• Get the low down on policy and procedures

  Do the rules require us to prepare and maintain policies and procedures? Specifically, for which...

• As one man tries to put a chink in HIPAA's armor, NCVHS recommends changes

  A Seattle man who spent 29 hours probing hospital officials for information on his hospitalized...

• Privacy rule cooks up pricey research, lowers participation

  HIPAA-compliant consent forms for research caused rates of participation in one study to slump from...

• AHA backs software company with shaky background

  The American Hospital Association (AHA) endorsed software from Computer Associates International...

• HIPAA prompts CMS to alter data requirements

  The Centers for Medicare & Medicaid Services told providers and fiscal intermediaries that changes...

Issue 11, March 15, 2004

• Whistleblowers retaliation and HIPAA

  The regulations prohibit retaliation or intimidation against any person for several reasons.

• Three patient-request scenarios

  Test your expertise with these three patient-request scenarios.

• Plain-English HIPAA guidance

  Five brief instructional texts published in February by the Centers for Medicare and Medicaid...

• Nurse enforcing HIPAA slapped with obstruction-of-justice charge

  A nurse at a Wisconsin hospital, who snubbed a police officer in an attempt to protect a...

• Payers to fix claims by hand

  If your Medicare secondary payer (MSP) can't process your claim, the payer may have to make the...

• HIPAA takes center stage in controversial abortion case

  HIPAA is prompting federal judges to refuse to comply with Justice Department mandates for the...

Issue 10, March 8, 2004

• Medical billing from home

  If my office manager or administrator consents to my bringing patient charts home for billing, is...

• How do you convince management that Security Rule compliance is important?

  Q: Is there a way to convince management that Security Rule compliance is just as important, if not...

• Claims issues hold up payments

  Iowa hospitals last month cited missing claims and information disappearing from claims as two...

• Consumer group sues Kaiser Foundation over patient privacy violations

  The California Consumer Health Care Council (CCHCC) filed a representative-action lawsuit March 15...

• Why claims are rejected

  A new Medicare program transmittal contains more reasons why claims processors might send your...

Issue 9, March 1, 2004

• Authorizations for organ donation

  Covered entities can disclose PHI without individual authorization to organ procurement...

• Clearinghouses need improvement

  Clearinghouses have had a hard time producing HIPAA-compliant claims, according to a group that...

• Transmittals address claims

  Two new transmittals from the Centers for Medicare and Medicaid Services (CMS) should help you...

Issue 8, February 24, 2004

• Working at home

  Can you give me any information on working from your home, and obeying all the HIPAA rules and...

• Health Care Security Workgroup White Paper

  It may not be an all-inclusive guide to the privacy and security rules, but this new white paper...

• Vote on electronic health records

  Group releases draft electronic health record (EHR) descriptors.

Issue 7, February 16, 2004

• Data user agreements

  A data use agreement between you and the party receiving the data must contain the elements listed...

• Common HIPAA mistakes for EMS personnel

  Fire Engineering Magazine narrows down the nature of compliance obstacles to five main areas.

Issue 6, February 9, 2004

• When may a provider disclose PHI to medical device representatives?

  Providers can disclose PHI to medical device companies without authorization for treatment...

• HIPAA auditing tools: tests

  When you prepare an audit of your security and privacy procedures, you’ll need to narrow the...

• Disclosures to law enforcement

  A new guidance document may help improve relations between caregivers and law enforcement.

Issue 5, February 2, 2004

• Verifying the identity of public officials

  You may rely on certain forms of identification when you disclose PHI to a public official or a...

• Coordination-of-benefits transactions

  CMS may conduct provider education on data requirements under HIPAA.

• Privacy solutions

  Patients and caregivers at a Kansas City, KS, hospital have gotten used to compliance practices...

Issue 4, January 26, 2004

• Do we need written authorization policies?

  This specification should be met with something in writing, even if minimal.

• Claims compliance increases

  Compliance with HIPAA claims standards has risen to 50%.

• National provider ID released

  CMS unveils system that lets providers use the same ID regardless of how many health plans they...

Issue 3, January 19, 2004

• Whistleblowers liabilities

  The rules provide protection to a covered entity for whistleblower actions.

• Know your state regulations

  When it comes to federal and state privacy rules, even your state’s attorney general may not...

• Clinton to file EHR bill

  Senator Hillary Rodham Clinton (D-NY) mulls legislation calling for the creation of a nationwide...

Issue 2, January 12, 2004

• Auditing and monitoring for privacy compliance

  I think now, it's certainly very appropriate to institute your monitors.

• Disease outbreaks and confidentiality

  Hospitals and public health officials are facing a test of their ability to balance the public's...

• NY doctor sued

  George Harrison estate charges oncologist of violating Harrison's right to privacy.

Issue 1, January 5, 2004

• Q&A: HIPAA and patient directories

  A helpful approach to interpreting the rule in real life situations is to consider the...

• New authorization form

  New CMS memo lays out necessary elements for HIPAA-compliant authorization form.

• New authorization form

  New CMS memo lays out necessary elements for HIPAA-compliant authorization form.

• TCS compliance delays

  Covered entities request an extension on complying with HIPAA’s transactions and code sets...

Issue 44, November 29, 2004

• Can we sanction an employee who discloses PHI as a whistleblower?

  Can we sanction an employee who discloses protected health information as a whistleblower?

• Limbaugh case goes to FL Supreme Court

  Despite an October ruling that prosecutors did not violate radio personality Rush Limbaugh’s...

Issue 36, October 4, 2004

• What are our duties if we believe a BA misused our PHI?

  What are our duties, if any, if we believe that one of our business associates or limited data set...

Issue 28, August 9, 2004

• Yankees star relying on HIPAA to keep condition private

  There is much speculation circulating around the condition and diagnosis of Yankees’ first...

Issue 26, July 26, 2004

• Are there any limits on our ability to disclose information for disaster relief

  Are there any limits on our ability to disclose information for disaster relief purposes?

• WebMD pushes for HIPAA rollout plan

  The HIPAA regulations have so far not accomplished the government’s promises of...

• TCS causes greatest compliance difficulty, survey reveals

  Only 65% of providers, 62% of payers, and 64% of clearinghouses meet full compliance with the HIPAA...

• HIPAA halts grandparents in their tracks

  The Telegraph Herald in Iowa used to print birth announcements after receiving phone calls or...

Issue 25, July 19, 2004

• Maintenance of accounting of disclosures

  Our organization is still struggling to fully understand when we must maintain an accounting of...

• NSBA spells out HIPAA requirements for school districts

  A school district must meet all applicable HIPAA privacy rule requirements if "it has a...

• Companies monitor outbound e-mails to meet regulations, avoid exposure

  Thirty-one percent of companies with 1,000 or more employees employ at least one staff member to...

• Bankruptcy regulations hold medical records hostage

  When Sight Resource, the parent company of Vision Plaza’s 15 eye-care centers in Louisiana...