Free Corporate Compliance e-Newsletters

APCs Weekly Monitor Compliance Monitor Healthcare Auditing Weekly HIPAA Weekly Advisor Medicare Weekly Update The RAC Report

HIPAA Weekly Advisor

This e-mail newsletter delivers how-to advice and breaking news on HIPAA regulations each week. Stay informed on timely topics, security news and regulations, and analysis of proposed and final HIPAA rules that will ensure patient information security.

Subscribe »

2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001

HIPAA Weekly Advisor

Issue 51, December 19, 2005

• Disclosures to law enforcement if the death resulted from a criminal act

  A covered entity can disclose to a law enforcement official protected health information (PHI...

• CMS pushes for bulk enumeration of NPIs

  The Centers for Medicare & Medicaid Services (CMS) is pushing for emergency approval of bulk...

• Committee recommends process for claims attachment changes

  The Department of Health and Human Services (HHS) should provide an easier process for adding to...

• Connecticut HMOs forced to release information

  Health maintenance organizations (HMOs) that oversee state-funded Medicaid plans must allow the...

Issue 50, December 12, 2005

• How should we evaluate business associate security?

  How should we evaluate business associate security?

• New York hospital to use smart cards

  A new "patient smart card" program at Mt. Sinai Hospital in New York City will provide patients...

• HL7 to release new set of standards

  Health Level Seven (HL7) will release a new set of standards to its members that will provide a...

• Minnesota computer security lacking

  Members of Minnesota's Legislative Audit Commission testified to the state legislature that the...

Issue 49, December 5, 2005

• What should we do if one of our business associates misuses PHI?

  If a covered entity knows that a business associate or limited data set user is committing a...

• Hospital group advises CMS to issue ICD-10 rules before final claims attachment

  The claims attachment proposed rule would introduce elements that are not a part of the current...

• AMA issues recommendation on foreign business associates

  Physicians must conduct due diligence with foreign vendors and include appropriate HIPAA items in...

• Kansas issues HIPAA compliance grant to small hospital

  The Kansas Department of Health and Environment (KDHE) awarded an $8,600 grant to Pratt Regional...

Issue 48, November 28, 2005

• What does it mean to properly dispose of ePHI?

  In a nutshell, electronic PHI (ePHI) can be easily recovered off of hard drives, CD-ROMs, and other...

• HHS extends comment period for electronic claims attachments proposed rule

  The Department of Health and Human Services (HHS) has extended the public comment period for the...

• Proposed bill guards against identity theft

  A new bill would eliminate the use of Social Security numbers as patient identifiers and remove...

• Americans worried about healthcare privacy at work

  A recent survey finds that Americans are concerned about their privacy rights, especially at work.

Issue 47, November 21, 2005

• What options do we have for disposing of fax cartridges?

  We're not comfortable disposing of fax cartridges for fear of someone sifting through the garbage...

• Delaware lawmakers look to get around HIPAA privacy

  State legislators in Delaware are looking for ways to get around the HIPAA privacy rule so they can...

• DC emergency vehicle ride-alongs violate HIPAA

  The federal government recently prohibited Washington, DC, from operating a "ride-along" program...

• Government awards health information grants

  The government recently awarded $18.6 million in grants to develop a nationwide system for...

Issue 46, November 14, 2005

• Are there limits on our ability to disclose information for disaster relief purp

  Under certain conditions, covered entities can disclose information for disaster relief purposes.

• Microsoft backs new privacy rule

  Microsoft put its support behind a federal privacy rule that supersedes current federal and state...

• TransUnion loses data for 3,600 consumers

  One of the three major credit reporting companies in the nation, TransUnion, LLC, reported the...

• OCR posts Medicare FAQ

  Medicaid state agencies and Medicare Advantage plans may share protected health information (PHI...

Issue 45, November 7, 2005

• HIPAA allows disclosures of PHI without authorization when such disclosures are

  The regulations define "required by law" as a mandate contained in a law and enforceable by a court...

• House bill would establish new privacy standard

  A House bill introduced by Nancy Johnson (R-CT) would require the Department of Health and Human...

• Survey: Half of companies lack security procedures

  There are significant gaps in corporate data security, including a startling lack of security...

• House approves VA technology reorganization bill

  The House unanimously approved a bill that would give the chief information officer (CIO) of the...

Issue 44, October 31, 2005

• What will happen if a complaint is filed against us with HHS?

  What will happen if a complaint is filed against us with HHS?

• Interoperability commission argues for IT adoption

  In an October 25 report, the Commission on Systemic Interoperability (CSI) urged the federal...

• HIMSS forms RHIO federation

  The Health Information and Management Systems Society (HIMSS) established the HIMSS Regional Health...

• Hawaii hospital loses data for 130,000 people

  Wailuku, Maui-based Wilcox Memorial Hospital (WMH) lost a computer data drive containing 12 years...

Issue 43, October 24, 2005

• Can we ever deny a request for an accounting?

  Requests can only be denied when made by the personal representative of the individual and under...

• Tennessee officials use HIPAA privacy to shield hearings from media

  Tennessee state officials cited HIPAA privacy when they refused to disclose the names of people...

• HIMSS awards three practices for health information technology

  The Health Information and Management Systems Society (HIMSS) honored three physician practices for...

• HHS fails to report malpractice claims from 1997 to 2004

  The Department of Health and Human Services (HHS) failed to report to the National Practitioner...

Issue 42, October 17, 2005

• Colorado mental treatment case highlights privacy rule

  A hospital cited HIPAA and other state and federal privacy laws when it told the parents of a...

• Q: Do the regulations specify what ’mitigation’ means in the context of an impro

  No. The commentary to the regulations states that the Department of Health and Human Services (HHS...

• Survey: Small, rural facilities aren’t adopting IT

  Most community hospitals are committed to adopting information technology (IT), though small...

• Americans support EHRs but have security concerns

  Most Americans support electronic health records (EHRs) as long as they are secure and private...

Issue 41, October 10, 2005

• How do we know if information is deidentified?

  How do we know if information is deidentified?

• University Hospital faces class-action lawsuit over disclosures

  A University of Missouri facility must defend itself against a class-action lawsuit brought on...

• Survey: Laptops most stolen at the office

  A survey by Credant Technologies found that the most common place laptops are stolen is at the...

• HHS announces three health IT contracts

  The Department of Health & Human Services (HHS) awarded three contracts to public and private...

Issue 40, October 3, 2005

• Is the JCAHO considered a health oversight agency that we can disclose informati

  No. The definition of health oversight agency does not include private organizations, such as...

• CMS releases evaluation version of Vista-Office®

  The Centers for Medicare & Medicaid Services (CMS) released an evaluation version of Vista-Office...

• Groups gather Katrina evacuees’ medical information

  A group of pharmacies and providers have compiled medical information on Hurricane Katrina evacuees...

• Children’s records stolen from CA treatment center

  Sensitive patient information was stolen from the Children’s Health Council (CHC), a Palo...

Issue 39, September 26, 2005

• Kaiser Permanente discloses ID numbers for almost 200,000 members

  Kaiser Permanente accidentally printed member identification numbers on a mailing label for the...

• HHS publishes proposed rule for electronic health care claims attachments

  HHS published a proposed rule adopting standards for electronic health care claims attachments in...

• Do we need to verify identity for prescription pickup?

  Prescription pick-up.

Issue 38, September 19, 2005

• Privacy officer necessary for subsidaries?

  Our organization has many subsidiaries. Are we required to designate a separate privacy officer for...

• HHS extends expiration date for interim final enforcement rule

  The Department of Health and Human Services (HHS) extended the expiration date for HIPAA's interim...

• HHS names new interoperability committee members

  HHS Secretary Mike Leavitt recently selected commissioners for the American Health Information...

• OCR issues enforcement bulletin for Katrina

  The Office for Civil Rights (OCR) issued a September 9 bulletin explaining how it will enforce...

• Hospitals address bracelet concerns

  Medical bracelets, which often contain personal information such as the patient’s Social...

Issue 37, September 12, 2005

• Unsure about "opt-out" rule?

• HHS issues HIPAA advisory in wake of Katrina

  The Department of Health and Human Services (HHS) issued a September 2 advisory that clarified the...

• WEDI posts NPI presentations

  The Workgroup for Electronic Data Interchange (WEDI) posted presentations from the 2005 WEDI NPI...

• OCR posts new FAQ on PHI disclosure

  The HHS Office for Civil Rights (OCR) posted a new frequently asked question on its Web site.

Issue 36, September 5, 2005

• Is an authorization ever required for underwriting purposes?

• Blue Cross exposes PHI of close to 200 policyholders

  Blue Cross and Blue Shield of Florida last month inadvertently disclosed the Social Security...

• CMS postpones NPI Roundtable

  CMS has postponed the September 14 HIPAA National Provider Identifier (NPI) Roundtable. The program...

• WEDI posts NPI whitepapers

  The Workgroup for Electronic Data Interchange (WEDI) posted two new whitepapers August 25 on the...

Issue 35, August 29, 2005

• Can the compliance officer and ISO be the same person?

• OCR pushing for publication of final enforcement rule

  With HIPAA's interim enforcement rule set to expire September 16, an extension is a definite...

• Central Ohio Women's Center claims investigation violates HIPAA

  The Central Ohio Women's Center (COWC), in Columbus, OH, filed a federal lawsuit August 22 to block...

• OCR posts FAQ on disclosing PHI for retiree drug subsidy

  Group health plans and health insurance issuers can disclose PHI to plan sponsors for the retiree...

Issue 34, August 22, 2005

• What are our liabilities if one of our employees or business associates disclose

• Study shows HIPAA compliance hurts pediatric coverage

  HIPAA has inadvertently resulted in reduced Medicaid coverage for child development services...

• CMS releases new security paper on risk analysis, management

  Organizations looking for additional guidance on risk analysis and management can find a new...

• NIST to help identify security vulnerabilities

  Before you buy that new software, you may want to check the National Institute of Standards and...

Issue 33, August 15, 2005

• Should I consider encrypting the hard drives of all my systems to ensure the saf

• Impermissible use of PHI, lack of adequate safeguards top list of privacy compla

  In the more than two years since most organizations first had to comply with HIPAA's privacy rule...

• AHA provides guidelines for releasing PHI to law enforcement

  The privacy regulations allow covered entities to disclose PHI to law enforcement officials only...

• CCHP pushes for stronger enforcement

  In order to better enforce the HIPAA regulations, HHS needs to launch a public education campaign...

Issue 32, August 8, 2005

• What are "data aggregation" activities that a business associate may provide?

• Survey shows compliance efforts still lagging

  Even though the security rule's compliance date passed several months ago, more than half of...

• CMS to cease processing of noncompliant transactions

  Organizations not ready to submit HIPAA-compliant electronic Medicare claims will be out of luck as...

• Texas courts to debate preemption

  A Texas trial court ruled that a state law ensuring public access to government records doesn't...

Issue 31, August 1, 2005

• What's the best way to encrypt e-mail?

• Computers stolen from hospital's business associate

  Two computers storing files with patients' names, dates of birth, and medical account numbers were...

• School district posts former students' PHI online

  The medical, family, and behavioral histories of 56 former students were posted on the Willamette...

• WEDI working to bring providers and payers together

  The Workgroup for Electronic Data Interchange (WEDI) is working to enable providers and payers to...

Issue 30, July 25, 2005

• What is a plan sponsor?

• Civil monetary penalties for HIPAA violations to be made public

  Organizations that are found guilty of HIPAA violations and handed civil monetary penalties will...

• OHS changes name

  Those looking for HHS' Office of HIPAA Standards (OHS) will have a hard time finding it. The OHS...

• Americans believe e-records are more secure

  More than half of Americans are concerned about the privacy and security of paper medical records...

Issue 29, July 18, 2005

• What should we do if someone outside our organization hacked into our computer s

• PHI stolen from insurer

  The PHI of 57,000 patients was stolen from an Arizona managed care company June 29, when someone...

• SHARP to hold enforcement teleconference

  Organizations wondering what to expect from the pending final HIPAA enforcement rule may get some...

• CMS posts transcript of NPI roundtable

  CMS recently posted the transcript of its June 22 National Provider Identifier (NPI) roundtable.

Issue 25, June 20, 2005

• How often should we use tools to test our system’s vulnerability?

  How often should we use tools to test our system’s vulnerability?

• CMS creates plan to transition to NPIs

  If you’re worried about switching over to the National Provider Identifier (NPI), worry no...

• Health plan alleges computer hackers stole company data

  Medica Health Plans alleged that two former employees stole confidential information from the...

• OCR posts FAQ on disclosing PHI to a Protection & Advocacy system

  The Office for Civil Rights (OCR) posted to its Web site Wednesday a new frequently asked question...

Issue 24, June 13, 2005

• What activities are considered to be related to the quality, safety, or effectiv

  What activities are considered to be related to the quality, safety, or effectiveness of an...

• DOJ limits privacy-related prosecutions

  Although HIPAA's privacy rule allows the government to prosecute healthcare organizations for...

• HHS provides NPI instructional tool

  May 23rd brought the beginning of the National Provider Identifiers (NPI) application process and...

• CMS posts new security papers

  Organizations looking to further understand HIPAA's security rule can find five new papers posted...

Issue 21, May 23, 2005

• How long must we provide access to patients who ask to see their PHI?

  How long must we provide access to patients who ask to see their PHI?

• National Provider Identifiers now available

  Beginning today, May 23, 2005, providers-including physicians, dentists, pharmacists, hospitals...

• HIPAA-related objection causes stir in court

  In a child-abuse hearing in Idaho last week, the attorney for the defense incorrectly used HIPAA to...

• Law enforcement recovers stolen computers, charges former medical worker

  Law enforcement officials in San Jose, CA recovered recently stolen disks and computers containing...

Issue 20, May 16, 2005

• Is IM to communicate at work an acceptable practice under HIPAA?

  Is instant messaging (IM) to communicate at work an acceptable practice under HIPAA?

• CMS issues NPI ’Dear Provider’ letter

  CMS May 6 issued a letter to healthcare providers detailing the requirements and steps providers...

• Hospitals will increase spending to comply with HIPAA, research reveals

  Sixty percent of small- to medium-sized hospitals that participated in recent research by...

• CMS answers WEDI concerns regarding NPI

  CMS Monday responded to the Workgroup for Electronic Data Interchange’s (WEDI) concerns...

Issue 19, May 9, 2005

• What measures should we take to reduce inappropriate access to PHI of VIPs?

  What special measures should we take to reduce the likelihood of inappropriate access to PHI of...

• CMS releases FAQs on HIPAA security

  The Centers for Medicare & Medicaid Services (CMS) posted on its Web site Thursday five new...

• HIPAA causes more healthcare facilities to secure patients records off site

  Spending on information-technology systems nationally will likely reach $417 billion this year and...

• CA bill requiring providers to name HIV patients worth privacy risk

  A bill pending in the California legislature would require healthcare providers (including doctors...

Issue 18, May 2, 2005

• What are our documentation responsibilities with respect to NPPs?

  What are our documentation responsibilities with respect to NPPs?

• Tenet agrees to release documents about physician relocation

  Tenet Healthcare Corporation agreed Friday to cooperate with a subpoena for documents concerning...

• Stolen computers contain data of 16,000 TX hospital patients

  The PHI of 16,000 patients may have been compromised when two computers were stolen from Gateway...

• Law firm in Vioxx case calls for full disclosure of documents

  Beasley, Allen, Crow, Methvin, Portis & Miles, P.C.-the national law firm taking the first Vioxx...

Issue 17, April 25, 2005

• How often must we give the same patient an NPP?

  How often must we give the same patient an NPP?

• HHS publishes NPRM on HIPAA enforcement

  The Department of Health and Human Services (HHS) published in Monday’s Federal Register a...

• Fight over release of medical records moves to court

  Last month, Planned Parenthood of Indiana filed suit to block the Indiana attorney general from...

• SC hospitals ready for HIPAA deadline

  Unlike many organizations still scrambling to meet the HIPAA security deadline that went into...

Issue 16, April 18, 2005

• Is an authorization required before we make a disclosure about child abuse?

  Is an authorization required by anyone before we make a disclosure about child abuse?

• AHA requests clarification, guidance on NPI

  Without clear guidance and a central authority to answer questions, the National Provider...

• Survey reveals compliance numbers for privacy, security on the rise

  Forty-five percent of hospitals and health systems that responded to an American Health Information...

• Lawmakers to introduce bill protecting patient, consumer privacy

  Senator Hillary Rodham Clinton (D-NY) and Representative Edward Markey (D-MA) Thursday announced...

Issue 15, April 11, 2005

• When can we deny a request from a patient to amend PHI?

  When can we deny a request from a patient to amend PHI?

• Hospital bills fly off truck, onto streets of Cleveland

  Three thousand itemized hospital bills from Lakewood and Marymount hospitals, both part of the...

• Impromptu visit to health department raises privacy concerns

  A visit in late March to the new location of the Hartford (CT) health department by elected city...

• CMS to host HIPAA roundtable

  The Centers for Medicare & Medicaid Services (CMS) will host a National HIPAA Security Roundtable...

Issue 14, April 4, 2005

• What are our duties when we receive a subpoena for records or other PHI?

  What are our duties when we receive a subpoena for medical records or other protected health...

• CMS releases process for filing nonprivacy-related complaints

  CMS released guidance last Friday for filing complaints with HHS regarding incidents of...

• NIST issues special publication on HIPAA security

  The National Institute of Standards and Technology (NIST) released last week a special publication...

• CMS publishes third HIPAA security white paper

  CMS published last week the third white paper in its HIPAA security series. This paper touches on...

Issue 13, March 28, 2005

• What is an organized healthcare arrangement (OHCA)?

  What is an organized healthcare arrangement (OHCA)?

• News team discovers documents containing PHI near dumpster

  On the ground behind a dumpster at Guadalupe Medical Center, a Las Vegas news team discovered 40...

• ’Diva of Disgruntled’ ordered to stop posting patient info online

  Superior Court Judge James Richman on Wednesday ordered former Kaiser employee Elisa Cooper-more...

• Majority of SMBs not yet HIPAA-compliant, according to ITSPA

  Only 18% of small- and medium-sized businesses (SMBs) including healthcare providers and 30% of...

Issue 12, March 21, 2005

• Do we need authorization prior to disclose patient location?

  Do we need authorization prior to disclosing information regarding the location of a patient?

• Newspapers sue for release of 9-1-1 tapes

  Louisiana’s Gannett newspapers and the Louisiana Press Association Wednesday sued the East...

• ’Diva of Disgruntled’ posts confidential patient information in Weblog

  A disgruntled former employee of Kaiser Permanente-a woman who calls herself the "Diva of...

Issue 11, March 14, 2005

• What is a healthcare clearinghouse?

  What is a healthcare clearinghouse?

• Philadelphia appeals court hears challenge to HIPAA privacy law

  The Federal Appeals Court in Philadelphia heard a challenge Wednesday to the HIPAA privacy...

• OCR posts two new HIPAA FAQs

  The Office for Civil Rights (OCR) posted on its Web site Tuesday two new frequently asked questions...

• Pharmacists in CA worry new credentialing program violates HIPAA

  A new pharmacy credentialing program by CalOptima, a health management organization in California...

Issue 10, March 7, 2005

• Does HIPAA require any specific statements in our fundraising material?

  Does HIPAA require any specific statements in our fundraising material?

• KY to create HIPAA-compliant electronic health network

  The Kentucky state government passed a bill Thursday that authorizes the creation of a statewide...

• State promises solution to payment problems from HIPAA-compliant billing system

  Providers in Maine who have been treating Medicaid patients for two months without receiving...

• Software solutions company to test Medicare claims attachments

  This spring, NextGen Healthcare Information Systems, Inc., a company that provides electronic...

Issue 9, February 28, 2005

• Must we black out other patient names on EOBs when billing secondary insurer?

  Must we black out other patient names on Medicare EOBs when billing a secondary insurer for only...

• Worry about privacy risks associated with EMRs could impede process

  Forty-seven percent of U.S. adults say risks to the privacy of their medical information outweigh...

• KS abortion clinics ask state Supreme Court to intervene

  Two Kansas abortion clinics have asked the state Supreme Court to step in against Attorney General...

• E-mail error reveals names of 6,500 AIDS/HIV-positive patients

  A Palm Beach (FL) County health department statistician e-mailed Thursday a highly confidential...

Issue 8, February 21, 2005

• Are collection agencies our business associates?

  Are collection agencies our business associates?

• Less than one-quarter of providers ready for HIPAA security, survey reveals

  Despite less than two months to go before the HIPAA security deadline, only 18% of providers and...

• Group asks for modifications to HIPAA privacy rule

  The Confidentiality Coalition-a group founded to advance effective patient confidentiality...

• Experts suggest focus on patient safety, quality with HIT

  At the recent HIMSS annual conference, Dr. Carolyn Clancy, Agency for Health Quality and Research...

Issue 7, February 14, 2005

• Do we need authorization before using a patient’s PHI for marketing?

  Do we need authorization before using a patient’s PHI for marketing?

• HIPAA appears on top 10 list of ways to avoid litigation

  Employers who separate medical records and personnel files and refrain from discussing...

• Alliance ’steps up’ e-prescribing efforts in MD

  Twenty-seven healthcare organizations in Maryland joined to form the Safety Through Electronic...

• State attorney general opinions differ on information disclosure in emergencies

  In Mississippi, Attorney General Jim Hood ruled that the health information of victims in...

Issue 6, February 7, 2005

• Are the security controls mandated by HIPAA security enough to protect ePHI?

  Are the security controls mandated by the HIPAA security rule enough to protect ePHI?

• Study shows HIPAA privacy negatively affects research recruitment

  HIPAA privacy regulations have caused recruitment for research to decrease by half, according to...

• NY Supreme Court allows defense to question treating physicians

  In a malpractice case in New York state, the state Supreme Court granted the request of defendants...

• Snail pace of IT adoption could harm healthcare industry

  Thirty-eight percent of healthcare executives say the slow adoption of information technology (IT...

Issue 5, January 31, 2005

• How can I tell whether someone has hacked into my network?

  Sometimes, a slow computer or network performance, modified data, missing data, or critical log...

• Collaborative seeks input on healthcare claims attachments

  Using three surveys broken down by provider type, a group consisting of the Association for...

• EHNAC seeks comments on healthcare network registry criteria

  The Electronic Healthcare Network Accreditation Commission (EHNAC), a group that accredits entities...

• President Bush highlights benefits of healthcare IT

  During a speech at the Cleveland Clinic on Friday, President Bush demonstrated his support of more...

Issue 4, January 24, 2005

• Under HIPAA, can we still report vital statistics such as births and deaths?

  Under HIPAA, can we still report vital health statistics such as births and deaths?

• OCR answers unresolved questions on PHI disclosure and litigation

  The Office of Civil Rights (OCR), the HIPAA privacy rule enforcement agent within the Department of...

• Groups offer recommendations for national HIT network

  In response to a Request for Information (RFI) issued by the U.S. Office of the National...

• VeriChip VP offers assurance on privacy of RFID technology

  In a presentation to the Subcommittee on Privacy and Confidentiality of the National Committee on...

Issue 3, January 17, 2005

• Is a BA agreement always required when disclosing patient info for healthcare?

  Is a business associate agreement always required when disclosing patient information for...

• New IT program helps CEs meet HIPAA standards

  Enterprise Configuration Manager/HIPAA IT is the latest tool developed by Configuresoft to address...

• Physicians’ use of iPods may impact patient privacy

  Medical professionals have begun using the iPod to store and manipulate medical images; however...

• Healthcare Suite aids facilities with admin capabilities

  Without forcing facilities to alter systems they already have in place, Healthcare Suite, a new...

Issue 2, January 10, 2005

• Are the JCAHO and other accrediting agencies health oversight agencies?

  Are the JCAHO and other accrediting agencies considered health oversight agencies such that we can...

• Boxer sues over unauthorized release of medical records

  Heavyweight boxer Joe Mesi is suing a New York medical clinic and the New York State Athletic...

• Group claims newspaper series violated HIPAA

  The nonprofit organization Friends of King Drew filed a complaint against the Los Angeles Times and...

• HIMSS, URAC team up on marketing effort to help members comply with HIPAA

  The Healthcare Information and Management Systems Society (HIMSS) and the nonprofit accreditation...

Issue 1, January 3, 2005

• What are our duties when we receive a subpoena for medical records or other PHI?

  What are our duties when we receive a subpoena for medical records or other protected health...

• HHS releases final rule on access to group health coverage

  HHS issued Wednesday a final regulation on access to group health coverage, setting limits on the...

• Filth at Denver VA hospital hinders patient care, privacy

  A federal investigation by the Office of the Inspector General (OIG) at Denver’s Veterans...

• NC group to research national health information network

  Responding to a request for information from David Brailer, national coordinator of health...