Free Corporate Compliance e-Newsletters

APCs Weekly Monitor Compliance Monitor Healthcare Auditing Weekly HIPAA Weekly Advisor Medicare Update for Physician Services Medicare Weekly Update The RAC Report

HIPAA Weekly Advisor

This e-mail newsletter delivers how-to advice and breaking news on HIPAA regulations each week. Stay informed on timely topics, security news and regulations, and analysis of proposed and final HIPAA rules that will ensure patient information security.

Subscribe »

2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001

HIPAA Weekly Advisor

Issue 49, December 11, 2006

• Can a physician's office give test results directly to a patient over the phone?

  Giving test results to a patient during a telephone conversation is fine, as long as you know...

• Wisconsin hospital employee charged with identity theft

  The patient liaison at a Wisconsin hospital faces felony charges after allegedly using PHI to apply...

• Michigan considers identity theft bill

  Michigan may become the latest state to require business and government agencies to notify victims...

• Employers consider PHRs, face privacy concerns

  Three big companies-Wal-Mart, Intel, and British Petroleum-are collaborating on a plan to provide...

Issue 48, December 4, 2006

• When calling patients regarding appointment times, how much information can we l

  To comply with the privacy rule's "minimum necessary" standard, you should leave the least amount...

• AHIC workgroup focuses on privacy

  The American Health Information Community (AHIC) should create policies to require consumer...

• Women’s records disappear from Indiana cancer program

  Thieves stole two computers that contained the health records of more than 7,500 women patients of...

• New FAQ addresses NPI

  Institutions should include their own national provider identifiers (NPI) in the "attending...

Issue 46, November 20, 2006

• Is it a HIPAA violation for physicians to take patient charts home?

  The privacy and security rules do not explicitly prohibit a provider from taking charts off site...

• Security breach threatens patients, donors

  Akron Children's Hospital on September 6 discovered security breaches involving two databases that...

• Ohio University upholds dismissals

  Ohio University Provost Kathy Krendl upheld the dismissal of two information technology...

• Data-level security takes center stage

  Security controls at the data-level are the new concern for information technology (IT...

Issue 45, November 13, 2006

• Must we create a notice of privacy practices if we don’t bill patients or transf

  If your EMS unit does not bill patients electronically or transmit other covered transactions...

• NIST report outlines proper information security management

  Information security policies should include a clear and distinct section devoted to requirements...

• CMS produces, fixes noncompliant transactions

  CMS' October 2, 2006 Fiscal Intermediary Shared System (FISS) release introduced error conditions...

• Man sentenced for stealing hospital computers

  A federal judge in Madison, WI, sentenced a man on October 31 to 18 months in prison and ordered...

Issue 44, November 6, 2006

• Is it a HIPAA violation to have a patient sign-in sheet at the front desk?

  No. However, you should evaluate your current practices in light of HIPAA's minimum necessary rule.

• Another VA computer missing

  A computer containing the information of 1,600 veterans disappeared from the New York campus of the...

• Lawsuit cites HIPAA violation

  A man is suing The Sisters of St. Francis Health Services Inc., an Indiana-based hospital system...

• UK health data plan raises privacy concerns

  Privacy groups in the United Kingdom (UK) are criticizing the government's plan to upload the...

Issue 43, October 30, 2006

• Is it a HIPAA violation when the name of our radiology practice appears on patie

  No. HIPAA does not require you to block the name of your radiology practice.

• Workgroup weighs user authentication standards

  The Confidentiality, Privacy, and Security Workgroup is considering whether to recommend a standard...

• Medical center employee steals PHI

  Seattle-based Swedish Medical Center is sending letters to 1,100 patients to warn them about...

• Thieves take laptop from car

  Minneapolis-based Allina Hospitals & Clinics is alerting patients that thieves stole a nurse's...

Issue 42, October 23, 2006

• Is it secure to house the health information management (HIM) department with an

  This arrangement is insecure if the HIM department simply shares a large, open office space with...

• NCVHS to advocate expanding HIPAA protections

  HHS should extend the privacy and security requirements to cover exchanges of information by...

• Survey: More providers obtaining NPIs

  Almost 67% of providers have applied for their national provider identifiers (NPIs), up from 39% in...

• One-third write down passwords

  Approximately one-third of enterprise computer users write down their passwords, according to a...

Issue 41, October 16, 2006

• Is it reasonable for a BA to include a statement that security isn’t guaranteed?

  Your business associate (BA) is only being realistic. Information security can never be guaranteed...

• HIPAA privacy case may continue

  A HIPAA privacy case that the United States Supreme Court recently declined to hear may not be dead...

• CMS offers information about NPI, Medicare

  Providers using paper claims to bill Medicare must obtain an NPI and use it by the May 23, 2007...

• Stolen laptop didn’t contain patient information

  A stolen laptop that hospital officials believed contained data from 257,800 patients did not...

Issue 40, October 9, 2006

• What can we do to build security into our business associate agreements?

  Include language that requires the BA to implement reasonable and widely accepted security...

• Supreme Court refuses HIPAA consent case

  The United States Supreme Court on October 2 refused to hear a HIPAA privacy case that could have...

• Providence reaches data breach settlement

  Providence Health System must continue to provide 12 months of free credit monitoring to patients...

• NIST releases security guides

  Organizations should develop policies that clearly define requirements for security log management...

Issue 39, October 2, 2006

• What software can we use to erase information off disks for disposal?

  There are many tools that can perform Department of Defense-level sanitization, including X-Ways...

• Facility uncovers inappropriate access

  The New York City Health and Hospitals Corporation (HHC) will discipline 39 employees of Woodhull...

• CMS: If you don’t transmit, you’re not a covered entity

  A provider that receives health information electronically but does not transmit any electronic...

• CMS provides NPI guidance

  To ensure payment of claims while CMS tests software developed to handle the NPI, providers should...

Issue 38, September 25, 2006

• Must we verify the identity and authority of law enforcement officials?

  Yes.

• GAO: HHS lacks strong security program

  HHS has significant weaknesses in controls designed to protect the confidentiality, integrity, and...

• Missing VA computer recovered

  Authorities recovered a desktop computer stolen from the office of a Department of Veterans Affairs...

• AMIA urges national solutions to secondary data use

  The access to and use of aggregated data is an increasing challenge as electronic health records...

Issue 37, September 18, 2006

• What should we do if a business associate (BA) misuses our PHI?

  If you know the BA has violated its contract, you must take reasonable steps to mitigate the breach...

• DOJ charges two under HIPAA

  Florida prosecutors have indicted two people for charges that include a criminal violation of HIPAA...

• McClellan resigns as CMS administrator

  Mark B. McClellan, MD, PhD, administrator of the Centers for Medicare & Medicaid Services (CMS...

• AHIMA issues recommendations on state-level HIE programs

  The federal government should make a clear stand in support of all effective state-level health...

Issue 36, September 11, 2006

• Can employees with computer privileges access their own PHI?

  This represents two issues. Employees can access their own PHI. There are no provisions in the...

• GAO report: CMS should standardize privacy breach reporting

  More than 40% of federal contractors and Medicaid agencies responding to a Government...

• NIST releases forensics guide, draft publications

  Organizations should include clear statements addressing all major forensic considerations in their...

• NPI training modules available

  Healthcare organizations do not have to be covered entities under HIPAA in order to apply for an...

Issue 35, September 4, 2006

• Must we honor individual requests for restrictions on uses or disclosures?

  No. HIPAA clearly states that you are not required to agree to restrictions. The HHS commentary...

• Must we honor individual requests for restrictions on uses or disclosures?

  No. HIPAA clearly states that you are not required to agree to restrictions. The HHS commentary...

• NIST provides media sanitization guide

  Media sanitization is vital to ensuring information security, according to the recently released...

• States to examine role in HIT adoption

  State governments' role in health information technology (HIT) adoption is the topic of a...

• Stolen laptop contains PHI

  A laptop computer recently stolen from Washington-based Compass Health contains PHI, the mental...

Issue 34, August 28, 2006

• Can we notify the fire department if we treat a child for burn injuries?

  You could consider children playing with matches to be victims of neglect, but you would then be...

• CMS provides NPI guidance

  If you plan to retire in April 2007 but will not be submit some claims until after the May 23, 2007...

• Federal agencies fail to meet OMB security deadline

  Federal agencies are having trouble complying with a recent memo from the Office of Management and...

• Stolen laptop recovered

  Michigan-based Beaumont Hospitals has recovered a laptop taken during the theft of a home...

Issue 33, August 21, 2006

• Can I track down patients with rare blood types and ask them to donate?

  The privacy rule allows you to use PHI without authorization for treatment, payment, and healthcare...

• CMS to require taxonomy codes on claims

  As part of NPI implementation, CMS will require providers submitting claims for their primary...

• VA to use encryption on all computers

  All agency computers will be upgraded with data security encryption immediately, the Department of...

• Information for 6,000 patients stolen

  More than 6,000 patients of Bellingham, WA-based Madrona Medical Group are at risk for identity...

Issue 32, August 14, 2006

• When should we voluntarily tell patients about privacy breaches?

  Many organizations have struggled with this issue, trying to balance protecting the patient from...

• Second VA computer disappears

  The information of approximately 38,000 patients may be at risk after a Department of Veteran...

• Democrats call for VA secretary’s resignation

  Senate Democrat Harry Reid (NV) called on Department of Veterans Affairs (VA) Secretary Jim...

• CMS provides NPI guidance for Medicare DME suppliers

  CMS will link Medicare provider numbers with NPIs and require Medicare durable medical equipment...

Issue 31, August 7, 2006

• Can we notify police when our hospital discharges a patient who is a suspect?

  HIPAA allows you to disclose limited information to law enforcement officials to help them identify...

• HIMSS, Internet2 partnership to develop secure health information network

  Developing a secure, reliable, and advanced health information network is the aim of a new...

• Data companies challenge state disclosure law

  A New Hampshire law that restricts access to physicians' prescription information is being...

• Georgia insurers offer personal health records

  Two of Georgia's major insurers, Blue Cross and Blue Shield of Georgia and Kaiser Permanente, are...

Issue 30, July 31, 2006

• How should we verify identity during a phone request to change a password?

  Develop a policy and procedure that include types of identifying information the individual must...

• CMS: NPI applicants should include all legacy numbers

  Providers should include both Medicare and non-Medicare legacy identifiers on their NPI...

• NCVHS calls for evaluation of transaction/code set ROI

  The Department of Health and Human Services (HHS) should work to improve the return on investment...

• E-prescribing pilot suspended after data breach

  Washington, DC-based Georgetown University Hospital (GUH) suspended an electronic prescribing...

Issue 29, July 24, 2006

• Are confidentiality disclaimers a way to comply with HIPAA?

  The confidentiality notices that are appended to e-mail (and often to confidential faxes) do not...

• VA scraps credit monitoring

  The Department of Veterans Affairs (VA) will halt individual credit monitoring for data breach...

• CMS and SHARP provide free teleconferences

  The Southern Healthcare Administrative Regional Process (SHARP) and CMS Regions IV and VI are...

• OMB revises incident reporting policy

  Federal agencies must report all security incidents involving personally identifiable information...

Issue 28, July 17, 2006

• Should we make employees request their medical record from HIM?

  No. Most organizations require members of the work force (e.g., physicians, employees, temporaries...

• VA Inspector General blasts agency’s actions, policies

  Information security officials at the Department of Veterans Affairs (VA) acted with "indifference...

• CMS to end contingency plan for 835 transaction

  CMS' contingency plan for HIPAA transaction 835, or Electronic Remittance Advice (ERA), will expire...

• PCI standard updates to focus on new threats

  Updates to the Payment Card Industry (PCI) data security standard might include a new focus on...

Issue 27, July 10, 2006

• Can we notify a person who’s been exposed to a communicable disease?

  You can disclose PHI without authorization to a person who may have been exposed to a communicable...

• OMB: Agencies must ensure remote security

  Federal departments have 45 days to ensure their security procedures meet the recommendations of...

• Report claims breaches have minimal effect on share price

  Although companies risk liabilities, fines, and loss of reputation, sales, and partnerships from...

• CalRHIO to study privacy/security, interoperability

  California's regional health information organization (CalRHIO) and the California Office of HIPAA...

Issue 26, July 3, 2006

• Can we disclose information sensitive PHI to a payer?

  The privacy rule does not offer special protections for sensitive information, such as treatment...

• FBI recovers VA laptop

  The Federal Bureau of Investigation (FBI) recovered the laptop at the center of a Veterans Affairs...

• CMS, WEDI provide NPI guidance

  CMS is offering the following NPI events, sponsored by the Workgroup for Electronic Data...

• OCR offers emergency planning disclosure resource

  A covered entity may disclose the minimum necessary PHI to a protected health authority for the...

Issue 25, June 26, 2006

• Should we prevent family members from entering the emergency department?

  The privacy rule requires you to take reasonable steps to limit incidental disclosures, including...

• Clinton pushes for comprehensive privacy law

  A privacy bill of rights that better enforces medical privacy protections and sets clear rules on...

• Texas public information laws override HIPAA

  State health authorities cannot use HIPAA to withhold information covered by public information...

• Theft exposes data for 9,800

  The personal information of 9,800 prospective and actual organ recipients is at risk after a thief...

Issue 24, June 19, 2006

• Can we use patient information to demonstrate operational processes?

  Yes.

• VA secretary calls for stronger penalties for civil service

  HIPAA should be a model for tougher penalties for federal employees who mishandle or misuse...

• GAO: VA still failing to protect information

  Steps the VA has taken to combat information security lapses after its recent data breach "have not...

• AIG server stolen

  The personal information of approximately 930,000 prospective beneficiaries is at risk after a...

Issue 23, June 12, 2006

• What does HIPAA say about handling a friend’s/relative’s PHI?

  The employee's role depends on his or her relationship with the patient.

• CMS to continue voluntary compliance policy

  CMS will "for the foreseeable future" continue to seek voluntary compliance with the security and...

• Gartner: Data protection costs less than breach cleanup

  Paying for cleanup after a data breach is more than five times as expensive as using tools-such as...

• Humana faces HIPAA scrutiny over data security lapse

  Personally identifiable data for approximately 17,000 Medicare beneficiaries enrolled in a health...

Issue 22, June 5, 2006

• Does HIPAA require us to keep the server room locked at all times?

• Privacy group calls for immediate review of VA breach

  HHS Secretary Mike Leavitt should immediately conduct a full compliance review of the U.S...

• Less than one year remaining until NPI deadline

  May 23, 2007, is the date most providers must begin using their NPIs to identify themselves in...

• HIMSS, AFEHCT form information systems initiative

  The Healthcare Information and Management Systems Society (HIMSS) and the Association for...

Issue 21, May 29, 2006

• Can a complaint be filed with HHS without first notifying the covered entity?

  Yes. The HHS commentary states that requiring complainants to first notify the covered entity would...

• VA data breach affects 26.5 million veterans

  The personal information of over twenty-six million veterans was compromised after a thief stole...

• States to study health information privacy and security

  Twenty-two states have received grants to participate in a study of privacy and security concerns...

• HHS seeks input on personal data emergency system

  HHS is seeking feedback about how to organize a voluntary system that would store personal data for...

Issue 20, May 22, 2006

• Must we agree to all PHI amendment requests?

  No.

• New CMS enrollment applications include NPI

  CMS introduced revised CMS 855 Medicare provider enrollment applications on May 1. The...

• AHIC recommends creation of privacy/security subcommittee

  The formation of a privacy and security subcommittee was among 28 recommendations unanimously...

• Stolen computers found on eBay

  Twenty-five laptop computers for sale on eBay appear to have come from Des Moines, IA-based Iowa...

Issue 19, May 15, 2006

• How much information should we provide when complying with a subpoena?

  Minimum necessary requirements do not apply in this situation. However, you should only disclose...

• AHA report: State laws, not HIPAA, are obstacles to information exchange

  HIPAA provides "parameters but not roadblocks" to health information exchange (HIE) projects...

• Hacker pleads guilty to attacking computers at Seattle hospital

  A man pleaded guilty on May 5 to attacking a series of computers at a Seattle hospital and at a US...

• Wells Fargo computer goes missing

  Des Moines, IA-based Wells Fargo Home Mortgage announced May 5 that a computer in the possession of...

Issue 18, May 8, 2006

• Will SSO technology help us meet certain security rule requirements?

  An SSO solution-either a third-party product or an internal directory service (e.g., Active...

• NPI bulk enumeration begins

  Healthcare organizations can begin submitting applications for national provider identifiers (NPI...

• Hackers compromise Tricare files

  Hackers compromised information stored in Tricare Management Activity's (TMA) public servers, the...

• NIST releases draft security log guidance

  The National Institute for Standards and Technology (NIST) recently released for comment a draft...

Issue 17, May 1, 2006

• When patients request access to their information, must we provide information h

  Yes. The HHS commentary notes that to meet the requirements for providing access, you must not only...

• Privacy groups criticize HHS agreement to access DHS data

  Privacy advocates and airline associations are attacking a data-sharing agreement that HHS and the...

• Companies shift security focus to data loss

  New corporate security spending in 2007 will shift to data protection and away from network...

• Thieves steal data about 38,000 Aetna members

  Thieves stole a laptop that contained personal information about 38,000 Aetna health plan members...

Issue 16, April 24, 2006

• What does HIPAA require us to do when we receive a complaint?

  The purpose of the complaint process is to allow your organization to resolve complaints and...

• Study: Percentage of noncompliant facilities grows

  A drop in the number of facilities that report they are fully or mostly HIPAA-compliant should warn...

• Brailer resigns from health IT post

  David Brailer, the national coordinator for health information technology (IT), announced that he...

• Unauthorized copies of insurance records put Hawaiians at risk

  More than 43,000 Hawaiians are at risk for identity theft after unauthorized users made copies of...

Issue 15, April 17, 2006

• Should we include wireless keyboards and mice in our vulnerability assessments?

  Although wireless keyboards and mice are less risky than wireless networks, include them in your...

• OCR to continue voluntary compliance policy

  Although the new enforcement rule formalizes the use of civil monetary penalties (CMPs), voluntary...

• CMS issues NPI guidance, revised resources

  Submit legacy identifiers for all payers-not just Medicare- when applying for an NPI, CMS advised...

• Thief steals laptop containing deidentified information

  A thief stole a laptop containing the records of 1,500 patients of Canada-based Saskatchewan...

Issue 14, April 10, 2006

• How should we dispose of ePHI?

  Many people believe that simply deleting files or formatting drives is sufficient to keep ePHI out...

• Privacy groups seek protections in HIT legislation

  Any health information technology (HIT) that Congress adopts should include strong patient...

• Thieves steal patient records, attempt to auction them

  Thieves stole patient records from now-defunct Danvers State Hospital in Massachusetts and posted...

• OCR posts complete administrative simplification text

  The OCR has made available an unofficial version of HIPAA's administrative simplification sections...

Issue 13, April 3, 2006

• Can we sanction whistleblowers who disclose PHI to the government?

  If the employee's actions are protected whistleblower disclosures, HIPAA's sanction requirements do...

• Texas woman pleads guilty to selling medical information

  A Texas woman pleaded guilty on March 6, 2006, to wrongfully using a unique health identifier with...

• Mark your calendars for Health Information Privacy and Security Week

  Health Information Privacy and Security Week will be held April 9-15, 2006. The American Health...

• CMS outlines HIPAA section of its Web site

  CMS recently issued guidance about using its Web site to obtain information about HIPAA. On the CMS...

Issue 12, March 27, 2006

• GAO report faults HHS’ security

  "Significant weaknesses in information security controls" increase the risk of a data breach at...

• Ohio Supreme Court rules state disclosure law supersedes HIPAA

  The Cincinnati Enquirer can obtain copies of lead-contamination notices issued to Cincinnati...

• Thief steals laptop containing Fidelity Investments customer data

  A thief stole a laptop computer containing information about 196,000 Fidelity Investments...

• Must someone certified in security perform our HIPAA security assessment?

  HHS does not require the person assessing your security to have these credentials.

Issue 11, March 20, 2006

• Privacy experts recommend broader protection for information

  Experts urged the federal government to couple plans for a national electronic health record (EHR...

• OCR posts new FAQ on releasing PHI to people acting on behalf of others

  The privacy rule allows a health plan-or other covered entities-to disclose PHI to a person who...

• WEDI/SNIP creates new claims attachment group

  The Workgroup for Electronic Data Interchange (WEDI) announced March 8 the creation of a new claims...

Issue 10, March 13, 2006

• Are we required to undergo HIPAA certification?

• OCR posts new FAQ on health plans' notices of privacy practices

  The privacy rule requires health plans to notify enrollees about the availability of their notices...

• CMS provides three new NPI resources

  Those looking for more guidance on national provider identifiers (NPIs) can find three new...

• Survey: Organizations still behind in compliance efforts

  It's been almost three years since the compliance date for HIPAA's privacy rule, and many...

Issue 9, March 6, 2006

• What can we disclose to a friend/family member involved in the patient’s care?

  You can disclose PHI that is relevant to the friend’s or relative’s involvement in the...

• Four employees leave Providence in wake of data breach

  Oregon-based Providence Health System fired one employee and had three employees resign in the...

• ASC X12N releases free claim attachment guide for comment

  The Accredited Standards Committee (ASC) X12N recently released the ASC X12N Health Care Claim...

• Robber steals laptop containing information on 4,000 patients

  The PHI of almost 4,000 patients is at risk after a thief stole a laptop containing insurance...

Issue 8, February 27, 2006

• How can we verify public officials’ identities when they request PHI?

  An in-person request accompanied by an agency identification badge, official credentials, or other...

• Robber steals laptop containing HIV information

  A thief stole a laptop containing the HIV test results of almost 2,000 clients of the Sacramento...

• Survey: Consumers skeptical of EHR privacy and security

  Consumers think privacy and security are the top obstacles to healthcare providers establishing...

• Blue Cross contractor steals corporate data

  Florida authorities are investigating a Blue Cross Blue Shield Florida contractor after he...

Issue 7, February 20, 2006

• What are the benefits of establishing an organized healthcare arrangement?

  By designating as an OHCA, all participants in your organized healthcare arrangement can share...

• Free CMS audioconference to address NPI questions

  Learn what questions to ask as your organization completes its national provider identifier (NPI...

• Hacker gains access to sensitive data for 18 months

  A hacker who had the opportunity to access business and patient data for 18 months after hacking...

• Survey: Privacy compliance remains a problem

  One-fifth of healthcare providers remain non-compliant with privacy rule standards, according to a...

Issue 6, February 13, 2006

• What is an indirect treatment relationship?

  An indirect treatment relationship is a relationship between an individual and a healthcare...

• Boston hospital faxed patient information to bank for six months

  Boston-based Brigham and Women's Hospital mistakenly faxed patient data to a local investment bank...

• Bulk enumeration approaching

  Healthcare organizations will soon be able to apply online to conduct electronic file interchange...

• Patient billing information faxed to Canadian company

  US-based Prudential Financial agreed to buy a Canadian toll-free fax number after faxes containing...

Issue 5, February 6, 2006

• Why should we separate psychotherapy notes from the rest of the medical record?

  The Department of Health and Human Services states in the commentary to the privacy rule that...

• HHS names new head of OCR

  Winston Wilkinson replaced Richard M. Campanelli as the director of the Office for Civil Rights...

• Providence offers credit services to victims of data breach

  After losing the records of 365,000 patients when thieves stole unencrypted data from the car of an...

• CMS issues new guidance on subpart NPIs

  A covered healthcare organization’s subpart must obtain a national provider identifier (NPI...

Issue 4, January 30, 2006

• Should we put a notice of privacy practices on our Web site?

  Yes.

• Thief steals data for 365,000 patients from car

  A thief stole the medical records of 365,000 patients, smashing the window of a van that contained...

• MGMA letter: Claims attachment rule should give providers extra time

  The Centers for Medicare & Medicaid Services (CMS) should stagger the compliance deadlines for the...

• Nurse finds 1,000 passwords in parking lot

  A former Adventist Health System nurse claims to have easily obtained over 1,000 Web site passwords...

Issue 3, January 23, 2006

• Q: Can we disclose psychotherapy notes when there is a health/safety threat?

  You can without authorization use or disclose psychotherapy notes to prevent or lessen a serious...

• Governors to compete for funds to study privacy, security

  State governors can submit proposals for participation in the Health Information Security and...

• British study: Medical advances compromised by privacy restrictions

  Advances in medical research are inhibited by bureaucratic and unnecessary privacy restrictions...

• Facilities offering Internet access to patients, visitors

  Some covered entities are offering patients and visitors the opportunity to access the Internet via...

Issue 2, January 16, 2006

• Q: Should we obtain authorization for disclosing a patient’s location to family?

  If the patient is present and has the capacity to make healthcare decisions, the covered entity may...

• New CMS Web site provides NPI info

  The Centers for Medicare & Medicaid Services' (CMS) new Web site includes a redesigned section...

• NAHIT report: Paper records are more vulnerable

  Paper health records are more vulnerable to a variety of security threats-including loss, theft...

• HIPAA privacy featured in Louisiana case

  A Louisiana appeals court upheld a decision that tapes made of Louisiana Secretary of State Fox...

Issue 1, January 9, 2006

• What records are not part of the designated record set?

  Only documents containing medical records and billing information about an individual that are used...

• HHS issues industry call to action

  The healthcare industry should assess the proposed standards for electronic healthcare attachments...

• Robbery exposes data for 700 patients

  Robbers stole six computers from a Squirrel Hill, PA-family medical practice, exposing the personal...

• New tech attacks target key employees

  A new security threat targets employees that have easy access to credit card, bank, and other...

Issue 50, December 28, 2006

• Aide found guilty of theft

  Aide found guilty of theft