Free Corporate Compliance e-Newsletters

APCs Weekly Monitor Compliance Monitor Healthcare Auditing Weekly HIPAA Weekly Advisor Medicare Weekly Update The RAC Report

HIPAA Weekly Advisor

This e-mail newsletter delivers how-to advice and breaking news on HIPAA regulations each week. Stay informed on timely topics, security news and regulations, and analysis of proposed and final HIPAA rules that will ensure patient information security.

Subscribe »

2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001

HIPAA Weekly Advisor

Issue 6, February 23, 2009

• Q&A: prescription records

  Q. May a spouse obtain the prescription records of an incarcerated spouse without written...

• CVS to pay $2.25 million settlement for potential privacy breaches

  CVS will pay the price for potential privacy breaches on millions of patients’ records.

Issue 5, February 16, 2009

• New HHS Web site

  HHS launched a new Web site including content on HIPAA regulations under a user-friendly format.

• Tip: Get your 'board' on board

  Most providers will need to present an idea to their board of directors. Here’s one tip to...

• Q&A: Notices of privacy practices

  Q. Do notices of privacy practices (NPP) apply to business associates of a covered entity, such as...

• Economic stimulus bill set to arrive on Obama's desk

  The only step left to approve a $787 billion economic stimulus bill is President Barack...

Issue 4, February 9, 2009

• Q&A: Pacemaker manufacturers seeking information

  How do you deal with getting information about a pacemaker -- within the realm of the HIPAA privacy...

• Tip: Take these steps after encrypting your data

  You probably want to start encrypting your data to protect it from breaches. We can give you a...

• Data breaches getting more costly

  Use this as a head-start to get ready to encrypt your data and protect it from privacy breaches.

• US Chamber: Do not pass stimulus bill

  Slow down, Congress. The stimulus money planned to go to HIPAA will just help lawyers&rsquo...

Issue 3, February 2, 2009

• Report: HIPAA privacy rule negatively affects research

  The healthcare industry needs to be better on research. We can start by revising the HIPAA privacy...

• VA agrees to pay $20 million to settle identity theft suit

  The VA must pay its veterans -- $20 million. The department settled a class-action lawsuit by five...

• HHS releases final medical identity theft report

  The consumer should be the key focus for consideration of prevention, detection, and remediation of...

• Q&A: Overhead paging

  Q. Is overhead paging a patient by name back to a clinic or hospital area a HIPAA violation? Learn...

• Tip: Make HIPAA training fun

  Want to make your HIPAA training a little more fun? Use the example of this facility and bring...

Issue 2, January 26, 2009

• Insurer must show policy to prevent PHI breach

  BlueCross sent “explanation of benefit” forms to members in November that also featured...

• WV health department warns patients of identity theft

  A West Virginia town’s health department officials identified a former temporary billing...

• Renovations

  Should contractors working in a hospital get HIPAA training? It may not hurt.  

• Tip: Use these agenda items for office training

  You can never have enough HIPAA privacy and security training at your facility -- especially your...

Issue 1, January 19, 2009

• Tip: Avoid these pitfalls at physician practices

  Physicians’ offices are not bereft of HIPAA compliance issues.

• Q&A: HIPAA violation hot line

  Cell phone use and HIPAA violations. Can you take calls on a cell phone from patients reporting...

• HHS releases update to Surgeon General's 'New Family Health History Tool'

  Consumers will be happy with this update as far as sharing their family health history.

• NIST releases guide to protect confidentiality of PII

  Get your information on protecting the confidentiality of PII from NIST via its new release.

Issue 44, November 16, 2009

• HIPAA Update hot posts

  See the posts that get your HIPAA colleagues talking.

Issue 43, November 16, 2009

• New HIPAA whitepaper!

  Check out our new whitepaper, our third on HITECH-related regulations and laws.

• TIP: Avoid vague education on communication devices, Web sites

  You can protect your organization by investing in communication devices such as BlackBerry®...

• HIPAA Q&A: Returned mail with patient records

  Learn the answer to this tough HIPAA compliance question.

Issue 42, November 9, 2009

• New HIPAA whitepaper!

  Check out our latest HIPAA white paper regarding provisions in the HITECH Act.

• Red Flags Rule enforcement delayed to June 1

  The previous delay announcement—from August 1 enforcement to November 1—came in July...

• Guidance on HIPAA implications of H1N1

  “Many of these documents help clear up questions on whether the subsequent 1135 waivers...

• HIPAA Q&A: Diagnostic test results

  Learn the answer to this HIPAA compliance question.

Issue 41, November 2, 2009

• Enforcement interim final rule published in FR

  The interim final rule becomes effective November 30. HHS has invited public comments on the...

• Add your feedback on HHS 'harm threshold'

  Want to add your feedback on HHS' new harm threshold?

• Small healthcare entities need Red Flags the most

  The House of Representatives unanimously passed a bill October 22 that would exempt a healthcare...

• BA contract addendum

  Does anyone have a sample of an addendum that can be added to our BA agreement that puts us into...

• HIPAA Q&A: Red Flags Rule

  Learn the answer to this tough compliance question.

Issue 40, October 26, 2009

• Experts: exemption from Red Flags Rule not necessary

  The House of Representatives filed a bill October 8 that would exempt a healthcare practice with 20...

• Speaking of HIPAA ...

  See what your HIPAA privacy and security colleagues are talking about on the HIPAA Update blog.

• Ask these questions in your harm threshold risk assessment

  Ask these questions during your risk assessment to determine the level of harm to victims of a...

• HIPAA Q&A: Anticoagulation clinics

  Learn the answer to this challenging HIPAA scenario.

Issue 39, October 19, 2009

• Small healthcare entities may be exempt from Red Flags Rule

  The Red Flags Rule, which will be enforced beginning November 1, requires healthcare entities...

• Add your feedback on HHS 'harm threshold'

  Add your feedback to a hot-button issue -- HHS' HIPAA harm threshold in the interim final rule on...

• Thousands of doctors' information on stolen laptop

  Lisa Martinelli, Highmark, Inc.'s chief privacy officer, told the Tribune-Review the information...

• HIPAA Q&A: Fundraising

  Learn the answer to this challenging HIPAA compliance question.

Issue 38, October 12, 2009

• Beware the dangers of social networking

  The Ponemon Institute and TRUSTe released its 2009 Most Trusted Companies for Privacy Award in...

• HIPAA Update hot posts

  What's hot on HIPAA Update?

• Congressmen disagree with HHS 'harm standard'

  The Congressmen say this concept was explicitly rejected when they crafted the American Recovery...

• HIPAA Q&A: Letter to patients

  Q. How would you construct a letter to inform patients about stolen PHI?

Issue 37, October 5, 2009

• HHS posts forms for breach notification

  HHS releases the step-by-step reporting form for breach notification.

• Lawyer: Providers not ready for HITECH compliance

  “People are shell-shocked,” says Blustein, partner and co-chair of Garfunkel Wild &...

• New rules protect patients' genetic information

  In part, the rule ensures that genetic information is not used to deny healthcare coverage and will...

• HIPAA Q&A: Taking PHI home

  Q. Several weeks ago, some security specialists indicated that their staff members take paper PHI...

Issue 36, September 28, 2009

• HIPAA Update hot posts

  What's hot on the HIPAA Update blog?

• Tip: Build trust with the Notice of Privacy Practices

  Don't forget to dish out those Notice of Privacy Practices.

• Breach notification compliance deadline has passed

  The compliance date on HHS' interim final rule on breach notification has passed. Are you ready to...

• HIPAA Q&A: Hospice and home health staff members

  Learn the answer to this important HIPAA compliance question.

Issue 35, September 21, 2009

• Lawyer on HIPAA 'harm threshold': 'huge weakness'

  Perhaps his most telling comment came about the new “harm threshold” in the HHS interim...

• Feds unsure over HIPAA enforcement practices

  It seemed as if they were serious about enforcement. After all, it took them less than 24 hours to...

• Parmigiani earns HIPAA Summit award

  Parmigiani served as a co-chair of Wednesday’s session. He is the former director of...

• HIPAA Q&A: Do we need a contract?

  Learn the answer to this challenging HIPAA compliance scenario.

Issue 34, September 14, 2009

• HIPAA Update top views

  See where your colleagues are clicking the most on our HIPAA Update blog.

• New OCR director inherits great HIPAA responsibility

  Verdugo takes over at a crucial time for OCR. The agency July 27 inherited the role of enforcing...

• Munch on these numbers from HHS

  HHS released numbers on who's covered by HIPAA.

• HIPAA Q&A: Information on ID badges

  Learn the answer to this challenging HIPAA scenario.

Issue 33, September 7, 2009

• Get to know encryption, destruction of documents

  Some of these HHS encryption layers were not specified in the draft guidance released in April...

• Who creates the agreement -- BA or CE?

  Who handles the business associate contract at your facility now? The game will change come...

• HIPAA Update hot posts

  See what's got your HIPAA privacy and security colleagues talking.

• Q&A: Collecting tissue in the pathology department

  Learn the answer to this tough HIPAA compliance question from your colleague.

Issue 32, August 31, 2009

• Set timetable for breach notification interim final rule

  Know these two important dates regarding HHS' interim final rule on breach notification.

• HIPAA's new harm threshold -- good news or bad?

  Covered entities and their BAs will perform a risk assessment to determine whether individuals...

• Business associates -- who are you?

  Business associates need to know who they are regarding HIPAA rules. Covered entities do, too.

• Q&A: Contacting patients by mail

  Learn the answer to this tough HIPAA compliance question.

Issue 31, August 24, 2009

• HHS finalizes breach notification guidelines, defines unsecure PHI

  They're out -- final HHS breach notification guidelines and an update to its draft guidance on the...

• FTC issues final breach notification rule for electronic health information

  The rule was issued under the mandate from Congress in the American Recovery and Reinvestment Act...

• Huge identity theft case in New Jersey

  Albert Gonzalez of Miami, 28, and two unnamed conspirators are charged with attempting to...

• Q&A: Tracking BA agreements

  Learn the answer to this HIPAA compliance questions about business associates.

Issue 30, August 17, 2009

• Check out our new HIPAA Update blog!

  You will find all these training resources on our new blog, HIPAA Update.

• Your HIPAA privacy and security colleagues want your advice

  Time to mingle with your colleagues on our HIPAA Update.

• HIPAA compliance starts in the C-Suite

  Our experience shows that the more executive management and the board of directors are engaged in...

• Q&A: PHI on employees' home computers

  Learn the answer to this tough HIPAA compliance question from your peers.

Issue 29, August 10, 2009

• Check out our new HIPAA Update blog!

  Welcome to our new HIPAA Update blog -- your one-stop shopping for HIPAA privacy and security...

• Tips regarding business associates and new HIPAA laws

  Contract language should require the BA to notify the covered entity within five days of a breach.

• Business Associate compliance with HIPAA

  Business associates have a lot to know about complying with the HIPAA Security Rule.

• OCR: The HIPAA enforcer?

  Now that OCR has the HIPAA Security Rule under its umbrella, does that mean more enforcement?

• Q&A: E-mail communication

  Learn the answer to this challenging HIPAA scenario.

Issue 28, August 3, 2009

• Red Flags Rule deadline pushed back again

  Red Flags was supposed to go into effect on November 1, 2008, but it was pushed back to May 1...

• KP Bellfower unsure if it will appeal second fine connected to Octomom

  The hospital was also hit with a $250,000 fine on May 15 for similar privacy violations against...

• Q&A: Keeping a record of HIPAA training files

  Learn the answer to your tough HIPAA privacy and security questions.

Issue 27, July 27, 2009

• Tips to get your business associates to comply with HIPAA

  The language in your business associate agreement should require the BA to notify the covered...

• Q&A: Consent on having family members in the exam room

  Learn the answer to your tough HIPAA compliance questions.

• Health information exchanges see 40% growth from previous year

  In 2009 and 2010, HIEs are expected to see new opportunities with the American Recovery and...

• Plan for the future and trust that your revamped policies are sound

  New technology overwhelming you? You don’t have to know about everything at once. Instead...

Issue 26, July 20, 2009

• Hospital slapped with second six-figure fine -- again

  This hospital did not learn from its first privacy mistake.

• HHS hiring health information privacy specialists

  HHS is hiring privacy specliasts. What does this mean for enforcement?

• Tips to get your business associates to comply with HIPAA

  Business Associates need to comply with the HIPAA Security Rule by February 18, 2010. Here are two...

• Q&A: Active duty members on the move

  The answers to your toughest HIPAA questions.

Issue 25, July 13, 2009

• Tips to comply with HIPAA

  Ho also offered advice for fellow HIPAA privacy and security officers in a time of changing laws...

• Canadian health system has 12,000-patient privacy breach

  Hackers have done it again -- this time 12,000 patient records may be affected.

• HIPAA and business associates: Free white paper

  Until President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA) into law...

• Q&A: Billing office

  The answers to your most challenging HIPAA-related healthcare scenarios.

Issue 24, July 6, 2009

• Physician resistance remains obstacle to EHRs

  Now that hospitals have a draft of the meaningful use criteria that the Health Information...

• HIPAA and business associates: Free white paper

  HITECH, specifically Title XIII of ARRA, requires BA to comply with the Security Rule in its...

• Hospitals should review their HIPAA sanctions policy

  Your internal sanctions policy related to HIPAA may need some freshening.

• Q&A: Sexually active minors

  Your answers to the tough HIPAA compliance questions.

Issue 23, June 29, 2009

• Many business associates not ready to comply with HIPAA

  Are business associates ready to comply with HITECH? Do you know who your BAs are? Some covered...

• HIPAA 5010 requires IT to do more with fewer resources

  HIPAA 5010 is part of a growing laundry list of chores for providers out there today.

• Q&A: Hospice scenario

  Get your answers to the toughest HIPAA questions from your colleagues.

• CMS issues fact sheet on HITECH Act

  Want to know all about the HITECH? CMS has a fact sheet for you.

Issue 22, June 22, 2009

• Meaningful use first draft could guide final definition

  The final definition of "meaningful use" could be quite different when CMS issues a...

• HIPAA and HITECH topics to tackle now

  All is quiet on the HITECH front in terms of HHS regulations. But it should not be quiet at your...

• Q&A: X-ray results

  The answers to your tough HIPAA compliance questions.

• Sneak peek: White paper examines HIPAA and business associates

  What do you and your BAs need to know about new HIPAA laws? Here's a small slice.

Issue 21, June 15, 2009

• Health Information Exchange will allow patients to share medical information

  Rhode Island patients can share their information with their state -- if they want to.

• HIPAA 5010 is one small, but necessary step toward ICD-10

  Before ICD-10, there's the HIPAA Version 5010. And you must be ready to comply.

• Q&A: Workers compensation

  Another answers to one of your toughest HIPAA questions.

• TIP: Include Red Flags requirements in any new BA agreement

  Here's a tip on complying with the Red Flags Rule: Get it into your contract with a business...

Issue 20, June 8, 2009

• Virginia warns more than 500,000 of possible records breach

  Virginia officials have begun to notify affected parties about potential breaches of privacy.

• Red Flags Rule: Comply now, avoid lawsuit later

  Red Flags Rule -- comply today. Be thankful you avoided public scrutiny tomorrow.

• CVS works on patient privacy improvements following fine

  CVS promises it is working diligently on protecting patients' privacy.

• Q&A: Billing department

  The HIPAA privacy rule addresses disclosure of PHI for treatment and payment purposes and permits...

Issue 19, June 1, 2009

• Tenet employee charged with theft, HIPAA violations

  A Tenet Healthcare Corp. employee faces charges of access device fraud, criminal HIPAA violations...

• TIP: Put plan into action to comply with HITECH

  Here's a few ways to get started with compliance of HITECH.

• HITECH UPDATE: HIPAA enforcement promises, but lacks specifics

  HHS has issued a report on what it's done since the American Recovery and Reinvestment Act of 2009...

• Q&A: Airlines calls

  Your answer to a HIPAA compliance question.

Issue 18, May 18, 2009

• HIPAA and the HITECH Act: Strategies for success

  All you need to know about the HITECH Act.

• REMINDER: Make your comments heard by HHS

  Let your thoughts be heard about unsecure PHI with HHS.

• Q&A: Retention of medical records

  The answers to your tough HIPAA questions.

• Hackers breach college database

  Another breach of PHI by computer hackers has a university scrambling to notify people of 160,000...

Issue 17, May 11, 2009

• Review new AHIMA practice brief on sanction guidelines for privacy and security breaches

  AHIMA's article discusses how to categorize sanctions according to the nature of the privacy or...

• Hacker asks for $10 million for records

  Millions of patient records in Virginia could be in the wrong hands.

• Q&A: HIPAA acknowledgments

  Your answer to a challenging HIPAA question.

• Training, identifying discrepancies are key in Red Flags Rule

  Don't delay because of red flags delay.

Issue 16, May 4, 2009

• HIPAA and the HITECH Act: Strategies for success

  Here is all you need to know about the HITECH Act regarding HIPAA laws.

• HHS issues progress report

  HHS issued a report of its progress during Obama's first 100 days.

• HITECH UPDATE: EHRs, meaningful use get spotlight

  The industry is getting closer to definitions of "meaningful use" users of EHRs.

• Q&A: Family accounts

  Under HIPAA regulations, can we give this information to spouses without the written consent of the...

• Red Flags Rule enforcement delayed until August 1

  Red Flags Rule has been delayed by the FTC -- again.

Issue 15, April 27, 2009

• Groups oppose HHS Secretary nominee

  Senators are scheduled to vote on President Barack Obama's nomination for Secretary of HHS early...

• Business associates: HIPAA survey

  How should your business associates be trained? We want to know.

• HITECH UPDATE: Check your current system against HHS draft guidance

  Miss HHS' draft guidance on securing PHI? We've got it.

• Q&A: Patient photographs

  How do you comply with HIPAA working with patient photographs?

Issue 14, April 13, 2009

• HITECH UPDATE: How should business associates train staff members?

  How are business associates going to train staff members in light of the new HIPAA laws?

• Comment on security breach notification rule that targets personal health records

  The FTC will publish an interim final regulation no later than August 17, which is 180 days after...

• Q&A: Accessing your own information

  Learn the answer to this important HIPAA compliance question.

• How should business associates train staff members?

  Business associates must be trained on the HIPAA Security Rule. We want to know what you think is...

• Q&A: Diagnostic test results

  Learn the answers to your toughest HIPAA questions.

• HITECH UPDATE: HHS misses deadline for definition of unsecured PHI

  Looking for a new definition of unsecured protected health information?

Issue 13, April 6, 2009

• Q&A: Text messaging

  Are you text messaging information about patients? Know the answers regarding HIPAA concerns.

• HIPAA and the HITECH Act: Get your breach notification ready

  The HITECH calls for breach notification requirements for covered entities and business associates...

• TIP: Review your 'hospice' signs for cars

  Any time you have a car with a sign that mentions you volunteer at a hospice, it could affect a...

• Red Flags Rule guidance published

  Red Flags Rule compliance is May 1. Here's a report the FTC released to get you on track.

• Employees fired for viewing mother of eight's records

  Here's what happens when a few staff members get nosey with a patient's record.

• Tip: Use OCR privacy and security guidance as a framework

  Organizations should use these OCR principles to better understand how they can exchange...

Issue 12, March 30, 2009

• Q&A: State-prison patients

  After a person is released from prison is it a HIPAA violation to release the patient’s...

• HIPAA and the HITECH Act: Know all the provisions

  Know the major provisions in the HITECH Act? How about these, too?

• TIP: Know the basics of data encryption

  If you are looking to encrypt your data on patient records, here are some basic things to know.

• Report: 1.5% of hospitals have EHRs

  Patients must have EHRs by 2014. About only 1.5% of hospitals have them, a new study says.

Issue 11, March 23, 2009

• Q&A: Funeral homes

  Funeral homes can call your covered entity with requests for patient information. How do you handle...

• HIPAA and the HITECH Act: Mark these important dates

  Mark these important dates down on your HIPAA calendar.

• Security breach exposes 1,000 SSNs

  An electronic security breach may have exposed 1,000 Social Security Numbers.

• TIP: Educate patients on HIPAA rights

  Use these tips to help educate your patients on their privacy rights.

Issue 10, March 16, 2009

• Q&A: Working with police

  Does your facility come in contact with police warning you about patients who are addicted to...

• HIPAA and the HITECH Act: Know the level of penalties

  The federal goverment changed the penalties for privacy breaches. Here's how the break down.

• Google admits to privacy breach

  Google made a mistake you do not want to at your facility regarding software and patient records.

• TIP: Provide ongoing contract maintenance with your BA

  Business associates have new compliance requirements regarding the HIPAA Security Law. Here are a...

• Got a HIPAA case study?

  Got a success story regarding your HIPAA compliance or training program? Let us know.

Issue 9, March 3, 2009

• HITECH UPDATE: Rewrite your BA contracts

  sssss

• Obama looks to Kansas governor to lead HHS

  U.S. President leaned toward Kansas to find his pick as for the new head of HHS.

• Stimulus on your mind?

  Sasa

• The results are in!

  And the HIPAA survey says? Find out what your peers think about the new laws in the American...

• Q&A: Incarcerated spouse

  Learn the answer to this HIPAA question from one of our readers.

• TIP: Check out new FAQs about disposing PHI

  Got PHI questions? The Office for Civil Rights (OCR) may have your answer.

Issue 8, March 2, 2009

• Q: Do patients need to renew HIPAA acknowledgements every year?

  Q: Do patients need to renew HIPAA acknowledgements every year?

• Report issued on privacy protections applicable to electronic information

  The economic stimulus package approved on Feb. 17 included billions of dollars for health...

• Reno judge says HIPAA doesn't prevent physician from sharing PHI

  HIPAA doesn’t prevent attorneys from questioning physicians about their patients&rsquo...

• Tip: Comply with PCI DSS to help ensure the security of your patients' financial information

  The Payment Card Industry Security Standards Council updated its Payment Card Industry Data...

Issue 6, February 23, 2009

• Tip: Get your 'board' on board by being prepared

  At some point, you will need to present an idea to your board of directors. Here’s one way to...

• Understand the economic stimulus package's effects on HIPAA

  U.S. President Barack Obama signed into law last week an economic stimulus Act that has major...

Issue 1, January 12, 2009

• TIP: Keep an eye on legislation in new Congress

  The Obama era begins this month. You should begin watching his Congress now.

• Privacy/security job titles

  You need to know if the roles of your privacy and security officers are compliant. Find out here.

• Officials to launch PHR Choice program this week

  Americans want more of a choice with healthcare, and HHS is ready to give it to them.

• Data privacy in 2009: Expect stepped up red-flag enforcement

  Red flag -- get ready for red flag identity theft rules, which are mandatory May 1, 2009.

Issue 54, January 5, 2009

• Status of deceased patient

  Q. Many of our patients and visitors get to know each other over the course of their treatment and...

• TIP: Tighten your HIPAA security policies and procedures

  Editor’s note: This is a continuation from last week’s HWA, where we provided tips to...

• NH hospital package missing, contains patient information

  A package bound for a New Hampshire hospital and containing medical information about 1,500...

• News station discovers un-shredded documents

  A Florida news station received several pages of un-shredded medical documents from an unknown...