HIPAA

Q . Are HIPAA policies and training required regardless of the number of employees at a facility? For example, must a three-provider clinic provide HIPAA training?

Ask HIPAA privacy and security officers what they dread most and an OCR investigation will be high on their list.

When Shallie J. Bryant, CHC, CHPC, went to work at CaroMont Health in North Carolina more than two years ago, her biggest challenge was creating a culture of patient privacy.

It's the season of giving and in that spirit, BOH asked some privacy and security officers to share their best tips to help others.

UK HealthCare's Chief Compliance Officer R. Brett Short knew he was in for a rough day as soon as he saw the email from his organization's privacy officer.

Encryption. Encryption. Encryption. It's almost impossible to listen to a HIPAA security expert talk about healthcare security and not hear that word.

I am updating the notice of privacy practices and accounting of disclosures policy for my organization. Do any of the new, finalized rules indicate that the accounting of disclosures covers disclosures for treatment, payment, and healthcare operations?

Q. My email remains encrypted until it is opened. I have received two requests-via email and certified letter-from the patient's parent requesting records be sent by email or mail. I know legally a person may request this, but we must provide this service when we can ensure that the person requesting is who he or she says he or she is. Does a certified letter with recognizable signature or email from a known email address of a parent qualify as verification of the parent's identity?

Although it hasn't released many details yet, OCR plans to resume its audits to assess compliance with HIPAA privacy, security, and breach notification requirements in 2014. The government agency also plans to expand the audit focus to include business associates (BA).