Editor's note: The following is adapted from the HCPro book The HIPAA Omnibus Rule: A Compliance Guide for Covered Entities and Business Associates, by Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, Mass. To learn more about the book, go to www.hcmarketplace.com.
Who would have thought that buying gas with a credit card or wearing a pacemaker could leave a person's information exposed? Yet highly sophisticated credit card skimming devices at gas stations are stealing from consumers, and healthcare organizations are concerned about the potential for malicious tampering or the theft of PHI from wireless medical devices such as pacemakers. Hidden vulnerabilities lie in everyday activities like these, and some of those vulnerabilities can expose PHI and put healthcare organizations at risk.
The HIPAA omnibus rule provides greater protection for PHI by imposing more stringent requirements and limits on a covered entity's (CE) use and disclosure of that information when it comes to functions such as marketing, sales, and fundraising.
Q. We are a claims repricer and maintain a secure claims department. When outside vendors, such as building maintenance people, enter the secure area, are they required to sign a logbook indicating what time and date they entered and exited the claims department?
In a time when so much attention is focused on issues such as cyber security and the dangers posed from evolving technology, it's easy to forget the HIPAA basics, such as the need for workforce members not to gossip or chitchat about patients with other staff members or people in the community.
Q. If an organization’s human resources officer is also the plan administrator for the organization’s group health plan (self-insured), does that individual have the right under HIPAA to access records of high-dollar pharmacy/medical claims for the purpose of targeting the insured for wellness programs or other alternative treatment plans?
