Q. Is it a HIPAA violation if a hospital receives a faxed Healthcare Effectiveness Data and Information Set (HEDIS) request and the hospital cannot identify the patient by full name, last name, or date of birth? These requests contain the name, date of birth, provider, HEDIS measure (chlamydia screening, cervical cancer screening, cholesterol management, etc.), and last date of service of the patient. Typically, these faxed requests are from business associates of the patient's health insurance, but occasionally they come directly from the insurance company.
Q. A long-term care facility has deployed laptops that connect to a file server and are password protected. The laptops are not used to store PHI or other confidential data and are not removed from the facility. Do the laptop hard drives need to be encrypted?
Q. Can paper patient records be kept in a public storage unit? The storage company we are considering has a digital entry at the main gate. We would also have a keyed lock on the storage unit door.
Q. Please explain in an understandable way for nontechnical individuals what level of encryption is needed for e-mail to be considered secure as defined in the interim final breach notification rule.