Dena Boggan, CPC, CMC, CCP, chuckled when someone recently suggested that her staff audit some patient records.
“I wish I had a staff,” laughed Boggan, HIPAA privacy/security officer at St. Dominic Jackson (MS) Memorial Hospital.
However, this is fairly typical in many healthcare settings, where HIPAA privacy and security officers often are the only individuals who are responsible for compliance.
The HIPAA Security Rule requires covered entities (CE) to conduct periodic evaluations of their information security programs.
However, Phyllis A. Patrick, MBA, FACHE, CHC, wonders how many organizations have completed the kind of evaluation the Security Rule standard requires.
On July 8, HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BA) and strengthening patient rights to health information privacy.
The HITECH Act includes new privacy requirements that allow for stronger individual rights to access electronic health records (EHR) and restrict the disclosure of certain PHI.
Incidents involving paper records and desktop computers are second and third most common on the growing list of privacy breaches reported on the OCR website. (The No. 1 reason for privacy breaches re-mains the loss or theft of laptop computers and other portable devices. Briefings on HIPAA looked at ways to prevent those types of privacy breaches in the June issue.)
When it comes to release of information (ROI), it may seem that exceptions are the rule. But you must know when you can and cannot release information to protect the privacy of your facility’s patients.
