Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?
Preventing readmissions is a hot topic these days. CMS has imposed new financial penalties for organizations that don't successfully prevent 30-day readmissions for patients with certain medical conditions, and organizations are always looking for new strategies to ensure patients are successfully able to move to the next level of care.
Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility's CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients' names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
Q: I work at a pediatric practice, and we receive a lot of holiday cards from our patients, many of which feature family photos. We hang them up because the patients love to see themselves displayed in our lobby. We have reached out to a HIPAA security officer at a nearby hospital who told us it is not a HIPAA violation to display holiday cards received from patients. Is this accurate?
Q: I am currently working on a social media usage policy for the organization where I work. I often notisce that some of my friends in the healthcare industry will post about patients on social media website.
