Q: If my medical waste includes PHI, do I need a BAA with our waste management vendor?
A: Yes. For example, clinics and hospitals contracting with bio-waste disposal vendors that dispose of IV bags execute a BAA with the bio-waste disposal vendors. It's no different than the requirement to execute a BAA with a document shredding vendor. If the vendor will come in contact with PHI, a BAA is in order.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.
Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it's been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).
State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.
Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.
Q: I am a certified case manager working in an acute care hospital. As part of our job requirements, when working in the emergency room (ER), we are asked to problem solve throughout the day. We often get requests for information on patients seen in the ER who have since been discharged.
Q: Is it permissible to take pictures of patients for identification purposes as a part of the registration process? Do the patients need to sign a consent form before their picture can be taken?
A: It is permissible to take pictures of patients for identification purposes if the patient agrees to it. Since the Privacy Rule considers full-face photographs to be a patient identifier, it is a good practice to get the patient's written consent to take a photograph and file it with the patient's electronic record. The patient should be allowed to opt out of the photograph if he or she chooses.
Editor's note
Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Information systems activity review is a fancy way of saying you need to monitor your network and your applications including who is looking at and manipulating your patient information. That can be an expensive, or even almost impossible, proposition when it comes to regular monitoring of access to patient information stored in electronic health records (EHR). Two of the well-known automated audit logging tools on the market, FairWarning and Iatric, are well outside the budget for small- to medium-sized covered entities (CE). The manual option, checking audit logs by hand, is slow and ineffective.
