Email encryption, file sharing, and mailbox security
by Chris Apgar, CISSP
Q: We are in the process of building a new office. Would it be HIPAA compliant to have an outside locked mailbox for our general postal mail and therapist paperwork that is dropped off at night? If not, would a mail slot on our front door work better?
A: An outside locked mailbox will suffice to secure incoming mail and therapist paperwork. Ensure that the mailbox is secure and not easily broken into. If the mailbox is secured with a key, it's a good idea to implement a solid key management program so it's known who has a key. Keys should be recovered when an employee resigns or is terminated. If an employee leaves without returning his or her key, it's wise to re-key the lock on the mailbox.
Editor's note
Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
OCR and HIPAA audits. Give you chills, don't they? Most covered entities (CE) naturally fear getting the letter from the HIPAA privacy and security enforcers saying that they're coming?or that they want something. "Something" usually means your policies and procedures, risk analysis, and mitigation efforts if you've suffered a breach. Bottom line: CEs want to avoid OCR unless they need to go to the agency for information on the HIPAA Privacy, Security, or Breach Notification rules
Subpoenas are a sometimes-unwelcome fact of life for privacy officers. They can be complicated, requesting broad amounts of information that is time-consuming to gather. They can be written in dense legal language that takes time and finesse to decipher. If a subpoena requests PHI, it can also raise privacy concerns and questions about how to honor the subpoena while releasing only the necessary information. Some subpoenas may request information that an organization considers sensitive for other reasons. It can be all too easy to put off dealing with a subpoena until the last minute, then rushing to react without taking the time to really read and understand what it says.
In February 2016, just four months after ICD-10 go-live, sister publication HIM Briefings (formerly Medical Records Briefing) asked a range of healthcare professionals to weigh in on their productivity in ICD-9 versus ICD-10.
The new modifier -PO (services, procedures, and/or surgeries furnished at off-campus provider-based outpatient departments [PBD]) and the alternative payment provisions under the Bipartisan Budget Act Section 603 are both related to off-campus PBDs but define "off-campus PBD" slightly differently.
