HIPAA

Q.As part of its fundraising effort, Hybrid ­Entity's cancer center wants to send a ­patient list ­(demographic information only) to Hybrid's ­development office, which is not ­designated as a healthcare component of Hybrid. Is this permissible? 

Paula Moran, MEd, and Jennifer Edlind, JD, CHC, know what they're talking about when they say having an incident response team in place when a data breach occurs is important. Moran is privacy and security manager at Massachusetts General Hospital (MGH) in Boston. Edlind is director of privacy and compliance operations at University Hospitals Health System (UH) in Cleveland.

Mobile devices-thumb drives, smartphones, external hard drives, tablets, and laptop computers-are creating risks for PHI exposure.

It may not be the proverbial keys to the ­kingdom, but OCR's recently published audit protocol for its ­current privacy and security audits gives healthcare ­organizations an inside look at the inspection process.

Education is giving people the knowledge they need. Training helps them develop the skills that allow them to put that knowledge to use.

Q What is your opinion on providing extra protection for the medical records of staff who are also patients in an organization?

If HIM professionals needed another reason to be ­concerned with protected health information (PHI) ­outside of paper records, a surgery center in Arizona ­provided one in April.

Too many healthcare organizations are receiving ­failing grades for HIPAA compliance, an analysis of OCR's first 20 initial audits reveals.

The initial 20 OCR HIPAA audits offer insight with respect to privacy and security compliance.