HIPAA

Q. We are an MRI facility, and our services are referral- based. Faxing MRI reports to referring providers after radiologist review is our standard procedure. Patients can schedule follow-up appointments with referring providers to obtain results of their MRI scans. Patients regularly request a copy of the report at the time of their MRI scans or within several days of the scan when they pick up a copy of MRI films. 

Does HIPAA require us to provide patients a copy of the report even when the provider has not interpreted the report and image?

The privacy breach at Griffin Hospital in Derby, CT, raises red flags for healthcare organizations (see related story on p. 6).

If staff members in your healthcare organization use laptop computers, you’ve just identified a major risk factor for privacy breaches.

HIM staff members have a lot on their plates right now, but one more looming deadline needs to be on their radar—the Federal Trade Commission (FTC) will begin to enforce its Red Flags Rule June 1. Hospitals must have an identity theft prevention program in place by that date.

Security breach notification requirements, according to Briefings on HIPAA's HIPAA and HITECH February survey of healthcare providers. Most of the nearly 600 respondents were HIPAA compliance officers and HIM directors.

Breach notification was the top challenge for 39% of respondents, followed by amending and creating business associate (BA) contracts at 18%. The response took Chris Simons, RHIA, by surprise. Simons serves as director of utilization management and HIM and privacy officer at Spring Harbor Hospital in Westbrook, ME.

As with laptop and desktop computers, smartphones are also the target of malware that can damage devices and lead to the theft of PHI.

Many healthcare organizations have pondered these questions. Now OCR has turned its attention to this topic, and healthcare organizations need to prepare for compliance.

Account numbers reported to the state are considered patient-identifiable information. Therefore, you must include them in an accounting of disclosures in response to patient requests.

Jaspinder Grewal is a self-described "techie" who knows that developing cost-effective techniques to ensure HIPAA compliance is important for healthcare organizations.

Grewal, who is project lead for application services at Mount Sinai Hospital and Medical Center in Chicago, shared his ideas during the 18th National HIPAA Summit, held February 2–5 in Washington, DC.

Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc., for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees. The health-care insurer also failed to promptly notify consumers endangered by the security breach, according to a press release from Blumenthal’s office.