Completing a risk analysis can be a tall order for most organizations. A significant amount of work is required before the risk analysis can even be started—and more work must be done afterward to address the vulnerabilities identified by the risk analysis.
Q: Does a hospital need to obtain the patient's written consent before obtaining physician office notes? Can I contact the physician office and request the needed information without obtaining a written consent from the patient? The office notes are needed for payment purposes.
Healthcare organizations are facing challenging times. Shifting reimbursement models and the uncertainty surrounding federal programs may cause organizations to tighten their spending. Every department—from clinical to security—can feel the pinch as leadership prepares to weather the bumpy road ahead.
Q: Is it necessary for organizations to provide HIPAA training for all workforce members, even those who are not involved in patient care? Does that include cafeteria staff, workers employed through a temp or staffing agency, etc.?
Even going out of business doesn’t protect an organization from HIPAA requirements. The Office for Civil Rights recently announced it reached a $100,000 settlement with the receiver liquidating the assets of Filefax, Inc., a Northbrook, Illinois, medical records company that shut down during an investigation of HIPAA violations.
Q: Are we required to explain why a vulnerability was not addressed or was deemed low priority in the risk management plan? If so, are there any examples of acceptable ways to document this per OCR?
Partners HealthCare System, Inc., notified more than 2,000 patients on February 5 that their protected health information may have been affected by a breach in 2017.
Q: I work at a marketing company, and we are trying to figure out what exactly we can put on a postcard. What is required, per HIPAA regulations, to be fully compliant if we were to do things like dental patient reminders? We would have patient information from the offices. How would we need to handle that information? What are we allowed to include in our designs?
