Briefings on HIPAA

Q Can a mental health and alcohol and chemical dependency treatment health center e-mail and text PHI between healthcare providers and between field caseworkers and patients? We have implemented a secure messaging solution, but it is the organization's policy to prohibit sending PHI via e-mail or text.

Q Is it permissible to fax PHI to a long-term care ­facility that also operates an independent living facility and an assisted living facility?

The dice were rolled and, surprise, you got a letter in the mail from the OCR. You were selected for a HIPAA compliance audit-one of 150 the OCR will conduct in 2012 via its contractor KPMG, LLP.

HIPAA privacy and security officers often spend a lot of time and effort protecting their healthcare organization from the threat posed to its PHI by outsiders. Most organizations do a pretty good job of recognizing the threats to critical assets from outside their own perimeter. However, they must also not ignore the threat that comes from those inside the organization, said Randall F. Trzeciak, who spoke at the Fifth HIPAA Summit West in September in San Francisco.

They call William R. Braithwaite, MD, PhD, "Doctor HIPAA" for a reason.

Briefings on HIPAA has obtained a copy of the $9.2 million contract with KPMG, LLP, the company OCR hired to conduct HIPAA compliance audits. The contract reveals some details about what healthcare organizations can expect when the audits begin.

Before HITECH, covered entities (CE) could pretty much say, the government was all bark and no bite when it came to HIPAA enforcement.

Patients may have easier access to laboratory results under an HHS proposed rule, "CLIA Program and HIPAA Privacy Rule: Patients' Access to Test Reports," released in September.

Q A patient signed an authorization form eight months ago, and her attorney is now submitting it to obtain a copy of her medical records. Is this authorization still valid, or do we need to get the patient to sign a new authorization?