
Target Trouble Areas with HIPAA Training

A little oversight can lead to a lot of trouble. Employees who aren’t prepared to securely handle patients’ protected health information (PHI) can accidentally cause breaches and leak tens to millions of private records. Why does this happen? In many cases, managers fail to train their staff in HIPAA compliance. HIPAA compliance training shouldn’t simply check the box and call it a day. Training must be ongoing, detailed, and tailored for each department. With regular training, managers can address risk areas as they arise, from a lack of breach preparedness to improper use of the nurse’s station white board. Detailed […]

HIPAA Compliance Efforts: Planning for the Worst and Hoping for the Best

Planning your HIPAA success is probably the last thing on your mind. As a busy healthcare professional, you deal with multiple roaring fires all day long every day. Because you are so busy, it is easy to put off HIPAA compliance and simply hope for the best. What you may not realize is your burning compliance ember can quickly become an uncontrollable forest fire. Hoping for the best with your HIPAA compliance program has several problems: the Office of Civil Rights (OCR) is conducting audits to ensure compliance; healthcare breaches are on the rise, resulting in costly fines; it is […]

Is Your ePHI Encrypted?

You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems? The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently: theft of an unencrypted laptop from an employee’s private residence, and two losses of unencrypted USB thumb drives. Because of these violations, MD Anderson was […]

How to Secure Your Workstations

A vital step to protect patient information is to secure the tools you use to access, store, and transmit that information. Workstations are a major access point to your organization’s electronic protected health information (ePHI). Therefore, if you don’t properly secure your workstations or train your staff to use them securely, your workstations could become a liability. Set Workstation Safeguards: You can secure your workstations with a few simple steps: enable access control to restrict who or what can access ePHI; set workstations to log off or switch to screensavers in 15 minutes or fewer; patch software regularly to improve security, […]

Password Security – HIPAA Tip

Password security is the bane of most healthcare organizations’ existence! Employees and providers groan every time they are required to change their passwords. Remembering complex passwords is also difficult, especially when you have multiple passwords to remember for all the programs and networks required to manage patient care. Writing passwords down and sharing passwords are common temptations to ease the pain of password management. However, not taking password security seriously leaves your patients’ information vulnerable. The Password Security Conundrum: Many organizations struggle with password security. Providers and nurses often share login credentials with staff to make their workflows […]

Can I Text or Email Patient Information?

Sending texts and emails is a part of everyday life. Most organizations use one or both to communicate inside the organization and with clients. But when you handle electronic protected health information (ePHI), texting and emailing may be risky. Regardless, 73% of healthcare professionals use text messaging to send ePHI, and 98% rely on email to communicate internally and externally. Texts and emails are easy and convenient, but are they legal? Is Texting/Emailing Patient Information Ever OK? Texting or emailing patient information is a legal gray area in many cases. HIPAA requires you to securely transmit and store ePHI, and […]

How to Safely Manage Your Mobile Media

Mobile devices are commonplace in modern offices. As a covered entity (CE) or a business associate (BA), you will undoubtedly have mobile devices and media to manage. Electronic protected health information (ePHI) is not only on your desktop computer but may be on many devices, from laptops to thumb drives and from smartphones to external hard drives. However, these smaller devices can easily leave the building, sometimes by accident. This puts your organization at risk of a privacy breach. As a CE or BA, you are responsible for maintaining the confidentiality, integrity, and availability of ePHI. Therefore, you must be […]

Understanding PHI Disclosures

Understanding PHI disclosures is challenging. Throughout your normal day, you are disclosing PHI internally and externally. Knowing when you can share PHI without an authorization from a patient is important in order to avoid a HIPAA breach. Patient information can be shared internally, and with your vendors under a Business Associate Agreement, for treatment, payment, and health care operations (TPO). TPO disclosures do not require an authorization from the patient. Treatment Disclosures: Many healthcare organizations overcomplicate treatment disclosures, because it is human nature to err on the side of caution. HIPAA recognized that requiring authorization for some disclosures would create […]

HIPAA and Personal Devices

Most healthcare organizations, of all sizes, allow employees to use their personal devices to access or transmit protected health information. This is commonly referred to as Bring Your Own Device or BYOD. With the increasing popularity of BYOD, HIPAA privacy and security are not always fully addressed. HIPAA Considerations: Although BYOD is extremely convenient, there are some HIPAA concerns when allowing personal devices in your organization. Encryption: Most BYOD devices are not encrypted. This is likely because they are not viewed as work devices. Personal devices should be encrypted prior to allowing the device to access or transmit PHI. It is simple […]

Cybersecurity Awareness: Multi-Factor Authentication

As a HIPAA-covered organization or business associate, you should set basic safeguards around your electronic protected health information (ePHI) so that it stays private and secure. Therefore, to celebrate National Cybersecurity Awareness Month (NCSAM), we will continue to focus on the basics of security. The last post covered patch management tips and showed how failing to patch software can lead to a major breach. Multi-factor authentication (MFA) is another important safeguard you can easily use to secure your data. What is Multi-Factor Authentication? MFA is when you use two or more credentials to access your information. The three types of credentials […]

Cybersecurity Awareness: Patch Management

It’s National Cybersecurity Awareness Month (NCSAM), which means it’s time to go back to the basics of HIPAA privacy and security. The last post gave tips for managing your passwords. Now you’ll learn why patch management is one of the most important things you can do. In May of 2017, hackers exposed the data of over 145 million people using Equifax to monitor their credit. According to Wired, hundreds of thousands of credit card and social security numbers were stolen. Why did this happen? Simply put, Equifax failed to patch a vulnerability in their software. If you handle people’s private […]

Cybersecurity Awareness: Password Management

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has made October the National Cybersecurity Awareness Month (NCSAM). Why? Healthcare companies are falling prey to hackers, resulting in huge privacy breaches, and the problem is only getting worse. Therefore, HHS wants healthcare organizations to go back to the basics of privacy and security. It’s more critical now than ever for you, as a covered entity or business associate, to secure your electronic protected health information (ePHI). The easiest security step you can take is to put a good password management system in place. What is Password […]

Incidental Disclosures – Train Your Staff

In a recent court case in the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman (Ky. Ct. App. July 21, 2017), a nurse sued her employer after being fired for a HIPAA violation. A patient filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and only using the minimum necessary to accomplish a job. In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves […]

Building Your Emergency Preparedness Plan (RHC and FQHC): Communications Plan

In our last blog, we wrote about the policies and procedures you needed to develop for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). The policies and procedures are developed after you have conducted your all-hazards risk assessment. CMS wants you to have, at minimum, policies for safe evacuation, sheltering in place, preservation of medical documentation, and using volunteers. Your next step is to develop your communications plan. This is critical, as “communication” is often severely hampered during an emergency. This can be a personnel problem caused by lack of training and preparation, or it can be a […]

Building Your Emergency Preparedness Plan (RHC and FQHC): Policies and Procedures

By now you are well into developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). You conducted an all-hazards approach to your risk assessment. That is, you identified all probable hazards and developed response procedures for each type of hazard, including natural, man-made, and/or facility emergencies. Additionally, as you conducted your risk assessment, you took a facility-based approach. You concentrated on risks specific to your facility and your region; for instance, you developed plans for a blizzard in Colorado or a tidal wave in Hawaii. You may have also decided to […]

Building Your Emergency Preparedness (RHC and FQHC): Risk Assessment

We know many of you are currently rushing to meet the November 16, 2017 deadline for developing your Emergency Preparedness Plan for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). As you do so, the Centers for Medicare & Medicaid Services (CMS) wants you to keep in mind these three key essentials for maintaining access to healthcare during disasters and emergencies: safeguarding human resources, maintaining business continuity, and protecting physical resources. In addition, your emergency preparedness plan will be made up of these four sections: Emergency Plan (including risk assessment), Policies and Procedures, Communication Plan, and Training and Testing […]

The Three Exceptions to A Breach

Soon after implementation of the HIPAA privacy rule, some staff members would conclude that a violation had occurred because a doctor and a nurse were overheard speaking about a patient’s PHI, or a technician called out a patient by their actual name in the waiting room, or a white board at a nursing station contained PHI of patients on the Intensive Care Unit. Staff had yet to learn about the “Incidental Disclosure” rule that allows for incidental uses and disclosures that occur as a by-product of a use or disclosure permitted by the privacy rule, as long as reasonable safeguards […]

Don’t Take The Bait

Phishing is the name of a method which entices you to give up your personal or financial information to people or organizations masquerading as a legitimate source. The bait is a request from a source you are familiar with, but which is, in fact, a replica or a phony. Phishing attacks may occur against your personal account, or they may involve your medical organization. In any event, knowing how to recognize them and not take the bait is the key to preventing a successful phishing attack. Phishing attacks try to obtain valuable information from you such as your: credit card number […]

The Importance of an Information System Asset Inventory

When thinking about your information system asset inventory, it is easy to focus solely on the compliance elements. When doing so, many smaller healthcare organizations will opt not to keep an inventory, as it is not explicitly required in HIPAA. Although not specifically required in the HIPAA Security Rule, there are indicators in the Security Rule that an accurate and up-to-date information systems asset inventory will support several of the requirements within the Rule such as Risk Analysis, Risk Management, Information Systems Activity Review, Device and Media Management, and Audit Controls. An information system asset inventory is more than just […]

Don’t Get Caught Without a Business Associate Agreement

The need for Business Associate Agreements (BAAs) is not a new one. They have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement efforts of HIPAA compliance, organizations that are required to be compliant with HIPAA should review their business associate lists to verify that every business associate has a BAA in place. Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI. Settlement […]

Fees For Medical Records

Medical record requests from attorneys, insurance companies, and everyone in between can be challenging to keep up with. You are trying to balance patient care with operations and getting paid for treatment. At HIPAAtrek, we frequently get asked how clinics and hospitals can charge for certain records requests. HHS issued clarification for permissible fees in May of last year: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/clarification-flat-rate-copy-fee/index.html There is no maximum charge for copied medical records. The flat-rate option (not to exceed $6.50) was meant for organizations who did not wish to calculate the actual or average cost for the copies. There are three options for charging […]

Accepting Patient Information on Your Website

Patients are looking for easy ways to communicate with their providers that don’t require a phone call. Hold times and constraining office hours to make an appointment, request records, pay a bill, and other patient communications are often cited as frustrations by your patients. To help resolve this, you look to technology to streamline your patient communications. Technology is a perfect solution to solve many of these more tedious communications. Technology can make your patients and your staff a lot happier. Patients can send communication requests at their convenience and your staff isn’t tied up on the phone to respond […]

My EMR Makes Me HIPAA Compliant, Right?

No, having an EMR/EHR does not make your organization HIPAA compliant. This is a compliance mistake many organizations unknowingly make. As I visit facilities and ask the privacy officer how their HIPAA compliance program is working, they often respond that all is well because they have an EMR/EHR that keeps them compliant. The truth is the EMR/EHR itself may be HIPAA compliant, but that has no bearing on the compliance level of the entire organization. Let’s dig deeper into this issue to understand what I am saying. When a vendor implements an EMR/EHR solution, all the compliance activities surround the […]


Whether you back up your data with a cloud service provider, on your local server, or on a physical hard drive, the question of whether to secure it via encryption should be answered. We begin with the basic premise that the HIPAA Security Rule requires you as a Covered Entity or a Business Associate to protect the confidentiality, integrity, and availability of the Protected Health Information in your possession. This responsibility also extends to your backed-up data. Under the Technical Safeguards and access control standard of the rule, you are asked to determine if encryption and decryption should be implemented to […]

Are Your Audit Controls Enabled? (Are you reviewing the reports?)

On January 13, 2017, OCR published a Cyber Awareness Newsletter about understanding the importance of audit controls. OCR stated Covered Entities (CE) and Business Associates (BA) should make sure that they appropriately secure audit trails, and that they use the proper tools to collect, monitor, and review those audit trails. Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to hide their electronic tracks and cause harm to your organization. The HIPAA Security Rule, under the Audit Controls standard, requires the CE and BA to implement hardware, software, and/or procedural mechanisms that record activity in the electronic […]

When Should I Conduct A Security Risk Analysis?

The HIPAA security rule asks covered entities (CE) to conduct a risk analysis under the security management plan. However, there is some confusion as to how often this analysis should be accomplished and to what level. For the purposes of this article, let’s stipulate that the term risk assessment means the same as risk analysis, since the two terms are often interchanged. Per the HHS website, the security rule does not specify how frequently to perform the risk analysis as part of a comprehensive risk management process. The Security Management Process standard in the Security Rule requires organizations to implement […]

Update on Joint Commission Texting of Patient Orders

On December 22, 2016, The Joint Commission (TJC) published clarification regarding the use of secure text messaging for patient care orders for organizations subject to TJC accreditation. TJC sees this approach as not acceptable at this time. The implementation of secure text orders was discussed with industry experts and the pros and cons were reviewed and weighed. Both The Joint Commission and CMS concluded the impact on patient safety remains unclear. Three main points were made against secure texting for patient care orders: the implementation of an additional mechanism to transmit orders may lead to an increased burden on nurses […]

Can I Disclose PHI for Treatment, Payment and Operations?

This seems to be a common question asked by staff members. In fact, what often happens is that staff become “paralyzed” by HIPAA and refuse to use or disclose protected health information (PHI) when it is allowed or permitted by the rule itself. This paralytic condition frequently causes disruption to workflow and aggravation to staff and patients alike. A better approach is to educate your workforce so that “no” is not the default option. So, let’s look at three basic situations where you can answer “yes” and use or disclose PHI without an authorization from the patient. Treatment, Payment, […]

Risky Business: Rental Storage Units For Document Storage

Every business, regardless of size, has document management and storage concerns. Medical organizations have an even greater difficulty in determining proper document management strategies, since they have to comply with HIPAA as they store both their paper and electronic records. Many small- to medium-sized healthcare organizations seek to solve this document management problem with their local public storage company. Rent is inexpensive and the records are easily accessed when needed by an employee of the practice. But, is this the best solution? Below are a few issues to consider when determining whether your organization should utilize a public […]

Top 5 HIPAA Compliance Myths

Many untrained people, including healthcare providers and their business associates, have incorrect information about HIPAA compliance, and I wanted to take this opportunity to debunk some of those myths.

Social Engineering: A Hacking Story

Typically when we think of hacking, we think of technical hacks. Some hooded, socially rejected fiend sitting in the dark corners of the world pumped up on way too much caffeine plotting the demise of your systems through some cleverly thought out computer virus. Although these types of hacks do occur, at a surprisingly high prevalence in the healthcare industry, the scarier type of hack is social engineering. This is a real threat that is often not addressed in staff training sessions or our operating procedures. And that is just how the social engineers of the world want it. So […]

8 Easy Steps to Enhance Cyber Security

In 2014, over 95% of all security incidents were the result of human error. In the health industry this is particularly alarming, as security incidents are not only potentially harmful to the organization’s reputation but also quite costly, with fines and penalties for breaches reaching an all-time high. Exploited electronic health care records can endanger the patient’s health as well as their privacy and security. In 2013, the calculated cost of medical identity theft was $12B, along with patient safety costs in terms of misdiagnoses, delayed treatment, or incorrect prescriptions. Costs are likely to increase as more breaches […]

Do Janitorial Services require a Business Associate Agreement?

Many physician offices are struggling to determine which of their vendors are business associates and which are not. It can be a daunting task. One of the most frequently asked questions we receive is whether janitorial or cleaning services are business associates. Like all things regulatory – it depends. I know everyone hates hearing this answer, so allow me to elaborate to help you determine if your cleaning crew is a business associate or not. Cleaning and janitorial services in general are not business associates as defined by the privacy rule, and therefore, a business associate agreement […]

HIPAA Compliance Efforts: Planning for the Worst and Hoping for the Best

As a busy healthcare professional, you are dealing with multiple roaring fires all day long every day. It is easy to view HIPAA compliance efforts as a barely burning ember, at best. The problem is that ember can quickly become an uncontrollable forest fire if it is not tended to. We so often put the task of HIPAA compliance off thinking that nothing will ever happen to us. We are simply hoping for the best. The problem is, we have not sufficiently prepared for the worst. There are several problems with this failure to plan: The Office of Civil Rights […]

Be Proactive! Why Passive Compliance with HIPAA is NOT a Good Idea

Although your healthcare practice administrator has “downloaded” forms and procedures from the Internet or hired a “consultant” to implement a procedure you don’t understand, you are not compliant without taking the full HIPAA journey to complete compliance and peace of mind. The Office of Civil Rights (OCR) began Phase 2 audits in fall of 2014 that will continue well into 2015-2016. Be prepared by making sure you carefully conduct due diligence and have your office procedures in place. OCR’s Phase 2 audits will focus on covered entities and the following three areas: security risk analysis and management, breach notifications, and […]

Do I REALLY Need to Update My Windows Server?

Many professionals in the healthcare industry, and the business world in general, are expected to cut costs wherever possible in their department. Furthermore, practice administrators are often buried under an enormous to-do pile with limited time to devote to HIPAA compliance. Therefore, it is likely that thinking about how using outdated technologies may influence their HIPAA-related data security is one of the LAST things on the minds of many who have access to protected health information (PHI). However, this is one seldom-thought-of concern that simply cannot wait. It turns out that using outdated technologies, including Windows Server 2003, is a […]

10 Common Questions about the HIPAA Privacy Rule

One recurring segment that HIPAAtrek’s Blog will contain is a series of posts devoted to answering some of the most commonly asked questions about a HIPAA-related topic. Since our last post covered the basics of HIPAA in a nutshell, we thought a good place to start would be to answer some common questions about a specific part of HIPAA – The HIPAA Privacy Rule. 1. Q: What exactly IS the HIPAA Privacy Rule? A: The HIPAA Privacy Rule that was modified in 2002 set national standards for providers and business associates with the goal of protecting patients’ medical records and […]

What is HIPAA Compliance, Anyway???

While an article containing general information about the basics of HIPAA Compliance might seem simplistic, it is incredible how many professionals, especially business associates, don’t have a basic working knowledge of compliance. Along with this lack of general knowledge, many, including some covered entities and their business associates, are in the dark about why the HIPAA privacy rules might apply to them. In turn, this lack of information puts them at risk for HIPAA breaches, which often result in steep penalties. For example, the most recent HIPAA breach in 2004 saddled New York Presbyterian Hospital and Columbia University with a $4.8M […]