E is for Encryption

Computers & Data Breaches
Safeguarding ePHI

HIPAA Security Rule

The HIPAA Security Rule allows the transmission of electronic PHI (ePHI) as long as it is safeguarded. It is up to the healthcare provider to decide on the use of encryption based on the results of its risk assessment.

The encryption requirement is often confusing because it is defined as an addressable requirement: it must be implemented if it is a reasonable and appropriate safeguard for the protection of ePHI.

No Specific Requirements

When the Security Rule was enacted, it was recognized that, due to rapid advances in technology, it would be very difficult to maintain guidelines that would need to change regularly. For this reason, the regulators chose not to require specific safeguards that could soon become outdated.

Alternative to Encryption

Based on its security risk assessment, a health care provider may determine that encryption is not reasonable and appropriate and implement an alternative measure to protect ePHI, or it may determine that the standard can otherwise be met without either. In every case the provider should document the reasons for its decision.

D is for Disclosures


Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances PHI disclosure to law enforcement is permissible.

HIPAA permits disclosures to law enforcement in certain situations. It is always okay when there is a signed authorization from the patient or their legal representative.

When to Respond

Disclosures are permitted when required by law, for example to respond to subpoenas and court orders when specific requirements are met. Disclosures are also permitted for the investigation of a crime, to locate a missing person, and to prevent serious threats to public health and safety. State law may require reporting of child and adult abuse and neglect and of certain injuries and diseases.

State Law

Besides considering the federal HIPAA law, review state law: where state law is more protective than HIPAA, state law is followed.

This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic and HIPAA training for you and your company. Follow us on Facebook and Twitter.


C is for Complaints

Mary Lopez presents HIPAA ABCs

Today’s letter is C, “C is for Complaints.”


A covered entity must have a procedure for individuals to file a complaint regarding its privacy practices or an alleged violation of the Privacy Rule. The Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights.

Privacy Officer

The privacy officer or designee investigates all complaints involving privacy of protected health information and should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.

On behalf of the covered entity, the Privacy Officer responds to inquiries initiated by the Office for Civil Rights as it investigates complaints.

No Retaliation

Under the HIPAA Rules, retaliation against an individual for making a privacy complaint is prohibited.




B is for Breaches

Today’s letter is B

B is for Breaches. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of the following:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Paper Breaches

Examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person.

Electronic Breaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document sharing internet site.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.

For more information about breaches or about HIPAA, please contact us. Follow us on Facebook or Twitter.

S is for Social Media


Benefits of Social Media

Social media offers many benefits to health care organizations: it allows interaction with patients and others, supports education and services, and is an essential communication and marketing tool that forms part of strategic marketing plans. In their role as employer, organizations also turn to social media to communicate with their employees.

Authorization to use PHI

However, it is possible to violate the HIPAA Rules and patient privacy when using social media if it is not managed correctly. Health care organizations must disclose protected health information (PHI) on social media, for example in interviews, photographs and marketing communications, only with patient authorization.

The Risk of Social Media

Employee posts containing PHI violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously to several platforms increases the risk to an organization. Remember that to de-identify PHI, all 18 identifiers must be removed and there must be a low risk that the remaining information could be used to identify the patient. This includes removal of facial images and other identifying features such as tattoos.
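The de-identification rule above (strip all 18 identifiers and confirm a low re-identification risk) is where a pre-publication check earns its keep. The following Python is an added example, not code from HIPAA Associates or from the HIPAA Rules themselves: it screens a draft post for the identifier categories that can be found mechanically (dates, phone numbers, email addresses, Social Security numbers, medical record numbers, ages over 89, IP addresses and URLs) and refuses the post when any are present. The draft post, the `MRN` prefix and the `example-clinic.test` domain are constructed for the example. Names, small geographic areas, faces, tattoos and other biometric identifiers cannot be caught by pattern matching, so a clean result here still requires human review before posting.

```python
import re
from typing import Dict, List

# Regular expressions for the Safe Harbor identifier categories that have a
# recognisable shape in free text. Categories with no fixed shape (names,
# small geographic units, photographs, biometrics) are deliberately absent
# and must be handled by a human reviewer.
PATTERNS = {
    "date (other than year)": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"
        r"|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:, \d{4})?\b"
    ),
    "telephone/fax number": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # "MRN" prefix is an assumption; adapt to the local record-number format.
    "medical record number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "age over 89": re.compile(r"\b(?:9\d|1\d\d)[- ]?(?:years?[- ]old|y/?o)\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier category detected in text, with the matched strings."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_safe_to_post(text: str) -> bool:
    """True only when no mechanically detectable identifier remains."""
    return not find_identifiers(text)


def scrub(text: str) -> str:
    """Replace each detected identifier with a labelled placeholder."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category.upper()} REMOVED]", text)
    return text


# Constructed draft post containing several identifiers a well-meaning
# employee might not notice.
DRAFT_POST = (
    "Great outcome for our patient treated on 03/14/2024 after a hip replacement! "
    "Questions? Call (555) 010-2233 or email nurse.jones@example-clinic.test. "
    "MRN 48213377, 92 years old and walking again."
)

if __name__ == "__main__":
    for category, hits in find_identifiers(DRAFT_POST).items():
        print(f"{category}: {hits}")
    print("safe to post:", is_safe_to_post(DRAFT_POST))
    print(scrub(DRAFT_POST))
```

In practice a check like this belongs in the approval workflow for every outbound channel (the multi-platform posting risk mentioned above), and its findings should be logged so the privacy officer can see which drafts were blocked and why.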

Preventing Risk

To reduce this risk, employees should be trained on the dangers of inappropriate social media use from the very start of their employment. Many organizations address the issue by developing a social media use policy and monitoring social media activity.

P is for Permitted Uses and Disclosures

HIPAA in the Workplace

Key Disclosures

A covered entity may use and disclose PHI for a number of different purposes while staying in compliance with HIPAA’s permitted uses and disclosures. Use and disclosure of PHI for treatment, payment and health care operations is always permitted.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to assist treating providers in caring for the patient without requiring patient authorization to share PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically and must be in a manner compliant with the Security Rule.

Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination. This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.



A is for Authorization

Today’s letter is A, “A is for Authorization”

An authorization signed by the individual whose PHI is to be used or disclosed is frequently required. No authorization is needed if PHI is used for treatment, payment or health care operations purposes, or when another law requires the use or disclosure.

An example of when an authorization is needed is disclosure to an attorney’s office or to a life or disability insurance company.

An authorization must be obtained to disclose medical records when a patient consents to participate in a research project and when they request a transfer of medical records to another medical provider’s office.

An example of when an authorization is not required is when there is a court order signed by a judge from a court with jurisdiction. Another is a report of an infectious disease required by state law. No authorization is required for a research disclosure if an IRB (Institutional Review Board) grants a waiver of authorization.

A HIPAA-compliant authorization must contain certain elements, but do not forget to check state law requirements. Many states have laws that are more protective of PHI than the federal HIPAA Rules, and they require additional elements in the authorization.


A is for Access

Mary Lopez presents HIPAA ABCs

A is for access to Protected Health Information (PHI). An individual has the right to access their PHI electronically, at a reasonable fee, as soon as possible and no later than 30 days from the date of their request.

When a covered entity is capable of readily producing records in an electronic format, it must do so. If it cannot, it must deliver the records in a format mutually agreed upon by the parties within the 30-day timeframe. There is an exception that permits a one-time extension if paper records must be retrieved from storage.

An access request must be in writing and signed by the patient. A signed authorization is not required. A third party may, at the individual’s request, send the access request on the individual’s behalf, and it must be complied with in the same manner as if the individual had requested personally.

The permissible fee for an access request is limited to the cost to cover: labor for copying the PHI requested, whether in paper or electronic form; supplies for creating the paper or electronic copy; and postage. State fees that exceed this amount cannot be charged for access requests.

When a third party submits a request for records on its own behalf with an authorization and cites the HITECH fee limits as the highest that may be charged, it is in error: the access fee limits do not apply.


C is for Cybersecurity

Mary Lopez presents HIPAA ABCs

Cybersecurity is a key feature of HIPAA. Electronic protected health information (ePHI) is at increasing risk from many sources:

  • Foreign hackers looking for data to sell, usually on the dark web
  • Ransomware attacks that lock up data until a ransom payment is received
  • Phishing schemes that lure the user into clicking a link or opening an attachment to deploy malicious software
  • Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source, usually instructing a transfer of funds

To protect ePHI against these threats:

  • Know how to spot phishing emails
  • Use strong passwords, two-factor authentication and encryption
  • Have policies, procedures and safeguards in place to protect ePHI
  • Know who to report an incident to in your organization

Remember that in the event of a cyberattack it is critical to comply with breach reporting requirements.



T is for Texting


Welcome to HIPAA ABCs. We are going to help you understand HIPAA from A through Z.

The Office for Civil Rights (OCR), which has HIPAA oversight, has not produced the long-awaited guidance on texting. At a Health Information Management conference in March, the OCR director said health care providers could text message their patients with PHI as long as the provider warns the patient that SMS texting is not secure and obtains and documents the patient’s authorization to receive texts.

The Centers for Medicare and Medicaid Services (CMS), which has oversight of the Conditions of Participation and Conditions for Coverage, issued a memo on health care provider texting on December 18, 2017. The takeaways are:

1. Texting patient information among members of the health care team is permissible if accomplished through a secure platform that encrypts messages in transit.

2. Texting of patient orders is prohibited regardless of the platform utilized.

3. Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

Keep posted for our next HIPAA ABC.