Friday, March 02, 2007

Easy Does It

Here is what happens when HIPAA training happens in a calm and sensible manner:

Although people might complain about HIPAA requirements I no longer feel that they have a leg to stand on. There is nothing outrageous in these requirements (except maybe one or two really quirky things) and the only real problem will be the way that the auditors interpret the HIPAA standards and how they are applied within an organization. Of course this is true of any standard. There will always be a negotiation of the level of protections compared to the risks involved. My personal feeling is that through HIPAA we have a standard, a overall policy, that is applicable to these specific organizations. We can point to these standards to when the organization fails to adequately protect the sensitive information with which they are entrusted.


See? It wasn't that difficult, now was it?

3 comments:

Anonymous said...

Anyone, please point me to right direction. My niece married to a doctor who later turned out to be a jerk. My niece finally gave up and filed for divorce. While the divorce is still pending he disclosed some very sensitive health information of her wife to like half of the town. Somebody told us to file a HIPAA complaint but we are not sure if it falls under that law? where to start from and what should we expect from HIPAA's end?
Thanks in advance for your help.
Regards
Ray

Anonymous said...

Here are some point that I would like to mention that is needed by any health care organizations to be followed according the HIPAA rules and regulation.

Security Management Process: Describes processes the organization implements to prevent, detect, contain, and correct security violations relative to its ePHI (Electronic Protected Health Information).

Risk Analysis: Discusses what the organization should do to identify, define, and prioritize risks to the confidentiality, integrity, and availability of its ePHI.

Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.

Sanction Policy: Indicates actions that are to be taken against employees who do not comply with organizational security policies and procedures.

Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.

and there are few more points that you can get here
http://training-hipaa.net/template_suite/SP_template_components.htm

According to the HIPAA all the healthcare organization like hospital, clinics, nursing home, etc and other organization related to healthcare has to strictly follow these rules in order to keep the privacy of any individual's health information and if they fails you certainly can file a HIPAA complaint

Anonymous said...

My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of coworker, tripped the PHI filter on the email and the mother had to delete the request. The daughter resends the request with the information 'hidden' within a song of silly words and asks if the stupid filters caught the last name and date of birth that time. The mother replies that it didn't. The mother fabricates a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA based on the reason that they have no need to know if real/false medical information was given because their perception of what the mother did is more than necessary for them to have fired her. Is this really how HIPAA works or is someone misreading the rule? Thank you in advance for helping.