Wednesday, September 2, 2015

New HIPAA training toolkit on Cyberthreats is now available!

A timely new HIPAA training toolkit has just been released by Hurley Makes It Happen!  This product, called Cyberthreats, Breaches, and their Laws, tackles many of today’s cybersecurity issues that confront computer users.  Briefly, some of the topics include (1) typical cyberthreats and hacker gimmicks; (2) best-practice tips for users to avoid cyberattacks; (3) what happens when there is a breach; and (4) the laws related to data breaches.

This material is presented with 33 PowerPoint slides and enhanced by audio clips recorded by the author, Brenda J. Hurley, CMT, AHDI-F.  This presentation has been preapproved by the Association for Healthcare Documentation Integrity for 2 medicolegal continuing education credits for its credentialed professionals.

The toolkit includes the PowerPoint file, a 20-question quiz, answer key for the quiz, a certificate of completion template, a pdf file of the PowerPoint file for quick reference, and instructions for how to use these toolkit items.

The special price for this newly released toolkit is only $500.  As with other training toolkits developed by Hurley, once you buy a toolkit product you have unlimited use of it within your organization. You are only restricted from copying it and/or sharing it with others outside of your organization.

To order this new training toolkit, contact Brenda at

Friday, July 31, 2015


Two major components of HIPAA compliance for your business are training of your workforce and written HIPAA Policies & Procedures (P&Ps).  Hurley has products that are easy to use and can help you succeed in achieving and maintaining these HIPAA compliance requirements for your organization.  Unlike so many other HIPAA products available on the market, all of these products are specific to medical transcription services and independent contractors.

WORKFORCE TRAINING:  There are 3 different training toolkits available for purchase; a description of each is below.  Each toolkit consists of a PowerPoint file with audio clips inserted throughout the presentation, a test on the material presented, the answer key for the test, a certificate for proof of training, a PDF file of the PowerPoint slides for quick reference, instructions for how to use these items, and a folder with Microsoft PowerPoint Viewer software for those who do not have PowerPoint software.

HIPAA training products to consider: Each training product has been preapproved by AHDI for 1 ML credit.

1.  HIPAA has Changed - are you Compliant?  If you have not provided any HIPAA training for the last 5 years, this is a product you should consider as it discusses the changes from the “original” HIPAA to the “new” HIPAA that has evolved from the enactment of the HITECH Act and Final Rule.  This toolkit is $500.

2.  HIPAA on the Job!  This training tool is a good reminder for the MT workforce as it offers many of the common situations that occur on the job and applies HIPAA principles for resolution.  Some examples of topics discussed include destruction of hard drives with PHI, home office security tips, hidden risks with sample reports, faxing of PHI, and more!  This toolkit is $500.

3.  HIPAA in Action!  This training toolkit is an excellent refresher with examples from published HIPAA breaches, solutions for avoiding violations, dangers of social media, snooping, and several important “what if” scenarios with ways to be HIPAA smart. This material is consistent with the changing HIPAA landscape. This toolkit is $500.

Note: The above 3 products are priced so that you can use them for all your workforce members; there is no per-person license fee or use fee.  Once you buy a product for $500 you have unlimited use of it within your organization. You are only restricted from copying it and/or sharing it with others outside of your organization.

4.  Online HIPAA training is available at $35 per person. All 3 training products (described above) are online. The participant selects a presentation, purchases it, then views the presentation and listens to the audio clips online.  Once the participant has finished the presentation, the test is automatically presented to them. When the participant passes the test, a certificate is issued. This is an affordable training solution for small MT services or for individuals.

Written HIPAA P&Ps for MT companies:  This product includes a packet of 51 HIPAA P&Ps, their accompanying forms/templates, and a complete table of contents, all customized for your organization.  Some of the key policies include business associate agreements (for clients, vendors, and subcontractors), nondisclosure agreement, faxing of PHI, social media participation, de-identification of PHI, physician updates for system access, and lots more! This customized packet is only $500.

Written HIPAA P&Ps for ICs:  This product includes a packet of 21 HIPAA P&Ps, their accompanying forms/templates, and a complete table of contents, all customized for the independent contractor (subcontractor) who is also a HIPAA business associate.  Special rate for this packet only is $200.

Contact Brenda at for purchasing these products or any questions related to them.

If you need more than compliance products – contact me about consulting services!

Sunday, February 15, 2015

Hope to see you there! 


Thursday, October 3, 2013

Windows XP Computers


Microsoft has announced that they will no longer support Windows XP (and Office 2003) as of April 8, 2014.  This sunset of XP along with the increased security regulations under the HIPAA Final Rule will create a logistical and budgetary challenge for many MT businesses, healthcare organizations, and MT subcontractors.

Windows XP is often the preferred platform for enterprise-wide applications and individual users in the medical transcription industry.   Even with a VPN connection, there are, at a minimum, temporary files stored on the local PC that a skilled attacker could get at.   The VPN login/logout process can be configured so that all temporary files are deleted upon exiting the VPN, which would help with these security concerns.

Upgrading a PC from XP to Windows 7 is not for the faint of heart.   The hard drive must be completely wiped before the upgrade.  All data files must be saved to another location (jump drive, external hard drive, network drive, etc.).  Then after the upgrade all software will need to be reinstalled from original media so those CDs or access information will need to be gathered up prior to upgrading.   While IT experts are equipped to handle this, many others would find this to be quite challenging. 
Norton has taken a “wait and see” approach before committing to support after the demise of XP.   They have stated that they will continue to support their program.  However, they have qualified that “Symantec Support may not be able to provide full threat resolution on XP systems due to a lack of Microsoft security patches.”  See these links for those formal announcements.

It is unknown how at risk PCs will be without support from Microsoft, or how quickly that risk will grow after the official sunset date of April 8, 2014.   Traditionally, however, hackers have taken advantage of unpatched, unsupported systems, so there is clearly the potential for high risk.   With the guarantee of no support from Microsoft and the limited ability of vendors such as Norton to commit to security on Windows XP computers after April 2014, the risk to PHI outweighs the benefit of utilizing out-of-date and technically unsupported systems.
We recommend that healthcare organizations, MT services, and MTs take a proactive approach to this issue.  If you are using a Windows XP computer you will need to evaluate your PC to determine if it has the potential for upgrading to Windows 7; if it does then have it upgraded. If it does not, purchase a Windows 7 (NOT a Windows 8) computer. 

You will want to be fully operational on a Windows 7 computer before April 2014, but why wait until the last minute?  Do it sooner rather than later to improve your selection of Windows 7 computers available for purchase.
If you have any questions related to this notification, contact Brenda at   

Friday, June 28, 2013

Frequently Asked Questions about HIPAA
Brenda J. Hurley, CMT, AHDI-F
· Are breaches limited to only protected health information (PHI) that is in electronic form?
Response: No, breaches can occur when unsecured PHI, in any form or medium, is accessed by an unauthorized person.
· The doctor dictated the patient’s phone number in the Plan section of the report.  Should the MT transcribe it as dictated, flag it, or ignore it?
Response: The first thing you should do is review the facility’s policy for use of personal identifying elements (such as the patient’s phone number) within the body of the report.  Facilities vary greatly as to their ‘rule’ or ‘policy’ for how this should be done. If you are unsure how to handle this, flag the report or contact your supervisor, whichever is the policy you follow when you have questions related to a report. Many believe that HIPAA does not allow these personal identifying elements within the body of the report; however, this is not true. The report is protected health information because it has to include patient demographic information in order to be attached to or uploaded into the correct patient chart. We often forget about this because we seldom see the viewable “final” report; we just see the sections that we are involved with, such as the body of the report being transcribed or edited. So the healthcare report is already protected under HIPAA; the inclusion or exclusion of the patient’s identifying elements within the report does not make the report more protected or less protected in the eyes of HIPAA.
Healthcare organizations constantly struggle with this issue when establishing a policy that either allows PHI elements within the body of the report or restricts the personal identifying elements to the demographic section of the report. There are pros and cons on both sides of this issue.  As just one example, a report that limits the PHI elements to the demographic sections can be easily ‘scrubbed’ of all PHI elements if that report ever needs to be de-identified in the future. Complete and thorough de-identification, however, becomes a very labor-intensive and cumbersome process when PHI elements are allowed within the body of the report.  The healthcare organization must weigh all of the pros and cons when establishing its policy for the use of personal identifying elements within healthcare reports.
· Can an intern or a nurse practitioner share the same dictation ID number with their attending physician?
Response: No. Critical to the transcribed report is the proper identification of the author of the dictation.  An assigned number for each individual dictator provides a level of assurance that each report they dictate will be accurately matched to them for authentication and for inclusion within the legal medical record.  Technology provides the ability to assign unique identifiers for dictators to facilitate their individual user identification within the dictation process.  The HIPAA Security Rule has established requirements for technical safeguards for electronic protected health information (ePHI) in section 164.304 of the Rule.  Both Covered Entities and Business Associates must follow the rules established in these technical safeguards. One of the required safeguards is access control.  Unique user identification is a requirement established in the HIPAA Security Rule.
· Can Business Associates be audited by HHS?
Response: Yes.  Under the HITECH Act the provision for audits was established for both Covered Entities and Business Associates.  HHS (Health and Human Services) contracted with KPMG Associates to create a protocol for performing audits and to create guidance tips from lessons learned from actual audits. Those audits were performed late in 2011 and continued through 2012. Audits resumed in 2013 and since that time Business Associates have been included in the audit program.
· As an MT independent contractor, am I a Business Associate to the MT service that I do work for?
Response: Yes.  The HIPAA Final Rule in January 2013 made this change. You are now a Subcontractor Business Associate to the MT service, which is a Business Associate to its clients, who are Covered Entities. This was changed so that all of those who receive the downstream handoff of PHI share the responsibilities and obligations of securing the PHI entrusted to them.
· What is a common breach that has occurred within the medical transcription industry?
Response: There is no real “data” specific to medical transcription breaches, but from my experience it is from faxing unsecured documents with PHI. The good news is that when this happens it is usually 1 report at a time; the bad news is that it happens far too often.
· There are secure ways to deliver reports with PHI, so why are faxes still being used?
Response: Again, there is no real “data” as to why faxes are still allowed to be used, but it has been my experience that clients (i.e., hospitals, clinics, etc.) have continued to request (require) fax delivery of reports to physician offices despite the associated risk of breach. Often these physician offices are not able to receive secure electronic delivery of their reports, so faxing is the easiest way to accomplish report distribution (although not a secure method).
· Is all encryption software considered “acceptable” for securing PHI?
Response: No.  The definition of “secure” is established by HHS and currently is a 128-bit or 256-bit encryption algorithm that is in compliance with standards established by NIST (
· Does HIPAA now require encryption to be used?
Response: The short answer is ‘no’, it is not required; however, if PHI was breached while unsecured per the guidelines established by HHS (secured means appropriately encrypted), then all notification requirements for that breach would need to be immediately implemented.  When appropriate encryption of PHI is used and it is received by a wrong recipient, it could not be accessed, read, or used (because it was encrypted); therefore, it would not be considered a breach. Although HIPAA does not require encryption, it is your best defense against a breach.
· Do reports that have been de-identified of PHI elements need to be encrypted?
Response: No. Reports that have been appropriately de-identified are no longer considered PHI, so they do not require the same protections as documents that include PHI.  De-identified reports and voice files have many uses in our industry, such as sample reports, training, and testing.
· Are there specific rules for destroying documents with PHI?
Response: Yes. Destruction of PHI needs to follow the guidelines established by NIST in its publication (800-88) on media sanitization.
· What type of shredder should I buy to destroy PHI?
Response: The answer depends on the media that needs to be destroyed.  The NIST publication 800-88 recommends using a cross-cut shredder for paper and for microfilm, to a size such that it is reasonable to assure that the data cannot be reconstructed. Optical disks (CDs, DVDs, etc.) need to be pulverized to the point that the residue is no larger than a 25 mm squared surface area.  High-end shredders or commercial shredders can accomplish this.
· As a medical transcription service, a Business Associate, is our client (the Covered Entity) responsible for the HIPAA training of our workforce?
Response: No.  There could be some circumstances, however, where the client will want to train certain members of your workforce, such as on software applications, but they are not responsible for training your workforce on their obligations and responsibilities related to HIPAA.
· I am an employee of an MT service; if there is a problem with privacy, can I be personally liable?
Response: HHS has made it clear that individuals can be criminally liable in some limited circumstances. Generally these are individuals who have intentionally breached patients’ information for personal gain, or incidents of willful neglect.  HIPAA has become recognized as the standard of care for protected health information, and when it has not been followed some patients have filed civil suits for privacy breaches of their information.  With that said, as long as you are acting within the scope of your duties and comply with all established P&Ps, your personal risk would be greatly minimized.
· As a medical transcription service, a Business Associate, do I follow the FTC security regulations or the HHS security regulations?
Response: Medical transcription services would follow the HHS security regulations.  The FTC (Federal Trade Commission) rules and its security regulations would apply to PHR (personal health record) vendors.
· Do breach notification obligations apply if only one patient’s information is breached?
Response: Yes. The number of patients involved is only relevant to the type of notifications required.
· As an MT service, a Business Associate, if we faxed a report in error to a local pizza shop, do we notify the Covered Entity (our client)?
Response: You must provide certain information to the client (the Covered Entity) from which the report/dictation originated.  You will also need to investigate the breach and its cause, immediately mitigate significant risk when possible, and fully document your findings as well as the steps implemented to prevent future occurrences.
· I bought a new computer; what should I do with the PHI on my old computer?
Response: The easiest way to accomplish this is to remove the hard drive from the old computer and have it pulverized.  Commercial shredding companies offer this service.
· As an MT service, a Business Associate, if we fax a report in error to the wrong doctor’s office, is that a breach?
Response: It depends.  It is possible that these two organizations (your client and the office that received the fax) may have what HIPAA calls an Organized Health Care Arrangement (OHCA). If this is the case, then there is no breach because they are allowed to share PHI between their facilities.  Misdirected faxes that go to another covered entity are interpreted differently by HIPAA experts. Some consider it a simple/minor disclosure (not a breach), while others take a stricter view and label it as a full breach. Either way, all experts do agree that it has to be investigated, mitigated, and documented.  The final decision of a simple disclosure or a full breach is the client’s (the Covered Entity’s) decision to make, since they will know the relationship of all parties involved. Business Associates need to fulfill their obligation by investigating it, mitigating significant risk, implementing new safeguards for prevention, documenting it, and reporting it to their client (the Covered Entity).
· Is HIPAA training required for all of our workforce members as well as our subcontractor business associates?
Response: Yes, all members of your workforce and your subcontractor business associates who have access to PHI need to receive HIPAA training.
· Is there any requirement for periodic retraining on HIPAA privacy and security?
Response: HIPAA requires updating the training when making changes to privacy and security policies and/or processes. Most organizations offer periodic reminders and refreshers at least on an annual basis for their workforce members and subcontractor business associates to reinforce a culture of compliance.


Thursday, March 28, 2013

Saturday, February 16, 2013

The HIPAA Final Rule is Here!

In the medical transcription (MT) industry, the most anticipated proposed change was that related to subcontractors.  The newly expanded definition in the Final Rule for BAs also directly addressed subcontractors.  It states “A Business Associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”  This change will greatly impact a large number of the MT workforce since there are many MT subcontractors (independent contractors) who work for MT services. Their new obligations as HIPAA BAs will be numerous and for a single practitioner these new obligations could be overwhelming. 

Here are some of those key HIPAA BA requirements that all subcontractors who handle PHI will now need to follow:

·       A written BA agreement.  This agreement would be between the subcontractor and the BA they perform services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) they provide services for, now the subcontractor must also have a written BAA with the BA they provide services for. The BA must, of course, comply with all of the requirements outlined in the BAA.  HHS posted an updated sample of a BAA consistent with the Final Rule on their website at:

·       Comply with the HIPAA Security Rule.  This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.

·       Maintain written HIPAA policies and procedures.

·       HIPAA training and proof of it.

·       Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.

·       If a subcontractor uses the services of a subcontractor, and they handle PHI, subcontractor A will need to have a written BAA with subcontractor B.

·       Comply with all notification requirements related to the Data Breach Rule.

·       Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).
The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs.  Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.

BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as a HIPAA BA, and execute an updated BAA with each subcontractor.  Because of your expanded liability related to their actions under HIPAA, you may want to require them to provide you with a copy of their written P&Ps and proof of their HIPAA training for your records.  BAs will also need to review and update their own P&Ps related to the use of subcontractors/independent contractors to reflect these new changes.
You cannot fix this new challenge by ignoring it or deciding not to establish a BA agreement between the BA and their BA subcontractor.  The Final Rule clearly states that even if there is no written BAA, the subcontractor to the BA is subject to the same legal obligations as a BA regardless of whether they have or have not entered into a written BAA.

The effective date for the Final Rule is March 26, 2013, with the compliance (enforcement) date of September 23, 2013.  The only exception to this is for business associate agreements (BAAs) which are currently in place; that deadline is September 23, 2014.  When existing BAAs are renewed or revised before September 22, 2014, they must then conform to the Final Rule.  New BAAs will be required to follow the Final Rule so that all BAAs are in full compliance with the Final Rule by September 23, 2014.
For those BAs who think that no one will notice if you skimp on your path to HIPAA compliance, the Office for Civil Rights (OCR) announced in late 2012 that the random HIPAA audits will continue in 2013 and will be expanded to include BAs.  There is no place to hide: if you handle PHI, you have major steps to follow to achieve and maintain HIPAA compliance as mandated in the Final Rule.

There is no time to wait; HIPAA compliance is not an option.