HIPAA Privacy and Security Regulations
Debbie Sabatino, Director for Privacy, MDS Laboratory Services, Inc. and
Paul Fekete, MD, Medical Director, MediaLab Inc.
This course, using examples specific to the clinical laboratory, covers the HIPAA privacy regulations and treatment of protected health information (PHI) in a succinct manner. Content is directed at laboratory staff, from desk personnel to phlebotomists to medical technologists. Includes numerous interactive case studies. Appropriate for annual HIPAA training for laboratory staff. Key areas covered include technical and physical safeguards, minimum necessary standard, administrative requirements, and authorization.
Continuing Education (CE) Credits
A subscription to MediaLab includes all 42 courses. Laboratory subscriptions feature the MediaLab Learning Management System that allows you to assign and track required training, generate and print detailed reports and statistics, delegate administrative powers to shift supervisors and safety officers, customize MediaLab courses for your laboratory, and build your own courses.
HIPAA Privacy and Security Regulations Objectives
- Understand the impact of the HIPAA Privacy and Security Regulations in your workplace.
- Be able to apply HIPAA Privacy and Security Regulation requirements to your daily clinical responsibilities.
- Develop a basic understanding of the HIPAA Privacy and Security Regulations.
HIPAA Privacy and Security Regulations Outline
- Overview of HIPAA
  - What is HIPAA?
  - Who does HIPAA apply to?
  - Which of the following entities are covered by HIPAA?
  - Importance of Privacy - An Example
  - Privacy is Your Responsibility.
  - HIPAA Enforcement
  - Relevant Components of HIPAA
- HIPAA Privacy Regulation
  - What is the HIPAA Privacy Regulation?
  - What Information is Protected?
  - The HIPAA Privacy Regulation:
  - Administrative Requirements include the following:
  - Safeguards
  - Physical Safeguards
  - Administrative Safeguards
  - Technical Safeguards
  - Case Study: Incidental disclosures and safeguards.
    As a manager, you guided a group of high school students through your clinical laboratory during a field trip. You did not explain the laboratory's privacy policy to the teacher and students, because you thought they would have little access to PHI. However, during the tour, the students overheard names of patients and blood tests, saw laboratory reports lying on desks, and viewed test results on computer screens. This is acceptable under the HIPAA Privacy Regulation since these were incidental disclosures that could not reasonably be prevented.
  - HIPAA Provides for the Following Rights:
  - Case Study: Accessing PHI
    You are answering the office phone today. A person claiming to be a patient, whose voice you do not recognize, calls demanding all his test results for the past 6 months. He threatens to complain to the government if you won't immediately read him the results over the phone.
    Under the HIPAA Privacy Regulations, you must immediately give the patient the requested information over the phone, regardless of your office policy as it pertains to release of patient results.
  - Notification
  - Authorization
  - Case Study: Authorization
    You are working in a physician's office. The doctor orders laboratory and other diagnostic tests on a patient with suspected Alzheimer's disease. He then asks you to give the patient's name and contact information to the local Alzheimer support group without getting permission from the patient or his legal guardian. Does the doctor need authorization from the patient or his legal guardian to do this?
  - Limiting Use and Disclosure of PHI
  - Case Study: Limiting Use & Disclosure of PHI
    You are the customer service representative in a clinical laboratory. You get a call from someone at a local gastroenterologist's office, with whom you are personally familiar, requesting that you fax results on a patient, which the referring physician's office had failed to provide. The doctor needs the test results immediately. Under the HIPAA Privacy Regulations, you can comply with this request without getting written authorization from the patient.
  - Case Study: Limiting Use & Disclosure of PHI
    A nurse from the Winterhaven Outpatient Facility calls requesting an HIV test result on a patient, concealing the fact that she had received a needle stick injury from that same patient. You provide the nurse with the HIV test result. The nurse's request was appropriate.
  - Minimum Necessary Use and Disclosure
  - Case Study: Minimum Necessary Use and Disclosure
    You are a ward clerk responsible for inserting laboratory reports into patients' medical records (charts). You open the chart directly to the laboratory tab, insert the report, and avoid "paging through" the entire medical record. "Paging through" and browsing the medical record to satisfy your curiosity would be a violation of the privacy regulations.
  - Case Study: Minimum Necessary Use & Disclosure
    You are a phlebotomist at a specimen collection center. A patient arrives with an order for a blood glucose test and a lipid profile. You get the patient's address, phone number, health insurance coverage, and ask how long ago he ate his most recent meal. You then ask him about his recent auto accident, his wound infection, and his family. You write down all the extra information. Under the HIPAA Privacy Regulations, which of the following information requests is acceptable?
  - Business Associate Agreement
  - Case Study: Business Associate
    Your hospital hired a consulting firm to help review and update its HIPAA privacy program. The firm has submitted a proposal that will require limited access to records containing PHI. The hospital must have a business associate agreement in place before the consultants begin working.
  - De-identified Health Information
  - Case Study: De-identified Health Information
    You work in a laboratory microbiology department which provides a local nursing home with information about the effectiveness of various antibiotics it uses to treat infections. You print the requested information, including complete patient identification, bacterial organisms identified, and their sensitivity to various antibiotics. What information should you provide to the nursing home?
  - Fax Machines
- HIPAA Security Regulation
  - What is the HIPAA Security Regulation?
  - What is Electronic PHI (ePHI)?
  - Security Officer
  - Safeguards
  - Administrative Safeguards
  - Case Study: Administrative Safeguards
    You are the technologist in charge of the hematology section in a hospital laboratory, and you are reviewing blood count results for 100 patients as part of an internal quality assurance project. You review the clinical findings in the electronic medical record to correlate with the laboratory results.
    The following week you get a call from your hospital security officer. She says that a routine computer system audit has revealed that you accessed the records of 100 patients and she would like to know why.
    You tell her:
  - Physical Safeguards: Access Controls
  - Physical Safeguards: Storage and Disposal of Media
  - Case Study: Physical Safeguards
    You are a supervisor of a health clinic. During orientation of a new employee, you instruct him to keep the door leading from a patient area to a computer work area locked at all times. On several occasions, he forgets to make sure the door is locked as he leaves.
    Which of the following are true regarding this situation?
  - Technical Safeguards: System Access Control
  - Technical Safeguards: Passwords
  - Protection Against Viruses and Malicious Software.
  - Email Security
  - Case Study: Technical Safeguards
    You are given several sets of logins and passwords to access various information systems. The login is your own first initial and last name, but you have difficulty remembering the passwords, so you write them down on a sticky pad which you keep on your desk.
    This is not a good idea, because:
- Conclusion
  - Follow your own Facilities' Policies and Procedures.
"This was a helpful review both for work and my clinical lab class. Thanks."