California HIPAA training for small businesses

Legal Consultations

Darnall Law Office is uniquely qualified to serve small businesses within California. Karen Darnall and Carol Mack, RN have worked in a wide variety of healthcare settings. They understand the nuances of medical privacy law.

Video Tutorials

This site includes 24 lessons on HIPAA compliance. Each lesson includes a dramatization to show how the regulations play out. Videos are demonstrative and should not be regarded as legal advice.

Organizing Responsibilities

We help you understand HIPAA's organizational requirements and help you bring your policies and procedures up to date. If you have problems disciplining your staff, we can provide legal advice on retraining or terminating employees.

Our video tutorials will help you identify regulations and learn to interpret the code yourself. We focus on Title 45, Parts 160 and 164 and California laws affecting medical information.

HIPAA Privacy Officer

Organizational Documents

Covered entities (CEs) and business associates (BAs) must develop written policies and procedures for training workforce members.

CEs must develop a Notice of Privacy Practices (NPP) that explains the entity's rules for HIPAA compliance and informs patients about their rights.

Using and Disclosing PHI

Misunderstandings of the law can lead to overzealous HIPAA enforcement and inefficient office practices.

We can help you understand how the "minimum necessary" rule applies to informal disclosures of PHI.

We can provide legal opinions on how to deal with unusual situations involving disclosures of PHI.

Disclosing health information to patient's wife

Authorization Forms

A signed authorization form that conforms to HIPAA and California law is the safest way to disclose PHI.

If the authorization form is signed by a patient representative, a description of the representative's authority to act for the patient must also be provided.

Securing Electronic PHI

We can help you select EHR vendors and review contracts for software applications, hardware and IT services.

We can help you identify security risks before the BA contract is signed.

We can help you negotiate severance agreements. It is important to eliminate a former employee's access to electronic PHI.

Patient is wearing a Tee-shirt that says he is a Hacker

BA Contracts

The 2013 HITECH Act requires business associates (BAs) to designate a security official and to adopt written policies and procedures to enforce the Security Rule.

BA contracts are specifically required for health information organizations, e-prescribing gateways and agents that need "routine access" to electronic PHI.

Responding to Requests

We can help you create a system for managing patient requests for extra privacy protection, including PHI restrictions and requests for confidential communications.

We can provide legal advice when your professional judgment, circumstances and the law suggest a patient should not have access to highly sensitive information.

We can help you deal with denials of patient requests, such as requests for restriction and requests to amend PHI.

Husband and wife request access to records

Documenting Requests

Healthcare providers must have policies and procedures for denying requests for access to PHI. For example, a caller may falsely assert that he or she is a family member.

Providers must document when PHI is sent to a surrogate who is designated by the patient.

Investigation and Reports

We can help you investigate security incidents and determine whether an incident is also a breach.

We can help you revise policies and procedures after the incident investigation and help you deal with the aftermath.

We can draft breach notifications so that the letter includes only relevant and required information.

Female doctor looks accusingly at male doctor

Incident Reports & Breach Notifications

The Security Rule requires providers and BAs to respond to security incidents but does not require reporting to HHS or any other government agency. The incident and the outcome must be documented internally with the provider.

A practice must notify the OCR of any breach affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

© Darnall Law Office 2015