Health Information Compliance Alert

Enforcement:

Provider Slapped With First HIPAA Settlement -- And It's A Big One

You could be next, OCR official threatens.

If you've been letting HIPAA concerns languish on the back burner, it's time to bring them front and center.

The HHS Office for Civil Rights has made its first big settlement over Health Insurance Portability and Accountability Act violations and it's an example for other providers, warns attorney Robert Markette, Jr. with Indianapolis-based Gilliland & Markette.

Seattle-based health system Providence Health & Services will pay $100,000 and enter into a three-year Corrective Action Plan over highly publicized privacy breaches at Providence Home and Community Services and Providence Hospice and Home Care, OCR reports in a release.

In 2005 and 2006, the hospital-based agencies had patient data stolen out of home care employees' cars. In one case the theft was of computer disks and tapes containing unencrypted backed-up file information for 365,000 patients. In the other case, the theft was of a home care worker's laptop with unencrypted patient information.

The settlement is "a shot across the bow for providers," says attorney Jim Pyles with Powers Pyles Sutter & Verville in Washington, DC.

"The enforcement tone is about to change," Markette predicts. "HIPAA enforcement is going to get some teeth."

The feds often will issue a big first penalty as an example to other providers to get their act together about a certain enforcement issue, Markette tells Eli. A typical pattern is to "let it lie for a while while helping providers to comply, then hammer an egregious violator," he notes. Then authorities will "settle into a more traditional enforcement pattern."

OCR received 30 complaints from patients about the Providence breaches, it says.

Most Vulnerable To HIPAA Violations

Practices that provide in-home nursing or therapy services such as home health agencies are at high risk of HIPAA problems because they send numerous workers out into the community with protected health information (PHI) every day, notes Washington, DC-based health care attorney Elizabeth Hogue. And that risk is intensified due to providers' increasing reliance on laptops and other personal devices, Hogue cautions.

"For HHAs, the problems are real and everyday," says attorney Ross Lanzafame with Harter Secrest & Emery in Rochester, NY. "Staff frequently carries PHI in PDAs, laptops and other transportable media."

While electronic record systems may increase agencies' productivity and efficiency, they have a hidden HIPAA danger, Pyles warns. That's because the volume of patient data that can be stolen is so much higher with electronic versus paper records.

For example, look at the theft of Providence's 365,000 patients' data. "You'd have to have a pretty good size tractor trailer to get away with those records" if they were on paper, Pyles notes.

The liability potential for electronic records is exponentially higher, he warns. That's especially true because providers' penalties for stolen patient data won't stop with HIPAA. Public relations damage and lawsuits from patients are also threats.

Move HIPAA Up On Your To-Do List

Under the lax HIPAA enforcement environment, many providers have adopted "laissez-faire HIPAA compliance," Lanzafame observes. They have a HIPAA compliance system in place, but it isn't complete (such as not having data encrypted) or they don't check up to make sure employees follow it.

But those days should end -- and soon, the legal experts urge.

Who's next? "We are committed to effective enforcement of health information privacy and security protections for consumers," OCR director Winston Wilkinson says in the release. "Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action."

Many providers will need to reprioritize where to put their compliance resources, moving HIPAA to the top of the list, Markette suggests. "If you've been neglecting HIPAA compliance, now's a good time to address it," he exhorts.

Note: The resolution agreement and plan between Providence and the OCR are at http://www.hhs.gov/ocr/privacy/enforcement.