Home Health & Hospice Week

Don’t let harsher enforcement catch you by surprise. Home care providers that have let their HIPAA compliance policies and procedures gather dust for years may soon be sorry, since the HIPAA honeymoon has come to an end. The Health Insurance Portability and Ac-countability Act is about to get a lot tougher, experts predict (see related story, p. 202). Surviving the HIPAA scrutiny from regulators and your own patients will likely require a thorough overhaul of your pertinent operations. The HIPAA settlement with Providence Health & Services "confirms that effective compliance means more than just having written policies and procedures," says Centers for Medicare & Medicaid Services Acting Director Kerry Weems in a release. "To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features." Follow these expert tips on revamping your HIPAA policies, procedures and other operations:   1. Evaluate your P&Ps. Have you even looked at your HIPAA policies and procedures since 2003 when they first were required, let alone updated them? Take stock now of what you have on the books and what you’ll need to do to update that.   2. Figure out what’s reasonable. Technol-ogy has come a long way in the past five years, notes HIPAA expert Robert Markette, Jr. with Indiana-polis-based Gilliland & Markette. You might find more electronic security is now considered "reasonable," as required by the regulation. For example: The HHS Office for Civil Rights, which enforces HIPAA rules, mentions several times that Providence’s patient data was unencrypted. For most providers, encryption is probably a necessary feature of an electronic records system. Tip: Make sure your HIPAA plan covers any new technology you’ve started using since the plan was last updated, Markette recommends. Ask yourself the following kinds of questions when revamping your P&P, recommends attorney Ross Lanzafame with Harter Secrest & Emery in Rochester, NY: "Are [portable electronic records] devices password protected? Do they have automatic log-out? How and where are they secured during the workday? How and where are they secured at the end of the workday?" You can take your cues from OCR’s settlement documents with Providence, suggests Wash-ington, DC-based health care attorney Elizabeth Hogue. "I urge agency managers to read the Resolution Agreement and Corrective Action Plan in this case with an eye toward implementing similar safeguards," she says. Paper records need protection too, reminds Denise Bonn of the National Association for Home Care & Hospice’s Center for Health Care Law. "Paper records should be carried in locked containers," Bonn notes in NAHC’s online newsletter.   3. Train employees. "Have your [...]