Home Health & Hospice Week

HIPAA:

Home Care Provider Slapped With First HIPAA Settlement -- And It's A Big One

You could be next, OCR official threatens.

If you've been letting HIPAA concerns languish on the back burner, it's time to bring them front and center.

The HHS Office for Civil Rights has made its first big settlement over Health Insurance Portability and Accountability Act violations and it's an example for other providers, warns attorney Robert Markette, Jr. with Indianapolis-based Gilliland & Markette.

Seattle-based health system Providence Health & Services will pay $100,000 and enter into a three-year Corrective Action Plan over highly publicized privacy breaches at Providence Home and Community Services and Providence Hospice and Home Care, OCR reports in a release.

In 2005 and 2006, the hospital-based agencies had patient data stolen out of home care employees' cars. In one case the theft was of computer disks and tapes containing unencrypted backed-up file information for 365,000 patients (see Eli's HCW, Vol. XV, No. 6). In the other case, the theft was of a home care worker's laptop with unencrypted patient information.

The settlement is "a shot across the bow for providers," says attorney Jim Pyles with Powers Pyles Sutter & Verville in Washington, DC.

"The enforcement tone is about to change," Markette predicts. "HIPAA enforcement is going to get some teeth."

The feds often will issue a big first penalty as an example to other providers to get their act together about a certain enforcement issue, Markette tells Eli. A typical pattern is to "let it lie for awhile while helping providers to comply, then hammer an egregious violator," he notes. Then authorities will "settle into a more traditional enforcement pattern."

OCR received 30 complaints from patients about the Providence breaches, it says. Home Care Most Vulnerable To HIPAA Violations Home care organizations are at high risk of HIPAA problems because they send numerous workers out into the community with protected health information (PHI) every day, notes Wash-ington, DC-based health care attorney Elizabeth Hogue. And that risk is intensified due to providers' increasing reliance on laptops and other personal devices, Hogue cautions.

"For HHAs, the problems are real and everyday," says attorney Ross Lanzafame with Harter Secrest & Emery in Rochester, NY. "Staff frequently carries PHI in PDAs, laptops and other transportable media."

EHR land mine: While electronic health record systems may increase agencies' productivity and efficiency, they have a hidden HIPAA danger, Pyles warns. That's because the volume of patient data that can be stolen is so much higher with electronic versus paper records.

For example, look at the theft of Providence's 365,000 patients' data. "You'd have to have a pretty good size tractor trailer to get away with those records" if they were on paper, Pyles notes.

The liability potential for electronic records is exponentially higher, he warns. That's especially true because providers' penalties for stolen patient data [...]
You’ve reached your limit of free articles. Already a subscriber? Log in.
Not a subscriber? Subscribe today to continue reading this article. Plus, you’ll get:
  • Simple explanations of current healthcare regulations and payer programs
  • Real-world reporting scenarios solved by our expert coders
  • Industry news, such as MAC and RAC activities, the OIG Work Plan, and CERT reports
  • Instant access to every article ever published in your eNewsletter
  • 6 annual AAPC-approved CEUs*
  • The latest updates for CPT®, ICD-10-CM, HCPCS Level II, NCCI edits, modifiers, compliance, technology, practice management, and more
*CEUs available with select eNewsletters.