Advanced Search

Home Health & Hospice Week

HIPAA:

SECURITY RULE CRACKDOWN COULD STRIKE YOU

Published on Mon Mar 26, 2007

Hospital lands audit number one.  Is home health next?

A low-key approach to keeping tabs on those laptops in the field may leave you with a costly compliance headache.

New development: In March, the HHS Office of Inspector General made its first move to audit a health care provider for compliance with the HIPAA security rule, which regulates protected health information (PHI) stored or transmitted electronically. The OIG's first provider target is Piedmont Hospital in Atlanta.

"This is the government's first systematic hands-on examination of compliance with any HIPAA regulation," says Rebecca Williams, attorney and partner with Davis Wright Tremaine in Seattle.

Similar audits for home health agencies could be on the horizon, especially given a few headline-attracting security breach cases involving HHAs in the past year (see Eli's HCW, Vol. 16, No. 5).

Background: The HHS Office for Civil Rights enforces the privacy rule of the Health Insurance Portability and Accountability Act--and has been doing so for several years. The agency acts primarily on complaints, however, and then either helps cooperative covered entities correct their violations or refers egregious cases to the Department of Justice for potential criminal prosecution. The Centers for Medicare & Medicaid Services enforces the security regulation, which until now hasn't been routinely enforced.

ID your vulnerabilities: Home health agencies should be especially vigilant about complying with a related guidance released late last year, the HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information.

The guidance addresses the use of a variety of mobile devices, notes Williams. These include laptops, personal digital assistants, smart phones and flash drives, among other devices.

Focus here: HHS highlights three key areas of concern for remote use of and access to electronic protected health information, Williams tells Eli: access, storage and transmission.

"Everyone affected should be looking over this document carefully," says Williams, adding that HHAs are especially vulnerable to scrutiny and claims of noncompliance given the nature of their work.

Required reading: Though the document is called a "guidance," it carries more weight than other documents in the same category.
In issuing the guidance, HHS emphasized that the feds "may rely upon this guidance document in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of [electronic PHI], and it may be given deference in any administrative hearing" under the HIPAA enforcement rule. Step Toward Compliance HHAs can employ a number of strategies to protect electronic PHI, according to experts familiar with the guidance. Consider these strategies:

• Lock down laptops. Require a locking mechanism for unattended laptops.

• Consider encryption. HIPAA's rule doesn't require this, but the guidance puts the strategy in a positive light.

• Invest in flash drives. Prohibit [...]
You’ve reached your limit of free articles. Already a subscriber? Log in.
Not a subscriber? Subscribe today to continue reading this article. Plus, you’ll get:
  • Simple explanations of current healthcare regulations and payer programs
  • Real-world reporting scenarios solved by our expert coders
  • Industry news, such as MAC and RAC activities, the OIG Work Plan, and CERT reports
  • Instant access to every article ever published in your eNewsletter
  • 6 annual AAPC-approved CEUs*
  • The latest updates for CPT®, ICD-10-CM, HCPCS Level II, NCCI edits, modifiers, compliance, technology, practice management, and more
*CEUs available with select eNewsletters.

Other Articles in this issue of

Home Health & Hospice Week

View All