Home Health & Hospice Week

You know that you must keep your patients' protected health information safe from prying eyes, but that obligation just increased.

New: If a privacy or security breach affects more than 500 patients, you must alert those patients, the Department of Health and Human Services' secretary, and the media, according to a new interim final rule published by HHS in the Aug. 24 Federal Register.

The interim rule also demands that your  business associates let you know immediately when a privacy or security breach occurs on their end.

However, if a breach affects fewer than 500 patients, you only must report it to the HHS secretary on annnual basis.

Reasoning: The new rule will ensure that "covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," explains Robinsue Frohboese, acting director and principal deputy director of HHS' Office of Civil Rights. "These protections will be a cornerstone of maintaining consumer trust as we  move forward with meaningful use of electronic health records and electronic exchange of health information," she notes.

The regulation will also ensure that patients are promptly warned about breaches that pose significant risks for financial, reputational, or other harm, the National Association for Home Care and

Hospice points out. Ample warning gives patients enough time to mitigate the effects of the breach, including monitoring their credit reports and changing their contact numbers.

Shortcut: You can circumvent the need for reporting -- but you'll need to do some extra work up front. In the interim rule, HHS specifies how you can encrypt and destroy confidential information to render it unusable, unreadable, or indecipherable to unauthorized viewers.

If you take those steps, you won't have any PHI for the wrong people to access, HHS believes. The agency plans to update its guidance annually to stay on top of tech trends.

HHS wants all treatment providers to help their patients avoid any problems that might result  from privacy and security breaches, but there are a few other exceptions to the interim rule's reporting requirement, including:

• when a staff member or person acting under the authority of an agency or business associate unintentionally acquires, accesses, or uses patients' protected health information (PHI),

• when staff members who are authorized to  access PHI inadvertently disclose confidential health information to others at your agency who are not authorized, and

• when staff members disclose patients' PHI to unauthorized persons who wouldn't reasonably be able to retain the information.

Strategy: Your agency has likely worked hard to streamline your policies to protect your patients' confidential data from privacy and security breaches. But now's the time to remind and re-educate your team, says Peter Cizik, founder and CEO of BridgeFront, an online education site. Start by "examining all compliance policies and procedures and make sure they are up to date," Cizik suggests.

Deadline: The rule goes into effect on Sept. 23, 2009, and implements provisions of the Health Information Technology for Economic and Clinical Health Act and the Health Information Portability and Accountability Act. HHS says it won't impose sanctions for failure to follow the new requirements until after Feb. 22, 2010.

Next step: Share your questions and concerns about the interim final rule. HHS is accepting comments on the rule's provisions until Oct. 23, 2009. Read the rule at

http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.