Eli's Hospice Insider

Patient Privacy:

HIPAA Compliance Should Zero In On Portable Devices

Hospices face special privacy risks.

With HIPAA enforcement looking to ramp up in the near future, now's the time to make compliance with the patient privacy regulation a priority for your hospice.

HHS Secretary Kathleen Sebelius' recent appointment of a former Department of Justice official to the top HHS Office for Civil Rights spot may signal that providers can expect HIPAA enforcement to be on the rise, experts say. Former state and federal prosecutor Leon Rodriguez was chief of staff and deputy assistant attorney general for the DOJ Civil Rights Division before becoming OCR director. (OCR is in charge of enforcing HIPAA requirements.)

And the health care reform law increased penalties for HIPAA violations, notes attorney John Gilliland with The Gilliland Law Firm in Indianapolis. The law also gave state attorneys general the right to enforce the patient privacy regulation.

"There's no question that HIPAA enforcement is increasing," Gilliland observes.

Hospices may have a right to be nervous about increased enforcement, because they face HIPAA risks greater than those of facility-based providers. Home care providers are more vulnerable to breaches "because protected health information (PHI) is being taken outside the agency's office with its controlled access," Gilliland says. "The opportunities for breaches are more likely than when the PHI remains at one physical location with controlled security."

"The most serious breaches these days are caused by the loss or theft of laptops and portable devices such as CDs and memory sticks," points out Jim Sheldon-Dean, director of compliance services for information security consulting firm Lewis Creek Systems in Charlotte, Vt. "Home care providers tend to use a lot of portable data and devices, so their risks are greater."

Watch out: "It seems stolen laptops are becoming one of the most common breaches even though it is not difficult to avoid," Gilliland laments.

Breaches via social media like Facebook are also a risk for home care providers, legal experts warn, since staff may develop close personal relationships with patients and forget to protect their PHI (see related story, p. 78).

Hospices face a double risk. "A home care provider has PHI in its office ... plus PHI being taken outside the office in conjunction with patient care," Gilliland tells Eli.

Don't forget: HIPAA violations also can occur from unforeseen places, as one California hospital recently found out. Stanford Hospital in Palo Alto discovered that the names and diagnosis codes of 20,000 emergency room patients were posted on a commercial website, according to the New York Times.

The detailed spreadsheet that contained PHI was posted by a billing contractor to a website that allowed students to solicit help with schoolwork, along with a question asking how to convert the data into a bar graph. The attachment, which included six months' worth of patient data from 2009, remained on the site for nearly a year until a patient discovered it and reported it to the hospital, which then removed the post and reported the breach.
