Long-Term Care Survey Alert

What Do You Think?:

Could HHS Extend 'Willful Neglect' Violations to a Stolen Laptop or Other Device Containing Unencrypted PHI?

It could happen, says HIPAA expert.

Willful neglect violations can lead to some humongous fines. And one of a nursing facility's biggest vulnerabilities may be portable devices containing unsecured PHI, say experts (see the front page article).

"HHS hasn't formally made a determination that a lost or stolen laptop [or other device containing unencrypted PHI posing a significant risk of harm to an individual] represents willful neglect," observes consultant Abner Weintraub in Orlando, Fla. "If HHS made such a finding, it would likely be that not encrypting the data would constitute the 'willful neglect.'"

That could happen, considering that "HIPAA is a reasonableness standard," Weintraub says. "Covered entities are supposed to take reasonable precautions against reasonably anticipated risks." And that includes the potential for the widely reported thefts of laptops containing unencrypted PHI, he points out. "Laptop thefts are probably second to cell phone theft."

Don't be one of these: "If you look at research and surveys related to data and device thefts, a lot of organizations still don't encrypt health data or mortgage data, etc., that could harm individuals if it fell into the wrong hands," cautions Weintraub.