
Top 10 Risks Agencies Face Today, Part 8: HIPAA Privacy Breach Liability


The eighth of the 10 risks facing home health agencies today, highlighted by the Texas Association for Home Care and Hospice and Liles Parker PLLC, is HIPAA Privacy Breach Liability.

HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress in 1996 and, among other things, requires the protection and confidential handling of protected health information (PHI).

In 2006, the U.S. Department of Health & Human Services (HHS) Enforcement Rule set civil money penalties for violating HIPAA rules, while at the same time establishing procedures for investigations and hearings for HIPAA violations. Initially, few violations were prosecuted, but this rapidly changed as violations escalated.

In January 2013, HIPAA was updated and expanded. The greatest impact of the expanded requirements is that they now apply directly to business associates, whereas the rules originally applied only to covered entities.

Additionally, the ‘significant harm’ test used when analyzing a breach of information was replaced with a stricter standard, with the intent of bringing to light breaches that previously went unreported. Originally, an organization needed proof that harm had occurred before a breach had to be reported; now, harm is presumed and the burden is on the organization to demonstrate that harm did not occur.

The period during which PHI remains protected has also changed from indefinite to 50 years after the individual’s death, and more severe penalties for violating PHI privacy requirements have been approved.

As of March 2013, HHS had investigated more than 19,000 cases that resulted in changes to privacy practices or corrective action. If HHS determines that an entity is noncompliant, that entity must apply corrective measures.

Advice to Agencies

  • Document Disposal: Dispose of PHI materials through a shredding company, and obtain a valid business associate agreement with that company before handing over any documents. Partner with a company that sends the shred truck to your office and allows a staff member to supervise the destruction of the materials. Most companies provide a certificate verifying that the materials were properly shredded.
  • Office Compliance Standards: Ensuring patient safety is critical, and staff must understand that an incidental disclosure is a reportable event. For example, suppose an employee posts a picture of a newly decorated workstation on social media, and PHI is visible on a monitor in the photo. If the employee later notices the problem and removes the picture but never informs the agency, the agency could still be liable when the patient becomes a victim of identity theft and reports it months later.
  • Secure Data: Use encryption software on every laptop and tablet that holds patient PHI, so that if company property is lost or stolen the patient records on it remain protected.

As with other areas of regulatory compliance, training and education on HIPAA are essential to avoid a breach of PHI or an individual’s financial information.

In part nine, we will take a deeper dive into various social media issues and how they can impact your organization.
