Home Health & Hospice Week

HIPAA enforcement is heating up, and you don't want to end up forking over a million-dollar fine due to an accidental breach.

Home care providers can learn from the HHS Office for Civil Rights (OCR)'s recent $1 million fine to the General Hospital Corporation and Massachusetts General Physicians Organization Inc. in Boston over an incident where a Mass General employee left files on a subway train that were never recovered (see Eli's HCW, Vol. XX, No. 9, p. 68).

What happened: According to the medical center's resolution agreement with OCR, an employee "while commuting to work on the subway ... removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the ... employee left the documents on the subway train and they were never recovered." The documents included patients' diagnoses, some of which were HIV/AIDS diagnoses, according to HHS.

Lesson learned: "Anyone who has people who as a part of their function take paper files containing PHI in their cars or to other off-site locations should consider the need to tighten their PHI safeguards," says Dallas attorney Cynthia Stamer.

"Organizations should have a policy stating that documents with PHI taken offsite should be in a locked container, such as a briefcase," says Jim Sheldon-Dean, principal and director of compliance services with Lewis Creek Systems in Charlotte, Vt. The briefcase or container should also include clear identification on the front to allow someone who finds it to return it to the organization, he adds. "And the policy should indicate that staff should not open the containers and remove the files until they are in a physically secure area where the files won't be lost or there won't be anyone able to look over their shoulder."

Of course, "you always have the threat of someone being careless and violating policy," Sheldon-Dean says. You can, however, conduct audits where someone observes whether people tak ing PHI offsite leave the premises with the files in a locked briefcase or container, he advises.

Keep in mind: "Under the breach law," says Sheldon-Dean, "redacting is excluded as a means of de-identifying information. So even if you lost redacted files, you'd still have to report that as a breach."

On the other hand: Lost or stolen files that had been properly de-identified wouldn't be a breach, Sheldon-Dean adds. But you'd have to remove all the identifiers detailed in the privacy rule, as well as other identifiers in the data, he stresses. "Using only initials or reverse initials should be sufficient, so long as it's not easy for someone else to figure out what the initials mean by cross-referencing with publicly available information."

Driving the point home: "One way to get staff to understand what can happen is to share what we call 'the wall of shame,'" which is the government's website that lists the covered entities that had to report a breach, advises William Oravecz, chief analyst for HITECH Answers, and managing partner of WTO Associates, a healthcare technology and IT solutions company. "You can see what places have been cited and for what."

Oravecz says he thinks that if more organizations knew of that website, they might say: "That's the last thing we need to be on." (The listing is at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.)