Home Health & Hospice Week

You may be relieved to find a consultant who is willing to take over the sometimes overwhelming task of helping you protect the privacy of your medical records -- but keep in mind that not all outsourced privacy protection companies are the same.

The Federal Trade Commission recently settled with LifeLock Inc., a company that offered identity protection services. "According to the lawsuit, LifeLock claimed its service would protect consumers against all forms of identity theft, when, in fact, LifeLock offered only limited protection against only some forms of ID theft," the FTC's statement noted regarding its $11 million settlement with LifeLock.

Consider these tips before you outsource any of your privacy needs:

1. The government does allow HIPAA consultants. Home care providers that are gun-shy about asking for HIPAA help should know that there are no laws against hiring a consultant to protect your patients' privacy. "The HIPAA law does permit covered entities to use a consultant for hire as their privacy officer or to generally advise them on HIPAA-related matters," says Abner E. Weintraub, who helped produce the original HIPAA Compliance Extension Plan for the Department of Health and Human Services and is now the president of HIPAA Group Inc., in Orlando, Fla.

2. HIPAA requires ongoing upkeep. Some HIPAA consultants may come to your organization, evaluate your needs, and get you HIPAA-compliant, but your work isn't done at that point. "Because the entire purpose of HIPAA is to protect patient information, it's impossible to be a one-stop, one-time visit or relationship," Weintraub says. "It's the front-line employees who deal with patient information day in and day out," Weintraub continues. "So even if a consultant comes in, wraps up a nice bundle of policies and procedures, and does everything HIPAA requires, all that is a snapshot in time."

Bottom line: "As soon as the consultant leaves, it's up to the employees to protect the patient information from hackers, accidental disclosures, etc.," Weintraub says.

3. Be wary of cookie-cutter contracts. If your company employs 400, but the HIPAA consultant's contract offers standard training for 10, consider someone different.

Consultants should look at your organization's overall needs depending on your size, services, processes, and setup, and tailor your privacy plan to your needs.

4. Don't forget the scope of identity theft. Your patients' personal health information (PHI) includes clinical records as well as billing records, Social Security numbers, drivers' license copies, etc., leaving patients open to a risk of identity theft. "Medical records have cash value to criminals, and there are underground marketplaces where PHI is bought and sold 24/7," Weintraub says.

"Even L.A.'s notorious gangs have moved into the identity theft marketplace because it's slow to track and investigate."

5. Consider tracking and monitoring services. Once your HIPAA plan is in place, you might want to consider adding another layer of protection to ensure that you are covered if a breach ever occurs.

Even if you think a security breach could never happen at your company, keep in mind that not all breaches are deliberate. For example, "I had a client who sent a fax that included PHI, and the fax went in error to the wrong place," says Barbara J. Cobuzzi, president of CRN Healthcare Solutions in New Jersey. The provider contracted with a service that performs not only identity theft monitoring, but also takes the legal and investigative steps required to restore credit if it's been stolen. The provider offered the service to the patient whose privacy had been breached."Certain companies, such as Identity Theft Shield, will give you the legal defense necessary to restore credit in these situations," Cobuzzi says. "I'd recommend ... providing that type of coverage for all ... employees, and then if there's a breach, to provide it for the patient(s) whose security was breached."