Home Health & Hospice Week

HIPAA:

SECURITY RULE CRACKDOWN COULD STRIKE YOU

Hospital lands audit number one. Is home health next?

A low-key approach to keeping tabs on those laptops in the field may leave you with a costly compliance headache.

New development: In March, the HHS Office of Inspector General made its first move to audit a health care provider for compliance with the HIPAA security rule, which regulates protected health information (PHI) stored or transmitted electronically. The OIG's first provider target is Piedmont Hospital in Atlanta.

"This is the government's first systematic hands-on examination of compliance with any HIPAA regulation," says Rebecca Williams, attorney and partner with Davis Wright Tremaine in Seattle.

Similar audits for home health agencies could be on the horizon, especially given a few headline-attracting security breach cases involving HHAs in the past year (see Eli's HCW, Vol. 16, No. 5).

Background: The HHS Office for Civil Rights enforces the privacy rule of the Health Insurance Portability and Accountability Act, and has been doing so for several years. The agency acts primarily on complaints, however, and then either helps cooperative covered entities correct their violations or refers egregious cases to the Department of Justice for potential criminal prosecution. The Centers for Medicare & Medicaid Services enforces the security rule, which until now hasn't been routinely enforced.

ID your vulnerabilities: Home health agencies should be especially vigilant about complying with related guidance released late last year, the HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information.

The guidance addresses the use of a variety of mobile devices, notes Williams. These include laptops, personal digital assistants, smart phones and flash drives, among other devices.

Focus here: HHS highlights three key areas of concern for remote use of and access to electronic protected health information, Williams tells Eli: access, storage and transmission.

"Everyone affected should be looking over this document carefully," says Williams, adding that HHAs are especially vulnerable to scrutiny and claims of noncompliance given the nature of their work.

Required reading: Though the document is called a "guidance," it carries more weight than other documents in the same category. In issuing the guidance, HHS emphasized that the feds "may rely upon this guidance document in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity and availability of [electronic PHI], and it may be given deference in any administrative hearing" under the HIPAA enforcement rule.

Steps Toward Compliance

HHAs can employ a number of strategies to protect electronic PHI, according to experts familiar with the guidance. Consider these strategies:

• Lock down laptops. Require a locking mechanism for unattended laptops.

• Consider encryption. The security rule lists encryption as an addressable specification rather than a required one, but the guidance puts the strategy in a positive light.

• Invest in flash drives. Prohibit staff from putting PHI on laptops or other hard drives, advises Michael Roach, partner with Meade Roache Consulting in Chicago. Password-protected flash drives are the way to go, he advises.

• Focus on training. Policies and procedures, no matter how well designed, will not be effective unless the workforce receives appropriate training, reminds Williams.

Bottom line: As CMS itself admonishes in the guidance: "Affected covered entities capable of implementing all of the [recommended] strategies . . . are strongly encouraged to do so."

Resource: To access the guidance, go to www.cms.hhs.gov/SecurityStandard/.