Inpatient Facility Coding & Compliance Alert

Compliance:

Safeguard Your Facility From HIPAA Security Sabotage

Key: Make sure your business partners are on the up-and-up.

How far does your facility go in policing your business partners' HIPAA information security practices? Check out this lesson from one Connecticut provider, and see if you need to take additional steps.

The situation: VNA HealthCare in Hartford, Conn., and its parent Hartford Hospital learned that a laptop had been stolen from the home of a contractor's employee, according to a news statement from Hartford Hospital. The employee was working on hospital readmission data analysis. The laptop contained unencrypted data on more than 7,400 VNA patients and 2,000 hospital patients, the statement reveals.

The data included patients' names, addresses, dates of birth, marital status, Social Security numbers, Medicaid and Medicare numbers, medical record numbers, and certain diagnosis and treatment information. Having such unencrypted data on the employee's laptop was a violation of the contractor's policy, the VNA and hospital note in the July 30, 2012 release.

The breach was not caused by the VNA's own staff. The providers "go to great lengths to ensure that data transmitted or transported by their employees are fully encrypted to prevent unintended disclosure," VNA notes in the release.

But as the covered entities, the VNA and hospital are still left holding the bag when it comes to dealing with the fallout from the breach. Had the laptop been encrypted as the contractor's own policy required, the theft would not have counted as a breach of unsecured PHI under the HITECH breach notification rule, and no notification would have been needed.

"We profoundly regret this incident happened. Integrity and safety are two core values of both Hartford Hospital and VNA HealthCare," they say. "We take very seriously our stewardship of this information, which is central to our roles as healers and caregivers."

In addition to apologizing, they are offering two years of free credit report monitoring for patients whose data was affected by the breach.

Remember HIPAA at Contract Time

"It might surprise you how often this happens," notes HIPAA expert Robert Markette, Jr., with Benesch Friedlander Coplan & Aronoff in Indianapolis. "Your business associates may not be as compliant as you think."

But how far do you want to go in policing your business associates? They already are subject to direct HIPAA penalties under the HITECH Act, Markette points out.

"How do you verify no data has been placed on a contractor device?" Markette asks. You can require that contractor employees not take data home, but monitoring compliance is a logistical challenge. Random audits of contractor devices, or endpoint tools that log data access and copying, can catch violations, but they are cumbersome to run across another organization's staff.
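One concrete form a random audit can take is a scan of a device's filesystem for plaintext patient identifiers. The script below is an added example written for this article, not a tool used by VNA HealthCare, Hartford Hospital or the contractor. It walks a directory tree, reads each text file, and counts distinct Social Security numbers and SSN-based Medicare numbers (the HICN format in use in 2012), rejecting numbers the Social Security Administration never issues so that dummy data does not raise alerts. The regexes, the sample files and the file names are assumptions for illustration; a real audit would add the facility's own medical record number format and run with an agent that cannot be disabled by the user.

```python
"""Scan a directory tree for plaintext PHI identifiers (SSN, Medicare HICN).

Hypothetical DLP-style audit check written for this article; not code from
VNA HealthCare, Hartford Hospital or the contractor. It shows one way to
answer "has patient data been placed on a contractor device?" by walking a
filesystem and counting identifier patterns in plaintext files.
"""
import os
import re
import tempfile

# Patterns are assumptions for illustration. SSN: 3-2-4 digits with hyphens.
# HICN (the SSN-based Medicare number used in 2012): nine SSN digits followed
# by a 1-2 character Beneficiary Identification Code such as A, B1, C2 or D.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
HICN_RE = re.compile(r"\b(\d{9})([A-Z][0-9A-Z]?)\b")


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues (area 000, 666, 900+; group 00; serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_text(text):
    """Return counts of distinct plausible identifiers found in one text blob."""
    ssns = {m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())}
    hicns = {m.group(0) for m in HICN_RE.finditer(text)
             if plausible_ssn(m.group(1)[:3], m.group(1)[3:5], m.group(1)[5:])}
    return {"ssn": len(ssns), "hicn": len(hicns)}


def scan_directory(root, max_bytes=50_000_000):
    """Walk root; return {relative_path: counts} for every file with at least one hit.

    Files that are not valid UTF-8 text (binaries, and encrypted containers)
    are skipped: encrypted PHI is exactly what this check should NOT flag.
    """
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            counts = scan_text(text)
            if any(counts.values()):
                report[os.path.relpath(path, root)] = counts
    return report


def build_sample_dir():
    """Create a constructed sample tree (fake data, assumption) and return its path."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    os.makedirs(os.path.join(root, "analysis"))
    # Constructed records. 219-09-9999 is the SSA's advertising-only number;
    # the third row duplicates the second to show distinct counting.
    with open(os.path.join(root, "analysis", "readmissions.csv"), "w") as fh:
        fh.write("mrn,name,dob,ssn,medicare\n"
                 "000413,Doe J,1948-02-11,219-09-9999,219099999A\n"
                 "000414,Roe R,1951-07-30,219-09-9998,219099998B1\n"
                 "000415,Roe R,1951-07-30,219-09-9998,219099998B1\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Dummy ids 000-00-0000 and 666-12-3456 should not count.\n")
    return root


if __name__ == "__main__":
    for rel_path, counts in scan_directory(build_sample_dir()).items():
        print(f"{rel_path}: {counts['ssn']} SSNs, {counts['hicn']} Medicare numbers")
```

On the constructed sample the scan reports only analysis/readmissions.csv, with two distinct SSNs and two distinct Medicare numbers; the dummy numbers in notes.txt are filtered out. Run against a real contractor laptop, a non-empty report is the evidence the audit is looking for, and an empty one is meaningful only if the scan also covered removable media and cloud-synced folders.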

Remember: The HITECH Act (Health Information Technology for Economic and Clinical Health Act) of 2009 places direct liability for uses and disclosures of PHI (protected health information) on business associates. As of February 17, 2010, many HIPAA standards also apply directly to business associates and those business associates are subject to the same civil and criminal penalties as covered entities.

Try this: Consider including penalty provisions in your associate contracts, Markette suggests. "Instead of putting the business associate on the hook for costs, have additional contractual penalties for breaches." Other provisions to include in your contract might be use of limited data sets (with direct identifiers removed) when possible, compliance with individual requests to restrict disclosures to health plans, and concrete timeframes for notifying the facility of potential breaches.

Editor's note: Look for more coverage of privacy issues and how to keep your facility above-board in future issues.
