Long-Term Care Survey Alert

Published on Fri Apr 13, 2007 PDF

New HHS concerns about electronic PHI could have CMS on your trail.

HIPAA is back on CMS' radar screen, so watch out for privacy lapses resulting from electronic protected health information. The U.S. Department of Health & Human Services recently issued security guidance warning providers of "security incidents" involving portable devices that store electronic protected health information (EPHI).

In fact, nurses taking laptops to the hospital to collect preadmission MDS data could result in the types of problems that the guidance warns providers against.

HHS says it prepared the guidance document "with the main objective of reinforcing" some ways a "covered entity" can protect EPHI when staff accesses or uses it outside the organization's "physical purview."

Beware: The Centers for Medicare & Medicaid Services has authority to enforce the HIPAA Security Standards, says HHS in the document. And it "may rely on the guidance" to determine if the facility's actions are "reasonable and appropriate" for safeguarding EPHI.

Here's What to Do

Facilities can implement simple strategies to prevent laptops and other portable devices from saddling the facility with a HIPAA disaster:

Implement policies prohibiting people from taking home laptops or other portable devices, such as PDAs, or CDs with PHI on them in any form, advises Peter Arbuthnot, regulatory analyst with American HealthTech in Jackson, MS.

Prohibit staff from putting PHI on laptops or hard drives, suggests HIPAA expert Michael Roach, MHSA, JD, partner, Meade Roach Consulting in Chicago.

"You can purchase a flash drive that requires a password" to store the information, he says. "Those are on the market now" and hold much more data than a disk, he says.

Don't leave yourself open to this tough question: "If a nurse or other facility staff person were using a non-protected flash drive and it got into the wrong hands, the government could reasonably ask why you didn't spend a couple dollars more to buy password-protected flash drives," Roach points out.

Another option: Perhaps the nurse collecting preadmission information at the hospital could transmit the resident-specific information to the facility using a secure portal with encryption, so the data does not remain on the laptop, says Arbuthnot.

More Suggestions From HHS

In addition to password protecting portable devices and files storing EPHI, the HHS guidance suggests you require use of lock-down or other locking mechanisms for unattended laptops and password protecting files. Also require that all portable or remote devices that store EPHI employ encryption technologies of the appropriate strength, suggests the HHS advisory.

Use Secure Connections Offsite

Facilities should have strict IT guidelines about how staff use portable devices or offsite computers to connect to the facility's system, says Arbuthnot. "This secured connection is sometimes a WEP (Wired Equivalent Privacy) connection." The "types of connections that travelers are accustomed to seeing in hotels is exactly the non-secured type of connection" that HHS is warning users about in the security guidance.

The HHS HIPAA security guidance suggests prohibiting "transmission of EPHI via open networks, such as the Internet, where appropriate" and the use of "offsite devices or wireless access points (e.g., hotel workstations) for nonsecure access to e-mail." "If the MDS nurse or physician has to communicate with the facility in a way that involves PHI, he or she could do so by telephone," suggests Joy Morrow, RN, PhD, senior clinical consultant with Hansen, Hunter and Company PC in Beaverton, OR.

Also keep in mind that PHI is patient's health information that can be tied to him through his name, birth date, Social Security number, etc., says Morrow. Thus, "a nursing facility could develop a way to identify residents through a numbering or other system when e-mailing and faxing PHI with physicians."