Here's how to head off the potential for a serious privacy breach.

Picture this: A contract rehab therapist puts long-term care residents' confidential treatment records in her briefcase, which a thief steals from her parked car at another location. The facility notifies the residents and families about the stolen personal health information, and one family threatens to sue.

If that sounds like a tale designed to stir up interest in a HIPAA seminar, it isn't. Attorney Joseph Bianculli in Arlington, VA, recently dealt with the case.

What transpired: The therapist in question violated the therapy company's policies prohibiting therapists from taking patients' treatment records offsite. The company is now rethinking its policy of allowing therapists to carry billing information from the place of service. Instead, therapists may start faxing that information from the facility to the corporate billing office, reports Bianculli.

The case gets to the "root of the perils of transporting PHI," comments Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems LLC in Charlotte, VT. "Every day you hear more stories about lost laptops or hard drives containing patients' medical information that someone took home and were stolen or given away."

There isn't a private cause of action under HIPAA, Bianculli says, but it's a pain for the facility to have to deal with the threat of lawsuits.

Good question: Could the U.S. Department of Health & Human Services' Office for Civil Rights penalize the facility for the contract therapist's snafu or a similar privacy breach, especially where lost PHI resulted in identity theft or reputational harm in the community for a resident(s)?

A covered entity is not liable for a breach by a business associate unless it doesn't have an appropriate business agreement in place -- or fails to take action if it finds the business entity has a pattern of HIPAA medical privacy violations, says Michael Roach, a HIPAA compliance expert with Meade & Roach LLP/Aegis Compliance & Ethics Center LLP in Chicago.

3 Must-Do Rules for Protecting Your Facility

Rule No. 1: Check to see that your facility has an "appropriate" business agreement with its therapy company and other business associates with access to PHI. Roach notes that an appropriate business associate agreement is "one that has all of the provisions required by the Privacy Rule and the Security Rule in it and that does not permit the business associate to do something that would be a violation of HIPAA by the covered entity itself."

Rule No. 2: Verify the contractor's compliance with the business associate agreement and HIPAA. You will need access to the contractor's HIPAA policies and procedures, and you'll need documentation of compliance activities, such as training records and risk assessments, Sheldon-Dean advises.

Rule No. 3: Ensure that independent contractors in the building -- in this case, therapists -- have a good understanding of what they can and cannot do with residents' PHI, Sheldon-Dean recommends. "Contract health providers function as part of your workforce, so you need to provide them with the same level of security awareness and training as you do your other workforce members."

Latest compliance alert: HHS recently issued a security guidance warning providers of "security incidents" involving portable devices that store electronic protected health information (EPHI). HHS says it prepared the guidance document "with the main objective of reinforcing" ways a covered entity can protect EPHI when staff accesses it outside the organization's physical purview. For details, see "Don't Let HIPAA Breaches Trip Up Your Facility" in Vol. 9, No. 5 and 6 of Long-Term Care Survey Alert, available through the free Online Subscription Service.

Editor's note: If you haven't signed up for online access to the current and all past issues of the newsletter, call 1-800-847-9180. You will still receive paper copies of the newsletter.