Posted on: April 17, 2017 by Will Norris
The Office for Civil Rights (OCR) under the HIPAA 2017 Audit Program is in the process of completing 167 desk-based audits, the results of which will be released publicly later in the year. The objective of these audits is for the OCR to determine whether HIPAA policies and procedures have been implemented five years after the first audits, and to identify potential risks and vulnerabilities that threaten the confidentiality, integrity and availability of electronic Personal Health Information (PHI). According to the HIPAA Journal, “the audits will highlight potential threats to electronic PHI that the OCR and the government would not otherwise be aware of until a data breach occurs or a complaint is submitted.” Desk audits require selected covered entities to submit a wide range of documentation to the OCR to demonstrate compliance with the HIPAA Privacy, Security and Breach Notification Rules.
Although the likelihood of a desk-based HIPAA audit by the OCR for healthcare organizations, including for home health care providers, is relatively small due to the low number of audits being conducted for 2017, there is no room whatsoever for becoming lax when it comes to HIPAA compliance. Even if covered entities and business associates have not been selected to undergo a desk audit, they may be chosen for a full compliance audit later in 2017. Additionally, if a data breach should occur, the OCR will investigate.
The OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and policies and procedures comply with the HIPAA Rules.
Non-compliance can be costly for organizations in the home health industry, with failure to safeguard a patient’s protected health information (PHI) coming at a high price. Lincare Inc., for example, learned this lesson the hard way when it was hit with a $239,800 civil penalty for HIPAA privacy rule violations back in early 2016. This serves as an important reminder to home care organizations of the consequences patient PHI misuse can result in.
The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed in 1996 to improve portability and continuity of health care coverage and work against injustices within the industry, according to the Centers for Medicare and Medicaid Services. This protective measure ensures the security and privacy of patient’s PHI, and that those within violation of patient’s rights to privacy will be punished accordingly. HIPPA civil penalties range depending on severity and can be issued for up to $50,000 per violation and $1.5 million annually. Penalties of this magnitude can be crippling to the success of home health care providers if not prevented.
In the case of Lincare, the OCR concluded that a company employee had removed a large quantity of patient’s PHI from the office, left the information exposed and then abandoned it, holding 278 patients at risk, according to a U.S. Department of Health and Human Services press release. Their investigation also uncovered other infractions, including policies not effective in keeping PHI safe and Lincare’s substantial lack of effort in correcting policies.
The details of this violation highlight the unique level of discretion home care agencies must operate with in regards to sensitive materials like PHI. Employees working in patient’s homes often will move physical or electronic device records to and from the office as part of their work. This brings about a new level of risk, something organizations must prepare for in advance with well-planned procedures and safekeeping measures.
When a patient’s private information or any form of sensitive material is misused or falls into the wrong hands, a number of things happen. First, an organization is liable under HIPAA laws and forced to pay substantial fees, something that can potentially alter the future of the home care agency if significant enough. Perhaps more importantly, the organization’s credibility and reputation is immediately at stake. Current patients may fear for the safety of their information and move elsewhere, and it may prove difficult to find clients in the future. Taking the extra steps to ensure that your confidential information remains secure is the main way to ensure violations like this never occur.
Moreover, a close examination of a home care agency’s insurance program is necessary to ensure that coverage is in place for HIPAA exposures, including expenses involving proceedings, fines and penalties. Manchester Specialty provides a total insurance solution for the home health care industry, including Professional Liability insurance that includes HIPAA-related coverage. For protection against HIPAA and other types of losses, you or your local agent/broker can contact us at 855.972.9399.
Posted in: Home Healthcare Providers