Homecare, Hospice, and HIPAA. The Road to Compliance.
The road to HIPAA compliance is not straight and narrow, nor is it free of cracks, potholes and obstructions. On the contrary, it goes without saying that most healthcare organizations feel some trepidation when attempting to manage the overwhelming regulatory requirements that are often lumped together under the banner of “protecting health information.”
Home health agencies are especially susceptible to HIPAA issues because of their structure: by design, caregivers come and go from multiple patient locations and, in doing so, must carry protected health information with them on devices and in paper records, potentially exposing that information in their automobiles, on their person and even in their own homes.
This is quite a responsibility.
Because of this, home health agency leaders have a real burden to bear, especially considering how many moving parts they must manage when faced with a breach or a breach action. So, when monitoring these actions and creating policies and procedures to manage the flow of protected information, you need to be diligent and careful. And, if anyone is giving you information about these policies – a partner or consultant, for example – you obviously need to ensure that the information you receive is good. Less obviously, you need to understand that there is a lot of bad HIPAA information floating around.
During a recent webinar in the DeVero Expert Webinar series, Roger Shindell from Carosh Compliance Solutions presented a roadmap to HIPAA compliance.
Why HIPAA should be on your radar
HIPAA is synonymous with all things related to protecting the privacy and identity of information in healthcare. But you should be concerned about it now more than ever. HIPAA enforcement is growing, and there are a great many potential breach points that should make you more aware of your surroundings. Some of the pain points are obvious: identity theft, medical identity theft and civil liability for breaches. Additionally, HIPAA is being used in litigation as the standard of care for privacy of health information and for ethical and professional standards — and having a proper plan in place to ensure HIPAA compliance is just good business.
There are a number of home health agencies that learned this the hard way. For example:
Pruitt Health Hospice of Beaufort, SC, saw 1,437 health records compromised after thieves entered through a window and broke into some filing cabinets. No files were taken, but access to the paper medical charts was gained, and, therefore, a breach occurred. Fines may still be forthcoming, as the typical HIPAA audit following an incident can take between two and three years to complete, according to Roger Shindell, CEO of Carosh Compliance Solutions.
Another example of a records compromise can be found at Indian Territory Home Health and Hospice (doing business as Aspire Home Care and Hospice), Shindell said during a recent webinar hosted by DeVero. In this case, a hacking incident likely occurred through a phishing email. Information impacted by the breach included patient names, dates of birth, addresses, telephone numbers, Social Security numbers, insurance information, prescription information, patient ID/medical record numbers and clinical information. Two other examples: Amedisys Hospice of Tennessee – where medical records were found on the side of a highway because an employee charged with destroying them simply threw them out; only 17 records were found – and Hospice of the Chesapeake – where an employee emailed spreadsheets containing PHI to a personal email account, which could have led to a potential breach.
The examples abound, and home health agencies must prepare for all scenarios. It’s worth noting, though, that the Office for Civil Rights concludes that “virtually all breaches occur because of lack of training,” Shindell said. And fines for breaches are not assessed on the number of records disclosed, but rather on how well the company is complying with the regulation.
There’s no way to stop all breaches
Despite the abundance of caution urged on organizations to protect against possible breaches, it’s worth noting that ONC understands that you can’t keep all breaches from occurring; when they do happen, you need to remediate them as soon as they occur. And if you can demonstrate that you have done everything possible to keep information secure, there’s a good probability that you won’t face fines for the breach.
How do you prepare and protect yourself from HIPAA breaches?
There is plenty of advice about how to protect your organization from a breach, but the basic components of compliance include:
• Conducting risk assessments;
• Creating a remediation plan – and demonstrating that you are making meaningful progress through the plan;
• Correcting any deficiencies;
• Auditing and managing the processes – and conducting internal audits;
• Developing a privacy plan and how you are going to implement it; and
• Creating a training program for managing protected health information.
When creating assessment and remediation plans, home health leaders should follow NIST SP800-30 protocols and ensure that the plans are updated regularly – annually, whenever there is a security incident, or whenever you make a change to your operations, IT or security framework. Part of the plan must document that each vulnerability has been remediated and that the remediation has been approved by a designated source within the agency. Plus, you need a target date for when each problem will be remediated, because you must have a timeline in place to prove to auditing agencies that you have a meaningful plan for remediation.
When formulating a HIPAA compliance plan, you must list the purpose of the plan, who is responsible for its implementation — usually the chief privacy officer (this person must be designated within the organization and notified of that designation) — as well as the scope of the policy and the detailed policy itself. This includes the steps you will take to make sure you are addressing everything in your scope, followed by the procedures that you define, step by step, for carrying out the policies.
Also of importance, Shindell said, is that all policies should be categorized by their appropriate regulation number. These policies may apply to the organization as a whole or to a specific department. List this information, and keep a version history. When an audit is being conducted, you can be asked to present every version of a specific policy for the last six years. Each version should be archived, available and ready in the event you need to produce it. You should also list a “reviewed by,” a “prepared by” and when the content was changed.
During your process and improvement planning, ensure that you have an ongoing auditing and monitoring program for HIPAA privacy and security. To do so, detail what you are going to monitor, how you are going to do the monitoring, and when. Are the audit policies being complied with as written? This is especially important because a lot of organizations simply buy a cut-and-paste audit policy, put their name on it and think they are protected, but this won’t protect the organization from compliance issues. Policies, procedures and safeguards need to be customized. Once this is done, create review cycles – for example, every three years, annually, or more often as appropriate.
HIPAA due diligence for business associates
Finally, to fully protect yourself from HIPAA violations, there’s a very important area that you must not overlook – your business associates. Due diligence doesn’t end at the edge of your organization; it also extends to your business associates. How do you conduct your due diligence for these actors?
Well, since the posting of the 2012-2013 final omnibus rule, business associates (BAs) must be able to reasonably participate in, identify and protect the integrity of your information. If a BA is not compliant with HIPAA, you are required to end your agreement with that BA, if feasible.
When conducting due diligence, you must identify whether their policies and procedures are up to date, and verify whether they provide training, conduct a risk assessment, and have a monitoring program in place. If they are not doing these things, at least at a high level, there’s a pretty good chance that they are not HIPAA compliant. On the other hand, if they are documenting such things, they are likely compliant.
As a home health agency leader, you have a responsibility to develop and follow policies and procedures for HIPAA compliance. To protect yourself, you must develop a robust privacy and security policy. Make sure all of your partners in the care continuum have a robust privacy and security program, get them to attest to it, and make sure business associates are also in compliance.
The following steps will go a very long way toward protecting your agency and remaining HIPAA compliant:
• Evaluate your security and privacy program
• Complete required security risk assessments
• Produce your remediation plan
• Introduce comprehensive HIPAA policies and procedures
• Prepare for a breach of protected health information
• Train your workforce regularly on policies and procedures, and HIPAA compliance
Much must be done, that’s clear, but there’s a great deal of help available, such as the experts at Carosh Compliance Solutions and DeVero.
For additional insight about maintaining HIPAA compliance, please review DeVero’s webinar, “Homecare Hospice and HIPAA,” found here: https://www.devero.com/resources/webinars/free-webinar-homecare-hospice-agencies-hipaa/.