Untimely access to health information, data breaches and simply being unprepared can leave home-based care companies vulnerable to HIPAA compliance failures, operational inefficiencies and hefty legal consequences.
One of the big questions surrounding HIPAA is whether it applies to providers in the home-based care space, specifically personal care agencies.
Angelo Spinola, co-chair of the home health, home care, and hospice practice at Polsinelli, noted that many personal care providers assisting with activities of daily living (ADLs) assume that HIPAA doesn’t apply to their organization when it does.
In general, HIPAA applies to organizations that are paid for health care in the normal course of business.
Additionally, health care is broadly defined under HIPAA and includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, as well as counseling, assessment, or procedure, and more.
Under HIPAA, the government has the right to bring enforcement actions against providers.
“With enforcement actions under HIPAA, there can be both civil, and kind of scary, criminal fines and penalties,” Allison Dressel, counsel — specializing in health care, HIPAA, health information and privacy and security — at Polsinelli, explained during a recent webinar.
The webinar was co-hosted by Polsinelli and the software company enCappture.
In general, a number of recurring compliance issues lead to HIPAA compliance failure. One of these is Protected Health Information (PHI) access rights, according to Dressel.
“HHS, OCR, the people who enforce HIPAA, they are really interested in making sure that patients have access to their protected health information,” she said. “Under HIPAA, there are certain timelines that you have to meet. If a patient or client of yours says, ‘Hey, I want to see my medical record,’ you have to be able to provide that.”
Dressel noted that OCR has brought several enforcement actions against both large and small providers for not ensuring patients’ access to their protected health information in a timely manner.
Another recurring HIPAA compliance issue involves business associate agreements.
In other words, if a provider is working with third-party organizations that have access to sensitive information, it needs to make sure that the correct contractual provisions are in place to ensure these downstream vendors also comply with HIPAA.
“That’s one area of a lot of confusion with providers,” Spinola said. “Sometimes the vendor that you’re working with that is housing the PHI of your client has a breach, or a problem with that data. That can blow back on the provider, because the data is considered the provider’s data.”
Spinola pointed to last year’s Change Healthcare cyberattack as a recent and high-profile example.
One other big area for HIPAA compliance failure relates to the law’s Security Rule, which requires a risk analysis. This means that a provider needs to make sure that all of the company’s security protocols and administrative safeguards are appropriate for the type of data it stores.
Other common Security Rule failures include failing to manage identified risks and lacking transmission security.
After a risk is identified, the provider is responsible for managing and mitigating it. Transmission security means making sure that data transmitted electronically is protected; an example would be sending encrypted emails instead of standard ones.
“If there’s a lack of transmission security, a third party could easily infiltrate and get access to that information,” Dressel said.
Improper disposal is another common HIPAA compliance issue. Dressel noted that a few OCR cases involved pharmacies throwing out prescription bottles that had PHI.
“Whenever you need to dispose of information, you have to make sure it’s securely destroyed,” she said.
Another recurring HIPAA compliance issue has to do with data backup and contingency planning.
“You want to make sure that you have procedures in place for data integrity,” Dressel said. “If, for example, there was some sort of outage at your facility, that doesn’t mean that patients lose all of their information.”
One issue that’s always looming is insider threats. Dressel pointed out that this doesn’t always mean nefarious bad actors at the company. Sometimes it means an employee posting a video on TikTok where they are sharing sensitive information.
Broadly, four major rules apply under HIPAA: the privacy rule, the security rule, the enforcement rule and the breach notification rule.
Organizations can focus on a few things to stay on the right side of HIPAA compliance. One of these things is data mapping.
“We always advise our clients to get a handle on what data they have, and we just call it data mapping,” Dressel said. “Try to figure out what data [your organization has], where is it coming from, where [it’s being held], who you’re giving it to. Understanding the data flow will help you understand what you need to have in place.”
This could mean anything from putting vendor contracts in place to finding out the organization needs to improve its security safeguards. Providers also need a strong understanding of exemptions, which means really understanding which laws are actually in play, according to Dressel.
The post Home-Based Care Providers Vulnerable to HIPAA Compliance Issues appeared first on Home Health Care News.