Oh, yes, they ARE paying attention to your HIPAA efforts
James M. Berklan
Like a kid who's staying up past his bedtime right in front of his parents' noses, long-term care operators for years have been enjoying a pass when it comes to HIPAA enforcement and crackdowns.
At least that's what the LTC fraternity has quietly surmised while trying to suppress grins.
Well if that was ever the case, it sure ain't true now. Yes, health plans, hospitals and the occasional doc's office have been the subject of most the HIPAA-enforcement headlines in past years. It might have given other providers a false sense of security. (To be fair, readers have always been pretty strongly attracted to our HIPAA stories.)
We're not big enough potatoes. We're not leaving potentially dangerous personal health records exposed. Our people won't really care. Nobody's checking us or enforcing anything anyway.
False, all of these suppositions.
And we have the not-so-subtle $650,000 clue to prove it.
As our Phil Brahm wrote in yesterday's Daily Update, a nursing home operator had a phone stolen that contained health records for 400 residents. It wasn't tens of thousands of unsecured government emails, but it was enough to provoke a federal investigation.
You never know where those might end up. Just ask former House Speaker Dennis Hastert.
This time, researchers from the Department of Health and Human Services' Office of Civil Rights unraveled a growing mess. An illegal mess. All thanks to something as ubiquitous as a cell phone. Don't happen to have one of those, do you?
As a result, the offending party, which has since sold the offending nursing home and a handful of others, must pay the aforementioned eye-popping bill and enter into a two-year corrective action plan. It also has to carry out risk analyses for all of its e-health record systems, create a trail of paperwork showing compliance AND form policies and procedures to prevent further incidents.
Policies and procedures that should have already been in place, mind you.
If you think this is an instance of authorities making an example of a player with shady connections, think again. The busted group in this is Catholic Health Care Services of the Archdiocese of Philadelphia.
No one is too poor or too well connected to avoid coming into compliance. That's the message federal authorities seem to be beaming out 20 years after Congress first passed the Health Insurance Portability and Accountability Act.
The other big message being flashed?
Follow James M. Berklan @JimBerklan.