Proof HIPAA stakes may be higher than you think
James M. Berklan
Like a kid who's staying up past his bedtime right in front of his parents' noses, long-term care operators have been enjoying a pass for at least a few years when it comes to HIPAA crackdowns.
At least that's what the LTC fraternity has quietly surmised while trying to suppress grins.
Yes, health plans, hospitals and the occasional doc's office have been the subject of most of the HIPAA-enforcement headlines in past years. It might have given other providers a false sense of security: We're not big enough potatoes. We're not leaving potentially dangerous personal health records exposed. Our people won't really care. Nobody's checking us or enforcing anything anyway.
All of these suppositions? False. We have the not-so-subtle $650,000 clue to prove it. That's the size of a federal settlement a nursing home operator agreed to after a cell phone with medical records of more than 400 of its nursing home residents was stolen.
The theft led to a damning investigation by the Department of Health and Human Services Office of Civil Rights that unraveled a mess. One shouldn't be surprised that a federal investigation unexpectedly and quickly went from bad to worse. Just ask former House Speaker Dennis Hastert how that can go.
The nursing home's snafu was all due to something as ubiquitous as a cell phone. As a result, the offending party, which has since sold the offending nursing home and a handful of others, must pay the aforementioned eye-popping bill and enter into a two-year corrective action plan. It also has to carry out risk analyses for all of its e-health record systems, create a trail of paperwork showing compliance and form policies and procedures to prevent further incidents. Policies and procedures that should have already been in place, mind you.
If you think this is authorities making an example of a player with shady connections, think again. The busted group in this is Catholic Health Care Services of the Archdiocese of Philadelphia.
No one is too poor or too well connected to avoid coming into compliance. That's a key message federal authorities seem to be beaming out 20 years after Congress first passed the Health Insurance Portability and Accountability Act.
The other big message?