If there’s an upside to spending a large part of holiday vacation sick in bed, it’s that I was able to catch up on some reading. (For those of you looking for a fresh approach to a father-with-Alzheimer’s book, I recommend Rachel Khong’s “Goodbye, Vitamin.”)
There was television, too. (My favorite joke was from an episode of “The Mindy Project,” when physician Mindy Lahiri refers to “Hippo” as a reason she can’t talk about one of her patients. Another doctor corrects her by saying “You mean HIPAA,” and Mindy responds with, “Um, I’m pretty sure it’s ‘Hippo’ because everyone’s hungry, hungry for medical secrets.”)
The line made me laugh out loud, but it also reminded me of how much we still misunderstand HIPAA (the Health Insurance Portability and Accountability Act). But given that the law is now in its 22nd year — and 15th year of providers having to become compliant — the government long ago began to step up enforcement and isn’t shy about civil monetary penalties.
Witness 21st Century Oncology, which agreed last week to pay $2.3 million to the Department of Health and Human Services to settle potential violations. Authorities say that in 2015, the FBI notified the provider twice that patient information was being “illegally obtained” by unauthorized third parties. Someone broke into the provider’s database and gained unauthorized access to the records of more than 2.2 million patients, which included names, Social Security numbers, diagnoses and more. The Office for Civil Rights (OCR) said the company didn’t conduct an accurate assessment of potential risks and disclosed health information to third-party vendors without a business associate agreement.
As the National Law Review points out, those bigger settlements may be what trigger larger interest, but we also need to keep an eye on smaller settlements. It notes that in April, the Office for Civil Rights announced an agreement with a children’s health provider because it failed to enter into a business associate agreement with a paper medical records storage vendor. That lack of paperwork and diligence resulted in a $31,000 settlement. While that number might not kill a provider, it’s not a number to sneeze at.
The NLR isn’t alone in reminding providers of what’s at stake, and what’s being twisted. Modern Healthcare quotes one expert as noting how providers become confused by HIPAA to the point where they simply use it to get out of certain tasks or obligations.
“Sometimes I think people default to that as an excuse for not doing things they don’t want to do,” one source said. That echoes what Alice Bonner, Ph.D., a former Centers for Medicare & Medicaid Services official and current Secretary of Elder Affairs in Massachusetts, said in 2015. She noted that HIPAA “is invoked incorrectly every day.”
Bonner pushed providers to speak up and challenge those who cite the law incorrectly, especially because people may be misspeaking out of fear. For example, the Modern Healthcare piece notes that email isn’t forbidden as a way to discuss a patient, as long as the email is going to the correct person and everyone is using a third-party HIPAA-compliant email provider. HHS also released guidance in 2016 on cloud computing.
It’s imperative to train employees on what they can and can’t use, say or do with regard to protecting health information of residents.
If some of this seems old hat, it’s likely due to living with a law that, if it were a person, would be old enough to legally drink alcohol. But we can’t forget how many new employees will enter the ranks of long-term care in 2018, nor how new technology — specifically texting and other new ways of communication — can increase confusion.
Amid all the focus on new rules for nursing homes, we can’t forget the old ones and the need to audit, train and document.
Follow Senior Editor Elizabeth Newman @TigerELN.