Home Health HIPAA Privacy Breach

Rarely do you ever hear about a data breach associated with a home health agency.  But, the luck of the draw has caught up with agencies.  Last month, in July, one occurred in Vermont.  Caledonia Home Health and Hospice notified patients on August 6 that a data and privacy breach occurred.  As per HIPAA guidelines, the agency, which is part of the Northern Counties Health Care system, performed the obligatory and necessary steps of notifying and outlining what patients should do to monitor their credit and banking relationships. 

How did it happen?  The agency reports through its letter sent to patients that a netbook, which is a smaller version of a laptop, was stolen during a robbery at a staff member’s house on July 20.  The netbook contained HealthWyse’s home health clinical software PalmWyse along with the associated database.  Contained within the database was patient data for the entire agency.  Although the netbook and patient database had two levels of password protection, an experienced and determined hacker could potentially obtain access.

What does this mean for you and your agency? Taking this opportunity as a learning exercise, you should review IT policies and HIPAA compliance with your staff.  Field staff as well as office staff should all be made aware of the procedures and policies for securing patient information and any devices used by staff that contains patient protected health information (PHI).

Most newer software packages such as Kinnser, HomeCare HomeBase, HealthcareFirst, and others do not require a database to be installed on each device used by field staff.  Instead, an internet connection is all that is required to access patient data that resides on secure servers.  While this type of software has its own associated risks, the potential for a breach is mitigated due to its design.  Web based software is usually much more secure than traditional systems that require patient data to reside on clinical staff’s laptop or tablet.

When selecting software for your agency, this should be an important consideration:  how safe is patient data, and where does PHI get stored?  Database systems such as McKesson, HealthWyse and many others require that patient information be stored on the device being used, potentially opening agencies up to breaches like this one in Vermont.

As most home health agencies are now reliant upon electronic record systems, protecting data is becoming an important part of operations.  Since HIPAA require the utmost protection, a violation could result in serious penalties and fines.  Additionally, states across the country have implemented their own laws and regulations for use of PHI and basic personal data.  Any infraction can cause severe financial penalties to those who are involved in a data breach.  

Avoiding breaches and being compliant with HIPAA policies is going to be essential.  This coming September, all healthcare providers and their business associates will be required to have an updated, stricter policy and agreement in place for sharing patient data.  The new Business Associates Agreements impose strict standards and penalties for violations.

Also coming this fall is the test pilot for HIPAA audits.  Much like a state survey or an OIG audit, HIPAA auditors will descend upon your agency without notice.  The purpose of this audit is to examine your policies and procedures. But these auditors will take it one step further and test staff to make sure policies are followed and understood.  Part of the process is to even inspect your shredding methods and examine your shredder. (If you have a strip shredder, you are not compliant. A cross cut shredder is required and pieces need to be less than 1 inch long!)

Don’t be worried, be prepared and be ready!  HIPAA compliance begins with education of all employees and staff.  But in today’s world, it goes much beyond education and enforcement.   You must include planning for ‘what if’ scenarios and testing your policies to make sure they work.  We can help you get ready and put in place policies, document policies and provide your agency with the educational tools to be in compliance.  You do not want to be like Caledonia Home Health and Hospice who was not known outside of Vermont, but is now known nationally for a data breach.  You would like to be known nationally for being a model and example of excellence!

Give me a call, 978-388-5500, or email me, lance@tortolanoandco.com, so we can discuss your current compliance and education structure, but also how these policies and procedures can be improved.  Fines, penalties and credit monitoring are expensive.  So, this is one operational area that should not be neglected. 

Here is a link to see the letter issued to patients who have been affected by the data breach:
(You will need Adobe Acrobat or a similar PDF reader to open the link.)

Lance Tortolano
Tortolano & Company
(978) 388-5500
Home Health’s Partner In Success!