Have you ever decided to catch up on a little paperwork after hours or on a weekend, shoved a few resident medical or billing records into your briefcase or downloaded them onto your iPad or laptop? Sure you have. But you might want to think twice about that for yourself and your employees, or at least tread carefully.
In February 2016, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services hit Lincare, a national provider of respiratory care, infusion therapy and medical equipment for in-home patients, with a $239,800 civil money penalty after an employee took patient charts containing protected health information home, then moved and simply left the records behind. The records were discovered by an unauthorized individual. OCR charged Lincare with violations of the Health Insurance Portability and Accountability Act (HIPAA) and, for only the second time in its history, enforced them with civil money penalties rather than education or other corrective measures.
Lincare contested the allegations before a federal administrative law judge (ALJ), arguing that the records had been stolen. Lincare lost. The ALJ upheld OCR's allegations on all counts, finding that Lincare knew employees routinely took patient records home and had an unwritten policy requiring employees to store patient records in their vehicles for extended periods. As to the theft defense, the ALJ found that even if the records were stolen, Lincare had inadequate policies and procedures governing employees' removal and storage of patient charts and protecting those charts against theft. OCR also alleged, and the ALJ agreed, that even after learning of the complaint about the abandoned records, Lincare made only minimal efforts to correct its policies and strengthen its procedures to ensure HIPAA compliance.
To be sure, providers of in-home goods and services face a tougher time ensuring HIPAA-compliant protection of patients’ Protected Health Information (PHI). But the issue isn’t limited to home care providers or vendors. We handled a case last year involving the storage of resident PHI on an employee’s personal, unencrypted cell phone, and the Centers for Medicare and Medicaid Services jumped all over it, requiring a multi-layered Directed Plan of Correction.
So what to do? Make sure you have robust policies and procedures governing when employees may remove charts, or copies of charts, from the facility or business premises; how removed records must be stored, whether in hard copy or electronically; how they may be used; and how and when they must be returned. Also ensure that employees transmit and store PHI only on work-approved or work-issued devices that are encrypted. Encryption matters beyond good practice: under the HIPAA Breach Notification Rule, the loss or theft of a device whose PHI is encrypted in accordance with HHS guidance does not trigger breach notification, whereas the loss of an unencrypted device generally does. Your policies and procedures have to address these and the other points at which everyday work practices could permit the unauthorized disclosure of residents' confidential health or financial information.
OCR, in its press release, served notice that it is more than willing to pursue complaints of unauthorized disclosure of PHI, and to use civil money penalties to enforce the law.