How a Cell Phone Cost a Skilled Nursing Provider Over a Half Million

Posted by Kelly Braun on October 13, 2016 at 11:00 AM
With advanced technology and new digital systems in place at most long-term care facilities today, it’s imperative that HIPAA policies and procedures are in place, understood and followed. A breach of the law could cost you thousands and thousands, just as it did for a skilled nursing facility in Pennsylvania.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) in June 2016 agreed to a $650,000 settlement and corrective action plan stemming from a discovery of Health Insurance Portability and Accountability Act (HIPAA) violations.

According to HHS, a look at the skilled nursing facility's HIPAA policies began after the theft of an employee's iPhone that was unencrypted and not password protected. The phone provided access to Social Security numbers, medical diagnoses, treatment and procedures, medication, names of legal guardians and more for hundreds of its residents.

The phone theft, which occurred in 2014, sparked an investigation that found CHCS had no policies addressing the removal of mobile devices containing Protected Health Information (PHI) from its facilities or what to do in the event of a security incident. The organization also did not have a risk analysis or a risk management plan in place.

While it’s often frustrating when the federal government tells us “what to do,” but not “how to do it,” it is essential to stay up to date with HIPAA laws and audit procedures. Being proactive is always better than reactive. 

 

Common Uses for Mobile Devices in a Clinical Setting

  • Patient contact information
  • Test results
  • Surgery schedules
  • Procedure lists
  • Prescriptions

 

What Must You Do for PHI

  • Entities must put in place safeguards to protect resident health information and ensure that information is not used or disclosed improperly.
  • Entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Entities must have procedures in place to limit who can view and access resident health information as well as implement training programs for employees about how to protect health information.
  • Business associates also must put in place safeguards to protect health information and ensure they do not use or disclose health information improperly.

 

Tips for Healthcare Providers

  • Use protective software. Personal health records should be safeguarded by encryption software. Cell phones and mobile devices should also be encrypted and password protected.
  • Have facility-wide HIPAA compliance guidelines in place and ensure all staff understand and follow them.
  • Train new employees and hold regular sessions to update existing employees. Staff confusion about compliance procedures is not uncommon.
  • Never leave a computer unattended. Make it facility policy that computers must be logged off before walking away.
  • Ban selfies by staff. It's possible that a photograph taken by a staff member could inadvertently feature other individuals in the background, then surface on social media and violate HIPAA. While these complaints may be rare, some organizations are banning staff from taking photos as a precaution.

 
