Home care and hospice providers received a warning Wednesday that the Department of Health of Human Services (HHS) is cracking down on rules covering patient privacy and access to health records.  

Attorney Madison Pool from the Atlanta, GA-based law firm of Arnall Golden Gregory waved the red flag during a webinar sponsored by the National Association for Home Care & Hospice (NAHC) about recent developments in the Health Insurance Portability and Accountability Act (HIPAA).

While HHS has relaxed some HIPAA provisions during the COVID-19 pandemic, it has been stepping up enforcement of patient rights, according to Pool. She said a primary focus has been patient access to records, which requires providers — including home care and hospice agencies — to respond to patient record requests within 30 days. 

Madison Pool

“There have been 19 resolution agreements that have been entered into in just the past 18 months, which is really significant,” Pool said. “Generally in a given year, about 10 total would be a standard year for resolution agreements.” 

Pool said another area of focus has been security as it relates to electronic record keeping. She advised home care and hospice agencies to conduct risk assessments and put in safeguards to ensure personal health records (PHI) can be transferred safely across various platforms.

“That might be personal devices, servers, fax, emails, (electronic health records) — all of the ways PHI is held electronically. The covered entity has to go through and identify that. Once that’s done the covered entity must identify the threats and vulnerabilities that are applicable to the e-PHI,” Pool said.

HIPAA is a 25-year-old federal law that covers the way personally identifiable information must be maintained by healthcare providers and health insurers. The law was designed to protect patient information from fraud and theft.