Amedisys Hospice to be Investigated for Potential HIPAA Violation

The discovery of documents containing the Protected Health Information of 17 patients of Amedisys Hospice, Tennessee, has triggered an investigation into the potential HIPAA violation.

Earlier this week, Sandra Rambo was walking with her daughter when she came across paperwork on the side of the highway. The pair noticed that the records contained information on patients, one of whom was the deceased husband of one of her neighbors.

According to a report on local radio station WHHL, the paper documents contained private patient details such as identification numbers, medical conditions, and information about previous hospice visits, as well as personal details of patients who had visited the hospice.

Rachel Seeger, spokesperson for the US Department of Health and Human Services, explained that in cases such as this, the DHHS works with the healthcare provider to resolve HIPAA violations and enters into a resolution agreement to ensure that the entity in question implements an action plan. That action plan must correct any privacy and security issues affecting HIPAA-covered data.

If compliance issues are discovered when the Office for Civil Rights conducts an investigation, they are detailed in the resolution agreement along with the required actions that must be taken, such as applying stricter data access controls or retraining the staff. The action plan usually lasts for a period of three years, during which time regular reports must be provided to the OCR to ensure continued compliance. When violations are discovered, a financial penalty is usually also applied.

The potential HIPAA breach has been attributed to the actions of a former employee who was tasked with shredding documents before disposal, in what appears to be an isolated event. According to a spokesperson from Amedisys, the healthcare provider has taken HIPAA regulations seriously, has implemented controls to protect patient data, and has “strict policies regarding patient records and the proper procedures in retaining and storing this information.” It was also pointed out that “Amedisys began utilizing encrypted, password protected electronic medical files to ensure patient’s privacy in 2012.”

The healthcare provider explained that shredding documents is company procedure and that the employee in question failed to follow company policy. As a result of this discovery, the hospice will be providing further training to all members of staff to mitigate any damage caused and to prevent further errors from exposing patient data. The hospice has also offered credit monitoring services to all patients affected. It has recovered all of the missing records, and no further threat remains.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.