How Home Health Companies Struggle with HIPAA Compliance & What They Can Do About It Today

How HIPAA disproportionately impacts the bottom line for Home Health companies

Home health companies in particular struggle to erect safeguards, as they typically deal with tighter budgets than hospitals and in-patient facilities and often don’t have the resources to implement and provide higher levels of security and compliance. In addition, providing services through a remote workforce poses unique security challenges. Hackers and data criminals are aware of these logistical struggles, and target their attacks on home health care companies.

One particularly risky area hackers focus on is a company’s distributed communications infrastructure. When home health workers use their personal devices to exchange PHI, a company's ability to provide necessary protections and enforce security policies becomes incredibly difficult; without addressing the technological needs of their distributed workforce, mitigating the risk of HIPAA violations and ensuring compliance proves burdensome and costly.

There are measures that home health companies can take to prevent violation penalties that can cost up to $50,000.

Provide secure solutions that help prevent HIPAA violations

Every home health company must meet 4 HIPAA Privacy Rule requirements:

1. Protect & Store Patient Health Information (PHI)
2. Securely Transmit Health Care Records to Insurance Providers & Approved Third Parties
3. Reduce Fraud in the Health Care System
4. Standardize Information for Electronic Billing and Health Care Information

Implementing communications infrastructure that supports the Privacy Rule is more difficult than it sounds, especially when companies have weak or nonexistent mobile device policies. With nearly 60% of medical professionals now using their personal mobile devices, there is a considerable risk of patient health records being accessed by unauthorized personnel.

Technical requirements in the HIPAA Security Rule

HIPAA's Security Rule details multiple technical requirements that companies must address to ensure compliance. Prominent examples include:

• PHI must be encrypted upon transmission and storage
• Access to PHI must be authenticated and re-authenticated on a periodic basis
• Credentials must not be shared, and can be used for uniquely identifying access requests for PHI

Traditional means of communications cannot adequately cover these three simple requirements, let alone the more rigorous requirements detailed in the HIPAA Security Rule. When data is sent back and forth via traditional means (phone calls, text messages, or emails), PHI cannot be securely protected.

Avoid costly device investments & choose secure communication software

One way home health providers can meet the various technical and security challenges that HIPAA exposes is to provide home health workers with secure devices and/or software for communication. Having a mobile device management policy that includes secure hardware and/or software can streamline and protect PHI in the home health field.

Investing in secure hardware and provisioning this out to your remote staff is expensive, difficult to oversee and maintain, and is an outdated approach. Finding a hardware and software vendor that meet the specific regulatory requirements set forth by HIPAA and HITECH can be difficult to find, assess, and afford.