New HIPAA Rules a Game Changer for Assisted Living

Data privacy and security are not new issues to senior living operators, and many have made serious headway in protecting protected health information (PHI) as technology has advanced. But recent changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are causing providers to revisit, refresh and in some cases overhaul their policies when it comes to PHI.

For national providers, it has been a months-long and in some cases years-long process of getting up to speed on the newest HIPAA rules, implemented September 23, which now presume that any PHI that is lost, stolen or otherwise compromised has been breached unless proven otherwise.

“Under the old HIPAA rule you had to prove someone had used the lost or stolen data; now the data is presumed used and reportable unless you can prove it wasn’t, and proving data was not used is much harder than proving it was,” says Scott Ranson, Chief Information Officer for Brookdale Senior Living.

Cyber insurance companies use the example of a community executive director driving to work, who leaves her laptop in the car while stopping for coffee. The laptop is stolen, leaving PHI for hundreds of the community’s residents, as well as personal or financial information out in the open.

Such has been the case for several communities that have made headlines in recent years, namely nursing homes, which have always been subject to HIPAA.

But another product of the changes is that assisted living communities are more apt to fall under HIPAA, because the rule has redefined which business associates are covered under the law.

“When I first saw this, I was a little taken aback by the severity of it,” says Frank Russo, vice president of risk management for Silverado Senior Living. “This is a game changer for assisted living. It’s a monumental change for how assisted living handles privacy and PHI.”

The implementation has been two-pronged, providers say, as they implement change both to the technology used to transmit and protect PHI as well as the training and internal processes in place to handle it.

The double-edged tech sword

While technology has made sharing information easier and more accessible through the host of mobile devices and software platforms now available to manage electronic health records, including PHI, those same advances can sometimes be a hindrance to HIPAA compliance.

Processes from logging off a community computer to restricting access to PHI except for those who absolutely need it have been implemented at Silverado.

Minimal access is one cornerstone, but Silverado also instructs employees not to leave PHI in plain view, as in the case of a cell phone left on a cafeteria table; not to have verbal PHI discussions that could be overheard; to ensure password protection or the ability to wipe a device completely; and not to store PHI on a flash drive or other portable device.

Providers are also utilizing third-party vendors as well as internal processes and procedures to adhere to the change.

“Encrypted communication is important and most common,” Russo says. “We had to increase encryption software.”

The key to data security is ensuring all PHI is encrypted so it cannot be used by anyone who is unauthorized. The same goes for data sent via email or other electronic transmission, so that it can’t be intercepted or otherwise compromised in transit.

“There’s a lot of technology that should play a part in helping to protect companies from having data breaches,” Ranson says. “Having the data encrypted is one of the best things a company can do because if you can prove it is encrypted, you are protected.”

Being able to prove the data was encrypted is the best defense in a data breach, Ranson says.

“It’s not a 100% guarantee, but it goes a long way,” he says.

Getting all parties involved

While technology can help in becoming HIPAA compliant, senior living providers say it’s only one part of the equation. Having compliance processes in place and training all staff on them is also essential.

It also involves explaining why access is limited and how errors can arise, from failures of human authentication (whether a person is who he says he is) to human error, such as having a conversation in the open that involves PHI.

“Gain the buy-in of staff,” Russo says. At Silverado, that involved a lengthy document annotating HIPAA and laying out what the company needed to do. Implementation took several months, including research, updating notices of privacy practices, updating business associate agreements for any vendors that work with PHI, updating the company’s breach policy and privacy manuals, and associate education and training of all staff nationwide.

“This is a new subject matter,” Russo says. “Privacy is not, but this is.”

The first step is figuring out whether a community is covered. Brookdale went through a process of determining which communities are now subject to HIPAA, since some are covered entities and others are not.

“If you’re going to spend a lot of money as an organization to make sure loved ones get their medicines and the physical care they need, you should put in just as much to make sure there’s no way to steal their identity or net worth,” Ranson says. “We were able to make the changes pretty quickly. My fear is most [providers] will take longer because they weren’t where they needed to be before the regulations changed. For organizations, this can take years if they don’t have the right policies, procedures and processes in place before training and getting people to work.”

Written by Elizabeth Ecker

This article is sponsored by the Assisted Living Federation of America (ALFA) as part of its efforts to advance excellence and explore topics impacting the future of senior living. For more information about ALFA, visit
