Safeguarding the Medical Records & Confidentiality of Clients in Adult Day Programs

By Mary K. Warren, Technology Chair, North Carolina Adult Day Services Association

 

Is every client record locked up when the center is closed to prevent anyone with access to the building after hours (such as janitorial staff) from accessing client information?  What systems are in place to ensure that faxes regarding confidential client information are transmitted to the intended person?  Is it a policy and procedure that everyone who has access to the participant’s medical record must be recorded or logged?

 

Healthcare professionals hold a very general philosophy that patient information is confidential and therefore must be securely maintained and stored. However, when asked for specifics, most have vastly different views of what is considered secure and to whom that applies. Under federal guidelines (HIPAA), adult day centers must establish procedures to ensure that participants' medical records are made available only to those with a need to know.

 

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. It is federal legislation that aims to improve efficiency in the delivery of health care services and to enhance privacy and patients' rights. This legislation is not new, but aspects have been phased in over time. Full compliance with the legislation, including the privacy rules, is expected by 2003.

 

Who does HIPAA affect?

HIPAA regulations apply to all health care providers and associates, including those administering health care plans, authorizing services, coordinating benefits or payment, providing direct health care services, providing information services related to service delivery and so forth. In short, everyone connected with the delivery of health care services, either directly or indirectly, is affected. Adult day services, especially adult day health programs, will be accountable for implementing the HIPAA rules and guidelines.

 

What will be the impact of HIPAA on Adult Day Services?

The full impact of this legislation on our industry is hard to predict.  Broadly, HIPAA will impact centers in:

· Operational policy and procedures

· Staff training and orientation programs

· Information technology systems

· Community collaboration and networking

· Finances.

 

More specifically, HIPAA will require organizational change for many programs.  The privacy requirements will affect how adult day centers share information internally and externally, bill for services and utilize technology within their operations.  Program staff will need to understand and implement these requirements at all levels.  Failure to implement HIPAA's privacy requirements will leave a center at risk for legal action and civil penalties.  Implementation will bring additional costs for staff training, computer upgrades and so forth.  It will also affect those with whom your center does business and vice versa.

 

Can you give some examples?

Here are just a few possibilities to consider:

· Most of us store participant information in paper records and on computers. Policies will need to address access to this information. For example, if a volunteer has access to your office, how will you ensure that this volunteer cannot access your files? Your computer files may be controlled with a password, but what will you do if an employee who knows the password is terminated?

· Some larger organizations network computers. How do you prevent someone else on the network from accessing your participants' confidential information? If your computer is connected to the Internet, how do you prevent someone in cyberspace from accessing this private information?

· Have you ever received an application for enrollment by fax or email? Many institutions label such transactions "private" and request notification and return in case of misdirection. In the future, you will need safeguards to ensure that electronic transmissions do not fall into the wrong hands. Centers will need to consider secure networks and encryption software for electronic transactions.

· Answering machines are one way to relay information to working family members. But leaving personal and medical information on an answering machine isn't a good idea because anyone with access, like the sitter or housekeeper, could listen to the message. HIPAA addresses the oral sharing of information as well as sharing in other ways. Along those lines, is your office private, or could someone easily overhear conversations about personal details?

· HIPAA calls for the use of a single identifier for health care transactions. This means that your center and funders/insurers will need compatible information systems in order to process payments.

· Before exchanging information with third parties, client consent or authorization will be needed. Likewise, if you use a third-party vendor to process payment or deliver participant services, then you must be sure that they are implementing HIPAA privacy requirements too.

 

Obviously, this is a complicated issue and will require extensive planning and training in order to ensure compliance.

 

How does my center begin to address these requirements?

Here's how to get started:

· Build an organizational awareness of HIPAA and its impact.

· Assess your organization's informational security systems, policies and procedures.

· Identify potential security and confidentiality weaknesses.

· Develop an action plan and budget to respond to those identified areas.

· Upgrade necessary information systems hardware, software or security controls.

· Make employee adherence to medical confidentiality compliance a condition of employment.

· Implement new policies and procedures.

· Train staff and enforce the use of the new policies.

· Conduct ongoing monitoring and audits to evaluate compliance.

 

How can I learn more about HIPAA?

You can obtain information online at

· http://aspe.hhs.gov/admnsimp/Index.htm

· http://www.wedi.org

· http://www.hipaadvisory.com

· www.hhs.gov/ocr/hipaa

· www.hhs.gov/news/press/2001press/01fsprivacy.html

 

In closing, while your staff has a need to know information, they also are required not to reveal anything to anyone who does not have a need to know. Security programs must be tailored to fit the individual needs of each organization. By implementing an effective security plan, an adult day center will demonstrate a strong commitment to maintaining the confidentiality and integrity of patient information.

 

Reprinted from The Information Source for Adult Day Centers®, May 2002