Towards HIPAA Compliance
Content in this article has been adapted from the sample policy for HIPAA Training that was distributed by the National Adult Day Services Association to its members to assist them in ensuring HIPAA compliance in their organizations.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a new law which keeps the identifiable health information about our participants confidential. It sets out what must be done to maintain this privacy and the punishments for anyone caught violating participant privacy. The Office of Civil Rights of the U.S. Department of Health and Human Services is the agency authorized to enforce HIPAA’s privacy regulations. The regulations took effect on April 14, 2003.
What Is Confidential?
All information about participants should be considered private or “confidential”, whether written on paper, saved on a computer, or spoken aloud. This includes their name, address, age, Social Security number, and any other personal information. It also includes the reason the participant is sick, the treatments and medications he/she receives, caregiver information, any information about past health conditions, future health plans and why the participant attends the adult day center.
Spoken communication runs the gamut from conducting participant interviews, paging participants, whispering in corridors, to talking on telephones. Written communication includes the hard copy of the medical record, letters, forms or any paper exchange of information. Electronic communication includes faxes, computerized medical records, electronic billing and e-mail.
If staff or volunteers reveal any of this information to someone who does not “need to know” it, they violate a participant’s confidentiality and have broken the law.
Consequences of Breaking the Law
In addition to the consequences established by your organization, the Center and its employees will also be fined by the government if they are found to be in non-compliance with HIPAA regulations. The Center and its employees can receive civil penalties of a $100 fine per violation per person, up to $25,000 for the same violation. The Center and its employees can also receive criminal penalties: a fine of up to $50,000, one year in prison, or both, for anyone who knowingly releases information; a fine of up to $100,000, five years in prison, or both, for releasing information under false pretenses; and a fine of up to $250,000, ten years in prison, or both, for using information for commercial or personal gain or malicious harm.
The Significance of Privacy and Confidentiality
Participants need to trust the staff before they will feel comfortable enough to share any personal information. In order for us to provide quality care, we must have this information. They must know that whatever they tell staff will be kept private and limited to those who need the information for treatment, payment and health care operations. (Health care operations are activities such as conducting medical record reviews, training staff and state inspections.) Participants will have control over who else will be told any personal information about them with their written permission.
The “Need to Know” Rule
This rule is really common sense. If a person needs to see participant information to perform his or her job, they are allowed to do so. But they may not need to see all the information about every participant. They should only have access to what they need in order to perform their job. There may also be occasions when staff or volunteers will have access to confidential information that they don’t need for their work. For example, they may see information on whiteboards or sign-in sheets throughout the center. This information must be kept confidential. There’s no doubt that staff and volunteers will overhear private health information as they do their day-to-day work. As long as each of them keeps it to him/herself, they have nothing to worry about. In the course of doing their jobs, staff may also learn information from participants about their conditions. Although there’s nothing wrong with this, staff must remember that participants trust staff to keep what they are told confidential. They must not pass it on unless it involves information the professional staff needs to know to do their jobs. Staff should tell the participant that the information will be shared with the professional staff or encourage participants to tell the information to the proper professionals themselves.
Before looking at a participant’s health information, staff and volunteers should ask themselves one simple question, “Do I need to know this to do my job?” If the answer is no, they should stop. If the answer is yes, they have nothing to worry about.
Accountability for Maintaining HIPAA Compliance
Each organization should assign a Privacy Officer to make sure no one breaks the privacy rule. An adult day center’s administrator is usually this person. He/she is responsible for coming up with the organization’s privacy policies and enforcing them. If someone is spotted breaking the rules, they should be reported to your supervisor or directly to the Privacy Officer. All staff and volunteers should feel comfortable going to either of them with questions about how to follow the privacy rules.
Participant’s HIPAA Rights
Each participant has certain rights under the HIPAA regulations. Unless the information is needed for treatment, payment, and health care operations, an organization should not release any information without a written authorization from the participant. The only exception to this rule is the release of psychotherapy notes, which always needs written authorization. The participant also has the following rights:
· To inspect and copy his/her medical record
· To amend the medical record if he/she feels it is incorrect
· To an accounting of all disclosures that were made, and to whom, except those necessary for treatment, payment or health care operations
· To restrict or limit use or access to medical information by others
· To confidential communications in the manner he/she requests
· To a copy of the Center’s Notice of Privacy Information Practices
All of the rights listed above must be requested, in writing, on the Center’s forms designed for these specific purposes. Every employee must be aware of the contents of the Center’s Notice of Privacy Information Practices.
If the participant feels the Center or its staff have not followed the HIPAA regulations, they can make a formal, written complaint to our Administrator or the Secretary of the Department of Health and Human Services, Washington, DC.
All staff and volunteers are expected to report violations or suspected violations to the Privacy Officer. You do not have to fear any retaliation if you report a privacy violation, as this is considered one of your job responsibilities.
Policies and procedures must be tailored to fit the individual needs of each organization. By implementing an effective security plan, an adult day center will demonstrate a strong commitment to maintaining the confidentiality and integrity of patient information.
Reprinted from The Information Source for Adult Day Centers®, May 2003