HIPAA Compliance for Home Health Care

HIPAA compliance for home health care workers can be especially challenging due to working in multiple – and sometimes unfamiliar – environments and often encountering scenarios that do not occur in purpose-built healthcare facilities.

Home health care workers provide a valuable service to patients in the community. As well as visiting patients unable to go to a healthcare facility and providing feedback to physicians, home health care workers check on patients’ well-being by telephone or video calls.

These two forms of working present special challenges, and can complicate HIPAA compliance for home health care workers with regard to permitted disclosures of Protected Health Information (PHI) and the technologies used to communicate with patients.

Privacy Rule HIPAA Compliance for Home Health Care Workers

The Privacy Rule has two primary objectives – to give patients control over their health information and to protect the privacy of individually identifiable health information. With regard to the first objective, home health care workers can provide any information a patient requests about their past, present, or future physical or mental health.

However, due to the second objective, any disclosure of information to a patient must be made confidentially unless the patient has consented for it to be shared with family members and friends. This can result in awkward situations and interactions in the home when members of the family or friends request information concerning a loved one.

In particular situations, the refusal to disclose PHI – or disclosing only the minimum necessary when appropriate – can prevent healthcare workers from carrying out their job correctly. It could also result in family members submitting unjustified complaints to the home health care worker’s employer or HHS’ Office for Civil Rights.

Because of the risk of a complaint – and because of the pressure healthcare professionals may be put under to disclose health information impermissibly – it is important that training on HIPAA compliance for home health care workers covers how to deal with these situations so that they can carry out their jobs correctly and ensure patients are well cared for.

Security Rule HIPAA Compliance for Home Health Care Workers

In a purpose-built healthcare facility, Security Rule compliance is most often not a home care worker's responsibility. Measures are implemented and configured by compliance teams to ensure the confidentiality, integrity, and availability of electronic PHI, and members of the workforce are trained in how to use the measures compliantly.

This means that when home health care workers check on patients remotely, the telephone or videoconferencing system being used complies with the technical safeguards of the Security Rule. The only consideration a healthcare professional has to bear in mind is the privacy of the telephone or video call (i.e., the call is private at both ends).

In the community, Security Rule HIPAA compliance for home health care workers should be less complicated because less technology is involved. Nonetheless, it is important that any personal devices used to collect, store, or transmit PHI are configured to support access controls, audit trails, and automatic logoff.

It is also important when personal devices are used to collect, store, or transmit PHI that PHI is encrypted at rest and in transit. This is so that, if the device is lost or stolen, the data on the device is unreadable, indecipherable, and unusable, which means the loss or theft of the device is not a HIPAA violation and a notifiable data breach.

Training in HIPAA for Home Health Care Workers

As mentioned previously, training in HIPAA for home health care workers should include how to deal with situations in which a home health care worker is put under pressure to reveal more PHI to family members and friends than is permissible. The training should also cover interactions with translators, caregivers, and family members with medical power of attorney.

Subjects to focus on in training in HIPAA for home health care givers include what is PHI – and what isn’t – and what disclosures are permitted without a patient’s consent. Because disclosures may relate to violence, abuse, and neglect in the home environment, it is also essential for home health care givers to be advised on who to disclose what information to and when.

With regard to Security Rule HIPAA compliance for home health care workers, it is probably more relevant to discuss communications via personal devices. For example, a personal device should never be used to discuss patient health information with work colleagues if the device lacks audit trail capabilities, and PHI should never be posted on social media sites.

One further consideration when providing training in HIPAA for home health care workers is to ensure the healthcare professionals are aware of the difference between a HIPAA violation and a HIPAA breach, and how to report either when they occur. It is always best to report a violation or breach at the earliest possible opportunity and document the report to ensure it is preserved.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA