HIPAA Compliance for Home Health Care
HIPAA compliance for home health care workers can be difficult due to the unique challenges they encounter that do not exist in brick-and-mortar hospitals.
Home health care workers provide a valuable service for patients in the community – either visiting, in their homes, patients who are unable to attend hospital, or checking on their well-being via phone or video. These two scenarios raise unique challenges, and complicate HIPAA compliance for home health care workers – particularly with regard to the permitted disclosure of Protected Health Information.
Under the HIPAA Privacy Rule, patients have the right to request that details of their illnesses be withheld from some or all third parties. These third parties can include friends, family members and members of the clergy. Even when consent is given, health care workers – wherever they are located – should not disclose more than the minimum necessary Protected Health Information to third parties.
This can cause awkward situations – and awkward relationships – in home environments when friends and family members press for further information about a loved one. In certain circumstances, it can prevent healthcare workers from doing their job effectively, or lead to a family filing a complaint against a healthcare worker who refuses to disclose more information than they are allowed to.
Home Health Care Workers and ePHI
Home health care workers have to be aware of how Protected Health Information should be secured when created, used, stored or disclosed via electronic devices. Electronic Protected Health Information (ePHI) is subject to the Technical Safeguards of the HIPAA Security Rule and both the transmission of ePHI, and the devices on which ePHI is stored, should be secured against unauthorized disclosure.
In respect of ePHI, unauthorized disclosure does not only mean (for example) sending a text message with a test result attached to a family member who the patient has requested should not be told about their condition. An unauthorized disclosure could also result from the text message being intercepted over a publicly accessible cellphone network, or from the test result being accessed on the healthcare worker's mobile device when the device is left unattended.
Tools exist to mitigate the risk of an unauthorized disclosure of ePHI – or, at least, make the data that is disclosed unreadable, undecipherable and unusable to anybody to whom it is disclosed. These tools encrypt sensitive data on mobile devices to secure communications between healthcare workers and authorized personnel and have time-out mechanisms that automatically log the devices out of a secure channel of communication after a period of inactivity.
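To make the two controls just described concrete, here is an added example (written for this page, not taken from any product or from the original article) of how an inactivity time-out and a "minimum necessary" field filter can be enforced in an app that displays ePHI on a mobile device. The five-minute limit, the field names and the sample record are assumptions chosen for illustration; the clock is injected so the lock behaviour can be exercised without waiting.

```python
"""Inactivity time-out plus minimum-necessary filtering for an ePHI session.

Added illustration for the article above; the time limit, field names and
sample record are constructed for the example and are not real patient data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Assumed policy value: lock the session after five minutes without activity.
INACTIVITY_LIMIT_SECONDS = 300

# Constructed sample record (not real data); the key names are assumptions.
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "visit_notes": "Blood pressure checked; no change in medication.",
    "lab_results": "Example test result",
    "diagnosis": "Example diagnosis",
}


class FakeClock:
    """Deterministic clock so the time-out can be demonstrated offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


@dataclass
class SecureSession:
    """A logged-in session that locks itself after a period of inactivity."""

    now: Callable[[], float]
    limit: int = INACTIVITY_LIMIT_SECONDS
    last_activity: Optional[float] = None
    locked: bool = True

    def login(self) -> None:
        """Unlock the session and start the inactivity timer."""
        self.locked = False
        self.last_activity = self.now()

    def is_usable(self) -> bool:
        """Return True if the session is unlocked; lock it if the limit elapsed."""
        if self.locked or self.last_activity is None:
            return False
        if self.now() - self.last_activity >= self.limit:
            self.locked = True  # idle too long: require a fresh login
            return False
        return True

    def read(self, record: Dict[str, str], allowed: Set[str]) -> Optional[Dict[str, str]]:
        """Return only the fields permitted for this disclosure, or None if locked.

        Each successful read counts as activity and refreshes the timer.
        """
        if not self.is_usable():
            return None
        self.last_activity = self.now()
        return {k: v for k, v in record.items() if k in allowed}


def run_demo() -> List[Optional[Dict[str, str]]]:
    """Walk through login, a permitted read, a read before the limit, and a locked read."""
    clock = FakeClock()
    session = SecureSession(now=clock)
    results: List[Optional[Dict[str, str]]] = []

    results.append(session.read(SAMPLE_RECORD, {"name"}))          # not logged in -> None
    session.login()
    results.append(session.read(SAMPLE_RECORD, {"name", "visit_notes"}))  # permitted fields only
    clock.t = 299.0                                                 # just under the limit
    results.append(session.read(SAMPLE_RECORD, {"visit_notes"}))    # still usable, timer refreshed
    clock.t = 299.0 + INACTIVITY_LIMIT_SECONDS                      # limit reached since last read
    results.append(session.read(SAMPLE_RECORD, {"diagnosis"}))      # locked -> None
    return results


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The filter is applied at the point of disclosure, not at the point of storage, so the full record can remain available to the worker while each disclosure to a third party is limited to the fields that are permitted for that recipient; the time-out is checked on every access rather than by a background timer, which means a device that is simply left unattended cannot serve data once the limit has passed.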
Who is Responsible for HIPAA Compliance for Home Health Care Workers?
Unless a medical professional is working as an independent contractor, the Covered Entity employing the medical professional is responsible for HIPAA compliance for home health care workers. Covered Entities are also responsible for HIPAA compliance for home health care workers if the "workers" are volunteers, as volunteers are considered to be members of a Covered Entity's workforce.
Therefore, the Covered Entity has to train all healthcare workers to be HIPAA compliant, monitor their access to Protected Health Information and ensure any devices used in the execution of their duties are also HIPAA-compliant. If an unauthorized disclosure of Protected Health Information occurs due to the negligence of a healthcare worker, it is the responsibility of the Covered Entity to report the breach to the Department of Health & Human Services.