Share this article on:
HIPAA compliance is rarely straightforward in the healthcare industry, and HIPAA compliance for hospices is one area in which it less straightforward than most. The rules regarding the disclosure of Protected Health Information limit conversations with family members if patients have not previously given their consent for the conversations to take place. Furthermore, if no DPHA is appointed, obtaining consent when the patient cannot express themselves is impossible. And that´s just the beginning.
Many hospices are supported by volunteers, who – under the Privacy Rule – are regarded as members of the workforce. Volunteers have to be provided with the same training on HIPAA, permissible disclosures of Protected Health Information and HIPAA-compliant policies as professional healthcare providers. They are also subject to the same sanctions policies as professional healthcare providers, which makes things difficult if the volunteer is a priest or nun who has given comfort to the dying.
Administrative Issues Further Complicate HIPAA Compliance for Hospices
Hospice personnel can discuss the Protected Health Information of a patient with an unauthorized member of the family or other individual once the patient has died, if the conversation relates to payment for services provided – unless the disclosure of Protected Health Information is “inconsistent with a prior expressed preference of the decedent”. In these circumstances, HIPAA does not suggest how hospices should resolve outstanding payments without disclosing Protected Health Information.
Also with regard to finances, HIPAA compliance for hospices not only means complying with the administrative, physical and technical safeguards of the Security Rule, but restrictions on marketing and fundraising activities. Using patients´ names or images in marketing and fundraising activities is a breach of HIPAA unless the patient whose name or image is used – or their appointed representative – has given their informed, written consent. Hospices even have to be careful with memorials.
Are Coroners and Funeral Homes Business Associates?
A reasonable interpretation of HIPAA is that coroners and funeral homes provide a service on behalf of a Covered Entity, and during the provision of the service they receive, use and store Protected Health Information. This, in theory, would make coroners and funeral homes Business Associates. Apparently not according to §164.512(g) of the Privacy Rule. An exemption is made for coroners, medical practitioners and funeral homes – and to organ procurement organizations and secondary services.
Further complications surround individuals and entities who provide services directly to a patient not on behalf of the hospice. These include pharmacies, ambulances and hospitals, who provide a service for the patient and not for the hospice. Conversely, when the patient´s Protected Health Information is shared with a lawyer, clinical consultant or pharmacy benefit manager for the purpose of assisting a hospice with an administrative task, they become Business Associates and a Business Associate Agreement will be required.
If your business operates in this very complicated area of HIPAA, it is recommended you seek professional guidance about HIPAA compliance for hospices with regard to your specific circumstances and any state laws that may apply in your jurisdiction. Hospices have been fined in the past for non-compliance with HIPAA, plus incurred expenses to mitigate potential damage caused by a breach, and had to take corrective actions to ensure their future compliance. For a non-profit organization, the financial consequences of non-compliance can be significant.