HIPAA for Home Health Care
Home health care workers face HIPAA compliance issues not typically encountered by health care workers work in hospitals and medical offices. HIPAA home health care compliance issues include those posed by visiting patients in their homes, or checking on patients’ well-being via phone or video.
What are Home Health Care Workers?
Home health care workers are individuals who visit patients in their homes to provide healthcare services. Home health care workers frequently communicate with patients, through phone or video, to address patient concerns.
One challenge for home health care workers is HIPAA Privacy Rule compliance. Patients may reside with third parties who are family members. These family members may approach a home health care worker and request the home health care worker disclose protected health information (PHI) about the patient. Requests may be made in situations where the patient has not provided written authorization permitting such disclosure. How is the home health care worker to act?
Under the HIPAA Privacy Rule, covered entities may share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object.
Note, from the above, that the family member or friend with whom the information may be shared, must be involved in the patient’s care or payment for health care. A home health care may not disclose PHI to a family member or friend who is not involved in these activities and is, say, simply nosy – unless the patient consents to such disclosure.
Another challenge for home health care workers is HIPAA Security Rule compliance. Home health care workers must be mindful of how electronic protected health information (ePHI) must be secured when it is created, used, stored, or disclosed via electronic devices.
ePHI transmission, as well as the devices on which ePHI is stored, should be secured against unauthorized disclosure. Unauthorized disclosure includes, for example, sending text messages with test results attached, to family members whom the patient has requested should not be informed of the patient’s condition. Such messages may be disclosed without authorization in other ways as well. For example, messages may be intercepted over a cell phone network.
Tools exist that mitigate the risk of unauthorized disclosure of ePHI. Such tools encrypt sensitive data on mobile devices to secure communications among healthcare workers; these tools also have “time-out” mechanisms that automatically log devices out of secure communication channels, after a period of inactivity.