HIPAA for Activity Directors
written by Celeste Chase
Activities professionals deal with resident information on a personal level, including but not limited to: family issues, special requests from the resident, newsletter articles, etc. Without a doubt, there is a great deal of detailed personal information that must be monitored to prevent unintended disclosure. The following information will hopefully ease your mind about HIPAA regulations. That way, you will be able to have your calendars, banners, bulletin boards and posters, while being in full compliance with all of the regulations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. It details standards for the electronic exchange, privacy and security of health information. These guidelines were initially designed to regulate "individually identifiable" health information that was transmitted electronically. Since then, the "Privacy Rule" that is defined by HIPAA has expanded that concept.
Covered Entities "must" be HIPAA Compliant
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. This information will focus on Health Care Providers known as nursing homes, specifically health care professionals in the role of Activity Director.
Some of these entities are: health care providers such as nursing homes, rehab facilities, hospitals or any other facility providing skilled or intensive care. Other entities also included are: Health Plans, Health Care Clearinghouses, and Business Associates. Not sure if you are working in a Covered Entity? Download this PDF for more details or check the following resources.
Personal Health Information (PHI)
The specific information targeted under the HIPAA regulations is data known as "Personal Health Information" or PHI. This would be any data that provides "individually identifiable health information", including demographic data. PHI may be received or created by a facility. It may contain past, present or future health diagnosis, history and/or treatment, and is inclusive of payment information for medical services normally found in medical charts and billing files. Portions of such personal information may often be found on bulletin boards, photos, calendars, birthday cards, activity rooms, common areas and activity progress notes.
The Nuts and Bolts for Directors
There are several ways to keep your department's and residents' privacy intact and remain in compliance with HIPAA regulations. Staff orientation must include appropriate training in this area across all interdisciplinary team members.
When is PHI distribution approved under HIPAA?
There are different allowable ways to exchange medical information. Generally, the facility may provide select PHI details to family members, friends and clergy.
The resident's name and room number.
The general condition of the resident:
- Having a good day today.
- Asked to attend sing-a-long group.
- Has been a little sad today.
The resident's religious affiliation.
Note: Be sure to check if your residents have authorized a legal "Health Care Proxy". This appointed person or persons can stipulate the dissemination of any health information or may override permissions as to whom this personal information may be given.
That said, the following are scenarios in which you are not allowed to disclose medical information under any circumstances:
Never walk away from your computer, laptop or other electronic health record device without shutting it down or putting it to sleep to close your screen. It is never permissible to momentarily walk away to tend to another matter while leaving personal information visible on your screen.
Never carry on conversations between staff members in areas of the facility that lack privacy. There will never be any circumstance when you should discuss or comment about your resident's day within open areas in which the conversation might be accidentally overheard; such areas could be hallways, bathrooms, etc. REMEMBER: "THE WALLS HAVE EARS"
Any inbound or outbound resident health information, whether fax, email, completed forms or standard mail, must be immediately addressed upon receipt. Under no circumstances should any health information be allowed to remain waiting within view on your desk, fax machine or open file organizer until you can tend to it.
Activity Plans, Bulletin Boards and Other Publications
Photographs/Pictures: Ensure that a permission form has been signed by the authorized individual and is filed in the resident's chart. This permission form is mandatory if you plan to take resident pictures. However, once you include the resident's name with that picture, you will be in violation of HIPAA. If you need to use a name (on a bulletin board for example) all you really need to do is ask the resident for permission and document that permission was given.
Calendars and Birthday Cards: Simply remove the birth year from any information. You may only provide the resident's name, month and day of birth within the given month. For example: Happy Birthday to Teddy – (3/21). It goes without saying that you should never include medical information (diagnoses, dementia items, etc.) on your monthly calendars.
Bulletin Boards and Miscellaneous: Documented permissions are worth their weight in gold. In almost every case, if you take the proper steps to ask permission, you can prevent any confusion and facility privacy citation during survey. Never add names to pictures. If you absolutely must, be sure to get explicit permission and again document that it was given. However, I would suggest you steer clear of adding names, period, to prevent possible confusion.
Activity Rooms and Common Areas: Can pictures of residents be used in your common areas? Yes, but once more, be sure that no medical information accompanies those pictures. Additionally, never identify residents by room or unit, especially if that resident resides on a memory/dementia care unit. This information is simply not needed to convey the resident experience through pictures.
Activity and Progress Notes: As previously stated, completed resident forms, inclusive of all progress notes, should never lie waiting. These forms must be put away in the individual chart to prevent unwanted viewing of private resident information. Never leave them out in the open on your desk to attend to another matter. The only exception would be when you are able to secure (lock) the document in an office.