Search the Community

HIPAA for Activity Directors Activities professionals deal with resident information on a personal level, including but not limited to: family issues, special requests from the resident, newsletter articles, etc. Without a doubt, there is a great deal of detailed personal information that must be monitored to prevent unintended disclosure. The following information will hopefully ease your mind about HIPAA regulations. That way, you will be able to have your calendars, banners, bulletin boards and posters, while being in full compliance with all of the regulations. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. It details standards for the electronic exchange, privacy and security of health information. These guidelines were initially designed to regulate "individually identifiable" - health information that was transmitted electronically. Since then, the "Privacy Rule" that is defined by HIPAA has expanded that concept. Covered Entities "must" be HIPAA Compliant HIPAA, or Health Insurance Portability Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. This information will focused on Health Care Providers known as nursing homes - specifically health care professionals in the role as Activity Directors. Some of these entities are: Health care providers such as nursing homes, rehab facilities, hospitals or any other facility providing skilled or intensive care. Other entities also included are: Health Plans, Health Care Clearinghouses, and Business associates. Not sure if you are working in a Covered Entity; download this PDF for more details check the following resources. Source: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf Source: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity Personal Health Information (PHI) The specific information targeted under the HIPAA regulations is data known as: "Personal Health Information" or PHI. This would be any data that provides "Individually identifiable health information" - including demographic data. PHI information may be received or created by a facility. It may contain past, present or future health diagnosis, history and/or treatment and is inclusive of payment information for medical services normally found in medical charts and billing files. Portions of such personal information may often be found on bulletin boards, photos, calendars, birthday cards, activity rooms, common areas and activity progress notes. The Nuts and Bolts for Directors There are several ways to keep your department and resident's privacy intact and remain in compliance with HIPAA regulations. Staff orientation must include appropriate training in this area across all interdisciplinary team members. When is PHI distribution approved under HIPAA? There are different allowable ways to exchange medical information. Generally, the facility may provide select PHI details to family members, friends and clergy. The resident's name and room number. The general condition of the resident: - Having a good day today. - Asked to attend sing-a-long group. - Has been a little sad today. The residents' religious affiliation. Note: Be sure to check if your residents have authorized a legal "Health Care Proxy". This appointed person or persons can stipulate the dissemination of any health information or may over-ride permissions as to whom this personal information may be given. That said, the following are scenarios in which you are not allowed to disclose medical information in any circumstances: Never walk away from your computer, laptop or other electronic health record device without shutting down or entering sleep command to close your screen. It is never permissible to momentarily walk away to tend to another matter while leaving personal information visible on your screen. Never carry on conversations in areas lacking privacy within the facility between staff members. There will never be any circumstance when you should discuss or comment about your resident's day within open areas in which the conversation might be accidently overheard; such areas could be hallways, bathrooms, etc. REMEMBER: "THE WALLS HAVE EARS" Any inbound or outbound resident health information whether fax, email, completed forms, and standard mail. Any document must be immediately addressed upon receipt. Under no circumstances should any health information be allowed to remain in waiting within view on your desk, fax machine or open file organizer until you can tend to it. Activity Plans, Bulletin Boards and Other Publications Photographs/Pictures: Ensure that a permission form has been signed by the authorized individual and is filed in the resident's chart. This permission form is mandatory if you plan to take resident pictures. However, once you include the resident's name with that picture, you will be in violation of HIPAA. If you need to use a name (on a bulletin board for example) all you really need to do is ask the resident for permission and document that permission was given. Calendars and Birthday Cards: Simply remove the birth year from any information. You may only provide the residents name, month and day of birth within the given month. For example: Happy Birthday to Teddy – (3/21). It goes without saying that you should never include medical information (diagnoses, dementia items, etc.) on your monthly calendars. Bulletin Boards and Miscellaneous: Documented permissions are worth their weight in gold. In almost every case if you take the proper steps to ask permission, you can prevent any confusion and facility privacy citation during survey. Never add names to pictures. If you absolutely must, be sure to get explicit permission and again document that it was given. However, I would suggest you to steer clear of adding names period to prevent possible confusion. Activity Rooms and Common Areas: Can pictures of residents be used in your common areas? Yes, but once more, be sure that no medical information accompanies those pictures. Additionally, never identify residents by room or unit, especially if that resident resides on a memory/dementia care unit. This information is simply not needed to convey the resident experience through pictures. Activity and Progress Notes: As previously stated, completed resident forms should never lie in waiting, inclusive of all progress notes. These forms must be put away in the individual chart to prevent unwanted viewing of resident privacy information. Never leave it out in the open on your desk to attend to another matter. The only exception would be when you are able to secure (lock) the document in an office. Shreddables Pure and Simple...you bear the responsibility of ensuring that no "unauthorized" eyes are able to view resident health information. This also applies to any documentation that is no longer required for record retention. "Record retention guidelines" outline how long resident & treatment records must be retained. Records deemed to expire must be permanently disposed of by way of shredding. Always check with your facility Administrator to ensure your understanding of how and when shredding services are utilized by your facility. The major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. Source: https://managemypractice.com/cms-releases-record-retention-guidelines/?print=print Source: https://www.cms.gov/Regulations-and-Guidance/Guidance/CMSRecordsSchedule For more detailed HIPAA information: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html https://www.hhs.gov/hipaa/for-professionals/training/index.html Have a topic request or question for Celeste? Send them over to celestechase@activitydirector.org Our MEPAP 1&2 Courses 2 Course Formats www.ActivityDirector.org - 1.888.238.0444 Structured Class (16 Weeks) - Begins the First Tuesday of each Month Self Paced Class (13 Weeks-1 Year) - Enroll and Begin Anytime Activity Directors Network was founded in 1996 on the idea that we could help create elderly care that dramatically improved the lives of those we all serve. We envision facilities that feel like homes and that celebrate our resident's individuality and allows them to live with dignity, purpose and joy. We believe the exchange of education and wisdom between the most talented teachers and passionate students is the way to make an impact. Each and every single one of you are the revolution that is changing everything. Thanks for being a part of The Network. Copyright © 2019 Activity Directors Network, LLC All rights reserved. Our mailing address is: 2010 US HWY 190 W Ste 120 Livingston, Texas 77351