What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It was passed in 1996 and originally had two primary purposes. First, it made it easier for people to keep continuous health coverage despite life changes, such as job loss. Second, it helped reduce healthcare fraud. Since then, Congress has added provisions to HIPAA that protect private health information, known as PHI (Protected Health Information).
How does this affect us here at Blossom?
The policies and rules that HIPAA created are important. They determine how we handle PHI and how we conduct our business. Let’s take a look at a few of these rules:
The Privacy Rule (first published in 2000 and later modified in 2002) set national standards for the protection of PHI. This means that patient privacy is protected because all “covered entities” must follow the standards laid out by this rule. Covered entities include Health Plans, Health Plan Clearinghouses, and Healthcare Providers who conduct health care transactions electronically (Blossom!).
The Security Rule (published in 2003) set national standards for protecting confidentiality of electronic PHI.
The Enforcement Rule provides standards for enforcing these rules. It includes procedures for compliance reviews and investigations, as well as penalties and monetary fines for those who break the rules. HIPAA violation fines can be $25,000 per violation.
Who’s in charge of making sure Blossom follows these rules?
HIPAA requires all covered entities to have a program of compliance in place. Here at Blossom, our QA Department is in charge of making sure HIPAA rules and regulations are being followed. They do this in a number of ways, and one of them is investigating potential violations.
What’s an example of a potential violation?
Here are some potential violations QA has investigated in the past:
Allegation of aide staff bringing a friend or family member to a client’s home and sharing information such as the client’s name and address.
Allegation of staff holding conversations via speaker phone in the presence of clients and discussing confidential information.
Allegation of personal email addresses or personal cell phones being used to discuss client information.
How can Blossom employees avoid potential violations of HIPAA?
It’s the responsibility of every Blossom employee to know the rules and follow them. Here are some tips and tricks that will help our employees stay compliant.
When working from home, make sure documents containing client information are stored and transported securely. Wear headphones when communicating via phone or Zoom about clients. If you are working in a shared space, don’t use full names when referring to clients.
Log out of your computer when you walk away from your workstation (at home and in the office!).
When in doubt, encrypt emails being sent to outside (non-Blossom) accounts. If you are unable to encrypt for any reason, don’t use the full names of clients (for example, use first name, last initial, and type of service). Don’t include any client information in the email that would be identifiable by an unauthorized party.
Best practice is to refer to clients in Mattermost (our internal messaging service) without using full names. Instead, use First Name, Last Initial, Area of Service, and Type of Service. Example: M. Dillon Rochester West NHTD
What could happen if an employee breaks HIPAA rules?
A HIPAA breach occurs when health information is disclosed to, or left accessible to, people who are not authorized to see it. Here are two examples of what can happen when a HIPAA breach is discovered.
HIPAA Enforcement Action Examples:
State Hospital Sanctions Employees for Disclosing Patient's PHI
Covered Entity: Health Care Provider / General Hospital
Issue: Impermissible Disclosure
A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient. [SOURCE: HHS.gov]
Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books
Covered Entity: Pharmacies
Issue: Safeguards
A grocery store-based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. The Office for Civil Rights (OCR) issued a written analysis and a demand for compliance. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. Moreover, the entity was required to train all staff on the revised policy. The chain acknowledged that the log books contained protected health information and implemented the required changes. [SOURCE: HHS.gov]