The job of a long-term post-acute care (LTPAC) provider is primarily to protect the health of its residents. That job was never as important – or onerous – for providers as it was in 2020. While providers were, understandably, focused on protecting residents’ physical health, it was equally important to protect their health information.
Even while contending with COVID-19, LTPAC providers were required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules. With the hope that the worst of the pandemic is over, it makes sense to reexamine HIPAA rules, beginning with the Privacy Rule, and reinforce the importance of responsible policies and practices with every person working in your facility.
An essential aspect of compliance with HIPAA is awareness and understanding of the rules. Consequently, maintaining and communicating HIPAA compliance should be at the forefront of your facility’s operations.
The HIPAA Privacy Rule
HIPAA is a federal law established in 1996 mainly to ensure the continuation of health insurance coverage for individuals and to improve efficiency in the healthcare industry. As technology advanced and the protection of an individual’s personal information became more critical, the HIPAA Privacy Rule, published in 2000 and modified in 2002, was created to set standards for protecting the privacy of patients’ personal health information.
The Privacy Rule covers healthcare providers, health plans and healthcare clearinghouses. Covered healthcare providers include any service provider that furnishes, bills or is paid for healthcare. The Privacy Rule also covers business associates of these entities, defined as a contractor of the covered entity that handles patient health information on its behalf.
The Privacy Rule applies to Protected Health Information (PHI). PHI is any information relating to the health status of a patient or resident such as clinical data, health conditions or billing and payment information. This information, along with personal identifiers such as name, address or social security number that could serve to identify an individual, is protected under the Privacy Rule.
The Privacy Rule gives residents rights over their health information, such as the right to examine and obtain a copy of their medical records and request corrections, if necessary. It also establishes the allowable uses and disclosures of such individually identifiable health information.
Allowable Uses and Disclosures of Resident Health Information
The disclosure of a resident’s health information is required when requested by the resident, by his or her personal representative or when requested by the Department of Health and Human Services (HHS) as needed for a compliance investigation or audit. There are also instances in which the use and disclosure of PHI by healthcare providers is allowable, even in the absence of resident authorization.
The Privacy Rule allows for such use by a provider for certain activities, including:
Treatment: activities related to the provision, coordination or management of healthcare, consultation between healthcare providers and referral of a resident from one healthcare provider to another
Payment: activities related to obtaining payment or reimbursement or determining coverage
Healthcare operations: administrative, financial, legal and operational activities of a provider that are necessary to run its business
Additionally, the Privacy Rule allows for disclosure of resident personal health information in certain circumstances, including:
Situations of public interest or benefit activity purposes such as when it is required by law or necessary for public health activities
Situations where the individual has the opportunity to agree or object to disclosure of PHI
Situations where the use or disclosure occurred incidental to another permitted use or disclosure
While this generally covers the main uses and disclosures, it’s not an exhaustive list.
Uses and Disclosures of Resident Health Information That Are Not Allowed
Using unencrypted email or SMS text messaging
Talking in front of other residents and visitors and/or in open areas about a particular resident
Posting PHI on bulletin boards or leaving resident records in plain view, allowing others without permission to view them
It's important to be aware of these rules at all times. Violations can be grounds for hefty fines.
The Role of a HIPAA Compliance Officer
LTPAC providers and other covered entities are required by HIPAA to designate a Compliance Officer to manage the organization’s compliance with HIPAA rules and regulations. Often, a provider will name both a Privacy Officer and Security Officer, particularly in larger organizations, in order to divide the duties relating to HIPAA compliance.
Carefully selecting a HIPAA Compliance Officer may be the most important step you can take toward maintaining HIPAA compliance. Every employee must know and understand HIPAA rules and be constantly cognizant of adherence to those rules throughout daily work activities. Compliance Officers who are dedicated to their roles and responsibilities are better able to impart the significance of compliant behavior to personnel.
As it pertains to maintaining compliance with the HIPAA Privacy Rule, a Compliance Officer will develop a program of policies and procedures to protect the integrity of PHI and will ensure that the program is enforced. To this end, a Compliance Officer will continually assess risk within the facility by performing an annual risk analysis. The Compliance Officer also needs to have a thorough knowledge of the HIPAA Privacy Rule and to constantly monitor for new regulations or guidelines.
In addition to overall privacy compliance, HIPAA Compliance Officers manage the handling of tasks as required under the Privacy Rule, including:
Training staff to understand what PHI can and cannot be shared internally and externally
Responding to resident health information access requests
Providing residents with Notices of Privacy Practices (NPPs)
Obtaining permission from residents to use electronic Protected Health Information (ePHI) for purposes such as research and marketing
Updating forms to include recent changes in disclosure requirements
A critical aspect of a Compliance Officer’s job of monitoring HIPAA compliance is to investigate incidents and report any breaches or violations of HIPAA rules. Whether reported by a Compliance Officer, a staff member, a resident or an inspector who has performed an annual survey, a suspected HIPAA violation will result in an audit by the HHS Office for Civil Rights (OCR).
With regard to the Privacy Rule, there are numerous ways in which HIPAA can be violated and trigger an audit. The risk associated with HIPAA violations may be mitigated by implementing and communicating certain best practices, including:
Providing up-to-date, detailed compliance training to all staff at least annually
Making sure that employees understand that any improper sharing or disclosure of PHI, even via word-of-mouth, is a violation of HIPAA
Ensuring that no resident documentation or records are ever unattended or available for public viewing
Always providing residents with personal health information within 30 days of a request
Notifying OCR of any violation or incident involving misuse of PHI within 60 days of the discovery of a breach
The Bottom Line
The importance of HIPAA compliance within an LTPAC facility cannot be overstated. HIPAA violations can result in heavy fines, civil or criminal charges or even imprisonment. These consequences can be levied upon any employee within your organization who has been found in violation of HIPAA rules, whether the violation was willful or not.
The key to maintaining HIPAA compliance is making sure, to the best of a provider’s ability, that every employee knows the rules and understands what constitutes a breach.