The job of a long-term post-acute care (LTPAC) provider is primarily to protect the health of its residents. That job was never as important – or onerous – for providers as it was in 2020. While providers were, understandably, focused on protecting residents’ physical health, it was equally important to protect their health information.
Even while contending with COVID-19, LTPAC providers were required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules. With the hope that the worst of the pandemic is over, it makes sense to reexamine HIPAA rules, beginning with the Privacy Rule, and reinforce the importance of responsible policies and practices with every person working in your facility.
An essential aspect of compliance with HIPAA is awareness and understanding of the rules. Consequently, maintaining and communicating HIPAA compliance should be at the forefront of your facility’s operations.
The HIPAA Privacy Rule
HIPAA is a federal law established in 1996 mainly to ensure the continuation of health insurance coverage for individuals and to improve efficiency in the healthcare industry. As technology advanced and the protection of an individual’s personal information became more critical, the HIPAA Privacy Rule, published in 2000 and modified in 2002, was created to set standards for protecting the privacy of patients’ personal health information.
The Privacy Rule covers healthcare providers, health plans and healthcare clearinghouses. Covered healthcare providers include any service provider that furnishes, bills or is paid for healthcare. The Privacy Rule also covers business associates of these entities, defined as a contractor of the covered entity that handles patient health information on its behalf.
The Privacy Rule applies to Protected Health Information (PHI). PHI is any information relating to the health status of a patient or resident such as clinical data, health conditions or billing and payment information. This information, along with personal identifiers such as name, address or social security number that could serve to identify an individual, is protected under the Privacy Rule.
The Privacy Rule gives residents rights over their health information, such as the right to examine and obtain a copy of their medical records and request corrections, if necessary. It also establishes the allowable uses and disclosures of such individually identifiable health information.
Allowable Uses and Disclosures of Resident Health Information
The disclosure of a resident’s health information is required when requested by the resident, by his or her personal representative or when requested by the Department of Health and Human Services (HHS) as needed for a compliance investigation or audit. There are also instances in which the use and disclosure of PHI by healthcare providers is allowable, even in the absence of resident authorization.
The Privacy Rule allows for such use by a provider for certain activities, including:
Additionally, the Privacy Rule allows for disclosure of resident personal health information in certain circumstances, including:
While this generally covers the main uses and disclosures, it’s not an exhaustive list.
Uses and Disclosures of Resident Health Information That Are Not Allowed
Using unencrypted email or SMS text messaging
It's important to be aware of these rules at all times. Violations can be grounds for hefty fines.
The Role of a HIPAA Compliance Officer
LTPAC providers and other covered entities are required by HIPAA to designate a Compliance Officer to manage the organization’s compliance with HIPAA rules and regulations. Often, a provider will name both a Privacy Officer and Security Officer, particularly in larger organizations, in order to divide the duties relating to HIPAA compliance.
Carefully selecting a HIPAA Compliance Officer may be the most important step you can take toward maintaining HIPAA compliance. Every employee must know and understand HIPAA rules and be constantly cognizant of adherence to those rules throughout daily work activities. Compliance Officers who are dedicated to their roles and responsibilities are better able to impart the significance of compliant behavior to personnel.
As it pertains to maintaining compliance with the HIPAA Privacy Rule, a Compliance Officer will develop a program of policies and procedures to protect the integrity of PHI and will ensure that the program is enforced. To this end, a Compliance Officer will continually assess risk within the facility by performing an annual risk analysis. The Compliance Officer also needs to have a thorough knowledge of the HIPAA Privacy Rule and to constantly monitor for new regulations or guidelines.
In addition to overall privacy compliance, HIPAA Compliance Officers manage the handling of tasks as required under the Privacy Rule, including:
Best Practices
A critical aspect of a Compliance Officer’s job of monitoring HIPAA compliance is to investigate incidents and report any breaches or violations of HIPAA rules. Whether reported by a Compliance Officer, a staff member, a resident or an inspector who has performed an annual survey, a suspected HIPAA violation will result in an audit by the HHS Office for Civil Rights (OCR).
With regard to the Privacy Rule, there are numerous ways in which HIPAA can be violated and trigger an audit. The risk associated with HIPAA violations may be mitigated by implementing and communicating certain best practices, including:
The Bottom Line
The importance of HIPAA compliance within an LTPAC facility cannot be overstated. HIPAA violations can result in heavy fines, civil or criminal charges or even imprisonment. These consequences can be levied upon any employee within your organization who has been found in violation of HIPAA rules, whether the violation was willful or not.
The key to maintaining HIPAA compliance is making sure, to the best of a provider’s ability, that every employee knows the rules and understands what constitutes a breach.
Next in our series – Part II: Security
Contact Richter’s Skilled Nursing Consultants
Do you have questions about HIPAA, implementing a compliance program or other LTPAC business challenges? Call Richter's skilled nursing facility consultants at 866.806.0799 to schedule a free consultation.