|
|
HIPAA
Health Insurance Portability and Accountability Act of 1996, Public Law 104-191
Safeguarding the Medical Records & Confidentiality of Clients in Adult Day Programs |
By Mary K. Warren, NCADSA Technology Chair |
Healthcare professionals hold a very general philosophy that patient information is confidential and therefore must be securely maintained and stores. However, when asked for specifics, most have vastly different views of what is considered secure and to whom that applies. Under federal guidelines-HIPAA, adult day centers must establish procedures to ensure that participants' medical records may only be made available to those with a need to know.
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. It is federal legislation that aims to improve efficiency in the delivery of health care services and to enhance privacy and patient's rights. This legislation is not new, but aspects have been phased in over time. Full compliance with the legislation, including the privacy rules, is expected by 2003.
Who does HIPAA affect?
HIPAA regulations apply to all health care providers and associates, including those administering health care plans, authorizing services, coordinating benefits or payment, providing direct health care services, providing information services related to service delivery and so forth. In short, everyone connected with the delivery of health care services either directly or indirectly is affected. Adult day services, especially adult day health programs, will be accountable for implementing the HIPAA rules and guidelines.
What will be the impact of HIPAA on Adult Day Services?
The full impact of this legislation on our industry is hard to predict. Broadly, HIPAA will impact centers in:
- Operational policy and procedures
- Staff training and orientation programs
- Information technology systems
- Community collaboration and networking
- Finances
More specifically, HIPAA will require organizational change for many programs. The privacy requirements will affect how adult day centers share information internally and externally, bill for services, and utilize technology within their operations. Program staff will need to understand and implement these requirements at all levels. Failure to implement HIPAA's privacy requirements will leave a center at risk for legal action and civil penalties. Implementation will bring additional costs for staff training, computer upgrades and so forth. It will also affect those with whom your center does business and vice versa.
Can you give some examples?
Here are just a few possibilities to consider:
- Most of us store participant information in paper records and on computers. Policies will need to address access to this information. For example, if a volunteer has access to your office, how will you insure that this volunteer cannot access your files? Your computer files may be controlled with a password, but what will you do if an employee who knows the password is terminated?
- Some larger organizations network computers. How do you prevent someone else on the network from accessing your participant's confidential information? If your computer is connected to the Internet, how do you prevent someone in cyberspace from accessing this private information?
- Have you ever received an application for enrollment via fax or email? Many institutions label such transactions "private" and request notification and return in case of misdirection. In the future, you will need safeguards to ensure that electronic transmissions do not fall into the wrong hands. Centers will need to consider secure networks and encryption software for electronic transactions.
- Answering machines are one way to relay information to working family members. But leaving personal and medical information on an answering machine isn't a good idea because anyone with access, like the sitter or housekeeper, could listen to the message. HIPAA addresses the oral sharing of information as well as in other ways. Along those lines…Is your office private or could someone easily overhear conversations about personal details?
- HIPAA calls for the use of a single identifier for health care transactions. This means that your center and funders/insurers will need compatible information systems in order to process payments.
- Before exchanging information with third parties, client consent or authorization will be needed. Likewise, if you use a third party vendor to process payment or deliver participant services, then you must be sure that they are implementing HIPAA privacy requirements, too.
Obviously, this is a complicated issue and will require extensive planning and training in order to insure compliance.
How does my center begin to address these requirements?
Here's how to get started:
- Build an organizational awareness of HIPAA and its impact.
- Assess your organization's informational security systems, policies and procedures.
- Identify potential security and confidentiality weaknesses.
- Develop an action plan and budget to respond to those identified areas.
- Upgrade necessary information systems hardware, software or security controls.
- Make employee adherence to medical confidentiality compliance a condition of employment.
- Implement new policies and procedures.
- Train staff and enforce the use of the new policies.
- Conduct ongoing monitoring and audits to evaluate compliance.
How can I learn more about HIPAA?
You can obtain information online at:
In closing, while your staff has a need to know information, they also are required not to reveal anything to anyone who does not have a need to know. Security programs must be tailored to fit the individual needs of each organization. By implementing an effective security plan, an adult day center will demonstrate a strong commitment to maintaining the confidentiality and integrity of patient information.
|
***** |
Evaluation & Planning: A Continuous Process
- Build awareness of HIPAA and its impact.
- Assess your organization's informational security systems, policies and procedures.
- Identify security and confidentiality weaknesses.
- Develop an action plan.
- Upgrade information systems hardware, software or security controls.
- Train staff and enforce the use of the new policies.
|
***** |
Sample Confidentiality Notice
The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled.
If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents.
http://www.ahima.org/journal/pb/01.06.2html
Adapted from
"The Information Source for Adult Day Centers"
Editor: Teresa Johnson
www.theinformationsource4adc.com
|
|
