Confidentiality of Client Personal, Financial and Health Information

HIPAA stands for Health Insurance Portability and Accountability Act.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets guidelines for health care organizations to maintain client confidentiality and privacy of medical records.

HIPAA provides many details for medical doctor offices and hospitals to follow, even mandating that a computer screen cannot be in a high-traffic area where someone might walk by and see patient information.

Protect Client Information Always

The Privacy Rule was added on December 28, 2000.

These rules provide federal protections for patient health information and give patients rights for who can see their information and how it can be used.

Confidentiality means keeping information secret and maintaining the trust placed in you regarding a person's private affairs.

What Caregivers Need to Know About HIPAA

Clients receiving senior care services may have medical records and medical instructions from their doctor, including medications. This information remains private to the caregiver—meaning you are not allowed to share this information with people other than those involved in the care of your client.

Personal Information: PHI = Protected Health Information

As senior care involves staying with a senior in their home, it will be natural to hear personal information about the senior’s family and friends. Maintain confidentiality of any information you hear or which the senior may share with you.

Just as a company's information remains confidential when you work for it, your senior's personal information remains confidential as well.

Example: You find out that your client has a terminal illness. The client's niece comes to visit: you cannot mention the fact that the client is terminal.

Financial Information:

Money matters of a client should remain confidential. Remember that seniors can become especially sensitive about money issues. This is because most seniors are no longer earning income but rather living on a fixed income. Be mindful that they may have many emotional issues surrounding money. Do not discuss your financial issues with a client and simply change the subject if a senior you are caring for begins discussing finances with you.

  • Do not share a senior care client’s information with others

  • Verify the identity of doctors, pharmacists or any other providers who may call, and refer them to the Care Manager

  • DO NOT get involved in information transfers to a medical professional in order to protect yourself

  • Never exchange money with a senior client in order to protect both yourself and the client

  • Personal information about your senior client remains confidential to you

ALL MEDICAL INFORMATION SHOULD BE COMMUNICATED BY A SENIOR CARE MANAGER

(Or the person with Power of Attorney for Healthcare)

HIPAA Protects Individually Identifiable Health Information:

Information about health care or payment for health care, such as:

  • Why a person is visiting the clinic or center

  • The type of treatment a person is receiving

  • The fact that a person is receiving Medicaid (the program for low-income consumers)

Information that identifies the person or could possibly identify the person

Examples of such information include your client or care recipient's name, address, social security number, medical record number, or photograph.

PHI (Protected Health Information) is all individually identifiable health information in any form:

  1. Paper

  2. Verbal

  3. Electronic

Exceptions:

  • Employment records (including employees’ medical information).

  • Certain education records.

Protected Health Information can be stored:

  1. On paper

  2. In files

  3. On computers

  4. On electronic devices

  5. On cell phones

  6. On tablets

  7. As knowledge remembered by a caregiver

You are allowed access to the minimum amount of Protected Health Information necessary for you to perform your job duties.

You may only disclose the minimum amount of Protected Health Information necessary to satisfy a request and only request the minimum amount you need to perform your job duties.

The minimum necessary rule does not apply to:

  • Disclosures to, or requests by, a health care provider for treatment

  • Uses or disclosures made to the client or participant

  • Uses or disclosures that the client authorized

  • Disclosures made to the Secretary of HHS

  • Disclosures required by law

Verification Requirements:

Make sure you know the identity of anyone requesting information. Verify the person's identity and authority for access. Document the request, which means writing down the person's name, phone number and the time of the call or visit, to show that you verified the information.

Rules for Permission to Use or Disclose Protected Health Information and TPO:

Treatment, Payment, Operations

  • Authorization is not needed before you disclose your care recipient's Protected Health Information (PHI) for treatment, payment, or health care operations

  • TPO = Treatment, Payment, and (Health Care) Operations, such as quality assessments, medical reviews and auditing, and planning and budgeting

  • Authorization is also not needed for abuse reports and investigations

Generally, however, you do need specific, written authorization from your client or care recipient before you can use or disclose his or her Protected Health Information for anything other than TREATMENT, PAYMENT, OPERATIONS (unless specifically permitted by the Privacy Rule).

Situations which could lead to violations of confidentiality are:

  1. Discussing work with family and friends

  2. Informal discussions with colleagues

  3. Social gatherings

  4. Incoming phone calls

  5. An attentive repairman who overhears a conversation

FAILURE to COMPLY with HIPAA is a Violation of Federal Law: You Could be FINED or JAILED if you break this law.

If you become aware that someone is violating HIPAA requirements and procedures, tell your manager or supervisor about the situation, as it is your duty to make sure the law is being upheld. Employers are bound by law to protect a workforce member from harassment or retaliatory actions if they report a suspected privacy violation.

Law Enforcement Officers: You are allowed to disclose PHI to law enforcement without the client/participant's authorization when:

  1. The PHI disclosed is about the person suspected of a criminal act

  2. The PHI disclosed is limited to information relevant to identifying the suspect and the nature of any injury

ASK YOUR SUPERVISOR: if you are ever unsure of how to proceed in a situation involving sharing private health information.

NEVER DISCUSS PHI you see or hear while performing your job with anyone unless necessary!

Who Must Follow HIPAA & What is HIPAA?

The HIPAA law applies to BAs and CEs.

A BA (Business Associate) is anyone who performs, or assists in performing, an activity that involves access to health information.

A CE is a Covered Entity.

Who are Covered Entities under HIPAA?

  1. CAREGIVERS

  2. Healthcare Clearinghouses

  3. Healthcare Providers who electronically transmit any health information in connection with transactions for which Health and Human Services has adopted standards, such as hospitals, medical centers, senior home care agencies, doctors and nurses

  4. Health Plans

Caregivers Must Protect All Client Information

Example 1: As a caregiver you go with your client "Mary" to the doctor. You learn that Mary's diabetes is out of control, her circulation has worsened and she needs to see a specialist about possible amputation. You return to her home and her daughter stops by; her daughter does not have healthcare power of attorney. Mary does not mention the diagnosis and tells her daughter that the visit went well and her health is good. Even though you would like to tell her daughter about the diagnosis, you cannot. Mary has decided not to tell her daughter, and it is not your right to pass on the information. You may be familiar with attorney-client confidentiality, under which a lawyer cannot speak to others about your case. This is similar: you are not allowed to speak to others about Mary's diagnosis.

  1. As you learned in the previous section, this information is called Protected Health Information or PHI

  2. Other things you can't share: information about the individual’s past, present, or future physical or mental health or condition, and past, present, or future payment for the provision of health care to the individual

Example 2: You learn that Mary, from Example 1, has Stage 1 Alzheimer's Disease, and you know the condition will not get better. Mary decides to tell no one. Her neighbor stops by and tells Mary "I told you we were having bridge today, I don't understand why you aren't ready, you are always ready." You cannot tell the neighbor that Mary has Stage 1 Alzheimer's disease and that is why she does not remember that she was to play bridge today.

  • A Medical Record, Laboratory Report, or Hospital Bill would be PHI (Protected Health Information) if they include a patient’s name or other identifying information.

  • The Security Rule: sets the standard for security of electronic Protected Health Information, also known as ePHI.

  • The Breach Notification Rule: requires BAs and CEs to give notice when confidential information has been breached or was not secured.

The HITECH Act was added to HIPAA in 2006.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act or "The Act") is part of the American Recovery and Reinvestment Act of 2009 (ARRA) and increases the potential legal liability for non-compliance.

Speeding up the adoption of electronic health record (EHR) systems among providers was the motivation for creating the act.

What Does This Mean?

  1. The government wants all providers to use Electronic Health Records

  2. There are security measures in place that must be followed

  3. There can be liability for not following the new rules and laws

  4. The government has more ability to enforce the new rules, meaning companies can be fined for not following the law

You know what happens when you park in a no-parking area: your car can be towed or you can receive a parking ticket. The same thing happens if a company does not properly safeguard a patient's information.

A major provider of Home Health was fined $239,000 for not properly safeguarding client information. Learn more about the case in the next section.


💡 Tip Sheet

  • HIPAA means privacy of information between healthcare providers and clients

  • Senior caregivers must keep client financial and personal information private: keep it to yourself

  • A BA is defined as a Business Associate; a CE is defined as a Covered Entity

  • The Privacy Rule protects any and all health information

  • The three rules: Privacy Rule, Security Rule, Breach Notification Rule

  • The HITECH Act widens the scope of HIPAA privacy and security protections, increases potential legal liability for non-compliance, and makes the law easier to enforce