HIPAA Part 2: Scenarios

In each section you will be given multiple scenarios. Write down what you think the answer is and then check your answers at the end of each section.

Disclosure in Conversation

There are so many ways we can disclose information in normal conversation. It's very important to think before you speak.

Scenario of Vivian and Rose:

You are at the grocery store and see Vivian. Vivian is a good friend of Rose. Rose is your client and Vivian knows this, as she often comes over while you are caring for Rose. Vivian asks how Rose's doctor appointment went yesterday, as she knows you go to Rose's appointments.

  1. You respond that it didn't go very well, Rose's blood pressure was high and her blood sugar was not controlled. You also ask her not to tell Rose you gave her any information.

  2. You politely tell Vivian you really appreciate her concern. Then politely tell Vivian that HIPAA rules require you to keep all information private.

  3. Ignore her comment and walk away.

Answer for the Vivian/Rose Scenario is 2)

Scenario in a Coffee Shop:

You meet a coworker for coffee in a busy coffee shop and you both begin talking about your clients. You use the person's first name only, but also talk about the drive to the client's home, the neighborhood and then tell your friend about the client's heavy use of alcohol and failure to pay medical bills. The conversation continues and at the next table one person has been sitting within earshot for the entire conversation.

  1. None of the information is identifiable, so it doesn't matter.

  2. Since the first name, street location and other information were used, the client could be identifiable, and this could be considered a HIPAA violation.

  3. Talking to your coworker also violates HIPAA, as she does not care for your client and does not have access to her health information.

Reporting client information and changes in health to your agency is not considered a HIPAA violation, as anyone who requires access to the information to perform care is bound by the same HIPAA standards.

Answer for the Coffee Shop Scenario is: 2) and 3)

----------------------------------

Talking to your co-worker who does not work with your client is a violation of HIPAA.

Talking to your family or friends about a client in a way that lets them figure out who the client is (or when you only have one client, so they automatically know who it is) also violates HIPAA.

Did you know it's even a HIPAA violation for a person in a hospital to "look someone up" in the computer when not needed for their work?

Example: If you have a friend who works as an ER nurse and she tells you that she saw 25 cases of people with the flu during her last shift, that would not be a violation of HIPAA. She did not give any information that identifies a person, so she did not violate HIPAA.

Likewise, if you say it's common to see depression in your senior clients, then you aren't giving any specifics on a client and you are not discussing any personally identifiable protected health information.

Failure to Physically Secure Information:

Did you know some of the biggest healthcare data breaches were caused by a lost or stolen device?

If your agency still uses paper for Care Notes, you should remember that lost care notes are also a HIPAA breach.

Real Life Case:

A Home Health Aide had copies of patient records in her home. When she moved out after a divorce she did not take the documents with her. Her ex-husband had full access to the records. She also sometimes stored paper documents in her car. The agency claimed the documents were taken from their office without their knowledge. It did not matter: the agency was fined $250,000 because it failed to protect PHI (protected health information).

When your company follows strict security procedures for client information, know that it is required to do so under HIPAA.

You go to see your client in the morning for a half day shift, then go to the gym. Your company gives you a tablet which travels with you to each shift.

  1. You figure it is fine to leave the tablet in the car and lock your door

  2. You take it with you to your yoga class and leave it in the corner of the room with your shoes, unattended

  3. You take it into the gym and lock it in your locker with your other belongings

In this case the best option is probably 3, as the tablet is safely locked in your locker with your other belongings and not in a car, which can get hot and damage devices and can also be broken into.

Using Unsecured Devices:

In the previous section you learned about the HITECH Act, which is part of HIPAA. Under this act, the rules for how information is stored and transmitted are very strict. Not only are there specific encryption rules and rules for storage, but companies performing EHR (electronic health record) tasks are even required to have pricey insurance policies in case of a breach.

Text message: NOT SECURE

Using your home computer to send emails about your client to your agency: NOT SECURE

Posting to social media: VIOLATION of HIPAA

You are with the client and have a specific question for your manager about their care. You decide to send a quick text, remind your manager who your client is by name and then ask a care question.

That is a violation of HIPAA. Do NOT TEXT information about your senior care client.

You've been with your client for 3 years and you had a very special day. Your client has late stage Alzheimer's, but you were able to enjoy a lovely day at the park. You decide to post a selfie of you and your client at the park to your Facebook page.

  1. It's fine, you didn't put your client's name

  2. Your client has late stage Alzheimer's so is not aware of Facebook or that you posted, so it doesn't matter

  3. Your client's face can still be recognized, so it was a violation of HIPAA

The answer is 3

Posting to Facebook is a violation of HIPAA. In this case the situation is made worse because the person cannot give permission due to their late stage Alzheimer's condition.

Release of Information after Expiration Date:

Do you ever wonder why you have to sign forms you previously signed at the doctor's office for HIPAA? HIPAA authorization forms expire. When your agency takes on a new client, the client or the person legally able to act on their behalf gives your agency consent to know their health information. It is illegal to have access to PHI after the expiration date.

Say Rose was supposed to be a client for 6 months, but is now on her 2nd year of care.

Your agency must have signed forms that are current or not expired.

What if a client refuses to sign a HIPAA form?

They cannot be denied access to care and the agency/provider must still adhere to HIPAA standards.

The agency/provider keeps a note on file that the client/patient refused to sign.

Caregiver Thoughts to Ponder

Can it be awkward or uneasy to not answer questions when in the home as a caregiver?

Let's say your client's son comes to visit and he asks pointed medical questions.

You know he has not been given access to medical information and does not have medical power of attorney.

However difficult the situation may be, you have an obligation to your client and your agency to keep all PHI private.


Think of ways you can respond:

Jake, I understand you have questions about your father's health, as that is normal for a child. I know you are concerned about his well-being.

Please understand I cannot share the information, as I am bound by HIPAA and it is against the law for me to give you information.

If you know the client is in good mental health and is able to communicate, encourage Jake to talk to his father or mention to your client that Jake is requesting information. The client can make the decision to share the information. If the client is not sharing the information, there is probably a reason. Respect for your client's PHI always comes first.

In some situations you may feel that you have to watch what you say and do, but remember you are being paid to be a caregiver and keeping your client's best interests at heart will always help you be a better caregiver.


💡 Tip Sheet

Caregiving is Your Career

Rules of HIPAA Must be Followed

HIPAA Rules are a Legal Requirement for You, Your Agency and Your Client

HIPAA Privacy Protects You and Your Agency from Possible Fines and Jail Time