SCP.11 - HIPAA Policies and Procedures



HIPAA Policies and Procedures

Introduction. HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA, together with the “HITECH Amendment,” is hereinafter referred to as “HIPAA” or the “Act.” HIPAA dictates how we handle our clients’ personal information. We must comply with this law. HIPAA regulations touch us all. We need to understand what HIPAA means to each of us individually in our day-to-day jobs. The HIPAA policies and procedures stated in this Handbook are not intended to be all-inclusive. You may receive specific training and other written materials on HIPAA policies and procedures not stated in this Handbook. You are required to follow this policy and all other such policies and procedures, and you will be subject to disciplinary action up to and including discharge for violating any such policy or procedure.

As an employee, you are required to maintain the confidentiality of client information; conduct all practice with honesty, integrity, and fairness; fulfill your professional commitments in good faith; and inform the public and colleagues of services by using only factual information that you are permitted to disclose in accordance with this policy, the Company’s Code of Conduct, HIPAA and all other applicable laws.

 

If you have any questions, please discuss with the Company’s HIPAA Privacy Officer, your Supervisor, or any Manager.  Supervisors and Managers may direct questions to the Privacy Officer.

 

Office Information:

Phone: (317) 575-3983

Fax: (317) 660-8703

 

HIPAA Privacy Officer:

Sarah Swift

 

What is Protected Health Information (PHI)?  Protected Health Information (PHI) is any individually identifiable health information, and it can be in any form:

     Verbal communication, whether face to face or over the phone

     Paper records

     Electronic communications and data entries via computers, phones and other devices, including without limitation emails, texts, and messaging (also referred to as “Electronic Protected Health Information” or “EPHI”)

 

The information we talk about includes anything that identifies, in any way or fashion, something about a client.

 

The Company is what HIPAA calls a ‘covered entity’. This means that every employee, contracted business, or individual working with us or on our behalf, needs to adhere to this law. What HIPAA dictates is how we can and cannot use the client’s protected health information.

 

PHI IS CONFIDENTIAL!! When Can Protected Health Information (PHI) Be Shared? Protected Health Information can be used or disclosed:

     To the client it pertains to.

     For treatment, payment or operations with authorized employees.

     Without consent in case of an emergency (see below).

     When authorization is required and obtained.

     When the client has given us their verbal agreement.

     When pertaining to certain exceptions (see below).

 

The Minimum Necessary Rule.  The Act tells us that we can release only what is the minimum necessary for compliance with the request. This means that we must make a serious effort to limit the disclosure of Protected Health Information to what has been requested (minimum necessary) to accomplish the intended purpose of the disclosure or request.

 

For example, if an authorized request you received is for your supervising nurse’s notes for a particular client during a particular period, then that’s what you provide and nothing else!  

 

The minimum necessary standard requires covered entities to allow workers access to the minimum amount of PHI necessary for them to do their jobs efficiently and effectively. Remember that access to PHI or other client information must be on a need to know basis.

 

What Happens if You Accidentally Disclose a Client’s Information?  Certain incidental uses and disclosures of Protected Health Information that occur as a by-product of another permissible or required use or disclosure are permitted as long as reasonable safeguards and minimum necessary standards are followed.  For example, if your client asks you a question about their health care in a public area with other people around, as a safeguard, you must answer their question as quietly as possible and provide only the information that answers the client’s question.

 

Other types of accidental uses and disclosures create more serious concerns and must be promptly reported to your Supervisor.  For example, you must immediately contact your Supervisor if you accidentally email or text client information to the wrong person.  If you suspect that you, or another employee or related third party of ComForCare, has accidentally (or intentionally) used or disclosed client information to a person or entity not authorized to receive this information, immediately notify your Supervisor or the Privacy Officer. The Supervisor must immediately notify the Privacy Officer.

 

Emergency Situations and Exceptions. The flow of PHI is beyond the client’s control when the disclosure is made in connection with certain emergency situations.  As a mandatory reporter, you are permitted to report information related to suspected or actual abuse, neglect or exploitation in compliance with our policies and the law.  However, most other emergency situations and exceptions require the Privacy Officer’s oversight and approval before client information may be used or disclosed.  If you receive a request for client information from a surprise visit, phone call or correspondence from a public health authority, attorney or police officer, you must immediately call the office for guidance before sharing client information.

 

Client Rights: You will find that within the client’s case opening packet, there is a document entitled the “ComForCare Client Bill of Rights and Responsibilities.”  We also provide clients with our HIPAA Notice of Privacy Practices.  Among many rights and responsibilities, our Notice of Privacy Practices states that clients have the right:

     To request a restriction: to restrict family members and others involved in the individual’s care from access to Protected Health Information. (You must know and honor your client’s restrictions.)

     To have access to his/her Protected Health Information for inspection and copying. (You must immediately notify your Supervisor if a client requests to inspect or receive a copy of their information, or requests another copy of their Notice of Privacy Practices. The Company will follow its HIPAA procedures for meeting such client requests.)

     To request an amendment to their Protected Health Information (client care plan or service plan).

     To receive an accounting of the disclosures of PHI made by us (who have we given the information to?).

     To be provided with accurate and thorough information about possible uses and disclosures of their PHI.

     To consent, authorize, agree or object to such things as participation in marketing pieces. (The Privacy Officer oversees these matters.)

 

Best Practices:  The following are some situations where you may personally confront HIPAA requirements. In particular, this section discusses what to do regarding:

     Emails/texting/messaging

     Faxes

     Leaving phone messages

     Client Information Boards (Dry erase boards in office)

     Computer Workstations and personal devices

 

Emails, Texting, Messaging

Does the Act permit you to e-mail or otherwise electronically exchange protected health information (PHI) with authorized Company employees?

 

Answer: Yes. The Act allows you to share PHI electronically with authorized Company employees as long as you apply reasonable safeguards when doing so. ComForCare requires that you:

     Verify the recipient’s platform address to avoid sending confidential information to an unintended recipient.

     Whenever possible, notify the recipient to expect the email, text or message.

     All electronic transmissions of confidential information must be sent using the Company’s authorized platforms and must include confidentiality language.  You must never send client information via your personal email or your personal texting or messaging platforms.  If you have questions about how to send client information, ask your Supervisor or any office staff member.

 

Faxes

Does the Act permit you to fax protected health information (PHI) to authorized Company employees?

 

Answer: Yes. The Act allows you to share PHI through faxes as long as you apply reasonable safeguards when doing so. ComForCare requires that you:

     Verify the recipient’s fax number to avoid sending confidential information to an unintended recipient.

     Whenever possible, notify the recipient to expect the fax.

     All fax transmissions of confidential information must include a Fax Cover Sheet containing confidentiality language.

 

 

Leaving Phone Messages

May PCAs and HHAs leave messages for clients at their residence on an answering machine or with a family member?

 

Answer: No. While the Act permits health care providers to leave messages for clients regarding their health care either on an answering machine or with a family member, ComForCare’s policy prohibits PCAs and HHAs from telephoning clients directly for any reason. ComForCare requires that:

     PCAs and HHAs never telephone clients directly for any reason.

 

Client Boards & Charts

May you maintain dry-erase boards that contain client information?

 

Answer: Yes. The Act permits the use of such items. ComForCare requires that:

     Client information placed on the boards should be limited to only information needed to assist in client location and coordinate work assignments (client name, address, contact information).

     Whenever possible, the client’s first name and last initial should be used instead of the full name.

     Sensitive health information should not be displayed on a board that could be seen by other clients or visitors.

 

Computer Workstations and Personal Devices Used at Work

How should you protect client information located on computers/electronics devices?

 

Answer: ComForCare requires that you:

     DO NOT SHARE LOGIN INFORMATION. EVERYONE SHOULD BE ASSIGNED THEIR OWN UNIQUE LOGINS.

     Always remember to logout when leaving a computer workstation or application on your personal device.

     Adopt precautionary habits when using computer workstations and personal devices in open areas or high traffic areas.

     Client information should never be downloaded onto a personal or portable device and should only be accessed in the software program.

     If your job requires that you carry a portable electronic device with client information, adopt precautionary habits to avoid theft or impermissible disclosures. Do not leave portable devices in your vehicle unattended; lock the device in your trunk or keep it with you. Do not allow family members to use a portable device with client information on it at any time.

 

What Does All of This Mean to You?

     Our clients have a right to expect we will keep their information confidential. This information includes anything that could identify or be used to find out the identity of the client or their medical condition.

     As employees, you will come in contact with many forms of client information. You need to understand what acceptable uses of this information are.  It is never acceptable to remove, destroy or alter a client’s paper or electronic records without prior authorization!

     Follow the “need to know” rule. Ask yourself, “Do I need to see client information to perform my job?” If the answer is “Yes,” you have nothing to worry about. If the answer is “No,” STOP.

     Information you have access to must not be the subject of conversation with family, friends or neighbors, or with other employees who do not work with your same clients.

     Always let your supervisor know if your client requests to inspect or have copies of their information so that the office can promptly meet the client’s request.

     Never share client information with unauthorized third parties or strangers.  Promptly call your Supervisor if you receive an unusual request for client information.

     Never post client information, photos or recordings on any type of social media platform whatsoever.

     Keeping all information about our clients confidential is a serious matter.

     Violations of confidentiality and privacy policies can result in disciplinary action up to and including discharge.

     If you know of any violation of our existing confidentiality or privacy policies, it is your obligation to bring the violation to the attention of your Supervisor or Privacy Officer.

     Compliance is NOT an option!

 

What Happens If You Are Not In Compliance With HIPAA Regulations?

Are there consequences? Absolutely! Noncompliance can lead to both criminal and civil sanctions charged to the organization and/or the individual(s) who violate HIPAA by federal and state authorities.

 

VIOLATIONS OF OUR HIPAA POLICIES AND PROCEDURES WILL RESULT IN DISCIPLINARY ACTION OR DISCHARGE

ComForCare reserves the right to have sole discretion to decide what disciplinary action needs to be taken for a variety of situations ranging from a coaching session for accidental disclosure of PHI to termination for deliberate acts which violate our policies or confidential agreement.

 

The Company must perform a risk assessment of breaches involving client(s) protected health information whether intentional or unintentional, and must comply with the Act’s Breach Notification Rules.  Employees who do not cooperate in good faith with the Company’s risk assessment investigation will be subject to disciplinary action up to and including discharge.

 

QUESTIONS

If you have any questions about HIPAA or related issues, talk to your Supervisor or call the office at (317) 575-3983 and ask to speak to the HIPAA Privacy Officer.

 

You may also review the federal government website regarding HIPAA at: https://www.hhs.gov/hipaa/for-professionals/index.html 


    • Related Articles

    • Standards of Conduct and Other Policies Folder

      Click here to access the Standards of Conduct and Other Policies Folder.
    • SCP.30 - Work and Dress Standards

      Click here to access SCP.30 - Work and Dress Standards or view below. Work and Dress Standards Employees should dress neatly and appropriately for the types of work they perform and the environment in which they work. Although certain worksites may ...
    • SCP.7 - Texting

      Click here to access SCP.7 - Texting or view below. Texting Sending a work text message or other like communication on your cell phone or other personal device is prohibited, unless it is transmitted using the Company’s authorized texting platform ...
    • SCP.26 - Terminable Misconduct

      Click here to access SCP.26 - Terminable Misconduct or view below. Terminable Misconduct There is no way to identify every possible violation of standards of conduct. The decision as to whether an employee's conduct violates the standards and the ...
    • SCP.21 - Safety - General

      Click here to access SCP.21 - Safety - General or view below. Safety - General General Employee Safety The Company is committed to the safety and health of all employees and recognizes the need to comply with regulations governing injury, illness, ...