HIPAA compliance for home health care workers can often be more challenging than HIPAA compliance for health care professionals working in brick-and-mortar facilities due to the different ways in which home health care workers communicate with patients and their carers either remotely or in the patient’s home environment.
Home health care workers do not exclusively work in patients’ homes. Since the COVID-19 pandemic, there has been a significant growth in health care being provided remotely – most often via videoconferencing software. However, this has only increased the challenges of HIPAA compliance for home health care.
HIPAA Laws for Caregivers
The HIPAA laws for caregivers that visit patients at home – physically or remotely – are the same as for any other healthcare professional. However, home health care workers are more likely to deal with family members, friends, and translators in the home environment – which can complicate permissible disclosures of PHI and disclosures beyond the minimum necessary.
This is because the HIPAA Privacy Rule gives patients the right to request privacy protection for PHI (§164.522); and although Covered Entities do not have to agree to the request in all circumstances, if a patient feels sensitive health information may be disclosed to third parties, they may not be willing to share critical information about their symptoms with the home health care worker.
Additionally, the same standard of the Privacy Rule gives patients the right to request confidential communications. This is an important consideration when providing healthcare services remotely; and, as well as ensuring the communication system used complies with the Security Rule, home health care workers also have to ensure conversations with patients cannot be overheard.
Home Health Care Workers and ePHI
Home health care workers must know how to secure PHI when it is generated, used, stored, or shared using digital devices. Electronic Protected Health Information (ePHI) is covered by the Technical Safeguards of the HIPAA Security Rule. The transmission of ePHI and the devices that store it must be protected against unauthorized access.
The unauthorized disclosure of PHI is not limited to messaging test results to a family member whom the patient does not want informed about their health condition. An unauthorized disclosure may also include the interception of text messages over a public network, or the accessing of test results stored on a healthcare worker’s unattended mobile device.
In the community, Security Rule HIPAA compliance for home health care workers should be more straightforward than in healthcare facilities because there is less technology being used. Nonetheless, whatever technologies are being used to collect, store, or transmit PHI must be configured to support access controls, encryption, audit trails, and automatic logoff.
Who is Responsible for HIPAA Compliance for Home Health Care Workers?
If not working as independent service providers, home health care workers are usually employed by a healthcare organization. The healthcare organization is – in most cases – a HIPAA Covered Entity; and, under the HIPAA Administrative Simplification Regulations, is responsible for HIPAA compliance for home health care workers.
Being responsible for HIPAA compliance for home health care workers means the employer must provide training on HIPAA policies and procedures, and provide security awareness training. In some cases, the minimum HIPAA training requirements are insufficient to ensure a home health care worker can comply with HIPAA, and this is something that should be identified in a risk analysis.
As well as providing HIPAA training, employers need to implement and enforce a sanctions policy. The policy should stipulate the consequences of HIPAA violations and/or failing to comply with the employer’s policies for home health care workers. If any Covered Entities are unsure about their responsibilities for HIPAA compliance for home health care workers, it is advisable to seek professional compliance advice.