HIPAA compliance for home health care workers can be complicated because they face specific challenges that do not occur in hospitals.
Home health care workers provide an invaluable service to patients within the community. They visit patients at home when those patients cannot go to the hospital, and check on their well-being by telephone or video call. These two situations present special challenges and make HIPAA compliance for home health care workers complicated, specifically with regard to permitted disclosures of Protected Health Information (PHI).
The HIPAA Privacy Rule gives patients the right to ask that information about their health condition be withheld from some or all third parties, including friends, family and the clergy. Even if patients give permission to share details of their health condition, health care workers can only disclose the minimum amount to third parties.
This can result in awkward circumstances and interactions in the home when family members or friends press for more information about a loved one. In some situations, it can keep healthcare workers from carrying out their job correctly, or it could end with a family submitting a complaint about a healthcare worker who will not disclose more data than they are permitted to.
Home Health Care Workers and ePHI
Home health care workers must know how to secure PHI when it is generated, used, stored or shared using digital devices. Electronic Protected Health Information (ePHI) is covered by the Technical Safeguards of the HIPAA Security Rule. Both the transmission of ePHI and the devices that store it must be protected against unauthorized access.
The unauthorized disclosure of PHI is not limited to messaging test results to a family member whom the patient does not want to know about his/her health condition. An unauthorized disclosure may also include the interception of text messages over a public network, or the accessing of test results stored on a healthcare worker’s unattended mobile device.
There are tools that reduce the risk of unauthorized ePHI disclosures by making data unreadable, undecipherable and unusable to any unauthorized person. These tools encrypt sensitive information on mobile devices, protect communications, and restrict data sharing to authorized staff and healthcare workers. They also include time-outs that log users out of their devices after a set period of inactivity.
Who is Liable for HIPAA Compliance for Home Health Care Workers?
Unless the medical professional is working as an independent service provider, the Covered Entity that hires them is in charge of HIPAA compliance for home health care workers. For volunteer “workers,” HIPAA compliance is also the Covered Entity’s responsibility, since volunteers are regarded as members of a Covered Entity’s workforce.
Consequently, the Covered Entity must train all healthcare workers to be HIPAA compliant, keep track of their access to PHI, and make sure that the devices they use while performing their duties are likewise HIPAA-compliant. If an unauthorized disclosure of PHI happens because of a healthcare worker’s negligence, the Covered Entity is required to report the incident to the Department of Health & Human Services’ Office for Civil Rights.