HIPAA - TRAINING FOR HOME HEALTH
WHY IS CONFIDENTIALITY IMPORTANT?
As a part of our promise to give patients the highest quality health care, we keep information about their health
confidential, sharing it only with people who need the information to do their jobs.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) made it illegal for anyone to violate this
code of ethics. This Act includes punishments for anyone caught violating patient privacy. If confidentiality is
intentionally compromised for financial gain, a person can be fined as much as $250,000 or go to jail for up to 10
years. Accidentally breaking the rules can also result in fines.
WHAT IS HIPAA?
HIPAA is a broad law that covers a variety of issues. It makes it easier for people to move from one health insurance
plan to another as they change jobs or become unemployed, and it allows providers treating patients to share
information more easily.
All health care organizations and payers are required to use standard formats for common transactions such as
submitting a claim on a patient’s behalf. By making it easier to move information, it also makes it easier for people
to misuse the information those transactions contain.
Under HIPAA, it is illegal to release health information without permission, or fail to adequately protect it from
WHAT ARE CONSEQUENCES FOR BREAKING THE RULES?
Breaking HIPAA’s privacy or security rules can bring civil or criminal penalties.
Civil penalties are fines of up to $100 for each violation per person to a limit of $25,000.
Criminal penalties can include large fines plus jail time. The penalties increase with the seriousness of the
offence. Penalties can be as high as a $250,000 fine and up to ten years in jail.
WHAT DO I NEED TO KNOW?
Confidential information is identifying information and information about patients’ treatment:
- Social Security Number
- Medical History
- Observations of Health Status
HIPAA requires health care workers to use or share only “minimum necessary” information they need to do their
jobs effectively. Any uses beyond these are not allowed. The minimum necessary requirement does not apply to
uses and disclosures for treatment. Clinical staff are allowed to look at their patient’s entire record and share
information freely with other clinicians directly caring for that patient. Remember: Do I need to know this to do my
job? What is the least amount of information I need to do my job?
WHO IS AUTHORIZED TO SEE INFORMATION?
All members of the work force at an agency contribute to the quality of care. However, that does not mean that
everyone needs to see health information about patients. If you do not need to know confidential patient
information, you should not look at medical records. If you do not have access to records yourself, it is part of your
job to help the agency keep its commitment to patient confidentiality. If you spot violations, report them to the
Human Resources Supervisor.
WHAT IF I OVERHEAR PRIVATE INFORMATION?
Even if you don’t need to use patient information in your job, there still will be occasions when you may overhear or
see confidential information. When that happens, remember that the information is private and you are not allowed
to repeat it or share it with others. This rule applies even when you no longer work for this agency.
You may also find that patients speak to you about their condition even though you don’t need to know all the
information to do your job. There’s nothing wrong with this, but remember that they trust you to keep that
information confidential, and you must keep it to yourself.
If you overhear other employees discuss patient care around people who don’t have a right to hear that
information, remind them of the agency’s policy and let them know that they can be overheard. If you think it’s a
persistent problem and a risk to privacy, notify your supervisor or privacy official about the problem.
HOW CAN I PROTECT PATIENT CONFIDENTIALITY?
Even when providing care in the privacy of a patient’s home, we have to be diligent about protecting confidentiality.
Don’t assume that your patient is comfortable with you discussing his or her condition in front of or within earshot of
family members or friends.
Instead, ask the patient whether he or she wants you to share information with specific individuals and obtain
permission to do so. Likewise, before leaving copies of the patient’s chart or other health information in the home,
obtain the patient’s agreement.
Do not leave patient records – including any piece of paper, computer, or handheld device containing patient
health information – where others can see them. That means not leaving patient files on your car seat or in a bag
at the front door while you are inside another patient’s home. It also means not leaving patient information around
your own home where your family members or guests might see it.
When rushing from one visit to the next, remember that you don’t want to interfere with patient privacy or
jeopardize the confidentiality of patient information in the process.
HOW CAN I HELP PATIENTS UNDERSTAND THEIR RIGHTS?
It’s important that patients understand how they can protect their own health information and how providers protect
their information. For this purpose, the HIPAA rule requires health care providers to have notices that tell patients
how they will use their information.
This notice also tells patients that they have the right to access their own records and request amendments to
them. First-time patients should receive the notice before they begin receiving care from your agency. If patients
have questions about how the agency uses information, direct them to this notice of privacy practices or to the
organization’s privacy official for answers.
HIPAA requires providers to make “good faith efforts” to obtain patients’ written acknowledgement that they
received a copy of the notice of privacy practices.
CAN THE AGENCY USE PATIENT INFORMATION FOR OTHER REASONS?
If our agency wants to use patient information for purposes other than treatment, payment, or routine operations, it
must obtain an authorization from the patient. The authorization must be in writing. When the patient gives us a
written authorization, the patient is voluntarily agreeing to let us use the information only for a particular purpose.
Patients are not required to sign the authorization, but we must provide care regardless of whether the patient
agrees to allow us to use or disclose his or her health information beyond the scope of treatment, payment, and
HOW DOES THIS AGENCY PROTECT PRIVACY?
Care Team has various rules to ensure that employees protect confidentiality:
- Computer screens containing patient information must be turned away from the view of the public or people
- Discussions about patient care must be kept private so that visitors and others do not overhear them.
- Care Team monitors who gains access to records to ensure that they are being used appropriately.
- Papers containing patient information that are no longer needed are shredded or placed in closed
receptacles for a recycling company that will shred them. They must never be left in the garbage.
Protecting confidentiality depends on all the employees. You must not share information that you overhear or see
in the course of your work. Doing so is a violation of the law.
CAN I USE E-MAIL ON THE JOB?
Remember that work e-mail is not meant for personal use. Sharing or opening attached files from unknown
sources can open the door to viruses and hackers. You can never be sure who will have access to your message
on the receiving end. Never send confidential information about a patient in an e-mail over a public network.
When you send e-mail, always double-check the address line just before sending the message to be sure that your
e-mail doesn’t go to the wrong person or list by mistake.
HOW CAN I PROTECT INFORMATION ON MY COMPUTER?
Passwords and security features help prevent unauthorized access to the computer system and protect patient
If you have password access to Care Team’s computer system, never give your password to another employee
or log in to the health information system using someone else’s password, even if it seems like a timesaver. It’s
essential that Care Team be able to tell who looks at what records, and it can’t do that when employees share
Don’t write your password down, post it, or keep it where others can find it. Doing this puts information at risk.
Make sure your computer is not connected to the patient information system when you’re not using it.
WHAT IF I SEE SOMEONE BREAK THE RULES?
As an employee of Care Team, part of your job is to help maintain privacy for patients as they receive care. We
expect all employees to adhere to the privacy and confidentiality policies, but know there may be times when
employees do not follow the rules.
Employees are encouraged to report violations to the Human Resource Supervisor. You may report them
you report a privacy violation.
Care Team will not punish employees for reporting violations. It is part of your job to report instances where you
suspect the privacy or confidentiality policies are being broken.
EXCEPTIONS TO THE RULES
Be sure you understand Care Team’s policies before releasing information. Patients will be asked to acknowledge
receiving a notice of privacy practices outlining ways Care Team uses their information and explaining their rights.
In most cases, the agency will inform patients when it is reporting their health information to police or others outside
the agency, but there are also cases in which patients do not have the right to control their information. Sometimes
Care Team has a legal responsibility to release information regardless of whether the patient approves.
In all of these cases, Care Team complies with the law and reports information when necessary. But unless
reporting this information is part of your job, you should not report it yourself.
The following are examples of releasing confidential information without patient authorization:
- State health agencies require providers to report to them when patients have certain communicable
diseases, even if the patient does not want the information reported.
- The FDA requires providers to report certain information about medical devices that break or malfunction.
- Agencies require suspected child abuse or domestic violence to be reported to the police or DCF.
- Police have the right to request certain information about patients to determine whether they are suspects in
a criminal investigation.
- The courts have the right to order providers to release patient information.
- Providers must report cases of suspicious deaths or suspected crime victims.