HIPAA for Activity Directors

HIPAA for Activity Directors
By Chris Loga (ADN)

In the past year and half, one of the scariest words for activity directors has been… HIPAA! Throughout my travels, I have seen many of my colleagues shudder at the thought of a new set of rules and regulations. Relax… The good news is that HIPAA is not as scary as it has been made out to be. I have written this article specifically for activity directors and activity personnel. Since most of us are the makers of calendars, newsletters, banners, bulletin boards, etc., we need to know about the HIPAA policies. The following article will hopefully ease your mind about HIPAA regulations. That way, you will be able to have your calendars, banners, bulletin boards and posters, while being in full compliance with all of the regulations. What is HIPAA?

HIPAA or the Health Insurance Portability and Accountability Act was enacted in 1996 to help the federal government regulate the transferability of health insurance and to empower the government to fight fraud and abuse in long term care. So what does that have to do with Activities? In addition to the issues of health insurance, HIPAA was initially designed to regulate “individually identifiable” health information that was transmitted electronically. Since then, the “Privacy Rule” that is defined by HIPAA has expanded that concept. So basically, a large amount of information that is crucial to Nursing homes can now be covered under HIPAA(2).  Since activities personnel deal with personal resident information, one of the areas for disclosure could be the activities department. In addition, the penalties for violating these rules are pretty steep ($100 to $25,000 per year, for each violation), so pay attention. Is you facility a Covered Entity? You decide.  The only facilities that will need to adhere to HIPAA are called Covered Entities. Covered Entities are defined as the following: Health care providers, Health Plans and Health Care Clearinghouses and Business associates. Each of these groups is expected to follow the guidelines that are described in HIPAA. Those groups that do not fall under the “Covered entities” description may not have to follow HIPAA.   Here it is in English. There are four basic groups that need to worry about the HIPAA regulations; in this article I will only look at one, the health care provider. In general a health care provider is a nursing home, rehab facility, hospital or any other facility that provides skilled or intensive care.  If you are not sure if your facility is a covered entity , please ask your administrator for clarification! Personal Health Information-The nitty gritty of HIPAA In terms of HIPAA, the information that they are worried about is called  “Personal Health Information” or PHI.  It can be best described as: any information that identifies an individual, that is received or created by a facility that contains information about the past, present or future physical or mental health of an individual. PHI can also include information on payment for medical services-however, I am intentionally staying away from that topic in this article. This information is normally found in medical charts and billing files, however, it can be found in bulletin boards, Photo’s, Calendars and Birthday Cards, Activity Rooms and Common Areas and Activity Progress Notes. It is the highlighted areas that I will address in this article specifically. All other information that I do not address, should be covered by your facility, in its “Privacy Policy”. Each facility should have its own policy that is given to the resident on admission and to the staff who work at the facility. It is also not a bad idea for the activity department to follow a higher standard in regard to privacy, since we usually deal with the residents on a personal level, including but not limited to: family issues, special requests from the resident, newsletter articles, etc. Please note: it is the responsibility of every employee to keep resident information confidential with regard to every aspect listed above. It is also the responsibility of each employee to know what types of information are covered under the HIPAA policy and under facilities’ privacy policy. Please educate yourself to the specific information in those policies in addition to using this as an education tool! Now that all of the legal stuff is out of the way… Now, you are sure that your facility is a covered entity and you know the definition of PHI. There are several ways to keep your department and residents safe with HIPAA regulations.  This is especially true when you realize that there are different ways to change medical information that are allowed under HIPAA regulations. First, lets look at the instances in which it is OK to reveal PHI.   Generally, the facility may provide PHI to family members, friends and clergy, such as: 1) The residents’ name and room number 2) The general condition of the resident-(e.g.- Ms. Smith is having a good day today, she went to Bible Study on her own. Not: Ms. Smith is feeling good because we gave her a double dose of medicine.) 3) The residents’ religious affiliation. . In the following examples, we will look at some ways, in which it is not allowed to disclose medical information 1) As you walk down the hall you hear 2 staff members- “I saw Mr. Jones last night and his delusions were really bad!” Besides being gossip, this is also disclosure of PHI and a violation of HIPAA. 2) As you are entering Care Plan information on your computer, you are called away; you leave the computer on with the information on the screen, Once again a violation, since anyone can come by and look at the computer. 3) You are expecting a fax from a hospital about an incoming resident; you do not pick up the fax until the day after. Once again, who can see the information? Remember, there are several ways to violate HIPAA regulations. So let’s recap…we know that there are several ways to reveal information about residents, but what about information that we use everyday in our activity plans, bulletin boards and other publications? Well, let’s take it piece by piece.   1) Photo’s – most facilities have a standard form in which the resident gives permission to take their pictures and is kept in the chart. This allows us to use a basic picture for whatever we need. However, if you put the resident’s name with that picture, you will be violation HIPAA. If you need to use a name (on a bulletin board for example) all you really need to do is ask the resident for permission and document it! 2) Calendars and Birthday cards- The best way to avoid the HIPAA regulations with regard to Birthday cards and calendars is simple. PHI can be de-identified by removing the birth year from any information. For example: Happy Birthday to Joe Smith -6/15! There is no other medical information that should be used on a calendar anyway so simply remove (diagnoses, dementia items, etc.) from the calendar. 3) Bulletin Boards and Miscellaneous- In almost every case with PHI if you take the proper steps to ask permission, you can prevent any confusion. If you have pictures, avoid putting names with them. If you must, get explicit permission and document. If you avoid using PHI with regard to residents you are in the clear. 4) Activity Rooms and Common areas- It is fine and dandy to use pictures of residents in your common areas. Please remember that no medical information can accompany the pictures. Do not identify residents by room or unit, especially if that resident resides on a memory/dementia care unit. 5) Activity and Progress Notes- All progress notes should be in the individual chart of the resident. If there is documentation outside of the chart, it needs to be shredded or placed into the chart itself. Pure and Simple… In general, HIPAA is nothing to be afraid of for any Activity Director. The regulation was enacted to prevent privacy issues for residents of Nursing and Skilled care. If your activity department uses common sense to prevent improper disclosures you should be fine. Please feel free to use this article as a reference tool and double check with your administrator for individual questions.