Home Health Care and HIPAA Compliance

HIPAA compliance for home health care workers can prove tricky due to unique obstacles they encounter that are not present in physical hospitals.

Home health care workers supply a valuable service for patients in the community – either visiting patients who cannot attend hospital in their homes, or checking on their well-being via phone or video. These two scenarios raise unique challenges, and make HIPAA compliance for home health care workers quite difficult – particularly in relation to the permitted disclosure of Protected Health Information.

Under the HIPAA Privacy Rule, patients have the right to ask for details of their illnesses are withheld from some or all third parties. These third parties can include friends, family members and members of the clergy. Even when consent is provided, health care workers – wherever they are located – should not share more than the minimum necessary Protected Health Information to third parties.

This can cause difficult situations – and awkward relationships – in home environments when friends and family members press for further details about a loved one. In some cases, it can prevent healthcare workers from doing their job effectively, or lead to a family submitting a complaint against a healthcare worker who refuses to disclose more details than they are allowed to.

ePHI and Home Health Care Workers

Home health care workers have to be conscious of how Protected Health Information should be safeguarded when created, used, stored or disclosed via electronic devices. Electronic Protected Health Information (ePHI) is subject to the Technical Safeguards of the HIPAA Security Rule and both the sending of ePHI, and the devices on which ePHI is saved, should be secured against unauthorized disclosure.

In relation to ePHI, unauthorized disclosure does not only mean sending a text message with a test result attached to next of kin who the patient has requested should not be told about their illness. An unauthorized disclosure could also relate to the text message being intercepted over a publicly-accessible cellphone network, or the test result being seen on the healthcare worker’s mobile device when the device is left down.

Tools are available to mitigate the risk of an unauthorized disclosure of ePHI – or, at least, make the data that is disclosed unreadable, undecipherable and unusable to any individual to whom it is disclosed. These tools encrypt sensitive data on mobile devices to secure communications between healthcare staff and authorized personnel and have time-out mechanisms that automatically log the devices out of a secure channel of communication after a period of  no use.

Home Health Care Workers: Who is Responsible for HIPAA Compliance?

Unless a medical worker is employed as an independent contractor, the Covered Entity employing the medical professional is responsible for HIPAA compliance for home health care workers. Covered Entities are also responsible for HIPAA compliance for home health care workers if the “workers” are present as volunteers, as volunteers are thought of as members of a Covered Entities workforce.

Therefore, the Covered Entity has to train all healthcare staff to be HIPAA compliant, review their access to Protected Health Information and ensure any devices used in the execution of their tasks are also HIPAA-compliant. If an unauthorized disclosure of Protected Health Information takes place due to the negligence of a healthcare worker, it is the responsibility of the Covered Entity to report the breach to the Department of Health & Human Services (HHS).