• HIPAA Exceptions and Pitfalls in the Nursing Home Setting
  • March 6, 2014 | Author: Kirsten Pepper
  • Law Firm: Weltman, Weinberg & Reis Co., L.P.A. - Chicago Office
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191, 110 Stat. 1936 enacted August 21, 1996) was enacted to protect the information of patients and regulate storage and electronic transmittal of medical information. Apart from doctors, nurses and nursing homes play a critical role in the treatment process of a patient and this puts them into direct contact with the confidential information of patients. HIPAA recognizes nursing homes and long term care facilities as covered entities and they must take all steps to ensure that the medical records are safeguarded.

    There are several clear exceptions to a caregiver's obligation to keep information confidential. Those exceptions include, but are not limited to, health research, suspected abuse and public health or communicable disease. ("HIPAA Privacy Rule and Public Heath- Guidance from CDC and the U.S. Department of Health and Human Services", April 11, 2003/ 52; 1-12). Most often, the circumstances are not black and white. There are different and often confusing confidentiality obligations for those in special settings such as Home Health Care and Long Term Care facilities. Home health care workers must remember that they are not the friend of the patient and that they are there in a professional manner, even though the setting is often more relaxed. Long term care residents have often gotten to know many of their peers and the health care providers have to be extra diligent to avoid discussing a resident's treatment or condition with another resident. In nursing home and long term care facilities, lines are often blurred and patients, for better or worse, become close to their caregivers and/or other patients at the facility. This situation can be helpful to the patient's well-being, but often present possible HIPAA pitfalls in which the rules are unclear.

    Due to the "every day" nature of the care, nurses and nursing homes need to be aware of the many different forms of confidential communication, including; faxes, whiteboard for nursing assignments, dietary trays, MAR (Medical Administration Record), patient charts and lab slips, to name a few. If the patient has had an opportunity to agree or object to the disclosure, nursing homes are permitted to use some information that would otherwise be confidential to identify their patients. Unless objected to, a nursing home may maintain a directory of individuals in its facility. They may also indicate the patient's location (i.e. room number or bed number), description of the patient's condition (in general terms that do not communicate specific medical information about the patient) and religious affiliation. 45 CFR 164.510 (a).

    A nursing home may use or disclose protected heath information ("PHI"), provided the individual is informed in advance of the use or disclosure. One specific exception that is particularly relevant to nursing homes and long term care facilities is the emergency circumstances exception. 45 CFR 164.510. If the opportunity to object to uses or disclosures required cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a nursing home care provider may use or disclose some or all of the PHI if the disclosure is in the individuals best interest as determined by the covered health care provider, in the exercise of professional judgment.

    The U.S. Department of Health & Human Services Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. www.hhs.gov/ocr/privacy/hipaa/enforcement/

    The department also recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law) to act on behalf of the individual in making health care related decisions is the individual's "personal representative". Section 45 CFR 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which family members or other personal who are involved in the individual's health care or payment for care may receive PHI about the individual even if they are not expressly authorized to act on the individual's behalf. This will most often be the case when there is not time to appoint a legal guardian or personal representative for the patient and the patient requires immediate attention. A nursing facility may rely on the emergency circumstances exception as long as they can show that the patient is truly incapacitated.

    All nursing homes and nurses who have access to PHI of patients will need to comply with the HIPAA. There should be guidelines within the organization that lay down rules and regulations on how this confidential information is used and accessed. Generally speaking, it is always the best policy to get informed consent to disclose medical information from a patient during intake. A nursing home or long term care facility would be well advised to limit the information disclosed to that which is absolutely necessary for treatment, as decided by a medical professional. There should also be compliance reviews that should be conducted by these organizations so that checks and counter checks can be put into place.

    • 45 CFR 164.510 et. al.
    • http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
    • HIPAA Privacy Rule and Public Health- Guidance from CDC and the U.S. Department of Health and Human Services, April 11, 2003/52; 1-12.