
HIPAA Notice
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (“HIPAA”)
The Agency complies with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It is the intent of the Agency to safeguard and protect the privacy and security of its clients’ “protected health information” as defined by HIPAA. We often have access to personal information about our clients. For example, when reviewing a client’s medical history form, we may discover extremely personal medical information. We respect our clients’ rights to privacy. Information about our clients, their treatment or their personal lives must be kept completely confidential.
“Protected health information” includes individually identifiable information, maintained or transmitted through any medium, relating to an individual’s past, present, or future physical or mental health or healthcare.
Health information is considered “individually identifiable” if it either identifies a person by name or creates a reasonable basis to believe the individual could be identified (through identifiers such as address, social security number, dates of service, telephone number, email address, or vehicle identification number).
It is the policy of the Agency to ensure the confidentiality, integrity, and availability of protected health information entrusted to the Agency by its consumers, clients, applicants, or employees by protecting those assets from unauthorized access, alteration, deletion, or unauthorized transmission and to ensure their physical security. Employees of the Agency shall not at any time access, use, or disclose to any person or entity, any protected health information of Agency consumers, clients, applicants, or employees, except as necessary and authorized in the course of their duties and responsibilities with the Agency or as otherwise required by court order, subpoena or state or federal law.
Similarly, Agency employees are prohibited from making any unauthorized transmission, alteration, deletion, or unauthorized access of protected health information. Such unauthorized transmission includes, but is not limited to, removing and/or transferring protected health information in any Agency computer system to an unauthorized location or using an unauthorized device—including thumb drives or external hard drives.
These privacy and security obligations apply regardless of the manner in which the Agency employees acquire the protected health information, whether it was communicated verbally, in writing, electronically, or in any format, and regardless of whether it was communicated directly to the individual or intended for his/her access. The unauthorized access, use, disclosure, alteration, deletion, or unauthorized transmission of protected health information is in violation of federal law and this policy, and may subject you to disciplinary action, up to and including termination. Employees must exercise discretion and should not discuss protected health information with any person outside of the Agency. Client matters must be kept confidential and never shared or disclosed to anyone who is not authorized personnel of the Agency.
The Agency also restricts release of any information about any patients, unless requested in writing and with the client’s authorization. It will be the responsibility of the Executive Assistant to ensure all forms for release of information are properly filled out and signed. Therefore, any request for release of client information by any outside agencies or personnel must be reported to the Executive Assistant prior to any disclosure by any caregiver or staff member.
The following are guidelines to assist employees in maintaining Protected Health Information (“PHI”):
- whenever possible, speak softly or privately with clients so other persons do not overhear (the client deserves our utmost respect and will always be addressed as Mr., Mrs., or Miss, unless otherwise indicated by the client);
- keep any and all client files where other clients or unauthorized personnel cannot easily see them;
- do not give advice to clients on personal matters, even if they ask for it;
- do not reveal information about a client, even to family members, unless you are speaking to the parents of a client under the age of 18;
- do not discuss personal or medical information about clients unless medically necessary and only within the Agency;
- provide client information to other health care professionals using only the appropriate medical information letter or form;
- provide client information to outside third parties only if a HIPAA-compliant release has been signed by the client;
- fax any patient documentation using the HIPAA-approved fax cover page only;
- do not befriend Agency clients on social media; any conflict with this policy must be reported to the Executive Assistant; and
- DO NOT TAKE ANY PICTURES, VIDEO, OR RECORDINGS OF THE CLIENT BY USE OF ANY DEVICE, EVEN IF THE CLIENT AUTHORIZES OR REQUESTS IT.