HIPAA Policy
Purpose
To ensure the patient’s/client’s right to privacy and security as well as respect for the patient’s/client’s property is observed.
Policy
- NurseCore will give the Notice of Privacy Practices to the Governing Body and all staff involved in patient/client care, potential employees, health care students, consultants and Business Associates which explains the patient/client’s rights regarding confidentiality, privacy, and security.
- NurseCore will give and explain to the patient/client and their representative (if any) the Notice of Privacy Practices regarding privacy rights as mandated by the Privacy Rules of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its revisions, as applicable.
- NurseCore will comply with all applicable HIPAA Security Rules, to include all of the patients’/clients’ electronic Protected Health Information (PHI).
- NurseCore and any agent acting on behalf of NurseCore in accordance with a written contract must ensure the confidentiality of all patient/client identifiable information contained in the clinical record, including OASIS data, and may not release patient/client identifiable OASIS information to the public.
- CERTIFIED OFFICES: NurseCore will inform the patient/client, their representative (if any), or their caregiver both verbally and in writing on admission, regarding the patient/client Privacy Rights and Privacy Act Statement pertaining to OASIS data. The Agency will obtain acknowledgment of patient/client receipt.
- The Governing Body will be informed of and sign a “Confidentiality/Conflict of Interest Disclosure Statement”.
- The patient/client, their representative (if any) and their caregiver will be informed on admission regarding confidentiality.
- The patient’s/client’s property will be respected during the provision of patient/client care.
Procedure
- HIPAA Privacy Rules
- Clinical
- NurseCore shall provide all current employees with training on the HIPAA Privacy Rule.
- All new employees shall receive privacy training during their orientation.
- If NurseCore changes its policies and procedures, all employees shall receive retraining.
- All privacy orientation and retraining shall be documented in the employees’ personnel files.
- NurseCore shall maintain a record of privacy training given to the employees as defined in the Privacy Rule.
- On admission, patients/clients and their representatives (if any) will be informed both verbally and in writing regarding confidentiality, as well as access to, release of and the safeguarding of patient/client records as delineated in the Notice of Privacy Practices.
- NurseCore staff will obtain a consent to obtain photographs of the patient/client and/or patient/client wounds prior to taking the photograph. (See PC.23)
- Business
- NurseCore restricts the use and disclosure of certain types of information that could be advantageous to other businesses or harmful to NurseCore, its patients/clients or its employees.
- Confidential business information is considered NurseCore property.
- Utilization of confidential information for personal gain is considered by NurseCore to be improper and/or unlawful.
- Discussion of confidential information with family, friends or business and professional associates should be avoided.
- Employees will be educated regarding confidentiality pertaining to use of an electronic record, Point of Care devices, computers, electronic devices and media, information kept in the car, discussions of one patient/client to another and other aspects of potential breach of confidentiality. Employee education regarding confidentiality will include, as appropriate, the utilization of Smart Phones, Wireless Access Points (WAPs), Memory Cards, disks, CDs, DVDs, backup media, Smart cards, and Remote Access Devices (including security hardware).
- Employee data/information requested on hire and periodically will be required and pertinent to NurseCore’s business.
- Employees and Governing Body members have a responsibility to have no conflicting interest when they represent NurseCore in negotiations or make recommendations about a third party. The employees and Governing Body members will work with patients/clients, caregivers and other parties doing business with NurseCore on the basis of what is in NurseCore’s best interest without showing favor or preference to third parties based on personal considerations.
- An employee or Governing Body member who deals with third parties on behalf of NurseCore or who makes recommendations or approves or rejects them shall not own any interest in or have any personal contact with the third party that could possibly influence the employee in regard to the best interest of NurseCore.
- An employee or member of the Governing Body shall not directly or indirectly seek or accept payments, loans, services, excessive entertainment, travel, gifts, or other reward from any individual or representative of any business or individual seeking to do business with NurseCore that might tend to influence the decision of the employee with respect to NurseCore’s business.
- Business Associates
- NurseCore’s Business Associates shall have access to the minimum amount of patient/client PHI needed to accomplish the cited purpose.
- HIPAA Security Rules
- NurseCore shall appoint an Information Security Officer to oversee compliance with the HIPAA Security Rules.
- This individual may be the Privacy Officer.
- NurseCore shall provide security and awareness training to all of its employees, including management, upon hire and periodically thereafter.
- NurseCore shall perform an initial risk assessment of ePHI to ensure its security measures allow it to reasonably and appropriately comply with the HIPAA Security Rule.
- In deciding if its security measures are adequate, NurseCore may consider the following:
- Its size, complexity, and capabilities
- Its technical infrastructure, hardware, and software security capabilities
- The costs of the security measures
- The probability and criticality of potential risks to electronic PHI
- NurseCore shall perform follow-up ePHI risk assessments in part or in whole at least annually and after any event that compromises NurseCore’s electronic security.
- NurseCore shall ensure the confidentiality, integrity, and availability of all electronic PHI it creates, receives, maintains, or transmits.
- NurseCore shall protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
- NurseCore shall protect against any reasonably anticipated uses or disclosures of electronic PHI other than those that are permitted by the HIPAA Security Rule.
- NurseCore shall obtain assurances in a written contract from its Business Associate(s) that creates, receives, maintains, or transmits electronic PHI on its behalf that the Business Associate will safeguard the information.
- NurseCore shall ensure compliance with the HIPAA Security Rule by all of its employees, including management, and its Business Associate(s).
- NurseCore shall institute sanctions against any employee as defined in its progressive discipline policy up to and including termination.
- NurseCore shall terminate the contract with the Business Associate(s) if it determines there has been a violation of the HIPAA Security Rule.
- NurseCore shall maintain the policies and procedures implemented to comply with the HIPAA Security Rule in written or electronic form.
- NurseCore shall document any action or activity taken and all risk assessments made as required by the HIPAA Security Rule.
- NurseCore shall make documentation available to those responsible for implementing the procedures recorded and to appropriate regulatory entities.
- NurseCore shall review the documentation periodically and update it as needed in response to environmental or operational changes affecting the security of the patients’/clients’ electronic PHI.
- NurseCore shall retain the required documentation for six years from its creation or the date when it was last in effect, whichever is later.