Privacy, Compliance & HIPAA

Confidentiality

Graceful Homecare collects and maintains detailed confidential and sensitive data about the client and, in some cases, respective family members. Graceful Homecare staff are aware of the responsibilities entrusted to them in managing these data and systematically engage in professional and ethical conduct concerning the collection, storage, and dissemination of confidential client information.

To ensure client data confidentiality, all personnel are trained in and comply with the confidentiality laws and rules found in North Carolina General Statutes 122C 51-56 and Title 10 of the North Carolina Administrative Code, Section 18D, and the Health Insurance Portability and Accountability Act of 1996. Personnel working with substance abuse services and early intervention services are trained in the relevant Code of Federal Regulations. Graceful Homecare staff implement the following procedures:

1. Staff makes adequate provisions for the maintenance of the confidentiality of any information that has been obtained in the course of professional activities. Staff is to take adequate precautions against the accidental or malicious release of confidential information and the use of such information to the detriment of any individual.
2. Staff maintain reports, records, and other information under the condition of security (e.g., locked files) and make provisions for the ultimate disposition of such material in a manner that (a) maintains confidentiality for records which are stored and (b) ensures proper disposal for records to be destroyed (shredding, for example, rather than simply placing them in the trash).
3. Staff ensures that privacy and confidentiality are maintained by all persons they supervise or who are in the employ or volunteer service of the agency or office in which they work.
4. Information received in confidence by a staff member is not to be forwarded to another person or agency without the client’s or guardian’s express permission.
5. Information received in confidence may be communicated to affected persons only after the most careful deliberation and only if one or more of the following conditions are met:
               a. the legal guardian has provided consent to release this information;
               b. there is a clear and imminent danger to the client, to others, or society; or,
               c. there exists proper legal compulsion.

Only necessary, relevant, and verifiable information is to be released under such conditions and then only to appropriate professional workers or public authorities. Reasonable attempts should be made to ensure that these latter individuals maintain the confidentiality of the information. Under conditions of legal compulsion, as in a court or legislative inquiry, ethical considerations may dictate that staff raise adequate questions regarding the need for disclosure, the right to dissent, and the possibility of providing information that is relevant to the legal question at hand but is disassociated from individuals to the extent possible.

6. When individuals are asked by staff in the course of their professional activities to provide personal information about themselves or a particular child or family, they should be informed in advance about the purposes of information gathering and limits of confidentiality. They also need to be informed of external conditions (i.e., suspicion of abuse or neglect) that require reporting such information to the proper authorities.
7. Information obtained in treatment and training and evaluation activities is to be discussed only for professional purposes and only with persons concerned with the case. To the extent possible and where reasonable, the individuals’ anonymity is to be protected in such discussions. Communications with relevant others concerning participants are standard and accepted practice; participants must be informed of this practice before providing information. Care must be taken to ensure that the third parties involved respect the confidentiality of the information.
8. Records concerning participants in treatment are confidential.
9. Staff conducting research collect only relevant and necessary information, share the data only with authorized personnel, and only release findings for authorized purposes. They expunge individualized data once the research is completed and utilize codes rather than names where possible (with the codes kept securely and distinctly separate from the data).
10. All confidential information that Graceful Homecare staff obtain from other individuals or agencies shall be treated as any other confidential information generated by Graceful Homecare.
11. Confidential information relative to clients with HIV infection, AIDS, or AIDS-related conditions shall only be released in accordance with the communicable disease laws as specified in GS 130A-143.
12. Whenever confidential information is released by Graceful Homecare, the responsible staff shall inform the recipient that re-disclosure of such information is prohibited without client consent.

HIPAA Compliance

Graceful Homecare adheres to HIPAA as required by the US Department of Health and Human Services (DHHS), providing a series of rules governing health information. In general, these rules are intended to standardize electronic health information between health care providers and health insurers. Also, these rules are intended to protect the privacy and security of individually identifiable health information.

• HIPAA Security Rule requires “covered entities” to ensure the confidentiality, integrity, and availability of “electronic protected health information.”
• HIPAA Privacy Rule requires “covered entities” to only use and disclose “protected health information” (PHI) in specific ways, to comply with certain individual rights, and to implement specific administrative measures.
• Graceful Homecare is a “covered entity” since the agency transmits health information in certain electronic transactions (e.g., referral certification and authorization).

Protected Health Information (PHI) is a series of individually identifiable health and demographic information and includes:

• Name
• Address Information
• Email Address
• Social Security Number
• Telephone Number(s)
• Facial Photos
• Medical Records
• Device Identifiers
• Zip Code

PHI does not include employment records held by a covered entity as an employer or de-identified information.

Graceful Homecare’s Operation Manager is responsible for developing agency policies and procedures, including receiving complaints and providing privacy training to all staff. Supervisors ensure clients receive Notice of Privacy Practices. Graceful Homecare incident reporting will be utilized to document unauthorized access to client information.

Violations can result in civil monetary penalties of $100 per violation up to $25,000. The penalties for knowing misuse of health information are a fine of $50,000 and one year in prison. The penalties for using health information under false pretenses are a fine of $100,000 and 5 years in prison. The penalties for using health information to sell information are a fine of $250,000 and 5 years in prison.

The current confidentiality laws for North Carolina are more stringent surrounding the release of client information. HIPAA does not supersede state laws.

Under HIPAA, consents to use and disclose PHI are not required for:

⇨ Treatment: provision, coordination, or management of health care and related services by one or more providers.

⇨ Payment: activities undertaken by a health plan to obtain premiums, determine or fulfill coverage or benefits obligations, or activities by a provider to obtain or provide payment claims.

⇨ Health Care Operations: quality assessment and improvement activities; training, accreditation, and licensing; conducting or arranging medical review, legal services, and auditing functions; business management and general administrative activities.

Uses and Disclosures of PHI for which authorization is not required:

⇨ As required by law (court order)

⇨ For public health

⇨ To avert serious threats to health and safety  

⇨ For health oversight committees

⇨ For research

⇨ For law enforcement

Psychotherapy Notes: This is the only type of PHI with heightened protection. A separate authorization is required for psychotherapy notes. Authorizations for psych notes may not be combined with authorizations for the use/disclosure of other PHI. Psychotherapy notes must be maintained separately from the client record.

Definitions of Psychotherapy Notes: Notes of a mental health provider documenting or analyzing the conversation during a counseling session, excluding the following:

1. Medication prescription and monitoring
2. Counseling session start and stop times
3. Modalities and frequencies of treatment
4. Results of clinical tests
5. Summary of diagnosis, treatment plan, symptoms, prognosis, progress.

Client Access to PHI: 

⇨ A client can directly request their own PHI.

⇨ An individual other than the client may be designated as a “personal representative” and be permitted to access the PHI.

⇨ Graceful Homecare requires that requests for access to PHI be in writing.

⇨ Graceful Homecare staff may provide information in a summary form.

⇨ Clients must be given the opportunity to agree in advance to summaries of PHI.

Graceful Homecare staff may deny access to personal representatives to protect vulnerable clients who may be subject to abuse or neglect. This also applies to personal representatives of minors and may be further restricted by State law. Graceful Homecare staff should consult with their supervisors for all requests.

Timelines for Responding to Requests for Access to PHI: 

⇨ 30-day response time: on-site PHI

⇨ 60-day response time: off-site PHI

⇨ 30-day extension: if the client is notified in writing of the reason for the delay and the date by which the request’s action will be completed.

Denying Client Access to PHI: 

The Privacy Rule allows denial of access in eight situations:

1. Danger to the life or physical safety of the client or another person 
2. Psychotherapy notes, if maintained in a separate file
3. If the information is created for use in a legal action or proceeding 
4. Information related to correctional institution records
5. On-going research data
6. Information subject to the Federal Privacy Act, 5 USC 552 (a)
7. Information obtained from a third party
8. Certain information maintained by specific laboratories

Business Associates 

Persons and/or agencies that fall into the Business Associate category must meet the following criteria:

1. Performs a function for a covered entity; and,
2. Uses protected health information

Examples of Business Associate functions include claims processing, legal, accounting, and consultants; answering and on-call services; billing; and quality assurance.

Emergency Preparedness

Ensuring clients’ and staff’s safety and well-being is a high priority, to mitigate service disruption during emergencies that impact the internal and external environments where Graceful Homecare operates. All staff are trained to be ready for emergencies and the unexpected. In each home, it is assured that the client’s information (address, allergies, known health conditions, and nearest intersection) is posted and accessible in case of the need to call 9-1-1 so these details can be provided to the operator. For non-life-threatening emergencies, other significant telephone numbers are posted and accessible for the hospital, doctor(s), poison control, police, ambulance, protective services, family members, and neighbors. All homes either contain or receive emergency kits that contain first aid supplies, medications, and other provisions. All homes are provided with a home evacuation plan that considers the home’s physicality and any limitations the client may have.

Graceful Homecare will adhere to the following as it relates to emergency preparedness:

• Staff will educate and assist clients to the greatest extent possible during an emergency
• Staff will not be expected to go into hazardous areas nor be required to operate under hazardous conditions during emergencies or disasters
• Staff will have access to and pay attention to news media outlets as they provide warnings and updates
• Staff will ensure clients with life support devices, or any other medical device that requires electricity, are registered with the local utility company supplying power to the client’s home in the instance of a power outage
• Staff will both educate and encourage clients and other family member caregivers with emergency plans and instructions
• Staff will create individual emergency plans and update them annually for their safety and to support continuity of operations
• Staff will conduct drills with clients as it relates to potential emergencies and evacuation

Copyright © 2024 Graceful Homecare. All rights reserved.