≥90% of participants will know how to comply with HIPAA regulations.
After completing this continuing education activity, the learner will be able to complete the following objectives:
This course outlines confidentiality and privacy issues that Nurses' aides, Certified Nursing Assistants (CNAs), Patient Care Assistants, and Medical Assistants may encounter while caring for patients and going about their everyday lives. For this educational offering, the term, CNA, will be used to stand for individuals who work under the supervision of registered nurses or physicians and feed, bathe, dress, collect specimens, and ambulate patients, among other tasks.
Typical locations of care are nursing homes, skilled care facilities, rehabilitation centers, clinics, physicians' offices, diagnostic centers, assisted living facilities, and home health settings. CNAs who help in patient homes may assist with shopping, cooking, and transportation to medical appointments. Any of these locations and activities provide opportunities to either respect or break the Health Insurance Portability and Accountability Act (HIPAA) rules.
Welcome to HIPAA training. Because we are human, it is easy to forget HIPAA rules. We all need reminders and training. CNAs are valued members of the healthcare team who have meaningful interactions with patients daily. Their workload can be demanding and hectic but also meaningful. They are often seen as family members or special people to patients in long term care facilities and are known for their compassion and kindness. The health care system could not exist without CNAs.
Protecting the privacy of patients should always be in the minds of CNAs as they perform their duties. CNAs also need to think about HIPAA when they are off duty as situations can occur where they might break the rules innocently. Privacy is the most important element of HIPAA for CNAs. CNAs protect patient privacy by knowing the HIPAA rules, applying them, and reporting any suspicions that the rules have been broken.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed by President Bill Clinton in 1996. HIPAA is a large document containing many Federal privacy rules. These Federal privacy rules assure that patient privacy is protected. Further, the rules safeguard an individual's personal health information in both written and electronic form.
Health care organizations where CNAs are employed are considered covered entities. All covered entities are required to see that their workforce follow HIPAA rules. If the rules are not followed, a health care employer can be punished with fines or other penalties. Here are two examples of HIPAA rules that all CNAs need to know.
CNAs can only read the charts of patients if they need to know some information, and their facilities allow them to read charts.
CNAs cannot tell others about their patients. They cannot share stories at home, even if they do not tell the patient's name.
Case situations will help illustrate how CNAs can break privacy rules, most often unknowingly and without bad intentions. Some of the cases will highlight the possible consequences of breaking the rules.
CNAs must become familiar with the HIPAA terms to practice safely and ethically. Even if a CNA has had HIPAA training, a refresher is often helpful. Beginning knowledge of these HIPAA terms will help CNAs understand privacy rules and the consequences of breaking them. Awareness of these terms and phrases will help CNAs appreciate their responsibilities for protecting patient privacy adequately.
The first situations are about CNAs and how they might break HIPAA rules while off duty. In these cases, CNAs may not be as careful as they should be when discussing sensitive information about patients. These situations can occur in various locations, such as parks, beaches, grocery stores, restaurants, and public transportation, such as a bus or subway train. Additionally, the sharing of PHI on social media is addressed. Some of these situations seem innocent. These CNAs did not have any thoughts of harming anyone. Reviewing these situations will help CNAs learn how to avoid breaking HIPAA rules.
Thomas and Sally are two employees of the Gray Integrated Health System. They have been close friends for several years and went to school together to become Certified Nursing Assistants (CNAs). When they have the same workdays off, they often get together for fun. This week they decide to go to the beach where there are shaded pavilions for picnics.
While having a picnic lunch, Sally spots a patient, Katie, whom she knows from the dermatology outpatient clinic. Katie is lying on a beach towel in a bathing suit getting a suntan. There is no shade umbrella, and the sun is very bright. Sally remembers that the nurse practitioner warned Katie to stay out of the sun because of her history of skin cancer. Thomas does not know this patient. Sally decides to say hello to Katie and introduce her to Thomas. She feels it is her duty to tell the patient to get out of the sun.
Will Sally be violating HIPAA rules when she introduces Thomas? Does Sally have a duty to warn Katie about the sun? What actions should be taken to comply with HIPAA and protect the patient?
While well-intentioned, Sally is breaking HIPAA privacy rules when she introduces her friend, Thomas, to her patient, Katie. According to HIPAA Rules, Sally should not disclose Katie's name or PHI without Katie's permission. Additionally, Sally is failing to protect PHI by confronting Katie about her diagnosis in front of Thomas, and while in a public setting. Thomas does not have a need-to-know concerning Katie's PHI. Sally's behavior is inappropriate.
Colleen is a CNA who works in a nursing home. She has been at the Hancock Nursing Home for seven years. She has grown fond of several of her patients. One patient, Mrs. Rae, had taken a turn for the worse and was not able to speak to her when she provided care today. In the morning nursing report, Colleen learned that Mrs. Rae had suffered a stroke. Colleen knows that Mrs. Rae does not want any heroic measures. Colleen feels sad.
At the dinner table that night, Colleen's significant other of four months, Brady, notices her sadness and asks her about it. Colleen shares information about Mrs. Rae's stay at the Hancock Nursing Home, including her diagnoses and a recent stroke. She starts crying while talking. She tells Brady that she is afraid that Mrs. Rae's life is ending. Brady asks how old Mrs. Rae is and if she has children. He wonders if someone has called Mrs. Rae's family to let them know about her situation. Further, Brady offers to help if local family members need rides to the nursing home.
Did Colleen do anything wrong? Would it be acceptable for Brady to help family members with transportation?
CNAs often work closely with their patients to help improve their quality of life. Over time, attending staff may grow close to their patients; however, PHI should be protected at all times. In her grief, Colleen disclosed Protected Health Information to her significant partner. This disclosure violated Mrs. Rae's right to confidentiality, according to HIPAA Privacy and Security rules. CNAs should not discuss details of patient care with unauthorized persons at any time, even if no name or age is given. Even discussing the diagnosis or the location of treatment violates HIPAA. Brady's offer is kind, but he should not be helping the family.
Several CNAs work in an intercity hospital and take the bus to work. One of the CNAs, Andrew, had a bad day at work. One of the patients spat at him. Andrew knows that the patient is confused. Still, Andrew is unhappy. Andrew shares the story on the bus with two people he works with. He shares it with two other CNAs, Lana and Sarah, who work in another building.
How should Sarah or Lana respond? Did Andrew do anything wrong?
Andrew violated HIPAA privacy rules by failing to safeguard PHI. By openly discussing Mr. Recurt's illness and actions, Andrew exposed personal PHI about the patient in a public setting. Additionally, Sarah and Lana lacked a need-to-know. Sarah and Lana should stop the conversation immediately. They should tell Andrew that he is breaking HIPAA rules by discussing a patient in a public place and with people who do not need to know. They should report Andrew to the Privacy Officer or their immediate supervisor so he can receive more training on HIPAA and prevent any further rule-breaking.
Marianne, Cherylynn, and Scott are having lunch in the cafeteria, which is only open to employees of the Gray Integrated Health System. Even though they work on different units in the hospital, they often get together as friends. They started their jobs at the same time and were in orientation together. Scott is taking care of a patient with Parkinson's disease and knows that Marianne's father suffers from this disease. The conversation begins.
How should Scott respond? Since everyone in the cafeteria works for Gray Integrated Health Care System, is it alright to talk about patients in the cafeteria?
Scott should tell Cherylynn that he is unable to discuss patient PHI with her in the cafeteria or anywhere since she is not assigned to his patient. Scott should remind Cherylynn that access to patient PHI should be limited to processing payments, conducting treatment, and performing health care operations. Additionally, though everyone in the cafeteria may be coworkers, they do not have a need-to-know. This means that patient PHI should not be discussed in the cafeteria. Further, CNAs should not talk about patients in facility elevators, libraries, or parking lots. Even though these conversations seem routine, the information should only be shared on a need-to-know basis and should not be shared in public places.
Haley is a CNA who works in the radiology department of Gray Integrated Health System. A well-known basketball star comes to the department for x-rays after falling on the basketball court in the Final Four of March Madness. Fortunately, the star did not suffer a fracture of his leg as originally thought. He can return to the court.
Haley decides to let all of his fans know that the star is not seriously injured. While off duty and at home, she posts a note on her Facebook page with his picture, letting everyone know that the star will be returning to the basketball court in time for the final games.
Did Haley do anything wrong? If so, what are some of the consequences of her actions?
Haley has broken several HIPAA rules. If Haley did not treat the athlete, then Haley violated the PTO guidelines, which limit the access of PHI to payments, treatment, or health care operations. Additionally, Haley has exposed PHI on social media. Haley may be subject to financial and legal penalties, in addition to termination. Steep fines and jail time could await Haley for posting about a patient on Facebook.
Imagine a similar scenario where Haley posted on Facebook that she worked with a famous actor in her ward today. She says that her patient will make a full recovery and is careful not to mention her patient's name or any of the movies he has starred in. Can Haley get in trouble for her post?
Unfortunately for Haley, disclosing the location of treatment and the fact that a big-name celebrity was treated there exposes PHI. The actor's name does not have to be disclosed for Haley to get into trouble. Social media violations are serious matters that can lead to close monitoring, termination, or penalties. CNAs who care for celebrities should not tell anyone, and if someone asks CNAs if they know that a big-name person is in their facility, they should respond by saying: "I cannot answer your questions. Federal laws do not permit me to answer you."
CNAs can get into trouble with HIPAA while on duty. Knowing HIPAA rules will help CNAs with protecting patient privacy and protecting their employers from reputation damage and fines. Facilities can be punished with fines when their employees break HIPAA rules. In one case, a hospital paid $100 per patient in fines each time patient information was released inappropriately.2
Thomas works in an outpatient clinic at Gray Integrated Health Systems. The clinic team takes care of patients with stomach and bowel issues and does procedures for these patients. Thomas has taken care of Mrs. Keubler and knows her history. She has been complaining of diarrhea, with up to 10 stools per day. She lost ten pounds in the past three months. The nurse practitioner has seen Mrs. Keubler in the past, and today, the nurse practitioner asks Thomas to instruct this patient on stool collection. The receptionist lets Thomas know that Mrs. Keubler has arrived and is in the waiting room. Thomas goes to the waiting room, which is full of patients, walks over to Mrs. Keubler, and sits down beside her. He instructs the patient on stool collection. The interaction goes like this:
Mrs. Keubler gives Thomas the information he requested.
Did the CNA violate HIPAA by instructing and interacting with Mrs. Keubler in the waiting room? What, if anything, could the CNA do differently?
HIPAA rules apply to the waiting room. CNAs may be asked to call out patient names in waiting rooms. This is permitted by HIPAA rules within limits. This means that CNAs may call out names but must take patients to private areas to discuss health issues. CNAs cannot discuss any medical information in waiting rooms or in front of other people.
CNAs may use patient sign-in sheets. These are quite common in outpatient offices and are helpful to operations. Sign-in sheets are acceptable as long as they do not contain diagnoses or other medical information.
Kay and Connie are CNAs at Hancock Nursing Home. They usually work the same shift and help each other out with patient care. Kay is taking care of Mr. Dodge, an older man who is of sound mind but is very weak. Kay needs help getting him out of bed and into a wheelchair. She asks Connie to assist her. While Kay and Connie are in Mr. Dodge's room providing care, the following conversation takes place.
Is anything wrong with this conversation?
In their carelessness, Kay and Connie berated another patient in front of Mr. Dodge and seriously violated HIPAA Privacy Rules. Unless Kay begins treating the new patient, Kay does not have a need-to-know and should not have asked for more information. Connie should not divulge identifiers, such as clothing, speech, or behaviors. Kay compounded the issue by naming Mrs. Brooks and implying that she has mental or behavioral issues. Both Kay and Connie need further HIPAA education and reminders to keep patient information private.
Summer is a CNA in the home health division of Gray Integrated Health System. She has a regular caseload of patients whom she sees in their homes. Summer has been taking care of Mrs. Hurst for a few weeks and has gotten to know her well. Mrs. Hurst had a shoulder replacement and is on pain medications, which make her drowsy. The surgery, plus pain medications, put Mrs. Hurst at risk for falls. Mrs. Hurst is unable to wash her hair and needs help dressing. Summer provides these services.
While Summer is helping Mrs. Hurst, the telephone rings, Mrs. Hurst asks Summer to answer it and tells Summer that she does not feel like talking. A neighbor, Emmanuel, whom Summer does not know, asks about Mrs. Hurst.
Did Summer break any HIPAA rules?
Neighbors and family members may telephone CNAs from time to time to inquire about their friend or loved one. Although Summer acted innocently, she violated HIPAA Rules by telling the neighbor about Mrs. Hurst's condition and operation. Summer should have empathized and informed Emmanuel that she is unable to give out personal information about her patient, but that she will let Mrs. Hurst know that he called.
In a similar situation, neighbors may stop CNAs on their way to a patient's home or upon leaving. CNAs, employed or working privately, are not at liberty to disclose any information to neighbors. Disclosing information is a HIPAA violation.
At the end of their shifts, Rosa, Jake, and Yasmine throw their patient notes in the trashcan in the hospital nursing station. The notes contain the names of their patients, their diagnoses, age, treatments, vital signs, and a few personal facts about them. The three CNAs assume that the trash is retrieved by hospital workers and burned. They think they are not breaking any HIPAA rules. A maintenance worker, who picks up the trash regularly, sees the notes, and decides to look at them. He has plans to become a CNA and wants to know what type of notes CNAs use.
In this case, the three CNAs, who disposed of their notes in the trashcan, did so inappropriately and broke HIPAA rules. The disposal of certain types of PHI, such as name, diagnosis, treatment information, or other sensitive information, requires more care. This is because anyone can retrieve information from trash cans, and some may use it improperly. Every health care facility must have disposal policies and procedures and must train all staff on measures. Disposal violations must be reported to the Privacy Officer so they can be corrected. Proper disposal measures may include shredding the notes so they are unreadable and cannot be reconstructed.3
Dean is a CNA who works for the main hospital with Gray Integrated Health System. He is in the nurses' station when the telephone rings, so he answers it. The person calling says that she is inquiring about Mrs. Haines, a member of the local Baptist Church and Sunday school class. She asked if Mrs. Haines is a patient in the facility and inquires how she is doing. How should Dean respond?
Dean can provide some limited information about Mrs. Haines to the caller, provided the patient has consented. According to the Department of Health and Human Services (HHS), covered hospitals can release specific information regarding the patient's location and overall condition. Patients must consent orally or in writing to be listed in the hospital's directory. Once patients have consented, minimum information can be shared. Patients can refuse to participate if they desire more privacy.4
Curiosity got the best of a nurse's aide at Wayne Memorial Hospital in Honesdale, Pennsylvania. The aide looked at the records of almost 400 patients when she was not supposed to do this. She did not take any information from the records to use for anything. Even though the aide had received HIPAA training, she did not follow the rules.5 A fellow employee reported her.
If fellow employees are conscientious, they will report others who break the rules. By reporting others, health care facilities can discover rule-breaking early and take corrective action, including educating those who break the rules. This prevents further violations of HIPAA rules.
CNAs have a duty to protect PHI and ePHI. As more practices switch to electronic medical records (EMRs), there is a growing need for secure software solutions. According to HIPAA security rules, ePHI must be encrypted to prevent outside access. Some offices log into Virtual Private Networks (VPNs) to secure data, while others use remote desktops. Additionally, access to patient records should only be granted when necessary, and access should be monitored.
Rudy is a CNA who works in the state health department. While working, he glances over at the computer screen of a nurse who is reviewing medical reports. He learns that a woman, whom his best friend has just started dating, has been diagnosed with HIV. Should he warn his friend? What should he do?
Rudy must remember his HIPAA training, which does not allow him to disclose PHI or ePHI to others, regardless of their relationship. Rudy did not have a need-to-know regarding the woman's diagnosis and should not have looked at the screen. Rudy and the hospital could be in big trouble with the Office for Civil Rights if the patient's diagnosis is shared. The hospital could be fined, and Rudy could be fired. The reviewing nurse could improve her compliance by using a privacy screen that bends light at an angle, preventing others from seeing what is on the screen.6
Tina, an experienced CNA, works for the Director of Activities at the Gray Integrated Health System. She conducts reminiscent discussion groups for some of the patients who are in the assisted living facility. One day, during a group meeting, a patient, Mrs. Jazzy Gee, complains of being weak and faints, falling to the floor. Tina calls a Code Yellow, which is used to summon the help of registered nurses.
The nurses come to the room where the meeting is taking place. They have a wheelchair and take Mrs. Gee to the clinic. Mrs. Gee does not return to the group, and Tina notices that her room in the Assisted Living Center is occupied by another patient. Tina and the other patients are curious about Mrs. Gee's condition. Tina decided to read Mrs. Gee's chart and give the group an update.
When Tina gave an update to the group, did she break any HIPAA rules?
Tina should not read Mrs. Gee's chart because she does not need to know Mrs. Gee's condition. Mrs. Gee's confidentiality is broken when Tina views the chart, and when she shares PHI with the group. These are two HIPAA violations. Tina will need additional HIPAA training to prevent further violations.
Understanding potential areas of HIPAA violations is necessary to safeguard patient privacy, one's job, and one's professional license. HIPAA violations can cost facilities and CNAs money and embarrassment. Fines and disciplinary action can be imposed, so CNAs must be knowledgeable and avoid any wrongdoing.7
CNAs must alert their supervisors if they see a HIPAA violation. If they are uncomfortable going to their supervisors, they can file a complaint with their organization's HIPAA Privacy Officer. Another option for the CNA is to file a complaint with the Office for Civil Rights (OCR). CNAs who decide to file a complaint with the OCR and want action to be taken must provide their name and contact information. If CNAs submit complaints anonymously, the OCR might not investigate them. Most complaints can be filed online using the OCR complaint portal assistant.
Those that need help filing a complaint can email the office at OCRMail@hhs.gov or call 1-800-368-1019.