[Editor's note: This column addresses specific questions related to implementation of the Health Insurance Portability and Accountability Act (HIPAA). If you have questions, please send them to Sheryl Jackson, Hospital Home Health, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: firstname.lastname@example.org.]
Question: How do I decide who has access to electronic protected health information (EPHI) or protected health information (PHI)?
Answer: "Because of the minimum necessary rule, an employee's access to EPHI or PHI will be driven by what their job is," says Robert W. Markette Jr., an Indianapolis attorney.
For example, an employee who is responsible for billing is going to need access to the patient's name, address, insurance/Medicare/Medicaid information, diagnosis, and any other information required to complete the claims submission, he says.
An employee who schedules home health visits will need to know only the patient's name, contact information, general insurance information, and the reason for admission to home health, Markette points out.
Complete information about the patient's diagnosis is not needed by this employee, he says. "The real issue that drives the decision of how much access to grant the employee is what information must this employee have to perform their job," Markette notes. "Many home health agencies determine minimum informational needs based upon job description."
Each job description is used as the basis for a description of minimum PHI needs; then, when an employee is hired or placed into a position, he or she is given access based upon the position, he explains.
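The following is an added example, not code from the column or from Markette, of how the "minimum necessary by position" approach above can be enforced in software rather than by policy alone: each role gets an allowlist of record fields derived from its job description, anything not listed is withheld, and a role with no defined need is refused outright instead of being handed the whole record. The role names, field names and the sample patient record are assumptions constructed for the example.

```python
"""Minimum-necessary, role-based filtering of a patient record.

Added example (not from the column or from Markette): the role names,
field names and the sample record below are assumptions chosen to
mirror the billing and scheduling roles described in the text.
"""
from __future__ import annotations

# Each role's allowlist is derived from its job description; any field
# not listed is withheld. A role with no entry receives nothing
# (deny by default), which is what "minimum necessary" requires.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "billing": frozenset({
        "name", "address", "insurance", "diagnosis", "procedure_codes",
    }),
    "scheduler": frozenset({
        "name", "phone", "insurance_plan", "admission_reason",
    }),
}


def minimum_necessary_view(record: dict, role: str) -> dict:
    """Return only the fields the role is allowed to see.

    Raises PermissionError for a role with no defined PHI need rather
    than silently returning the full record.
    """
    try:
        allowed = ROLE_FIELDS[role]
    except KeyError:
        raise PermissionError(f"no PHI need defined for role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def withheld_fields(record: dict, role: str) -> set[str]:
    """Fields present in the record that this role does not receive.

    Useful for an audit trail showing what the filter actually removed.
    """
    return set(record) - set(minimum_necessary_view(record, role))


# Constructed sample record with placeholder values; no real patient data.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "address": "1 Example Street",
    "phone": "555-0100",
    "insurance": "Medicare, member id 000000000A (placeholder)",
    "insurance_plan": "Medicare",
    "diagnosis": "placeholder diagnosis text",
    "procedure_codes": ["placeholder-code"],
    "admission_reason": "post-hospital skilled nursing",
    "ssn": "000-00-0000",
}

if __name__ == "__main__":
    for role in ("billing", "scheduler"):
        view = minimum_necessary_view(SAMPLE_RECORD, role)
        print(role, "sees:", sorted(view))
        print(role, "does not see:", sorted(withheld_fields(SAMPLE_RECORD, role)))
```

Note that neither role is given the SSN field: a field is released only because a position needs it, never because it happens to be in the record. Adding a new position means writing its allowlist first, which is the code-level counterpart of writing the PHI needs into the job description.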
Question: What type of background check do I need to conduct on the employee before giving access to EPHI or PHI?
Answer: "There is not a clear rule on background checks for HIPAA purposes," Markette says.
"As a matter of practice, many states require home health care providers to perform at least limited background checks of their employees, and these states prohibit individuals with certain convictions from providing services," he adds.
The Department of Health and Human Services (HHS) has said that the need for and extent of a screening process will be based upon an assessment of risk, cost, benefit, and feasibility, as well as an evaluation of other protective measures in place, Markette explains.
"This means that each home health agency will need to assess its own screening needs based upon its risk assessment," he says. "The only thing HHS has been clear about is that background checks are not mandatory under HIPAA."
However, screening employees before giving them access to EPHI does give an agency reassurance that it knows who is handling its patients' information, Markette adds.
Question: What steps need to be taken when terminating an employee to ensure that access to EPHI is terminated?
Answer: "When terminating an employee or when an employee resigns, the home health agency should take steps to close every potential point of access the former employee might use to access EPHI or PHI," Markette recommends.
For example, the employee should return any and all keys and identification badges, and any accounts the employee had on company computers should be closed, he says.
"If the employee had access to passwords on accounts that will not be closed, the passwords should be changed," Markette adds.
If the nurse or administrative employee was given a company computer to work remotely from home or to use in the field, retrieve that computer, he notes.
If the employee worked remotely from home using his or her own computer, you need to consider how to ensure the employee does not have EPHI on a home computer, Markette says.
"One way to plan your termination procedures is to review what you do when an employee is hired," he suggests.
When an employee is hired or changes positions within the company, he or she is provided with access to the facility, to computers, and to certain information, Markette points out. Use a checklist format to list these actions when hired, and then use the same checklist to make sure each step is "undone" when the employee is terminated, he recommends.
"If all of the original steps are undone, then the access should be closed," Markette says. "In order for this to be truly effective, it is imperative that the employer adequately document the access provided to each employee and the means provided to the employee to obtain access."
One other area of concern is a lack of communication within the company, Markette notes. Some companies, when preparing for HIPAA, discovered that when an employee left the company, the proper individuals were not always notified, he says.
"In many cases, the human resources department failed to notify the information technology department, and this resulted in computer accounts remaining active for up to six months after an employee had left," Markette explains. "This is a major security concern, so home health agencies need to make sure they have a process in place to communicate with all departments upon an employee's termination."
A home care agency's termination procedure should be the same whether the employee leaves voluntarily or is terminated, because it will eliminate the possibility of confusion, he says.
"Furthermore, the procedures should result in all points of access being closed as quickly as possible," Markette adds.
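The procedure above has two parts a practitioner can mechanize: derive the termination checklist from the record of what was granted at hire, and reconcile the HR roster against the directory so that an account left active after a termination (the six-month case described above) is caught instead of discovered by accident. The following is an added example, not code from the column or from Markette; the grant types, the one-day grace period, and the roster and account data are assumptions constructed for the example.

```python
"""Offboarding checklist derived from the provisioning record, plus a
reconciliation check for accounts left active after termination.

Added example (not from the column or from Markette). The grant types,
the grace period and the sample roster below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    """One access item handed out at hire or on a change of position."""
    kind: str    # badge, key, account, shared_password, device
    target: str  # which door, system, account name or asset tag


@dataclass
class Employee:
    name: str
    hired: date
    grants: list[Grant] = field(default_factory=list)
    terminated: date | None = None


# The "undo" action for each kind of grant. A grant kind with no entry
# is flagged for review rather than silently skipped.
UNDO = {
    "badge": "collect and deactivate badge {target}",
    "key": "collect key {target}; rekey the lock if it is not returned",
    "account": "disable account {target}; keep its data for review",
    "shared_password": "rotate the shared password for {target}",
    "device": "retrieve device {target}; wipe or reimage it",
}


def termination_checklist(emp: Employee) -> list[str]:
    """Turn the hire-time grants into the termination to-do list."""
    steps = []
    for g in emp.grants:
        template = UNDO.get(g.kind)
        if template is None:
            steps.append(f"REVIEW: no undo procedure for {g.kind} {g.target}")
        else:
            steps.append(template.format(target=g.target))
    return steps


def stale_accounts(roster: list[Employee], active_accounts: dict[str, str],
                   today: date, grace: timedelta = timedelta(days=1)
                   ) -> list[tuple[str, str, int | None]]:
    """Accounts still enabled although their owner has left.

    active_accounts maps account name -> owner name as exported from the
    directory; roster is the HR view. Returns (owner, account, days since
    termination) for each mismatch; days is None when HR has no record
    of the owner at all, which also needs a human to look at it.
    """
    by_name = {e.name: e for e in roster}
    findings: list[tuple[str, str, int | None]] = []
    for account, owner in active_accounts.items():
        emp = by_name.get(owner)
        if emp is None:
            findings.append((owner, account, None))
        elif emp.terminated is not None and today - emp.terminated > grace:
            findings.append((owner, account, (today - emp.terminated).days))
    return findings


# Constructed sample data: one former employee whose account was never
# disabled, one current employee, and one account HR does not know about.
TODAY = date(2004, 7, 1)
ROSTER = [
    Employee("A. Nurse", date(2003, 1, 6),
             [Grant("badge", "B-1041"), Grant("account", "anurse"),
              Grant("device", "LT-0042"), Grant("shared_password", "scheduling-fax")],
             terminated=date(2004, 1, 2)),
    Employee("B. Biller", date(2002, 5, 1),
             [Grant("badge", "B-0877"), Grant("account", "bbiller")]),
]
ACTIVE_ACCOUNTS = {"anurse": "A. Nurse", "bbiller": "B. Biller", "contractor1": "C. Temp"}

if __name__ == "__main__":
    for step in termination_checklist(ROSTER[0]):
        print("-", step)
    for owner, account, days in stale_accounts(ROSTER, ACTIVE_ACCOUNTS, TODAY):
        print(f"stale: {account} ({owner}), {days} days after termination")
```

The checklist is only as good as the provisioning record, which is the point Markette makes about documenting every means of access given to each employee; a grant that was never recorded cannot be undone by this method. Running the reconciliation on a schedule, rather than only at termination time, is what closes the HR-to-IT notification gap, because it does not depend on anyone remembering to send the notice.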
[For more information on the security rule, contact:
- Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (800) 894-1243 or (317) 704-2400. Fax: (317) 704-2410. E-mail: email@example.com.]