Hospices & HIPAA Compliance
HIPAA compliance is not usually simple in the healthcare sector industry, and HIPAA compliance for hospices is one area in which it less simple than most. The rules in relation to the disclosure of Protected Health Information restrict conversations with family members if patients have not previously given their consent for the conversations to occur. Additionally, if no DPHA is appointed, obtaining consent when the patient cannot express themselves cannot happen.
Many hospices are manned by volunteers, who – under the Privacy Rule – are regarded as members of the workforce. Volunteers have to be given the same training on HIPAA, permissible disclosures of Protected Health Information and HIPAA-compliant policies as full time professional healthcare providers. They are also subject to the same sanctions policies as professional healthcare providers, which makes things difficult if the volunteer is a priest or nun who has given comfort to those who are dying.
Management Issues Further Complicate HIPAA Compliance for Hospices
Hospice personnel can speak about the Protected Health Information of a patient with an unauthorized member of the family or other individual once the patient has passed away, if the conversation relates to payment for services given – unless the disclosure of Protected Health Information is “inconsistent with a prior expressed preference of the decedent”. In these instances, HIPAA does not suggest how hospices should resolve unsettled payments without sharing Protected Health Information.
Also in relation to finances, HIPAA compliance for hospices not only means adhering with the administrative, physical and technical security measures of the Security Rule, but limits on marketing and fundraising activities. Using patients´ names or images in marketing and fundraising activities is a violation of HIPAA unless the patient whose name or image is used – or their appointed representative – has given their informed, written, expressed consent. Hospices even have to thread careful with memorials.
Are Coroners and Funeral Homes Deemed HIPAA Business Associates?
A reasonable interpretation of HIPAA is that coroners and funeral homes supply a service on behalf of a Covered Entity, and during the provision of the service they receive, use and store Protected Health Information. This, in theory, would make coroners and funeral homes Business Associates. Apparently not according to §164.512(g) of the Privacy Rule. An exception is made for coroners, medical practitioners and funeral homes – and to organ procurement groups and secondary services.
Further complications arise in relation to individuals and entities who provide services directly to a patient not on behalf of the hospice – such as pharmacies, ambulances and hospitals, who provide a service for the patient and not for the hospice. Conversely, when the patient’s Protected Health Information is sent to a lawyer, clinical consultant or pharmacy benefit manager for the purpose of assisting a hospice with an administrative duty, they become Business Associates and a Business Associate Agreement will be necessary.
If your business works in this very complicated area of HIPAA, it is advised that you seek professional guidance about HIPAA compliance for hospices with regard to your specific circumstances and any state laws that may be in place in your jurisdiction. Hospices have received penalties in the past for non-compliance with HIPAA, plus incurred expenses to mitigate possible caused by a breach, and had to take corrective actions to ensure their ongoing compliance. For a non-profit group, the financial consequences of non-compliance can be major.