Hi! New here, be gentle with me!
Working home health care in an urban area, I often have to sign in with security when entering a building. The forms often request time in, time out, my name, my company name (no problems so far) and then the resident's name and apartment number. Those fields make me profoundly uncomfortable from a patient privacy standpoint. It feels very HIPAA-violationy. These forms are quite often left unsecured on a clipboard on a counter accessible to anyone walking in, not behind a desk with a security officer.
I totally understand that secured buildings' management wants this information for safety and accountability, but how can I provide them with what they need while protecting my patients and my license?
Thanks in advance for any suggestions.
Jun 9, '12
Thank you for your answers. I'm trying to reconcile them with the responses in this thread
, which are overwhelmingly that address, or name + address, ARE protected health information and thus revealing them is a HIPAA violation.
According to the hhs website:
Summary of the HIPAA Privacy Rule
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Since "Health Care" is part of my company's very name (and some buildings even require me to write something in a field labeled "Service Rendered" or similar, where I generally write "Nursing",) and name and address are being provided by me...yes, I'm still concerned.
Now, it's possible that one could construe the building security/management to be "Business Associates" of either the home health company or the client, or maybe both. But for information to be shared with a Business Associate, "a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.10
Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule." Janitors, vendors and visitors to the building are not authorized to see IIHI, even if a lawyer could argue that a security guard is.
Last edit by Chi-townHomeRN on Jun 9, '12
: Reason: fixed typo; probably missed more!