Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  

Author Topic: Help about how and who HIPAA applies to (certification stuff).  (Read 1273 times)

femmelf

  • Bay Watcher
    • View Profile

Having difficulty finding an answer to this one. I know there are some medical people here. I'm trying to better myself and my career. Please.

The issue seems to go around PHI (Protected Health Information) including pictures of residents in longer term facilities. I know the obvious part about it applies to "covered entities and business associates" (Hospitals, nursing homes, and businesses they hire to do stuff like medical coding). I guess that's not as good an answer as they want from me on this.

1.) What about visitors? (To like a nursing home or inpatient rehab facility).
2.) Does a nursing home or an Inpatient Rehab Facility have a responsibility to keep visitors from taking pictures?
3.) Would a nursing home or inpatient rehab facility that took its residents on a field trip have a responsibility to keep the public from taking pictures if they took their residents on field trips?

Trying to find answers on these isn't working for me. All I seem to get is "covered entities and business associates." Am I missing something? I'm really confused. Does anyone here work in a long term medical or rehab place that deals with this HIPAA stuff?

The "Visitors" and "Field Trip" thing throws me off a lot.... Thank you for any help you might give, because I don't get this.

P.S. I'm looking at possibly getting a healthcare field related job. This is a question they're asking about a privacy rule for medical stuff. I'm drawing a blank.
« Last Edit: August 17, 2017, 06:34:38 pm by femmelf »
Logged

wierd

  • Bay Watcher
  • I like to eat small children.
    • View Profile
Re: Help about how and who HIPAA applies to (certification stuff).
« Reply #1 on: August 18, 2017, 01:49:24 am »

Family of a resident may photograph the resident, under the following conditions:
1) The resident is a willing participant of the photograph
2) The resident or their DPOA has agreed to be photographed
3) The photograph does not have any additional residents in the shot (and thus does not have identifiable information of other residents), unless those additional residents have consented or have consent to be photographed.
4) The photography is tasteful, and does not present the resident in an undignified way.

In terms of going on outings, it may be necessary for care givers to advise family and bystanders that they should not violate the privacy or dignity laws of their respective state concerning the welfare of the residents under their charge, and to discourage certain kinds of photographs. Typically, most families will be perfectly OK with assuring that their loved one is not presented in an undignified, or undesired way.
Logged

femmelf

  • Bay Watcher
    • View Profile
Re: Help about how and who HIPAA applies to (certification stuff).
« Reply #2 on: August 19, 2017, 05:20:32 pm »

Thank you, Jesus this stuff is complicated.

Am I completely nuts or is the authority for this stuff just vague? I can't even find anything saying that.

Especially the field trip stuff is hard to cite and a messed up thing, right?

I mean, what are you supposed to do with residents on a field trip when somebody just snaps a picture, posts online instantly and doesn't care? You can't make them take it down or anything, right? So have a "community based environment" with strict privacy laws? I don't get how that can happen. How're you supposed to control the public taking pictures if you take the nursing home residents to a museum or something like a park?
Logged

wierd

  • Bay Watcher
  • I like to eat small children.
    • View Profile
Re: Help about how and who HIPAA applies to (certification stuff).
« Reply #3 on: August 20, 2017, 06:18:48 am »

If you have done your best to protect the privacy of your resident, and the public does it anyway, just file an incident report with your DON, or social worker, which ever has that unlucky job in your facility. They will ask the DPoA if they want to risk having the resident be further exposed to risk of indignity via public outings, or if they want to provide a chaparone for public outings to better enforce the no photography request. 

Basically, HIPAA is to do everything humanly possible to avoid uncontrolled disclosure of personally identifying information, or loss of dignity for persons receiving medical care.  Some people are just assholes, and dont care about other people's dignity or privacy, and will not comply with your request to not harm your resident. I doubt it would ever transpire, but if you document that you attempted to intervene, and did everything possible, including follow up with the DPoA about the incident, it may be possible to identify the culprit via their incessant use of social media, and for the DPoA to press charges for criminal endangerment. (Posting the identifying information of persons not able to make informed choices for themselves falls under similar legal protections as those for underage minors, making the unauthorized photography coverable by elder abuse laws, which are just about as nasty as child abuse laws.)  At this point, you need lawyers specializing in elder abuse for proper advice. Suggesting that the DPoA seek such a specialist to attempt to compel the removal of the offending photographs, and to seek statutory damages, if that is their wish.

Typically, your obligations as the immediate care giver terminate after doing everything humanly possible to protect their privacy and information from the public, including taking every precaution to conceal the nature of their infirmity if it is a dignity issue (such as an -ostomy, or catheter bag being well concealed) and avoiding encouraging the resident to engage in activities that would publicly display an undignified condition. (or any information about their medical care, condition, etc.) Should a breach of confidence occur, it is important to have that breach documented and seen to appropriately. (Again, by either your DON or social services worker.) Being a primary care giver, you are a mandatory reporter on any form of observed harm you may observe, including HIPAA violation, and failure to report is really bad juju.

Once you have done your part, all further fire will be directed at your facility heads, having been officially notified of the incident, and now responsible for performing the investigation and intervention phases of incident management. 



Logged

femmelf

  • Bay Watcher
    • View Profile
Re: Help about how and who HIPAA applies to (certification stuff).
« Reply #4 on: August 21, 2017, 07:22:40 pm »

Thank you. This whole thing just seems really confusing and worst of all, not well defined at all. Sources are basically lacking (in general when people talk about this).

I guess, the things I don't exactly get are mostly twofold. First off, are you supposed to just use a written authorization form and keep that to make sure you're covered as long as the resident signs it and has capacity? For every outing, cause the release has to be specific?

Second, what's the liability to the organization or the person? Does it depend on the incident location? If some jerk visitor comes into the facility and just starts snapping full face resident pictures despite doing everything possible to stop him, is that a problem for the nursing home? Also, same question, but for field trips where you take residents outside (because having them cooped up forever doesn't sound very nice)? It's not like the nursing home staff can take visitors' cell phones or cameras away, so can they still be held liable for published pictures from that? I don't really get what you're supposed to do: just authorization releases, asking people not to get resident pictures, something else?

(You'd think people would be nice and leave the poor old people alone and not plaster them all over the web).
Logged

wierd

  • Bay Watcher
  • I like to eat small children.
    • View Profile
Re: Help about how and who HIPAA applies to (certification stuff).
« Reply #5 on: August 21, 2017, 09:23:50 pm »

Here is the usual terrible training video on HIPAA. It is pretty vague as well, but basically covers the generalities.
https://www.youtube.com/watch?v=mEu6NGPA0Cg

Photography of a resident could be considered PHI if the photograph contains personally identifiable information, or information that could indicate condition or health status.

This is one of the big reasons why many conditions, such as having an indwelling catheter, or -ostomy,  can be very difficult. If the DPoA or the Resident do not want to be seen without their catheter or -ostomy concealed, any such exposure is a HIPAA violation.

Some jerkwad on facebook can take a full face photograph/video of a resident with dementia (doing full on dementia related behaviors, such as swearing), post it on face book, and amend a name. BAM- HIPAA violation. really big one. These days, with photo recognition being baked into more and more things online, just the face alone could be disastrous.

Given that our friends at Facebook and pals just LOOOOOOOOOOOVE personally identifiable information, facebook is not friendly with nursing or medical facilities.  Pretty much at all. Using social media inside a nursing facility is highly discouraged. It is very easy for a simple post that has names redacted, to lead to a breach of PHI, when reviewed against a circle of facebook friends, their postings, and the like. This is especially problematic, since facebook does everything it possibly can to datamine facebook postings, and to create inter-relation matricies between friends, post content, pictures, and names, including pretty sophisticated face recognition routines.  As a hypothetical, say you (as a care giver) say you are going to be taking your residents to Golden Corral after taking them on a shopping trip, and what city, on facebook. You don't specify where or what golden corral, just that you are going. All by itself, this is pretty harmless. However, your facebook friends might say "Hey, I saw [facility transport vehicle] at such and such golden corral!" and our dipshit with the camera might have photographed bad resident behavior at the golden corral in question, and mention the facility, based on the transport vehicle's markings. He might not know the resident's names, but facebook might. Especially if the residents themselves have facebook accounts, such as to communicate with grandkids. Suddenly, there is enough information for facebook's facial recognition software to trawl, and connect some dots. It is able to positively identify the facility, the location, the residents (by name), their associations, and if the image contains any other PHI, such as previously mentioned dignity damaging devices, facebook now has unauthorized PHI, and they got it because (they are fucking greedy assholes that push the envelope, and) you posted some apparently innocuous information about a planned outing.

Many facilities have rules in place to prevent this, by explicitly stating that any discussion, regardless of how obfuscated, of PHI outside of direct work environments is strictly prohibited. Many others will outright terminate you if they catch you using social media at work.

When planning an outing, in today's world where big corporate is watching, it is very important to get written release for all residents that will be attending outings, and to get that release in writing from either the resident themselves (if legally competent to do so), or from the DPoA.

"reasonable measures" is a wiggle-word, but that is as far as I can tell, the standard. If you take every reasonable precaution to avoid the disclosure, and report when disclosures happen, so that your duty officers can make policy amendments to prevent future disclosures of that type, you are in the clear.  Just be aware that modern digital media is actively antagonistic to privacy, and that means complete forbidding of those technologies may be necessary to assure reasonable protection status. Many facilities enforce such a rule, and for this very reason.  It is unreasonable to rip a camera out of a duchebag's hands. It IS reasonable to ask them that they not take the picture, and to respect your residents and their privacy. When the douchebag fails to comply, report the unauthorized photography.

That is about all you can do really.  Just be mindful about your communication, when, and where-- and do everything you possibly can to avoid revealing the information.
Logged