HIPAA Overview for Assisted Living and Residential Care


Course Number:

Availability: In stock

This course is not approved by the California Department of Social Services (CDSS). For courses that are approved to meet the CDSS certification or recertification requirements, please click here.

Assisted living and residential care providers hold a great deal of their residents' private health information. Protecting the privacy of this information is an important responsibility that is heightened further by HIPAA rules. During this course we will provide an overview of the HIPAA Privacy Rule as it applies to assisted living and residential care, including identifying when a provider would be considered a “covered entity”.

Course Information:
  • Online Training Course
  • Credit Hours: 1
  • HIPAA and the Importance of Confidentiality
  • How the Privacy Laws Apply to Assisted Living and Residential Care
Helpful Instructions
Purchasing Courses for Yourself:

This Training course is delivered 100% online through our Online Campus. In order to enroll you in a course we will need to collect your First Name, Last Name and Email Address.

When you place your order we will create an account for you, or add the courses to your existing account if you are a return customer. Access to the Online Campus is based on your email address. If you are a return customer, please purchase using the same email address used previously to avoid creating a duplicate account.

The course(s) you purchase will be available within 10 minutes of purchase and your login information will be sent to the email address you provide.
Purchasing Courses for Others:

This Training course is delivered 100% online through our Online Campus. If you are purchasing for others or your employees, please make sure to provide the First Name, Last Name, and Email Address of the person who you are purchasing for.

IMPORTANT: Access to the Online Campus is based on email addresses. If you are purchasing for multiple people, each person must have a unique email address to access the Online Campus. DO NOT USE THE SAME EMAIL ADDRESS FOR DIFFERENT INDIVIDUALS!

When you place your order we will create accounts for each individual you are purchasing for. If you are a return customer, please purchase using the same email address used previously to avoid creating duplicate accounts.

Example: Jim is buying a course for Bob. Jim will provide Bob’s First, Last and Email before the course is added to cart. Jim then uses his personal information for the checkout process.

We understand no one likes to give out their information and that’s why we only require the course attendee’s First Name, Last Name and Email to add the course to your shopping cart.

The course(s) you purchase will be available within 10 minutes of purchase and each person’s login information will be sent to the email address you provide.


Course Objectives

    By the end of this course participants will be able to:
  • 1. Define HIPAA and explain the importance of confidentiality.
  • 2. Describe how the privacy laws apply to assisted living and residential care.
  • 3. Understand what information is protected.
  • 4. Define who is covered by the privacy rules.
  • 5. Understand how to properly disclose personal health information.
  • 6. Learn how to properly dispose of personal health information.
  • 7. Learn what penalties may be incurred for noncompliance with privacy rules.
  • 8. Develop safeguards to stay in compliance.
  • 9. Answer common questions about HIPAA Privacy Rule regulations.

Course Outcomes

    Module One
  • I. Introduction to HIPAA Privacy Rules
  • a. HIPAA is the Health Insurance Portability and Accountability Act
  • b. A federal law enacted by Congress in 1996
  • c. Two Parts of HIPAA
  • i. Title I – Protects health insurance coverage for workers and their families when they change or lose their job
  • ii. Title II – Created national standards for electronic health care transactions and provisions to address privacy and security of health information
  • d. Privacy Rule
  • i. Health history
  • ii. Medical diagnosis
  • iii. Treatment plans
  • iv. Prescriptions
  • v. Cognitive changes
  • vi. Disabilities or other physical limitations
  • e. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form
  • II. Who is covered by the privacy rules?
  • a. The HIPAA Rules apply to covered entities and business associates
  • i. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information
  • 1. Health care providers
  • 2. Health plans
  • 3. Health care clearinghouses
  • ii. Health Plan:
  • 1. Health insurance companies
  • 2. HMOs
  • 3. Company health plans
  • 4. Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
  • 5. Assisted living providers are not a “health plan”
  • iii. Health Care Clearinghouse
  • 1. Entities that process nonstandard health information they receive from another entity into a standard, or vice versa
  • 2. Assisted living providers are not a “health care clearinghouse”
  • iv. Health Care Provider
  • 1. Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers
  • 2. This could include assisted living in some circumstances…
  • 3. Doctors
  • 4. Clinics
  • 5. Psychologists
  • 6. Dentists
  • 7. Chiropractors
  • 8. Nursing Homes
  • 9. Pharmacies
  • III. Does HIPAA apply to assisted living and residential care?
  • a. Varies by state
  • b. Most assisted living residents are private pay
  • c. Caring for residents under state Medicaid programs would increase likelihood of being a covered entity
  • d. Even if you are not a “covered entity” many of the basic privacy and confidentiality provisions are a good practice for all providers
  • IV. What information is protected?
  • a. Protected Health Information (PHI)
  • i. Individually identifiable health information
  • ii. Transmitted by a Covered Entity or its Business Associate
  • b. Health information, including demographic information
  • i. Relates to an individual’s physical or mental health or the provision of or payment for health care
  • ii. Identifies the individual
  • c. Examples in Assisted Living
  • i. Physician Report
  • ii. Resident Assessments and Appraisals
  • iii. Medication Records
  • iv. Service Plans
  • V. What Is NOT Covered?
  • a. Employment records of covered entity
  • b. Family Educational Rights and Privacy Act (FERPA) records
  • c. Not considered PHI
  • VI. How PHI is Protected
  • a. A covered entity may not use or disclose a resident’s protected health information, except as specifically permitted or required in the Privacy Rule

  • Module Two
  • I. Disclosing personal health information
  • a. Disclosures
  • i. There will be times when you need to disclose personal health information about your residents
  • ii. What is allowed under HIPAA
  • 1. Required disclosures
  • 2. Allowed without authorization
  • 3. Allowed with authorization
  • iii. Permitted Disclosures
  • 1. To the Individual
  • a. A covered entity may disclose protected health information to the resident who is the subject of the information
  • 2. Treatment, Payment, and Health Care Operations
  • a. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities
  • 3. Opportunity to Agree or Object
  • a. Information permission may be obtained by asking the individual
  • 4. Incidental Use and Disclosure
  • a. Rule permits uses/disclosures incident to an otherwise permitted use or disclosure, provided minimum necessary and safeguards standards are met
  • 5. Public Interests and Benefit Activities
  • a. Public health activities
  • b. Abuse, neglect or domestic violence
  • c. Health oversight
  • d. Law enforcement
  • 6. Limited Data Set for the purpose of research, public health or health care operations
  • a. Identifiers have been removed
  • II. Authorizations
  • a. Any other disclosure requires a written authorization from the individual
  • i. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances
  • b. An authorization must:
  • i. Be written in specific terms
  • ii. Be in plain language
  • iii. The information to be disclosed or used
  • iv. The person(s) disclosing and receiving the information
  • v. Expiration
  • vi. Right to revoke in writing
  • c. An authorization may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party
  • III. Minimum necessary
  • a. A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure
  • b. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed
  • c. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary
  • IV. Privacy practices notices
  • a. Each covered entity, with certain exceptions, must provide a notice of its privacy practices
  • b. The notice must:
  • i. Describe the ways in which the covered entity may use and disclose protected health information
  • ii. State the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice
  • iii. Describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated
  • iv. Include a point of contact for further information and for making complaints to the covered entity
  • V. Access
  • a. Except in certain circumstances, individuals have the right to review and obtain a copy of their protected health information
  • b. Follow your organization’s policies before releasing information
  • c. Personal Representatives
  • i. The Privacy Rule requires a covered entity to treat a “personal representative” the same as the individual, with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights
  • ii. A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate
  • iii. The Privacy Rule permits an exception when a covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, or that treating the person as the personal representative could otherwise endanger the individual
  • VI. Disposing of PHI
  • a. Covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information
  • b. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI
  • c. PHI paper records must be made unreadable and unable to be reconstructed:
  • i. Shredding
  • ii. Burning
  • iii. Pulping
  • iv. Pulverizing
  • d. Labeled prescription bottles and other PHI kept in opaque bags
  • i. In a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI
  • e. Electronic Media
  • i. Clearing
  • 1. Using software or hardware products to overwrite media with non-sensitive data
  • ii. Purging
  • 1. Degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains
  • iii. Destroying the media
  • 1. Disintegration
  • 2. Pulverization
  • 3. Melting
  • 4. Incinerating
  • 5. Shredding
  • f. A covered entity may hire a business associate to appropriately dispose of protected health information on its behalf
  • VII. Penalties for noncompliance
  • a. Civil Money Penalties
  • i. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement
  • ii. Penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year
  • iii. May not impose a civil money penalty under specific circumstances
  • 1. When a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation
  • b. Criminal Penalties
  • i. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment
  • ii. Criminal sanctions will be enforced by the Department of Justice
  • iii. Increases to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses
  • iv. Increases to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm

  • Module Three
  • I. Policies and Procedures
  • a. Implement policies and procedures regarding PHI that are designed to comply with the Privacy Rule
  • b. Change policies and procedures as necessary to comply with applicable laws
  • c. Ensure that material changes to privacy practices are stated in the notice
  • d. Safeguards
  • i. Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI
  • e. Mitigation
  • i. Mitigate any harmful effect of use or disclosure of PHI in violation of policies and procedures or the Privacy Rule that is known to the Covered Entity, to the extent practicable
  • II. Complaints
  • a. Provide a process for individuals to make complaints
  • b. Do not require individuals to waive their rights to file a complaint with the Secretary or their other rights under the Privacy Rule
  • c. Refrain from intimidating or retaliatory acts
  • III. Personnel
  • a. Privacy Personnel
  • i. Designate a privacy official
  • ii. Designate a contact person or office
  • b. Training
  • i. Provide privacy training to all staff as necessary and appropriate to their functions
  • c. Employee Sanctions
  • i. Develop and apply a system of sanctions for employees who violate your policies or the requirements of the Privacy Rule
  • IV. Documentation
  • a. Written or electronic for six years
  • b. Requirements
  • i. Policies and procedures
  • ii. Training provided, privacy official, contact person
  • iii. Complaints to covered entity and their disposition
  • iv. Notice of privacy practices, acknowledgement, and good faith efforts to obtain acknowledgments
  • v. Authorizations
  • vi. Business associate contracts
  • vii. IRB/Privacy Board Waivers
  • viii. Designated record sets that are subject to access by the individual, access contact person, requests, and responses
  • ix. Amendment contact persons, requests, denials, disagreements and rebuttals
  • x. Information required to be in accounting, accounting contact person, requests, and accounting provided to individual
  • xi. Restriction request agreements
  • xii. HCC designations
  • xiii. Affiliated covered entity designations
  • xiv. Verification documents of public officials, personal representatives, etc
  • xv. Any other communication required by Rule to be in writing
  • V. Compliance Checklist
  • a. Determine if you are a Covered Entity
  • b. Decide on organizational structure
  • c. Identify Business Associate relationships and enter Business Associate Agreements
  • d. Compare current PHI use and disclosure practices with Privacy Rule requirements, and identify where practices need to change.
  • e. Identify “TPO” uses and disclosures of PHI, all other uses and disclosures (e.g., public policy), and develop Minimum Necessary policies and protocols
  • f. Develop a valid authorization form for future use
  • g. Develop and provide a Notice and, if necessary, an Acknowledgment form
  • h. Develop a system to track and account for disclosures
  • i. Designate a Privacy Official and contact person or office
  • j. Design and Implement Policies and Procedures
  • k. Develop and implement systems to safeguard PHI
  • l. Train workforce
  • m. Check the Rule for particular requirements

  • Module Four
  • I. Do we have to obtain a consent form from every resident before sharing treatment information with their physician?
  • a. No
  • i. Health care providers can freely share information for treatment purposes without a signed patient authorization
  • II. Does HIPAA mean I cannot communicate with the resident’s family or responsible party?
  • a. No – As long as the resident does not object, the Privacy Rule permits:
  • i. Share needed information with family, friends, or anyone else a resident identifies as involved in his or her care
  • ii. Disclose information when needed to notify a family member or anyone responsible for the resident’s care about the resident’s location or general condition
  • iii. Share the appropriate information for these purposes even when the resident is incapacitated if doing so is in the best interest of the patient
  • III. Does this mean calls or visits from family, friends, or clergy are prohibited?
  • a. No – Unless the resident objects, basic information such as phone numbers, room number and general condition can:
  • i. Be listed in the community directory
  • ii. Be given to people who call or visit and ask for the resident
  • iii. Be given to clergy along with religious affiliation (when provided by the resident), even if the resident is not asked for by name
  • IV. Does HIPAA prohibit abuse reporting?
  • a. No
  • i. You may continue to report abuse or neglect to appropriate government authorities
  • V. Does HIPAA prohibit all emails and faxes?
  • a. No
  • i. You can communicate with residents, providers, and others by email, telephone, or facsimile, with the implementation of appropriate safeguards to protect resident privacy

Instructor: Josh Allen, R.N.

Josh Allen is a Registered Nurse with over 20 years of experience in senior living. As the Director of InTouch at Home, Josh oversees all aspects of business development, care, services, and operations for the organization. As a part of the SRG Senior Living family of companies, InTouch at Home delivers personalized care and services to clients living in senior living communities as well as private residences across three states.

Josh also serves on the board of the American Assisted Living Nurses Association, and represents AALNA on the boards of the Center for Excellence in Assisted Living and Coalition of Geriatric Nursing Organizations. Josh has previously served as President and CEO of Care and Compliance Group, a leading training solutions provider.
