Church & HIPAA Question

Some discussions just don't fit into a well defined box. Use this forum to discuss general topics and issues revolving around the Church and the technology offerings we use and share.
srasay2-p40
New Member
Posts: 7
Joined: Mon Oct 08, 2007 5:22 pm

Church & HIPAA Question

Postby srasay2-p40 » Thu May 21, 2009 1:49 pm

As an official organization, do we need to be worried about HIPPA compliance?

I am not up to speed on the breadth and scope of the requirements for HIPPA. But let me provide you with a bit of context. As the Stake EmComm guy, and working with the Ward EmPrep specialists, we are working on compiling Skills/Resources/Special Needs - one of the special needs we thought about adding was life threatning medical conditions requiring immediate medication/treatments - i.s. Coumadin (warfarin) to prevent strokes and other heart/blood related problems. If someone was evacuated, and didnt have their medication, stroke is usually imminent within 24-36 hours... but what I want to be careful of is exposing the church to liabilities relating to the storing and sharing of private info.

Any thoughts - besides the obvious - just dont do it - would be appreciated.

Rich
W6SRA
Folsom California Stake

russellhltn
Community Administrator
Posts: 20752
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Thu May 21, 2009 3:02 pm

Good question! I'd start by capturing the minimum amount of information required to do the job. To use the example given, do we really need to know that the member needs Coumadin, or is just knowing that they require medicine enough? Or maybe just that they are a "medical priority" and it's a flag to get in contact with the member ASAP to check on them? From an operational view, I think the latter is about all we can do on a church-level anyway. Because the quantity of medicine they have in their pocket is the difference between a potential emergency and a non-issue.

From a practical standpoint, the more detail you capture, the more likely it will be out of date and the more effort it takes to keep it updated. And hopefully by keeping information in the broadest form needed, any HIPPA issue can be minimized.

I'd still like to hear from anyone with HIPPA knowledge.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

aweitzel-p40
New Member
Posts: 7
Joined: Mon May 04, 2009 12:24 pm
Location: Colorado Springs, Colorado

HIPAA and Medications

Postby aweitzel-p40 » Fri May 22, 2009 8:31 am

First – this post is for informational purposes only, and does not constitute, and may not be relied upon as, legal advice. We are not creating an attorney-client relationship here. If you need further guidance, please seek competent legal advice from an attorney licensed in your jurisdiction.

We have two issues here. The first issue is the Emergency Plan part of having medication available, and the second issue is whether HIPPA's privacy rules apply. I deal with the emergency plan issues on a constant basis in my role as a director of the National Association of Church and School Security. This is a hot topic across the country right now. With respect to medications there are also two issues. First, who administers the medication? Second, how are we controlling/storing the medication if it is a controlled substance? I want to raise some of the issues that ought to be considered, but I cannot give you definitive answers because the laws of your jurisdiction may vary.

Medications:

For example, if a primary child has severe asthma, it would be a good idea to have some on location in the event of an asthma attach during church or during an emergency, especially if something happened that caused the building to shelter-in-place, you may be stuck in that room for days. Because it is a prescription drug, there are limitations on who can administer the medication. For asthma, parents or the child could generally administer the medication as necessary. The same holds true for stroke medication and other regular prescription medications, as long as the drugs are being taken in a preventative manner. However, there are circumstances that could arise where somebody other than the patient may need to administer the medication (i.e. emergency treatments). In Colorado we have laws that allow certain qualified, identified, emergency response providers to administer medication without exposing themselves or the organization to liability. The church needs to identify those people with the requisite qualifications as part of its emergency plan. If the church does that, both the church and the member should be able to avoid liability for administering the medication. What you want to avoid is having the primary president, or relief society president, or high priest group leader, turn into a nurse tasked with dispensing or administering medication. That would be bad.

The second issue is controlling the actual medication. For most medications (including an inhaler) the patient, parent, or child could be responsible for bringing that medication to church to avoid storage issues. If a parent has that medication, you need to know where that parent will be at any hour. We generally encourage people to bring enough medication to last for a full day or more, in the event an emergency prevents them from replenishing their stock. That makes sense. You may also want to have certain medications on hand, provided that: (i) the medication is prescribed to, and provided by, the person who will be using that medication, and (ii) you have a qualified person able to administer the medication if necessary. If you decide to have medication on the premises, ensuring the secure storage of that medication is important, but not impossible. A good lock-box would work. However, you do not want to get into issues of trying to store any Schedule III drugs, such as Vicodin.

It is always a good idea to look at the "Good Samaritan" laws for your state. For example, in Colorado, a person providing emergency medical care is generally immune from liability as long as their actions are not grossly negligent; although medical professionals are still held to their normal standard of care and ethics. The same holds true for operating an AED device. The individual operator is not liable as long as they act reasonably and are not grossly negligent. However, the organization providing the AED device may be liable unless they qualify under a separate immunity provision, which states that the AED device must be provided pursuant to an emergency/training plan that is overseen by a physician. Good Samaritan laws generally do not allow for the administration of medication as part of emergency first aid. Which brings us back to the main topic – who is going to administer the medicine you have on hand, and how are you going to control it. Unfortunately, there is no "final answer" for these types of questions. I always tell churches that "a canned plan is not a plan." The right answer for your situation, as with any element of a security plan, only comes from the mental efforts of thinking critically about each potential threat or incident as it applies to your congregation and building.

HIPAA:

Now for HIPAA – the Health Insurance Portability and Accountability Act. HIPAA's privacy rules deal with the "protected health information" of individuals that is collected or held by "covered entities." This is not my main area of practice, but I do come across the rules on occasion. Generally, "covered entities" include health insurers, medical care providers, medical record/health care clearing houses, and employer sponsored health plans. Boy Scout camps collecting health forms and medications would not come within the scope of a "covered entity" nor does it seem that a church collecting similar information for emergency purposes would be considered a "covered entity." Thus, the church should not be subject to HIPAA's strict privacy and disclosure rules, nor would it be subject to the accompanying security, electronic security, and storage rules. However, it would nevertheless be a good idea to keep any information you collect as secure as possible and only discloses such information if necessary. Being careless with this type of personal information (especially something like being HIV positive) could open the church to additional claims for damages.

The earlier post also raises the practical issues of keeping this information up to date (don't our clerks already have enough to do).

Good luck!

russellhltn
Community Administrator
Posts: 20752
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri May 22, 2009 10:09 am

Great post!

If I was tasked to come up with an emergency plan, I think I'd just gather a list of people with potentially life-threatening conditions and make it a priority to check with them in a event. If there is an issue, then communicate that to authorities.

That may not sound like much of a plan, but unless the member decides to work with the church in developing their own plan, I'm not sure how practical it is to do much more.

If you have the expertise in-stake, you might be able to do more.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Return to “General Discussions”

Who is online

Users browsing this forum: No registered users and 1 guest