HIPAA Privacy at L’Arche Cleveland
Appropriate Disclosures in a Group Home for the Developmentally Disabled
L’Arche Cleveland Director Becky Brady, like many others, attended a seminar on HIPAA Privacy which was offered by her industry trade association. She received a set of sample policies and procedures which were designed for an intermediate care facility, which was a very different type of organization. She heard talk about locking up files, shredding documents, and not revealing even the name of their clients. This type of secrecy concerned her as harmful to the heart and spirit of the L’Arche philosophy. L’Arche is built on the concept of disabled and non-disabled living together in community, sharing both life’s burdens and victories. L’Arche groups engage in the larger community, including the workplace, religious congregations, and even in political campaigns. Was it possible to comply with these new regulations without destroying the essence of their agency?
It is doubtful that the authors of the HIPAA privacy regulation have ever been in a group home for the developmentally disabled; rather the authors were thinking about hospitals, physician offices, nursing homes and other settings where “health care” is delivered. Nonetheless, after carefully reviewing the definitions and the applicability phrases of the regulations, it became clear that L’Arche Cleveland fell within the wide net cast by the authors of these regulations. L’Arche Cleveland engaged Eagle Consulting to assist with implementation of HIPAA Privacy.
The creativity in this engagement came from understanding the guiding principles, philosophy, and approach of L’Arche and to fitting this into the complex regulatory framework of the 400 page HIPAA Privacy regulations. Specifically, strategies were explored at how L’Arche could continue with the essential spirit of their mission, and be compliant with the regulations.
L’Arche Background and Philosophy
L’Arche-Cleveland is a faith community and MR/DD agency with 4 houses where 14 developmentally disabled individuals, called “Core Members,” live with 7 staff (“Assistants”). L’Arche-Cleveland is one of 130 L’Arche communities located in 28 countries worldwide. It was founded by Jean Vanier of France in 1964. Fundamental to these communities are handicapped and non-handicapped living together in relationship. In his 1979 book Community and Growth – Our pilgrimage Together, Vanier describes the therapy of L’Arche “[It] is a therapy based on the faith we have in the handicapped person, in the beauty hidden in their being and in our conviction that they can grow through authentic human relationships built up in communities founded on pardon and celebration”.
This therapeutic approach is manifested in the mission of L’Arche Cleveland:
TO CREATE HOMES where faithful relationships based on forgiveness and celebration are nurtured.
TO REVEAL THE UNIQUE VALUE AND VOCATION of each person.
TO CHANGE INDIVIDUALS AND SOCIETY by choosing to live relationships in community as a sign of hope and love.
The question is how can L’Arche-Cleveland reconcile its treatment approach involving relationships, home life, celebration with the apparent need for secrecy suggested by so many HIPAA educators?
Some Common Situations at L’Arche
“Protected Health Information,” (PHI) as defined in HIPAA, includes a person’s name, address, and virtually anything about the person which is individually identified. So when core member Joe (not his real name) has a birthday party, inviting 30 people including many from outside the L’Arche community, can a staff member introduce core members to the outside guests? Or when Minnie is hospitalized for gall bladder surgery, can a staff member call her church’s pastor to ask for prayers? When George receives an award from his employer, a national fast-food chain, for outstanding service, can a staff member reveal this with one of George’s friends outside of L’Arche? And finally, is it OK to discuss details about another core member’s compulsive overeating?
The L’Arche Philosophy in the context of the HIPAA Privacy Regulations
The HIPAA Privacy regulations specifically allow both use, and disclosure of PHI for the purposes of “treatment, payment, and operations”. Furthermore, for treatment, a healthcare provider is not obliged to implement the so-called “minimum necessary” provisions, which would limit the information disclosed to that specifically necessary to accomplish the task.
In the case of L’Arche-Cleveland, treatment includes the “therapy” of people growing through “authentic human relationships”. It includes the “creation of homes . . . based on forgiveness and celebration”. It includes “changing society” by being a “sign of hope and love”. All of this is defined in their mission, in published works regarding their philosophy and ideology, and their operating handbooks.
Activities at L’Arche certainly involve nursing care, delegated nursing, the dispensing of medications, and other activities which are clearly recognized as health care “treatment”. However, it can be argued persuasively that the documented philosophy and approach of L’Arche, described above, is also an essential aspect of what HIPAA calls “treatment”.
Consequently, L’Arche personnel have wide latitude to “use” PHI (that is, to share it within the organization) as well as to “disclose” it, that is, to share PHI with individuals outside of the L’Arche community when they are living the lifestyle and philosophy of L’Arche. The questions above are answered based on the understanding that the L’Arche philosophy is treatment. Yes, it is permissible to introduce the core members to the guests at the birthday party – this celebration is “treatment”. And it is allowed to call the pastor about a Core Member’s hospitalization – nurturing her relationship with her church is also treatment. And it is acceptable to share a Core Member’s triumphs at work with a friend – this little celebration is another example of treatment.
Does this mean that there are no HIPAA protections? Certainly not. HIPAA places the burden on L’Arche Assistants to think before they speak, and to share information only when it is in keeping with L’Arche’s stated mission and philosophy. Gossip and complaining, for example, would be difficult to construe as treatment. For example, it might be difficult to defend complaints about a core member’s compulsive eating disorder. On the other hand, a victory over this problem might be a cause for celebration, which may be acceptable for disclosure. Those looking for answers in black and white won’t find them. HIPAA compliance, and the protection of core member’s privacy, in the context of L’Arche, requires sound judgment.
Importance of Documentation and Training
Compliance with the HIPAA guidelines requires that these interpretations be formally documented in a written policy and procedure manual. Eagle Consulting assisted L’Arche Cleveland with the documentation of these guidelines for disclosure, and the creation of over 30 other policies and procedures spanning over 60 pages. Given the ambiguous nature of compliance, training of staff is particularly important. The best training involves a combination of written guidelines, with sample vignettes illustrating appropriate and inappropriate disclosures, as well as the opportunity for staff members to role play. Given the significant fines involved for inappropriate disclosure, prudent risk management suggests that staff should be trained appropriately, including annual refreshers.
The HIPAA Privacy rule is a complex work, and which often provides organizations many options in compliance approaches. In some respects, the rule provides organizations a surprising amount of latitude in disclosure. The case of L’Arche Cleveland illustrates the difficulty of applying a standard set of policies and procedures without a careful analysis of the specifics of the organization. In this instance, creativity was necessary to first understand the organization, and then find an approach to compliance while maintaining the essential mission and spirit of the organization. This was followed with the creation of custom policies, simple enough to be understood and followed by the staff, and rigorous enough to protect the organization from the significant penalties from non-compliance.