Judson, K., & Harrison, C. (2016). Law and ethics for the health professions (7th ed.). New York: McGraw-Hill.
Privacy, Security, and Fraud
LEARNING OUTCOMES
After studying this chapter, you should be able to:
LO 8.1 Discuss U.S. constitutional amendments and privacy laws that pertain to health care.
LO 8.2 Explain HIPAA's special requirements for disclosing protected health information.
LO 8.3 Discuss laws implemented to protect the security of health care information as health records are converted from paper to electronic form.
LO 8.4 Discuss the federal laws that cover fraud and abuse within the health care business environment and the role of the Office of the Inspector General in finding billing fraud.
LO 8.5 Discuss patient rights as defined by HIPAA, the Patient Protection and Affordable Care Act, and other health care entities.
FROM THE PERSPECTIVE OF ...
ANN, AN R.N. IN A TEXAS HOSPITAL FOR NEARLY 25 YEARS, remembers when patients' names were posted on the doors to their rooms. She and her colleagues once freely informed telephone callers and visitors how patients were progressing. Now, Ann remarks, because of federal legislation to protect the privacy and security of health care information, times have changed. "We have to be so careful about releasing any information that when my father's dear friend was admitted to my floor in the hospital where I work, I couldn't tell him that his friend had been admitted."
From Ann's perspective, because she cares about her patients, she would like to be able to talk more freely with family members or friends who also care about her patients. But she is duty-bound to follow the law, and she knows the benefits to patients of laws that guard their privacy.
From the perspective of friends and family members who call for information about a patient, the law is harsh and hard to understand. They are often angry when they cannot learn the status of a friend or loved one.
From the perspective of some patients, the law sometimes feels overprotective and unnecessarily intrusive, but for others, such as the patient who has tried to commit suicide and failed, who doesn't want anyone to know he is in the hospital, or the battered spouse who doesn't want her abusive husband to find her, it's a safety net they can depend on.
The United States Constitution and Federal Privacy Laws
LO 8.1 Discuss U.S. constitutional amendments and privacy laws that pertain to health care.
Contrary to popular belief, the term privacy (freedom from unauthorized intrusion) does not appear in the U.S. Constitution or the Bill of Rights. However, the United States Supreme Court has derived the right to privacy from the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the Constitution.
privacy  Freedom from unauthorized intrusion.
LANDMARK COURT CASE The Constitution Protects the Right to Privacy
In November 1961, the executive director and the medical director of a Planned Parenthood clinic in Connecticut were charged with violating a state statute prohibiting the dispensing of contraceptive devices to a married couple. The defendants were convicted and fined $100 each. The U.S. Supreme Court heard the case in March 1965 and issued a written opinion on June 7, 1965. William O. Douglas, writing the majority opinion for the Court, held that the Connecticut statute was an unconstitutional violation of the right of privacy. Douglas noted that many rights are not expressly mentioned in the Constitution, but the Court has nevertheless found that persons possess such a right. In reviewing the many rights that Americans possess, Douglas noted the existence of "penumbras" or "zone(s) of privacy created by several fundamental constitutional guarantees."
As a result of the Supreme Court's decision in Griswold v. Connecticut, patients possess certain rights that affect the delivery of medical services and health care. For example, persons have the right to refuse medical treatment, and courts now recognize a person's right to die.
Griswold v. Connecticut, 381 U.S. 479, 85 S. Ct. 1678, 14 L. Ed. 2d 510 (1965).
First Amendment: Congress cannot prohibit or abridge free speech. In addition, the Establishment and Free Exercise clauses of this amendment prohibit the government from funding, showing preference for, or discriminating against any religion.
Third Amendment: Soldiers cannot be quartered in private homes without the consent of the owner.
Fourth Amendment: People have the right to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.
Fifth Amendment: No person can be compelled to testify against himself, be tried twice for the same offense, or be deprived of life, liberty, or property without due process of law. The Miranda warning ("You have the right to remain silent ...") read during criminal arrests derives from this amendment.
Ninth Amendment: If certain rights are not explicitly mentioned in the Constitution, that does not mean they do not exist.
Fourteenth Amendment: All states must provide rights for citizens that are at least equal to those in the U.S. Constitution, and under the philosophy called federalism states may grant citizens additional rights not specifically granted in the U.S. Constitution.
COURT CASE Fourth Amendment Rights in Question
The Student Activities Drug Testing Policy adopted by the Tecumseh, Oklahoma, School District requires all middle and high school students to consent to urinalysis testing for drugs to participate in any extracurricular activity. Two Tecumseh High School students and their parents brought suit, alleging that the policy violates the Fourth Amendment, which states in part: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The district court granted the school district summary judgment. In reversing, the court of appeals held that the policy violated the Fourth Amendment. The appellate court concluded that before imposing a suspicionless drug-testing program a school must demonstrate some identifiable drug abuse problem among a sufficient number of those tested, such that testing that group will actually redress its drug problem, which the school district had failed to demonstrate.
The question before the court was: Is the Student Activities Drug Testing Policy, which requires all students who participate in competitive extracurricular activities to submit to drug testing, consistent with the Fourth Amendment?
The U.S. Supreme Court concluded that the answer to the question was yes. In a 5-4 opinion delivered by Justice Clarence Thomas, the Court held that, because the policy reasonably serves the school district's important interest in detecting and preventing drug use among its students, it is constitutional. The Court reasoned that the board of education's general regulation of extracurricular activities diminished the expectation of privacy among students and that the board's method of obtaining urine samples and maintaining test results was minimally intrusive on the students' limited privacy interest. "Within the limits of the Fourth Amendment, local school boards must assess the desirability of drug testing schoolchildren. In upholding the constitutionality of the Policy, we express no opinion as to its wisdom. Rather, we hold only that Tecumseh's Policy is a reasonable means of furthering the School District's important interest in preventing and deterring drug use among its schoolchildren," wrote Justice Thomas.
Board of Education v. Earls, 536 U.S. 822 (2002).
COURT CASE Fourteenth Amendment at Issue
William Baird spoke at Boston University on the subject of birth control and overpopulation. At the end of his talk, Baird gave away Emko Vaginal Foam to a woman who approached him. Massachusetts charged Baird with a felony, distributing contraceptives to unmarried men or women. Under state law, only married couples could obtain contraceptives; only registered doctors or pharmacists could provide them. Baird was not an authorized distributor of contraceptives.
At issue was: Did the Massachusetts law violate the right to privacy acknowledged in Griswold v. Connecticut, and did it violate protection from state intrusion granted by the Fourteenth Amendment?
The case reached the U.S. Supreme Court, where justices struck down the Massachusetts law, but not on privacy grounds. The Court held that the law's distinction between single and married individuals failed to satisfy the "rational basis test" of the Fourteenth Amendment's Equal Protection clause. Married couples were entitled to contraception under the Court's Griswold decision. Withholding that right from single individuals without a rational basis proved the fatal flaw. Thus, the Court did not have to rely on Griswold to invalidate the Massachusetts statute. "If the right of privacy means anything," wrote Justice William J. Brennan, Jr., for the majority, "it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision whether to bear or beget a child."
Eisenstadt v. Baird, 405 U.S. 438 (1972).
FEDERAL PRIVACY LAWS
Concern about privacy has led to the enactment of federal and state laws governing the collection, storage, transmission, and disclosure of personal data. Privacy laws are generally based on the following considerations:
1. Information collected and stored about individuals should be limited to what is necessary to carry out the functions of the business or government agency collecting the information.
2. Once it is collected, access to personal information should be limited to those employees who must use the information in performing their jobs.
3. Personal information cannot be released outside the organization collecting it unless authorization is obtained from the subject.
4. When information is collected about a person, that person should know that the information is being collected and should have the opportunity to check the information for accuracy.
A number of federal laws concern privacy, but until the Health Insurance Portability and Accountability Act (HIPAA) of 1996, federal privacy laws had dealt with financial and credit information or the theft or illegal disclosure of electronic information. HIPAA was the first federal law to deal explicitly with the privacy of medical records, and to ensure compliance, HIPAA provides for civil and criminal sanctions for violators of the law.
All states have laws governing the confidentiality of medical records, but laws vary greatly from state to state. Under HIPAA's preemption provisions (referred to here as state preemption), if a state's privacy laws are stricter than HIPAA privacy standards and/or guarantee more patients' rights, the state laws take precedence; where state law is weaker or conflicts with HIPAA, HIPAA applies.
Table 8-1 below lists eight major federal privacy laws passed since 1985.
state preemption If a state's privacy laws are stricter than HIPAA privacy standards, the state laws take precedence.
COURT CASE HIPAA Preempts State Law in Certain Instances
In July 2013, the U.S. Court of Appeals for the Eleventh Circuit ruled that HIPAA preempts state law in certain instances. The case centered on a Florida statute that allowed nursing homes to release medical records of a current or former resident to the "spouse, guardian, surrogate, proxy or attorney in fact" of the individual. However, many Florida nursing homes refused to disclose records to surviving spouses who had not been designated as the personal representative by the probate courts. The Florida Agency for Health Care Administration (AHCA) ordered the various nursing homes to release the information, stating that surviving spouses were equal to personal representatives. OPIS Management Resources, an owner of several nursing homes in Florida, filed suit against AHCA, claiming that HIPAA standards were higher and thus the state law conflicted. The Court of Appeals held the state statute was fatally flawed and "authorizes sweeping disclosures, making a deceased (nursing home) resident's protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident's stead."
OPIS Management Resources LLC v. Secretary, Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. Apr. 9, 2013).
Table 8-1 Major Federal Privacy Laws (date enacted, law, purpose)
1986: Electronic Communications Privacy Act (ECPA). Provides privacy protection for new forms of electronic communications, such as voice mail, e-mail, and cellular telephone.
1994: Computer Abuse Amendments Act. Amends the 1984 Computer Fraud and Abuse Act to forbid transmission of harmful computer code such as viruses.
1996: Health Insurance Portability and Accountability Act (HIPAA). Guarantees that workers who change jobs can obtain health insurance. Increases efficiency and effectiveness of the U.S. health care system by electronic exchange of administrative and financial data. Improves security and privacy of patient-identifying information. Decreases U.S. health care system transaction costs.
1999: Gramm-Leach-Bliley Act. Requires all financial institutions and insurance companies to clearly disclose their privacy policies regarding the sharing of nonpublic personal information with affiliates and third parties.
2005: Patient Safety and Quality Improvement Act (PSQIA). Helps assess and resolve patient safety and health care quality issues, encourages reporting and analysis of medical errors, and authorizes HHS to impose civil money penalties for violations of patient safety confidentiality.
2009: American Recovery and Reinvestment Act (ARRA), commonly called the Stimulus Bill. Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, makes substantive changes to HIPAA, including privacy and security regulations, changes in HIPAA enforcement, provisions about health information held by entities not covered by HIPAA, and other miscellaneous changes.
2010: Patient Protection and Affordable Care Act (PPACA), commonly called the Affordable Care Act or ACA. Deals mostly with the availability of health insurance coverage for all Americans, but also reinforces privacy regarding protected health information.
2010: Health Care and Education Reconciliation Act (HCERA). A federal law that adds to regulations imposed on the insurance industry by PPACA.
Check Your Progress
1. Does the Constitution provide specifically for the protection of privacy? Explain your answer.
2. What was the first federal law to deal explicitly with the privacy of medical records?
3.-6. Name four considerations for protecting privacy when federal and/or state legislation is written.
Since HIPAA is the federal legal standard for privacy and security of electronic health information throughout the health care industry, health care employees must follow the law's provisions, which are contained within four standards:
Standard 1. Transactions and Code Sets. A transaction refers to the transmission of information between two parties to carry out financial or administrative activities. A code set is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.
Required code sets for use under Standard 1 include Current Procedural Terminology (CPT), the International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM), and the International Classification of Diseases, Tenth Revision, Procedure Coding System (ICD-10-PCS). (Because the compliance date for ICD-10 was delayed to October 1, 2015, some coders may still be using ICD-9.)
Standard 2. Privacy Rule. Policies and procedures health care providers and their business associates put in place to ensure confidentiality of written, electronic, and oral protected health information.
Standard 3. Security Rule. Security refers to those policies and procedures health care providers and their business associates use to protect electronically transmitted and stored PHI from unauthorized access.
Standard 4. National Identifier Standards. Provide unique identifiers (addresses) for electronic transmissions.
By now all four sets of HIPAA standards have been implemented, and most health care practitioners are familiar with the language and rules that make up the requirements for compliance. Anyone needing a refresher course can visit www.hipaa.com for specific information.
Of special concern in this chapter are Standard 2, the Privacy Rule, and Standard 3, the Security Rule.
HIPAA's Requirements for Disclosing Protected Health Information
LO 8.2 Explain HIPAA's special requirements for disclosing protected health information.
HIPAA's Standard 2, the Privacy Rule, says that protected health information (PHI) must be protected against unauthorized disclosure, whether it is written, spoken, or in electronic form. PHI refers to information that contains one or more patient identifiers and can, therefore, be used to identify an individual. Information that includes one or more of the following makes a patient's health care information identifiable:
• Name.
• Zip code or other geographic identifier, such as address, city, or county.
• Date of birth, dates of treatment, or any other dates relevant to the individual.
• Telephone numbers.
• Fax numbers.
• E-mail addresses.
• Social Security number.
• Medical record numbers.
• Health plan beneficiary numbers.
• Birth certificate and driver's license numbers.
• Vehicle identification number and license plate number.
• Web site address.
• Fingerprints and voiceprints.
• Photos.
• Any other unique identifying number, characteristic, or code.
It is possible to de-identify health information by removing the patient identifiers listed above. Note that identifiers copied into free-text notes (a phone number or name inside a progress note) must be removed as well; stripping the structured fields alone does not de-identify the record.
protected health information (PHI)  Information that contains one or more patient identifiers.
de-identify  To remove from health care transactions all information that identifies patients.
permission  A reason under HIPAA for disclosing patient information.
covered entities  Health plans, health care clearinghouses, and health care providers that transmit HIPAA transactions electronically; they must comply with HIPAA standards and rules.
Health care providers and plans can use and disclose patient information (PHI), but to do so legally they must identify a permission, a legal reason for each use and disclosure. To use PHI means that you use patients' protected health information within the facility where you work in the normal course of conducting health care business. To disclose PHI means that patients' protected health information is sent outside of a health care facility for legitimate business or health care reasons.
Permissions: Using and disclosing PHI must fall within the following six HIPAA-defined permissions:
1. Disclosures to patients. HIPAA requires that PHI be disclosed to any patient who asks to see his or her own medical records (unless the health care provider believes that access will do harm to the patient). This includes talking to the patient about his or her diagnosis, treatment, and medical condition, as well as allowing the patient to review his or her entire medical record. Some records, however, such as psychotherapy notes, may be withheld.
2. Use or disclosure for treatment, payment, or health care operations: Health care practitioners need to use PHI within the medical office, hospital, or other health care facility for coordinating care, consulting with another practitioner about the patient's condition, prescribing medications, ordering lab tests, scheduling surgery, or for other reasons necessary to conduct health care treatment or business, such as insurance claims and billing. PHI disclosures for these purposes do not require written authorization.
If outside parties contact you or your employer for access to PHI for a purpose other than treatment, payment, or health care operations (for example, attorneys, medical survey representatives, pharmaceutical companies, or an insurance plan asking for records it does not need to pay a claim), you must have the patient's written authorization to release PHI. (Covered entities are health plans, health care clearinghouses, and health care providers that transmit HIPAA transactions electronically; they must comply with HIPAA standards and rules.)
3. Uses and Disclosures with Opportunity to Agree or Object. According to the HHS Web site http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html, informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, comply silently or without objection, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures if, in their professional judgment, the use or disclosure is determined to be in the best interest of the individual.
4. Incidental uses and disclosures of PHI are permitted without authorization from patients as follows:
• Nursing care center staff members can talk about patients' care if they take reasonable precautions to prevent unauthorized individuals, such as visitors in the area, from overhearing.
• Health care practitioners can talk to patients on the phone or discuss patients' medical treatments with other providers on the phone if they are reasonably sure that others cannot overhear.
• Health care practitioners can discuss lab results with patients and among themselves in a joint treatment area if they take reasonable precautions to ensure that others cannot overhear.
• Health care practitioners can leave messages on answering machines or with family members, but information should be limited to the amount necessary for the purpose of the call. (For detailed messages, simply ask the patient to return the call.)
• You can ask patients to sign in, call patients by name in waiting rooms, or use a public address system to ask patients to come to a certain area. A patient sign-in sheet, however, must not ask for the reason for the visit.
• You can use an X-ray light board at a nursing station if it is not visible to unauthorized individuals in the area.
• You can place patient charts outside exam rooms if you use reasonable precautions to protect patient identity: face the chart toward the wall or place the chart inside a cover while it is in place.
5. Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes, as listed on the HHS Web site at http://www.hhs.gov/ ocr/privacy/hipaa/understanding/summary/index.html:
• If required by law.
• As part of public health activities.
• For victims of abuse, neglect, or domestic violence.
• In health oversight activities.
• For judicial and administrative proceedings.
• For law enforcement purposes.
• For decedents when cause of death is released to funeral home, coroners, or medical examiners.
• For cadaveric organ, eye, or tissue donation.
• For research
• In the event of serious threat to health or safety.
• For essential government functions.
• In claims for Workers' Compensation.
limited data set  Protected health information from which certain patient identifiers have been removed.
6. Limited data set. A limited data set is protected health informa- tion from which certain specified, direct identifiers of individuals and their relatives, household members, and employers have been removed . A limited data set may be used and disclosed for research, health care operations, and public health purposes, pro- vided the recipient enters into an agreement promising specified safeguards for the PHI within the limited data set.
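De-identification (LO 8.2, removing the identifiers listed earlier in this section) and the limited data set in item 6 are the parts of the Privacy Rule that get implemented in code rather than in policy. The following is an added example, not from the textbook, that does both over a constructed patient record and then verifies the output. The field names, the regular expressions used to scrub free-text notes, and the decision to retain dates and city/county/zip in limited-data-set mode (which follows the federal rule at 45 CFR 164.514(e); the page only says "certain identifiers") are this example's assumptions.

```python
import re
from copy import deepcopy

# Structured fields matching the identifier categories the chapter lists.
# Field names are this example's assumption; the rule names categories,
# not a record schema.
DIRECT_IDENTIFIERS = {
    "name", "address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "drivers_license", "birth_certificate",
    "vin", "license_plate", "url", "fingerprint", "voiceprint", "photo",
    "other_unique_id",
}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}

# Limited data set: direct identifiers go, but dates and city/county/zip may
# stay for a recipient bound by a data use agreement (45 CFR 164.514(e);
# an assumption of this example, the page does not enumerate these).
LIMITED_DATA_SET_KEEPS = {"city", "county", "zip"} | DATE_FIELDS

# Free-text fields where identifiers typically leak through.
FREE_TEXT_FIELDS = {"notes", "history"}

# Patterns for identifiers that show up inside clinical notes.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE)),
]


def scrub_text(text, name_tokens=(), keep_dates=False):
    """Replace identifier patterns, then the patient's own name tokens, in free text."""
    for label, pattern in PATTERNS:
        if keep_dates and label == "DATE":
            continue
        text = pattern.sub(f"[{label}]", text)
    for token in name_tokens:
        token = token.strip(".,")
        if len(token) > 1:  # skip initials; a lone letter would over-redact
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text,
                          flags=re.IGNORECASE)
    return text


def deidentify(record, mode="safe_harbor"):
    """Return (cleaned_record, removed_fields) for one patient record."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    keep = LIMITED_DATA_SET_KEEPS if mode == "limited_data_set" else set()
    name_tokens = str(record.get("name", "")).split()
    cleaned, removed = {}, []
    for field, value in record.items():
        if (field in DIRECT_IDENTIFIERS or field in DATE_FIELDS) and field not in keep:
            removed.append(field)
            continue
        if field in FREE_TEXT_FIELDS and isinstance(value, str):
            cleaned[field] = scrub_text(value, name_tokens, keep_dates=bool(keep))
        else:
            cleaned[field] = deepcopy(value)
    return cleaned, sorted(removed)


def residual_identifiers(record, keep_dates=False):
    """Verification step: which identifier patterns still appear in free text?"""
    hits = []
    for field in sorted(FREE_TEXT_FIELDS):
        text = str(record.get(field, ""))
        for label, pattern in PATTERNS:
            if keep_dates and label == "DATE":
                continue
            if pattern.search(text):
                hits.append((field, label))
    return hits


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "00012345",
    "name": "Jane Q. Doe",
    "date_of_birth": "03/14/1961",
    "admission_date": "06/02/2015",
    "zip": "78701",
    "phone": "(512) 555-0142",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "diagnosis_code": "I10",
    "notes": ("Jane Doe (MRN 00012345) admitted 06/02/2015; call 512-555-0142 "
              "or jane.doe@example.com. BP stable."),
}

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited_data_set"):
        cleaned, removed = deidentify(SAMPLE_RECORD, mode)
        print(mode, "removed:", removed)
        print("  notes:", cleaned["notes"])
        print("  residual:", residual_identifiers(cleaned, keep_dates=(mode != "safe_harbor")))
```

The `residual_identifiers` check is the step most often skipped: identifiers copied into a progress note survive field-level removal, so the scrub has to be verified on the output rather than assumed from the schema. Pattern matching is a floor, not a ceiling; names other than the patient's own and rarer identifiers in free text still need review before the data set leaves the covered entity.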
The HIPAA Privacy Rule does not give patients the express right to sue. Instead, the person must file a written complaint with the secretary of Health and Human Services through the Office for Civil Rights. The HHS secretary then decides whether or not to investigate the complaint. Patients may have other legal standing to sue under state privacy laws. (See Court Case, "EMT Liable for Violating Patient's Privacy.") See Table 8-3 on page 222 for a list of patients' rights under the HIPAA Privacy Rule.
COURT CASE EMT Liable for Violating Patient's Privacy
An EMT employed by a volunteer fire department provided emergency treatment to a female patient for a possible drug overdose. The unresponsive patient was transported to a hospital. The EMT returned home and later spoke to a friend, telling her that she had assisted in taking a specific patient to the hospital emergency room for treatment for a possible drug overdose.
Prior to the emergency, the EMT had never met the patient. However, about two weeks prior to the incident, the EMT had heard about the patient and her medical problems at a social event. The woman who spoke about the patient was apparently a friend, and it was this person whom the EMT telephoned after the patient's overdose.
The patient sued the EMT and her insurance company, alleging that she had defamed her and violated her privacy by publicizing information concerning her medical condition and making untrue statements indicating that she had attempted suicide. The patient claimed that she had been and was continuing to undergo medical care due to illness, and that the apparent overdose she suffered was a "reaction to medication."
The insurance company claimed the EMT's actions were within the scope of her employment. The EMT argued that she had not acted recklessly or unreasonably in contacting the patient's friend regarding her care.
The EMT offered to settle for $5,000, but the plaintiff refused and the matter went to a jury trial. The jury found that the EMT had violated the plaintiff's right of privacy, as alleged. The jury also awarded the plaintiff/patient $37,909.86 in compensatory damages and attorney fees. The EMT and her insurance company appealed. An appeals court upheld the judgment of the lower court.
Pachowitz v. Ledoux, 2003 WL 21221823 (Wis. App., May 28, 2003).
Check Your Progress
7. Define protected health information.
8. Define de-identify.
9. Which law usually prevails, federal or state, if a state law provides greater privacy protection than a federal law? Explain your answer.
10. What is the process illustrated in question 9 called?
11. One can only legally release PHI under six HIPAA-defined __.
Laws Implemented to Protect the Security of Health Care Information
As listed in Table 8-1, the American Recovery and Reinvestment Act (ARRA), commonly called the Stimulus Bill, made substantive changes to HIPAA, including privacy and security regulations, changes in HIPAA enforcement, provisions about health information held by entities not expressly covered by HIPAA, and other miscellaneous changes. The ARRA also mandated a deadline, January 1, 2014, for all public and private health care providers and other eligible professionals across the country to have adopted and demonstrated "meaningful use" of electronic medical records (EMR) in order to keep their existing Medicare and Medicaid reimbursement levels. ("Meaningful use" is explained below.)
First, note the difference between electronic medical records (EMR) and electronic health records (EHR), because, according to www.healthit.gov, an online source of information about information technology in the health industry, the two terms are not interchangeable. The electronic medical record (EMR) is the electronic form of a patient's medical history from just one practice. It lets health care providers in one facility:
• Track data over time.
• Identify with a glance which patients are due for screenings or check-ups.
• Check patients' progress within certain parameters, such as blood pressure, cholesterol and blood sugar readings, and vaccinations.
• Monitor and improve overall patient care within the practice.
By contrast, the electronic health record (EHR) is a more comprehensive electronic patient history, focusing on the total health of the patient and including a broader view of a patient's care. This more detailed record allows for:
• A record that travels with the patient so that emergency department clinicians who see a patient in his home city or traveling across the country will know about any life-threatening allergies, or clinicians treating people injured in a disaster will know which medications the patient is taking.
• The opportunity for the patient to log on to her own record and see trends in lab results over time, which can help her plan for staying healthy.
• Specialists to see what tests, X-rays, and other procedures have already been done on a patient, thus avoiding unnecessary duplication when possible.
• Notes from any hospital stays that can help inform discharge instructions and follow-up care for the patient and can let patients move smoothly from one care setting to another.
"Meaningful use" of electronic health records, as defined by HealthIT.gov, consists of using digital medical and health records to achieve the following:
• Improve quality, safety, and efficiency of health care, and reduce health disparities.
• Engage patients and family in comprehensive health care plans.
• Improve care coordination and the health of populations and also improve public health practices.
• Maintain the privacy and security of patient health information.
LO 8.3 Discuss laws implemented to protect the security of health care information as health records are converted from paper to electronic form.
electronic medical record (EMR)  Contains all patient medical records for one practice.
electronic health record (EHR)  A more comprehensive record than the EMR, focusing on the total health of the patient and traveling with the patient.
breach  Any unauthorized acquisition, access, use, or disclosure of personal health information which compromises the security or privacy of such information.
firewalls  Hardware, software, or both designed to prevent unauthorized persons from accessing electronic information.
FIGURE 8-1 How Breaches Happen
HIPAA'S SECURITY RULE
HIPAA's Standard 2, the Privacy Rule, details procedures for maintaining the privacy of protected health information. The act's Standard 3, the Security Rule, explains the requirements for maintaining the security of electronic health records, both in transmission and storage. Lack of compliance with HIPAA security measures can lead to substantial fines and in extreme cases even loss of medical licenses. According to www.hipaa.com, medical practices can follow five steps to ensure compliance with HIPAA standards and to avoid data breaches. (A breach is any unauthorized acquisition, access, use, or disclosure of personal health information which compromises the security or privacy of such information.)
1. Run a complete risk assessment of the medical practice. There are many electronic health recording systems, but practices need to use a system that meets HIPAA guidelines and standards. A risk assessment against HIPAA guidelines can reveal those areas where changes are needed, and should include evaluating how well each person protects passwords. Passwords should not be posted for anyone to see, should not be unnecessarily divulged to others, and should be changed whenever there is any sign they have been compromised (current NIST guidance, SP 800-63B, recommends against forcing periodic changes absent such evidence), and firewalls should be in place to protect against outside intrusion (see Figure 8-1). Are security measures reasonable and appropriate for the health care practice, and are they periodically reviewed? Have security breaches occurred in the past? If so, what caused the breaches, and have the causes been remedied? Are internal sanctions in place for security breaches, and have staff members been informed of such sanctions?
2. Be prepared for a disaster. One of the best ways to ensure against loss or corruption of medical data is to back up all data regularly. Data is most safely backed up in offsite locations, so that fires, water leaks, and other incidents at the practice site do not threaten data. Antivirus programs should also be installed on all computers and regularly updated so that computer viruses and hackers are not a threat to data.
[Figure 8-1 chart, How Breaches Happen: employees report the following as common causes of data breaches. The chart's bars read 31%, 33%, 42%, and 46%; the bar labels did not survive extraction. Source: Data from ProPublica: http://www.propublica.org/]
214 Part Two | Legal Issues for Working Health Care Practitioners
3. Train all employees in proper computer use. Access controls, such as passwords and PIN numbers, are HIPAA Security Rule requirements, and encryption systems provide an additional level of security. Encrypting stored information means that PHI cannot be read or understood except by someone who can decrypt it using a special decryption key provided only to authorized individuals. A medical practice can have a secure encryption system, but if employees don't use their passwords to securely access records and files, the encryption system is useless, and records are open to unauthorized intrusion. Training should be ongoing, so that new employees are informed and long-term employees are reminded of proper use.
4. Buy products with security compliance and compatibility in mind. When purchasing any new medical computer software or other medical products, check to be sure the new purchase meets HIPAA security rules and will be compatible with other products already in use.
5. Collaborate with all compliance-affected parties. All departments within a practice are affected when compliance changes are made, and employees should be informed and consulted.
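The point made in step 3, that encrypted PHI is unreadable to anyone who lacks the decryption key, and that the protection collapses when the password guarding that key is mishandled, can be shown concretely. The following is an added illustration written for this edition, not code from the textbook or from www.hipaa.com. It uses only the Python standard library: the key is derived from a user's password with PBKDF2, a stand-in stream cipher is built from HMAC-SHA256 in counter mode (a production system would use a vetted library such as AES-GCM instead), and an authentication tag ensures that a wrong password or an altered record is rejected rather than silently decrypted into garbage. The sample record and the passwords are constructed for the example.

```python
"""Encryption at rest for a stored PHI record (constructed illustration)."""
import hashlib
import hmac
import secrets

# Constructed sample record; it is not real patient data.
SAMPLE_RECORD = b"MRN 000-CONSTRUCTED; Dx: example diagnosis; Rx: example order"

# Password-stretching cost; raise it in practice to match current guidance.
PBKDF2_ITERATIONS = 200_000


def derive_keys(password: str, salt: bytes) -> tuple:
    """Derive two independent 32-byte keys (encryption, authentication) from a password.

    The decryption key exists only while an authorized user supplies the
    password, which is why password hygiene (step 1 and step 3) matters.
    """
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_record(password: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on a wrong password or a modified record."""
    if len(blob) < 64:
        raise ValueError("stored record too short to be valid")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified record")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Round-trip the record, then show what an unauthorized reader gets."""
    authorized_password = "constructed-example-passphrase"
    blob = encrypt_record(authorized_password, SAMPLE_RECORD)
    result = {
        # The PHI does not appear anywhere in the stored bytes.
        "stored_is_readable": SAMPLE_RECORD in blob,
        # The authorized user recovers the record exactly.
        "authorized_roundtrip": decrypt_record(authorized_password, blob) == SAMPLE_RECORD,
    }
    try:  # Without the password the key cannot be derived; access is refused.
        decrypt_record("wrong-guess", blob)
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    tampered = bytearray(blob)
    tampered[40] ^= 0x01  # flip one ciphertext bit, as an accidental or hostile change would
    try:  # Modified data is detected, not silently accepted.
        decrypt_record(authorized_password, bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block shows all four checks holding: the stored bytes contain no readable PHI, the authorized password recovers the record, a wrong password is refused, and a one-bit change to the stored record is refused. Note what the example does not fix: a password written on a sticky note or shared with a colleague hands over the decryption key just as surely as leaving the record unencrypted, which is the textbook's point about training.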
ProPublica data reveals that new technology trends threaten patient data in that 91 percent of hospitals surveyed are using cloud technology (Internet, off-medical-facility-site storage capability) to store data, yet 47 percent of these hospitals were not confident they could keep the data secure in the cloud. In addition, 81 percent of organizations let employees use their own mobile devices (BYOD), yet 46 percent of these organizations don't ensure that employee devices are secure (see Figure 8-2).
ProPublica estimates that data breaches have cost the health care industry $7 billion to date, both in fraudulent schemes and in identity theft, where criminals use health care data to assume a person's identity and make unauthorized purchases in that person's name.
encryption The scrambling or encoding of information before sending it electronically.
[Figure 8-2 chart, New Technology Trends Threaten Patient Data; the chart's bars did not survive extraction. Source: Data from ProPublica: http://www.propublica.org/]
FIGURE 8-2 New Technology Trends Threaten Patient Data
Chapter 8 | Privacy, Security, and Fraud 215
Health Information Technology for Economic and Clinical Health Act (HITECH) A section of the American Recovery and Reinvestment Act (ARRA) that strengthened certain HIPAA privacy and security provisions.
American Recovery and Reinvestment Act (ARRA) A 2009 act that made substantive changes to HIPAA's privacy and security regulations.
HITECH RULE
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009, strengthened the privacy and security protections for health information established under HIPAA. Provisions under HITECH carried a September 23, 2013 enforcement date.
The HITECH Rule strengthens privacy and security by:
• Extending compliance with HIPAA privacy and security rules to business associates and their subcontractors.
• Prohibiting the sale of protected health information without appropriate authorization.
• Expanding individual rights to electronically access one's protected health information (PHI).
• Prohibiting the use of genetic information for insurance underwriting purposes.
• Finalizing breach notification requirements.
• Expanding individuals' rights to obtain restrictions on certain disclosures of protected health information to health plans if services are paid for out of pocket.
• Establishing new limitations on the use and disclosure of protected health information for marketing and fund-raising purposes.
• Providing easier access to immunization records by a school.
• Removing HIPAA Privacy Rule protections for PHI of an individual deceased for more than 50 years.
A provision of the law states that breaches must be reported not just to the Office of Civil Rights (OCR), which has federal enforcement authority, but also to the media. A quick search of the Internet will reveal that breaches occur frequently. From October 2009 through November 2013, there were 768 complaints alleging a violation of the Security Rule. The HHS/OCR closed 579 complaints after investigation and appropriate corrective action and, as of November 30, 2013, had 254 open complaints and compliance reviews.
While maintaining the privacy and security of PHI is a vital consideration in today's health care environment, fraud is claiming a huge portion of the health care dollar, and has necessitated federal intervention in the form of legislation and anti-fraud measures.
12.-13. Briefly distinguish between the electronic medical record (EMR) and the electronic health record (EHR).
14. What is a breach of PHI?
15.-17. If you use computers in the course of your daily work, what are three important rules for you to remember, in order to protect the security of electronic medical records?
18. Briefly explain the purpose of HITECH.
Controlling Health Care Fraud and Abuse
According to figures published by The Sentinel for fiscal year 2011 (the latest FY for which statistics were available), estimates of dollar losses from fraud, abuse, and waste in all health care arenas included:
• $1.2 trillion a year, based on a 2008 report by PricewaterhouseCoopers' Health Research Institute.
• $600 to $850 billion a year, according to a Thomson Reuters report that broadly defined "waste" as "healthcare spending that can be eliminated without reducing the quality of care."
• $64.8 billion in improper payments by Medicare and Medicaid for FY 2011, according to the Government Accounting Office (GAO). ("Improper" meaning the care was not necessary or the bill was wrong. Improper payments may include fraudulent claims, but not all improper payments are fraudulent. Improper payments may be due to honest mistakes.)
• $28.8 billion in improper payments were made to Medicare fee-for-service (Original Medicare) providers in 2011, according to GAO.
• $21.9 billion in improper Medicaid payments in 2011, according to GAO.
• $2.4 billion in health care fraud judgments and settlements were won or negotiated in 2011, according to the 2011 Health Care Fraud and Abuse Control Program report by the Department of Health and Human Services (HHS) and Department of Justice (DOJ).
• $1.2 billion in Medicare and Medicaid audit disallowances (findings of unallowable costs), according to the HHS Office of Inspector General (OIG).