One of hipaa's five overall objectives is

Chapter 10

Patient Confidentiality and HIPAA

Learning Objectives

After completing this chapter, you will be able to:

· 1. Define the key terms.

· 2. Identify the problems associated with patient confidentiality.

· 3. Describe the information to which the Privacy Rule refers and how it applies to your profession.

· 4. Discuss the purpose of the Health Insurance Portability and Accountability Act (HIPAA) of 1996

· 5. List which entities are affected by HIPAA.

· 6. Discuss the penalties for noncompliance with HIPAA.

· 7. List the patients’ rights under the Privacy Standards.

· 8. Discuss the ethical issues concerning information technology.

Key Terms

Clearinghouse

Covered entities

Covered transactions

Deidentifying

Electronic Health Records (EHR)

Employer Identification Number (EIN)

Employer Identifier Standard

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Healthcare Integrity and Protection Data Bank (HIPDB)

Healthcare plan

HIPAA-defined permission

Medical informatics

Minimum necessary standard

Notice of Privacy Practices (NPP)

Office of Civil Rights (OCR)

Permission

Privacy Act of 1974

Privacy Rule

Protected Health Information (PHI)

Sanctions

State’s preemption

Telemedicine

Treatment, payment, and healthcare operations (TPO)

Voice Recognition Technology

Wireless Local Area Networks (WLANs)

THE CASE OF THE NEW MINISTER

Dawn is an ordained minister in a little church located in a small Midwest community. She has had to overcome some discrimination as the first female clergy member in the town. However, Dawn feels that her church congregation and other members of the community have finally started to accept her in this new role. Dawn was recently diagnosed with irritable bowel syndrome by a gastroenterologist in the next town. He performed a colonoscopy on Dawn to rule out cancer of the bowel and found nothing more than a few benign polyps, which he removed. He told Dawn that he wanted her to start taking amitriptyline for three months to see if that would solve her irritable bowel problem. He said that he had success using this antidepressant, also known as Elavil, to treat irritable bowel syndrome. He said he would call the prescription into Dawn’s local pharmacy.

When Dawn went in to pick up her prescription, she met two members of her congregation who were also picking up their prescriptions. The pharmacist leaned over the front counter and said to Dawn, “Do you know that this is an antidepressant?”

· 1. What rights of Dawn’s were violated?

· 2. Were any laws broken by the pharmacist’s statement? If so, what are they?

· 3. How could Dawn’s reputation suffer from this brief comment by the pharmacist?

Introduction

Patients have two major expectations when they visit a physician’s office or other medical facility: quality care and confidentiality. They have a right to expect both. However, with the advent of modern technology, including the Internet, e-mail, fax machines, and computers, the number of people who have access to patient information has increased at a rapid rate. In order to address the concern for patients’ privacy, especially via electronic transmissions, Congress mandated that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforce its privacy provision by April 14, 2003. This law, while somewhat complicated and expensive for physicians to implement, has meant more careful attention to issues of patient privacy.

CONFIDENTIALITY

One version of the Hippocratic Oath states, “What I see or hear in the course of the treatment…, which on no account must be spread abroad, I will keep to myself….” Historically, physicians were expected to maintain all confidences concerning their patients, and patients took this confidentiality for granted. However, the image of one patient sharing his or her medical information with only one physician is no longer applicable in today’s modern world. A dozen or more physicians may be involved in a patient’s care along with multiple institutions, including hospitals, MRI testing centers, rehabilitation centers, and skilled-nursing facilities. Today, there is widespread use of computerized record keeping and electronic transmission of medical records. For example, information needs to be transmitted to third-party providers, such as insurance companies, to arrange for payment of the patient’s medical services.

Modern medicine and technology have meant that patient privacy issues have become of paramount concern among patients, medical professionals, and ethicists. In many cases, patients have become fearful of admitting to what could be embarrassing information, such as past drug use, abortions, homosexuality, and mental health problems. When patients fail to convey this information to their physicians, it creates a difficult environment for the physicians who are treating the patients without benefit of complete medical information ( Figure 10.1 ).

Figure 10.1 Computer Screen Hidden from Patient View

Confidentiality about sensitive information is necessary to preserve the patient’s dignity. However, in order to receive payment from third-party payers such as insurance companies, Medicare, and Medicaid, the patient’s diagnosis may have to be revealed, no matter how embarrassing it is for the patient. But patients want to be assured that the information relayed about them to a third party is limited to just the minimum necessary standard in order to carry out the request. In addition, patients expect to be told when information about them is being relayed to a third party such as an insurance company.

MED TIP

Personal and confidential information about patients should be limited to conveying it to the absolute minimum number of healthcare employees.

Our Right to Privacy

U.S. Supreme Court Justice Louis Brandeis defined our right to privacy as “… the right most valued by civilized men.” While we realize that much has changed since 1928 when Justice Brandeis wrote these words, we still believe that this is a precious right that needs to be protected. Our right to privacy is not protected specifically by the Bill of Rights or any portion of the Constitution. However, many legal scholars believe that the right to privacy is found in some of the constitutional amendments, such as the First, Fourth, Fifth, Ninth, and Fourteenth Amendments.

There are numerous court cases, creating case law, which defend our constitutional rights to privacy. These decisions have then become precedent for future cases. Unfortunately, new technology, especially computer data banks, since Justice Brandeis, has allowed personal patient information to become public. For example, testing for the presence of drugs and alcohol in some business areas such as transportation and private industry may infringe on individual rights.

AIDS and Privacy

There is a great deal of discussion and controversy about the role of privacy for patients who have AIDS. AIDS is not only a threat to the homosexual population, but also to pregnant women, children, and heterosexual couples. Because this disease is transmitted through direct sexual contact including rape, as well as through contaminated needles and the accidental use of infected blood products, it is now apparent the public needs information to protect themselves. This information needs to be carefully communicated in order to protect the privacy rights of the infected individuals. Tennis champion Arthur Ashe, who contracted AIDS through a contaminated blood transfusion, wrote that, “keeping my AIDS status private enabled me to control my life. ‘Going public’ with a disease such as AIDS is akin to telling the world in 1900 that you had leprosy.” Before his death, he asked “To what extent is my private life not my own?”

The medical community has been conscientious about having patients sign an approval form granting permission for the release of their medical records. for a copy of an approval form for release of medical information. However, patients’ confidentiality and privacy have become more difficult with the advent of technologies such as fax transmission, the Internet, and computers in every medical office. Unfortunately, the creation of new laws has become necessary as a result of the unethical violation of patients’ privacy.

MED TIP

Always keep in mind that computer screens should never be visible to patients or visitors.

PRIVACY ACT OF 1974

The Privacy Act of 1974 provides private citizens some control over information that the federal government collects about them by limiting the use of information for unnecessary purposes. Under this 1974 law, an agency may maintain only the information that is relevant to its authorized purpose. Additionally, under this law citizens have the right to gain access to their records and to copy any of the records, if necessary. Under the privacy act individuals were given the right to:

· Find out what information is collected about them by the government.

· See and have a copy of that information.

· Correct or amend their information.

· Exercise control over disclosure of that information.

The Privacy Act only applies to federal agencies and government contractors. However, hospitals that are operated by the federal government, such as Veterans’ Administration hospitals, are bound by the act to make their records available for public disclosure.

It is sometimes necessary for confidential information to be shared without the knowledge or consent of the person. Thus, this law also permits federal agencies to collect, maintain, use, or disseminate any record of identifiable personal information but only in a manner that assures that:

· Such action is for a necessary and lawful purpose.

· The information is current and accurate for its intended use.

· Adequate safeguards are provided to prevent misuse of such information.

· The information is used only in those cases where there is an important public policy need that has been determined by a specific statutory authority.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) OF 1996

The Health Insurance Portability and Accountability Act (HIPAA) , signed into law on August 21, 1996, regulates the privacy and confidentiality of patient health information. This law was an effort to reduce costs of healthcare and streamline the fragmented and complicated healthcare system. HIPAA is a sweeping reform law that affects virtually everyone in the U.S. healthcare system—patients, providers, payers, and intermediaries such as pharmacies and medical device companies. The four objectives are to

· Improve the portability of health insurance.

· Combat fraud, abuse, and waste in healthcare.

· Promote the expanded use of medical savings accounts.

· Simplify the administration of health insurance.

Title II, Administrative Simplification, of the law is the section of HIPAA that affects most healthcare providers, insurance companies, and clearinghouses. Within this law, the Title II provisions were meant to make it easier and cheaper to electronically transmit health information. However, Congress realized that widespread electronic transmission of a patient’s health information could affect a patient’s privacy. Subsequently, Congress mandated that the Department of Health and Human Services (HHS) was responsible for developing detailed Privacy Standards. The overall objectives were to:

· Improve efficiency and effectiveness of the healthcare system via electronic exchange of administrative and financial information.

· Protect security and privacy of this stored patient medical information.

· Reduce high transaction costs in healthcare, which include paper-based transactions, multiple healthcare data formats, misuse, errors, and the loss of healthcare records.

The Privacy Rule

The Privacy Rule went into effect on April 14, 2001, and required that all “covered entities” must be in compliance with the privacy, security, and electronic-data provisions by April 14, 2003. These rules are meant to ensure:

· Standardization of electronic patient health records; administrative and financial data, including healthcare claims, healthcare payments and remittance advice; healthcare claims status; enrollment and unenrollment in a healthcare plan; eligibility in a healthcare plan; and healthcare premium payments.

· Unique identifying codes for all healthcare providers, healthcare plans, employers, and individuals.

· Security of electronic health information with standards protecting the confidentiality and integrity of individually identifiable health information, past, present, or future.

MED TIP

Many of the privacy provisions under HIPAA have caused confusion for the medical community. The original document began as a 337-word guideline, but the final regulation expanded to 101,000 words, or more than 500 pages.

While it is true that the Privacy Rule is concerned with confidentiality, that is not the basis for this rule. As medical records expanded into electronic format and were transmitted electronically, it became critical to protect patient privacy.

Most laws will permit certain practices unless there is a specific provision or rule against doing it. However HIPAA is just the opposite. You can only use and disclose patient information if there is a reason for each disclosure. The basis of the Privacy Rule is that a permission , which is a reason for each use and disclosure of patient information, must be identified. For example, permissions or reasons include disclosure to the patient, required disclosures, and payment for treatment.

The Privacy Rule applies to Protected Health Information (PHI) , which refers to any individually identifiable information that relates to all past, present, and future physical or mental conditions or the provision of healthcare to an individual. For example, information such as a patient’s name, age, gender, Social Security number, zip code, e-mail, and medical diagnosis are all PHI. This information can be oral or recorded in any form or medium, such as with electronic transmission. The Privacy Rule lays down the standards that should be followed to become HIPAA compliant.

The HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of The American Recovery & Reinvestment Act (ARRA) of 2009, includes measures to modernize the nation’s use of technology when handling private health information. The HITECH Act is meant to promote the adoption and “meaningful use” of health information technology. This act addresses privacy and security concerns that are associated with the electronic transmission of health information, as well as the civil and criminal enforcement of the HIPAA rules. The HITECH Act further elaborates on the complex use of electronic health information including enforcement, accountability, penalty, and prosecution guidelines for those involved in accessing private health information.

Eligible hospitals and professionals must become “meaningful users” of certified Electronic Health Records (EHR) to qualify for incentive payments through the state Medicare Incentive Program. Uses for electronically captured health information include: tracking clinical conditions, reporting clinical quality measures, and the use of this information to include the patient and their family in their care. This is more comprehensive than the Electronic Medical Record (EMR).

HIPAA requires the covered entities to limit the disclosures to only the minimum information necessary to carry out the medical treatment. Under HIPAA, this information can be conveyed to vendors, such as health insurance carriers, if they have obtained a written assurance (contract) from the vendor that the information will be protected. These standards to protect the PHI are in effect even if the patient is deceased. See a listing of the five forms required by HIPAA to protect a patient’s privacy in Table 10.1 .

Under HIPAA, patients must grant written consent or permission to disclose their PHI for treatment, payment, and other healthcare reasons. A Notice of Privacy Practices (NPP) , a legal, written statement which details the provider’s privacy practices, must be distributed to every patient. The patient is requested to read the document and then sign it. This signed form, or acknowledgment, is then placed into the patient’s medical record. See Table 10.2 for recommendations if a patient refuses to sign the NPP.

TABLE 10.1 Five Forms Required to Protect Patient’s Privacy

· 1. The privacy notice

· 2. Acknowledgment that the notice was received

· 3. Authorization, or consent, from the patient to provide information to others

· 4. An agreement reached with a healthcare professional’s business associates

· 5. A trading partner agreement

TABLE 10.2 What to Do If the Patient Refuses to Sign the NPP

· Indicate the patient’s decision and date on an acknowledgment form or log.

· Include the reason for the patient’s decision, if known.

· Place a copy of this documented unsigned acknowledgment form in the patient’s record.

· Assure the patient that a refusal to sign the NPP does not mean that he or she cannot exercise their rights.

· No physician or institution can refuse to treat the patient based solely on refusal to sign the NPP.

· The patient may still request a copy of the NPP even if he or she refuses to sign it.

TABLE 10.3 Patient Rights under HIPAA

· 1. Access to and right to copy medical records

· 2. Requests to have an amendment (or change) made to a medical record

· 3. Request for an accounting of disclosures

· 4. Request to be contacted at an alternate location

· 5. Request for further restrictions on who has access to the medical record

· 6. Right to file a complaint

Patients have six rights under HIPAA that are put in writing in the Notice of Privacy. They are listed in Table 10.3 .

MED TIP

A notice should be posted in the reception area of all healthcare providers explaining the HIPAA policy on confidentiality.

Release of Information and Consent

Under HIPAA regulations patients have the right to know how, when, and why their medical information is used ( Figure 10.2 ). They also have the right to some control over the content of the precise information that is disclosed. However, providers can refuse to provide treatment if a patient refuses to sign a consent form. There are three main exceptions to providing consent. One is during an emergency situation, and even then written consent must be obtained as soon as possible after the patient receives treatment. A second exception occurs if there is a language barrier without an interpreter, and then consent may have to be implied. The third exception occurs when treating prison inmates.

Figure 10.2 Healthcare Professional Explaining HIPAA Document to Patient

Who Are Affected?

Public health authorities, healthcare clearinghouses, and self-insured employers, as well as private insurers, information systems vendors, various service organizations, and universities are all included under HIPAA. These organizations are referred to as covered entities . A healthcare clearinghouse is a private or public entity that processes or facilitates the processing of nonstandard electronic transactions into HIPAA transactions. Thus, a clearinghouse may also refer to a billing service. See Table 10.4 for a listing of covered entities under HIPAA.

In other words, if a provider, such as a physical therapist, submits a bill or receives payment for healthcare or treatment, this healthcare professional would most likely be considered to be a covered entity under HIPAA.

MED TIP

Note that patients are not included as covered entities.

Under HIPAA, a healthcare plan is an individual or a group plan that provides or pays for medical care. Healthcare plans include group health plans, health maintenance organizations (HMOs), the Medicare program parts A and B, the Medicaid program, and employee welfare benefit plans. Thus, there are few, if any, healthcare providers that are not affected by this law.

Treatment, payment, and healthcare operations , also referred to as TPO, is the term used to indicate that a healthcare provider is qualified to provide care or treatment, may reveal a patient’s PHI in order to obtain payment for healthcare, and can provide functions or healthcare operations such as quality assurance.

Covered Transactions

There are certain types of electronic transactions for the transmission of healthcare information that are mandated under HIPAA regulations. These are called covered transactions between two covered entities and they include the following:

· A physician or healthcare provider submitting an electronic claim to an insurance company or healthcare plan

TABLE 10.4 Covered Entities under HIPAA

· Physician practices

· Hospitals, including academic medical centers

· Skilled-nursing facilities

· Laboratories

· Dental practices

· Home health agencies

· Hospices

· Private insurers

· Ambulance companies

· Clinical laboratories

· Pharmacies and pharmaceutical companies

· Medical device companies

· Physical therapists

· Podiatrists

· Chiropractors

· Osteopaths

· Health plans (payers)

· Healthcare clearinghouses

· Comprehensive out-patient rehabilitation centers

· A physician sending any Protected Health Information (PHI) to another physician

· A physician sending any PHI to a billing service he or she uses

MED TIP

Remember that because patients are not included as covered entities, they can send electronic requests (e-mail) to their physician requesting information about their own records. However, many physicians are reluctant to send information via e-mail to their patients due to privacy concerns.

Denial of the Request for Privacy

There are extraordinary circumstances in which a request for a patient’s medical and personal information must be denied in order to protect the patient. One example occurs with nursing homes, because some of their patients may be confused. They often have no family members who are responsible for their care and, thus, the nursing home administration becomes the responsible party. If there is a concern that the patient’s healthcare information may be misused, then the nursing home may refuse to allow access.

In addition, certain businesses and individuals, such as employers who sponsor health plans, lawyers, accountants, consultants, and other professionals working for the covered entities, are affected by HIPAA in an indirect manner. The covered entity must make sure that the businesses, or business associates it works with, comply with the Privacy Rule. There are severe penalties for violations for both the covered entity and the indirect supplier.

State’s Preemption

There are some situations in which a state’s privacy laws are stricter than the Privacy Standards established by HIPAA. In this case the state’s laws would take precedence over the federal HIPAA regulation. This is referred to as a state’s preemption . There are situations when state laws will require the release of information for the good of society. For example, when a state law requires a disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations would not preempt the state law.

Unique Identifiers for Healthcare Providers

In the past, healthcare organizations used multiple identification formats when doing business with each other. This resulted in confusion and errors. Standard identifiers are now being used in an attempt to reduce these problems. The Employer Identifier Standard , which was published in 2002, uses an employer’s tax ID number or their Employer Identification Number (EIN) as the standard code number for all electronic transmissions.

An individual’s Social Security number is still used for insurance identification purposes, as most Americans have a Social Security number and identification card. HIPAA has added the EIN for purposes of electronic transmission by healthcare providers.

Can Protected Health Information (PHI) Be Deidentified?

There are many reasons for obtaining health information in which the patient does not need to be identified. For instance, health statistics relating to communicable diseases can be obtained by deidentifying , or removing, descriptive information about the patient. See Table 10.5 for a listing of information that must be removed to deidentify PHI.

TABLE 10.5 Deidentified Public Health Information (PHI)

· Patient’s name

· Address, including zip code

· Social Security number

· Telephone and fax numbers

· All dates, including birth (except year), admission, discharge, and death

· Other identifying numbers or characteristics such as birth certificate, photos, fingerprints

· E-mail and website address

· Medical records numbers

· Healthcare insurance and beneficiary numbers

· License numbers

· Motor vehicle registration numbers

· Facial photographs, such as found on driver’s license

What Are the Obligations to the Patient under HIPAA?

The healthcare provider, such as a physician, has several confidentiality obligations to the patient. These include the obligation to obtain patient consent and authorization for any disclosures of medical information and permitting patient access to medical information. In addition, the provider must obtain patient authorization prior to disclosing PHI for purposes other than medical treatment, such as payment collection or a disclosure of psychotherapy notes.

The provider has a requirement to provide only the minimum necessary standard information for any disclosure about the patient. This standard means that the provider must make a reasonable effort to limit the disclosure of patient information to only the minimum that is necessary to accomplish the purpose of the request. The minimum necessary standard does not apply when a provider is submitting information to the patient, the HHS, or another provider, such as a physician or hospital, for the purpose of treatment ( Figure 10.3 ).

The minimum necessary standard requirements do not apply to any health information disclosures that are required by law. For example, a physician, as a covered entity, is still required to disclose PHI that is requested in a subpoena.

Figure 10.3 Only the Minimum of Information That Is Needed can be Sent to Another Provider

MED TIP

The minimum necessary standard is important to remember when supplying a request for patient information. Never send a copy of the patient’s entire medical record when only specific information is requested.

Permitted Incidental Disclosures

When the Privacy Rule became effective in 1996, there was confusion as to what could and could not be disclosed about the patient. In response to this confusion Health and Human Services (HHS) released a guidance document in 2002 that clarified the “permitted incidental disclosures.” See Table 10.6 for examples of permitted disclosures.

What Are the Penalties for Noncompliance with HIPAA?

Noncompliance with HIPAA can result in serious penalties for healthcare providers such as physicians and hospitals. The penalties for violating HIPAA range from civil penalties of up to $100 per person per incident for minor improper disclosures of health information, and up to $25,000 for multiple violations of the same standard in a calendar year. Federal criminal liability for improper disclosure of information or for obtaining information under false pretenses carries sanctions (fines) of up to $50,000 and one year in prison. The liability for obtaining Protected Health Information under false pretenses with the intent to sell, transfer, or use the information for personal gain or for a malicious action, such as Medicare fraud, carries penalties of up to $250,000 and/or up to 10 years in prison. Severe penalties are in effect if lax security allows health information to be stolen. There is also a risk of a class action suit as well as public relations damage to the institution’s or physician’s image.

Healthcare fraud, especially relating to the Medicare and Medicaid programs, has been increasing during the past decade. Fraud alerts issued by the Inspector General’s Office of the Department of Health and Human Services (HHS) concerning suspicious practices can alert providers and the public to the potential for medical privacy abuse.

TABLE 10.6 Permitted Incidental Disclosures

· Healthcare staff at a nursing station can coordinate patient care if they speak in a low voice.

· Nurses and other staff members can talk to a patient by phone or discuss the treatment of a patient with another provider if the discussions are conducted in low voices and away from listeners.

· Laboratory results can be discussed with patients or other healthcare professionals in a treatment area if privacy precautions are taken.

· A message can be left for a patient on an answering machine or with family members, but the amount of information must be limited for just the purpose of the call.

· Patients can be asked to sign in and be called by name in the waiting room, but they should not sign the reason for their visit.

· The patient’s name can be announced in the waiting room or use a public address system to come to a particular location.

· A lighted x-ray board can be used in a nursing station if it is not publicly visible.

· Patient charts can be placed outside of exam rooms if reasonable precautions are used. The charts should be placed with the name faced to the wall or a cover concealing the chart.

TABLE 10.7 Patients’ Rights under the Privacy Standards

· A copy of the privacy notice from the healthcare provider

· Access to their medical records and the right to restrict access by others, request changes, and learn how their records have been accessed

· Ask the provider to limit the way in which healthcare information is shared and to keep disclosures to the minimum needed for treatment and business operations

· Ask to whom the healthcare information was given

· Ask to be contacted in a special way, such as by mail or at work

· Ask to be contacted in a place other than home or work

· Examine and copy the health information the provider has recorded

· Complain to the covered entity and the Department of Health and Human Services if the patient believes there is a violation of his or her privacy

Another provision under HIPAA is the establishment of the Healthcare Integrity and Protection Data Bank (HIPDB) . This is a national data bank that collects reports and disclosures of actions taken against healthcare practitioners, providers, and vendors for noncompliance and fraudulent activities. This extensive data bank is not available to the general public, but can be accessed by federal and state government agencies and various health plans.

What Are the Patients’ Rights Under the Privacy Standards?

Patients have many rights under HIPAA. Healthcare providers have the additional responsibility of alerting patients to their own rights under this law. See Table 10.7 for patients’ rights under the Privacy Standards.

HIPAA-Defined Permissions

HIPAA defines 11 areas in which permission must be granted in order to use or disclose patient health information (PHI). HIPAA-defined permission is based on the reason for knowing, or use of, the information. Only two disclosures are required by HIPAA: for Health and Human Services (HHS) requests and to honor patient requests. All 11 permissions are described in Table 10.8 .

Special Rules Relating to Research

HIPAA regulations also relate to medical information that is compiled and used for research purposes. Providers and other covered entities that wish to use individually identifiable patient information that is related to treatment, such as for cancer patients, must perform a very detailed authorization form. The researchers must obtain

· A patient authorization that complies with the rules set by HIPAA, or

· A waiver of authorization from a privacy board or an Institutional Review Board, such as is found in a teaching hospital or university. The waiver must include extensive documentation as required by HIPAA.

This regulation also covers information used for research from deceased patient records.

TABLE 10.8 HIPAA-Defined Permissions

Disclosure

Condition

· 1. Required disclosures

· a. Health and Human Services (HHS) can view accounts, records, and other financial documents

· b. Patient requests to view own records

· 2. Valid patient authorization

· a. Allows for PHI to be disclosed

· 3. Patient requests for disclosure

· a. May view own records

· b. May discuss treatment and medical condition with physician

· 4. For use in treatment of patients, payment, or other healthcare operations (TPO).

· 5. For the treatment, payment, and healthcare operations (TPO) of other covered entities

· a. Patient’s written permission is needed for other covered entities, such as attorneys and insurance plans, to have access to PHI covered entities.

· 6. For patient representatives such as family

· a. Must present a legal document, such as Medical Power of Attorney, before granting access to PHI by family or friend

· 7. Qualified disaster relief organizations

· a. Used to provide notification regarding disaster relief

· b. May be provided unless patient objects

· 8. Incidental disclosures about patients without their authorization

· a. Nurses and healthcare professionals may discuss patient cases when they are out of the hearing distance of others.

· b. Healthcare professionals may discuss laboratory results with patients and others if they are out of the hearing distance of others.

· c. Healthcare professionals may leave limited telephone messages for patients; it is always preferable to ask the patient if this is acceptable.

· d. May call a patient by name in a waiting room or over a public address system

· e. May leave patient chart outside an exam room if the patient’s identity is not visible

· 9. For public purposes

· a. When the PHI disclosure is required by law such as with a request by the court

· b. Public health departments are authorized to collect data relating to communicable diseases, births, and deaths.

· c. In all cases of abuse or neglect

· d. Disclosure necessary to prevent serious harm, such as when a patient threatens another person or makes a suicide threat; healthcare professionals must notify the patient that this disclosure has been made.

· e. Food and Drug Administration (FDA) can collect PHI relating to safety of drugs and products.

· f. PHI may be disclosed in order to notify people at risk of a communicable disease.

· g. May release PHI in case of subpoena; consult with privacy official to determine specific criteria that apply

· h. Law enforcement has the right to PHI in cases of abuse, neglect, gunshot wounds, suspicious death, identifying a suspect, or medical emergency.

· i. Coroners and funeral directors may receive PHI in order to perform their functions.

· j. Organ and tissue donation agencies may receive PHI to facilitate the donation process.

· k. Researchers may receive PHI under certain conditions; consult with privacy officer.

· l. State Worker’s Compensation programs may need PHI.

· m. Government agencies and facilities, such as prisons and the military, may receive PHI under certain conditions.

· 10. When deidentification has occurred (i.e., when patient identifiers have been removed)

· 11. In a limited data set in which certain identifiers, such as patient’s, relative’s, and employer’s names have been removed, patients do not have the right to access

· a. Psychotherapy notes

· b. Certain laboratory tests, under the Clinical Laboratory Improvement Act of 1988 (CLIA) may only be given to person who authorized the test—usually a physician.

· c. If they are prison inmates

· d. Certain research projects in which the limited access has been granted in advance

· e. If the PHI is part of a government record

· f. If the PHI was obtained under a promise of confidentiality

Problems Relating to Implementation of HIPAA’s Privacy Rules

HIPAA is an often misunderstood law. New studies are finding that some healthcare providers are being too overzealous in applying this law, leaving family members, caregivers, public health personnel, and law enforcement officers without necessary information to care for the patients. This results in frustration and delays in treatment of patients. HIPAA was passed by Congress in 1996 to allow patient’s easier access to their medical records, while limiting this access to others. Unfortunately, this has not always happened.

HIPAA regulations have made many healthcare agencies, such as hospitals, reluctant to release any information about their patients due to fear of civil or criminal penalties under HIPAA. This is particularly true when a patient refuses to be listed on the hospital’s patient directory. In certain situations, some healthcare providers, trying to avoid any error under HIPAA by disclosing PHI inappropriately, refuse to provide medical records to anyone except the patient. For instance, state workers’ compensation programs, which are exempted under HIPAA, have difficulty receiving the medical information they require in order to provide financial assistance for the patient.

Reports of problems with accessing patient information have been filed by nonmedical persons. For example, human resource departments often require medical information in order to administer the Family and Medical Leave Act (FMLA), facilitate return-to-work policies, assist in Americans with Disabilities Act (ADA) accommodation discussions, and obtain results from drug testing. In addition, lawyers working with workers’ compensation claims, medical malpractice, and personal injury litigation need access to medical records. And members of the clergy complain that the privacy rules keep them from visiting the sick members of their congregations when they are hospitalized. They complain that the law is being too narrowly interpreted.

Police are also confronting problems as a result of HIPAA. The law requires hospitals to report to the police when a patient comes in with a gunshot wound or there is a suspected case of child abuse or neglect. According to some police officials, compliance with HIPAA is slowing police investigations and even impeding the prosecution of crimes. Police officers complain that they are being denied access to anyone, including crime victims and persons previously reported as missing, who have opted not to be listed in hospital directories. Although HIPAA makes exceptions for criminal investigations, some hospitals, concerned with violating the law, err on the side of caution and refuse to release any information. Under HIPAA, hospitals must allow police to interview patients and must provide information about their condition when a serious crime has been committed.

There have been serious problems occurring as a result of improperly interpreting the requirements of HIPAA. For example, Charlie, a mental patient in Chicago, was released from the hospital into the care of his friend to recuperate. Within a week Charlie was dead after jumping to his death from his friend’s balcony. The friend did not know that Charlie was suicidal when he was admitted to the hospital after he had attempted to take his own life. The hospital did not release that information to the friend since they believed they could not under HIPAA regulations. The friend said he would have monitored Charlie better if he had only been told about his condition.

In another case, a California mother was unable to get the hospital to produce a key medical record documenting her son’s blood pressure in his final hours. The young man had died from an overdose just hours after she was told that he was stable. The record finally arrived six years later and indicated that her son had been in mortal danger for several hours while awaiting care. The medical record arrived too late under state law to file a civil lawsuit. Disputes over an inability to receive records by designated family members has become a common complaint.

In another situation, a heart patient was transferred from one hospital to another in order to receive heart surgery. The first hospital refused to release the patient’s laboratory records because they believed it would be a violation under HIPAA.

Educational facilities are coping with the task of gaining access to information about the mental stability of their students after the horrendous killing of 32 students and faculty at Virginia Tech. Many mental health professionals believe their patients’ records are protected from disclosure under HIPAA. However, other experts believe that information about mentally disturbed students, who indicate that they would use harmful behavior against others, should be made known to the authorities.

MED TIP

A violation of HIPAA, a federal law, is a criminal offense. Therefore, fear of violating this law has caused an overreaction to it among many healthcare professionals. According to Dr. William Kobler, former president of the Illinois State Medical Association, physicians have become excessively cautious about releasing patient information out of fear that they will be slapped with a large fine.

Misconceptions about HIPAA

The Department of Health and Human Services (HHS) states that the law requires “reasonable safeguards” be taken in order to protect patient privacy. The privacy provision applies to physicians, pharmacists, and insurers. It was originally intended to protect computerized medical records and billing and to allow patients easier access to their own medical records. However, the purpose has been interpreted much more broadly. According to the HHS, many misconceptions about HIPAA are slowly being cleared up. The privacy law

· Does not prevent physicians or hospitals from sharing patient information with other physicians or hospitals in order to treat patients.

· Does not prevent hospitals from disclosing names of patients to clergy or from keeping patient directories. It does not require that patients sign in to be included in the hospital directory of patients, only that they can opt out and not be included.

· Allows hospitals or physicians to share information with the patient’s spouse, family members, friends, or anyone whom the patient has identified as involved in their care.

· Does not apply to most police or fire departments. The hospital may release names and information about homicides, accident victims, and other incidents. However, HIPAA does limit the information that emergency medical technicians (EMTs) may disclose.

Office personnel, acting on behalf of physicians and dentists, can still send out reminders about appointments and leave messages on patients’ answering machines.

MED TIP

The HIPAA law, as currently written, prohibits patients/consumers from suing over privacy violations. Instead, patient/consumers must register their complaints with the government agency, Health and Human Services ( www.hhs.gov/ocr/hipaa or www.hipaadvisory.com ).

Recommendations

Following are some practical recommendations for physicians and physician groups to follow when implementing HIPAA:

· Appoint and train a privacy officer to receive complaints and provide information concerning the provider’s privacy notice materials.

· Conduct an internal assessment of existing policies, procedures, and practices for collecting and handling medical records and patient information to determine where the deficiencies in privacy may occur.

· Enter into written agreements with all nonemployee service providers who may have access to PHI.

· Adopt procedures for handling patient requests.

· Implement a Notice of Privacy Practices.

· Revise employee manuals regarding HIPAA standards. These personnel policies must reflect the organization’s handling of employees who use or disclose PHI in violation of HIPAA. The Office of Civil Rights (OCR) would likely ask for a copy of these policies during an investigation of violations.

· Train all employees on policies and procedures regarding HIPAA.

· Retain signed authorizations, copies of notices of privacy practices, and any agreements with patients restricting disclosure of PHI. This documentation should be retained for a period of six years from the date they were created or the date when they were last in effect.

· Implement and enforce sanctions (penalties) for violations of provider policies and procedures.

· Establish a complaint process for noncompliance with the privacy regulation.

See Table 10.9 for a list of precautions relating to HIPAA.

The costs associated with compliance with HIPAA can be extremely high depending on the size of the organization. Blue Cross estimates that the initial cost of complying with the privacy law would be several billion dollars over a five-year period. This is estimated to cover staffing, computer software, and expanded paperwork.

ETHICAL CONCERNS WITH INFORMATION TECHNOLOGY (INFORMATICS)

Informatics presents a multitude of ethical issues, especially with the use of the Internet by physicians and patients. Healthcare providers have expressed concern about security when patient data, such as that contained in medical records, is transmitted via the Internet. A report on confidentiality and security issues by Computer Based Patient Record Institute, based in Schaumburg, Illinois, states, “Breaches of confidentiality can lead to loss of employment and housing, health and life insurance problems, and social stigma…. Formal information security programs must be established by each organization entrusted with healthcare information.”

TABLE 10.9 Precautions Relating to HIPAA

· You need to use a fax cover sheet to fax anything with Protected Health Information (PHI).

· When conferencing about a patient, you should not be in a place where others can hear you.

· Do not leave laptops or desktops unattended with patient information on the screen.

· Do not give out your computer password to anyone. Change passwords frequently.

· Do not let someone else use your computer when you are already signed on.

· Have anti-virus software, robust firewalls, and screensavers installed in all computers.

· An organization can be fined each time it breaks the rule, up to $25,000 a year.

· An individual person can be fined or sent to prison.

Wireless Local Area Networks (WLANs) are used by physicians and nurses to access patient records from central databases while they are conducting patient rounds (bedside visits), adding observations and patient assessments to the databases, checking on medications, and completing a variety of other functions. The use of wireless networks by healthcare professionals presents ethical challenges and dilemmas. There can be a trade-off between quick access to the patient’s medical records and the security of those records. Decisions relating to the use of WLANs must take into account the impact they have on the patient’s privacy as mandated by HIPAA. HIPAA requires that there be safeguards in place to protect the privacy of electronic and nonelectronic Protected Health Information. The HIPAA security rules that were issued in final form on February 20, 2003, apply to PHI in electronic form only.

Voice Recognition Technology

With the advent of voice recognition, doctors are now able to verbally chart their patient’s records using Voice Recognition Technology . This allows a more immediate and thorough documentation. New technology enables a physician to input information by voice in real time on mobile devices as they talk with the patient. Some devices, such as Dragon voice-recognition software, can actually highlight and validate medical facts, as well as spot inconsistencies in dictation. Most doctors are already skilled using dictation devices in hospital medical record systems. The new technology takes this a step further and allows dictation and data storage as well as “intelligence” software. For example, the software can prompt the doctor to add more information if some clarification is missing, such as the patient’s blood pressure or heart rate.

MED TIP

Because the amount of medical information available is said to double every five years, computerized systems have become indispensable.

Medical informatics is the application of communication and information to medical practice, research, and education. Many hospitals and healthcare institutions are able to link together diverse areas such as pharmacy, laboratory, administrative, and medical records through the use of informatics. For example, many hospital pharmacies have implemented a fully computerized medication ordering system to lower the incidence of medication errors due to the inability to correctly interpret handwritten orders.

Telemedicine , or the use of communication and information technologies to provide healthcare services to people at a distance, is seen as the future of medicine. Modern technology has the ability to provide health services for homebound and rural patients via telephone, fax, Internet, and even real-time television. All of these methods have been used to provide continuing medical education for the past decade.

Some of these methods for treatment are still in the developmental stage. For example, Virginia Mason Medical Center, a large multispecialty group practice in Seattle, has telemedicine sites in rural Washington and Alaska. This center uses telemedicine to consult on diagnosis and treatment, transmit radiological studies, and conduct presurgical and postsurgical exams. It has telemedicine projects in radiology, cardiology, neurology/neurosurgery, psychiatry, dermatology, oncology, rheumatology, and rehabilitation medicine.

Health Partners, a Minneapolis-based health plan, uses a 24-hour two-way video conferencing method to link the nurses with the home care patients. Ordinary phone lines are used in this system. The nurses are able to inspect wound care and healing over this video link.

A multitude of medical information is currently available over the Internet—in varying degrees of usefulness. Healthcare consumers can use the Internet to research their disease and treatment options. Many healthcare plans and institutions have their own websites with current information about services and medical information (see Appendix B for a listing of useful medical websites).

Telemedicine raises legal issues, such as concerns about practicing medicine across state lines, that must be addressed. Physician reimbursement for these types of consultations is uncertain. Also, the credentials of the person giving medical advice over the Internet are open to both legal and ethical discussion.