The false claims act contains which distinguishing provision

Judson, K., & Harrison, C. (20 16). Law and ethics for the health professions. (7th ed. ). New York: McGraw- Hill.

Law&Et cs FOR HEALTH PROFESSIONS

KAREN JUDSON CARLENE HARRISON

Key Terms

204

Privacy, Security, and Fraud

LEARNING OUTCOMES After studying this chapter, you should be able to:

LO 8. I Discuss U.S. constitutional amendments and privacy

laws that pertain to health care.

LO 8.2 Explain HIPAA's special requirements for disclosing

protected health information.

LO 8.3 Discuss laws implemented to protect the security

of health care information as health records are

converted from paper to electronic form.

LO 8.4 Discuss the federal laws that cover fraud and abuse

within the health care business environment and the

role of the Office of the Inspector General in finding

billing fraud.

LO 8.5 Discuss patient rights as defined by HIPAA, the Patient Protection and Affordable Care Act, and other health

care entities.

FROM THE PERSPECTIVE OF . ..

ANN, AN R.N. IN A TEXAS HOSPITAL FOR NEARLY 25 YEARS, remembers when patients' names were posted on the doors to their rooms. She and her colleagues once freely informed telephone call- ers and visitors how patients were progressing. Now, Ann remarks, because of federal legislation to protect the privacy and security of health care information, times have changed. "We have to be so care- ful about releasing any information that when my father's dear friend was admitted to my floor in the hospital where I work, I couldn't tell him that his friend had been admitted."

From Ann's perspective, because she cares about her patients, she would like to be able to talk more freely with family members or friends who also care about her patients. But she is duty-bound to follow the law, and she knows the benefits to patients for laws that guard their privacy.

From the perspective of friends and family members who call for infor- mation about a patient, the law is harsh and hard to understand. They are often angry when they cannot learn the status of a friend or loved one.

From the perspective of some patients, the law sometimes feels over- protective and unnecessarily intrusive, but for others-such as the patient who has tried to commit suicide and failed, who doesn't want anyone to know he is in the hospital, or the battered spouse who doesn't want her abusive husband to find her-it's a safety net they can depend on.

The United States Constitution and Federal Privacy Laws Contrary to popular belief, the term privacy (freedom from unauthor- ized intrusion) does not appear in the U.S. Constitution or the Bill of Rights. However, the United States Supreme Court has derived the right to privacy from the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the Constitution.

LO 8.1 Discuss U.S. constitutional amendments and privacy laws that pertain to health care.

privacy Freedom from unaut horized int rusion.

LANDMARK COURT CASE The Constitution Protects the Right to Privacy

In November 1961, the executive director and the medical

director of a Planned Parenthood clinic in Connecticut were

charged with violating a state statute prohibiting the dis-

pensing of contraceptive devices to a married couple. The

defendants were convicted and fined $1 00 each. The U.S.

Supreme Court heard the case in March 1965 and issued a

written opinion on June 7, 1965. William 0. Douglas, writ- ing the majority opinion for the Court, held that the Con-

necticut statute was an unconstitutional violation of the

right of privacy. Douglas noted that many rights are not

expressly mentioned in the Constitution, but the Court

has nevertheless found that persons possess such a right. In

reviewing the many rights that Americans possess, Douglas

noted the existence of "penumbras" or "zone(s) of privacy

created by several fundamental constitutional guarantees."

As a result of the Supreme Court's decision in Griswold v. Connecticut, patients possess certain rights that affect the delivery of med ical services and health care. For example,

persons have t he right to refuse medical treatment, and

courts now recognize a person 's right to die.

Griswold v. Connecticut, 381 U.S. 479, 85 S. Ct. 1978, 14 L. Ed.2d 510 (1965).

C-c9:er 8! Privacy, Security, and Fraud 205

COURT CASE

First Amendment: Congress cannot prohibit or abridge free speech. In addition, the Establishment and Freedom of Religion clauses of this amendment prohibit the government from funding, showing preference for, or discriminating against any religion.

Third Amendment: Soldiers cannot be quartered in private homes without the consent of the owner.

Fourth Amendment: People have the right to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.

Fifth Amendment: No person must testify against himself, be tried twice for the same offense, or be deprived of life, liberty, or property without due process of law. The Miranda warning ("You have the right to remain silent ... ")as read during criminal arrests, derives from this amendment.

Ninth Amendment: If certain rights are not explicitly mentioned in the Constitution, that does not mean they do not exist.

Fourteenth Amendment: All states must provide rights for citizens that are at least equal to those in the U.S. Constitution, and under the philosophy called federalism states may grant citizens additional rights not specifically granted in the U.S. Constitution.

Fourth Amendment Rights in Question

The Student Activities Drug Testing Policy adopted by

the Tecumseh, Oklahoma, School District requires all

middle and high school students to consent to urinaly-

sis testing for drugs to participate in any extracurricular

activity. Two Tecumseh High School students and their

parents brought suit, alleging that the policy violates the

Fourth Amendment, which states in part: "The right

of the people to be secure in their persons , houses,

papers, and effects, against unreasonable searches

and seizures , shall not be violated." The district court

granted the school district summary judgment. In

reversing, the court of appeals held that the policy vio-

lated the Fourth Amendment. The appellate court con-

cluded that before imposing a suspicionless drug-testing

program a school must demonstrate some identifiable

drug abuse problem among a sufficient number of those

tested, such that testing that group will actuall y redress

its drug problem , which the school district had failed

to demonstrate.

to submit to drug testing, consistent with the Fourth

Amendment?

The U.S. Supreme Court concluded that the answer to

the question was yes. In a 5-4 opinion delivered by Justice

Clarence Thomas, the Court held that, because the policy

reasonably serves the school district's important interest

in detecting and preventing drug use among its students,

it is constitutional. The Court reasoned that the board of

education's general regulation of extracurricular activities

diminished the expectation of privacy among students

and that the board 's method of obtaining urine samples

and maintaining test results was minimally intrusive on the

students' limited privacy interest. "Within the limits of the

Fourth Amendment, local school boards must assess the

desirability of drug testing schoolchildren. In upholding

the constitutionality of the Policy, we express no opinion

as to its wisdom. Rather, we hold only that Tecumseh's

Policy is a reasonable means of furthering the School Dis-

trict's important interest in preventing and deterring drug

use among its schoolchildren," wrote Justice Thomas. The question before the court was: Is the Student

Activities Drug Testing Policy, which requires all students

who participate in competitive extracurricular activities

206 Part Two I Legal Issues for Working Health Care Practitioners

Board of Education v. Earls, 536 U.S. 822 (2002).

COURT CASE Fourteenth Amendment at Issue William Baird spoke at Boston University on the sub-

ject of birth control and overpopulation. At the end of

his talk, Baird gave away Emko Vaginal Foam to a woman

who approached him. Massachusetts charged Baird with

a felony, distributing contraceptives to unmarried men

or women. Under state law, only married couples could

obtain contraceptives; only registered doctors or phar-

macists could provide them. Baird was not an authorized

distributor of contraceptives.

At issue was: Did the Massachusetts law violate the

right to privacy acknowledged in Griswold v. Connecticut, and did it violate protection from state intrusion granted

by the Fourteenth Amendment?

grounds. The Court held that the law's distinction between

single and married individuals failed to satisfy the "rational

basis test" of the Fourteenth Amendment's Equal Protec-

tion clause. Married couples were entitled to contraception

under the Court's Griswold decision. Withholding that right to single individuals without a rational basis proved the fatal

flaw. Thus, the Court did not have to rely on Griswold to invalidate the Massachusetts statute. "If the right of privacy

means anything," wrote Justice William J. Brennan, Jr., for

the majority, "it is the right of the individual, married or

single, to be free from unwarranted governmental intru-

sion into matters so fundamentally affecting a person as the

decision to whether to bear or beget a child."

The case reached the U.S. Supreme Court, where jus-

tices struck down the Massachusetts law, but not on privacy Eisenstadt v. Baird, 405 U.S. 438 ( 1972).

FEDERAL PRIVACY LAWS

Concern about privacy has led to the enactment of federal and state laws governing the collection, storage, transmission, and disclosure of personal data. Privacy laws are generally based on the following considerations:

1. Information collected and stored about individuals should be limited to what is necessary to carry out the functions of the busi- ness or government agency collecting the information.

2. Once it is collected, access to personal information should be limited to those employees who must use the information in per- forming their jobs.

3. Personal information cannot be released outside the organization collecting it unless authorization is obtained from the subject.

4. When information is collected about a person, that person should know that the information is being collected and should have the opportunity to check the information for accuracy.

A number of federal laws concern privacy, but until the Health Insurance Portability and Accountability Act (HIPAA) of 1996, fed- eral privacy laws have dealt with financial and credit information or the theft or illegal disclosure of electronic information. HIPAA of 1996 was the first federal law to deal explicitly with the privacy of medi- cal records, and to ensure compliance, HIPAA provides for civil and criminal sanctions for violators of the law.

All states have laws governing the confidentiality of medical records, but laws vary greatly from state to state. Through state preemption, if a state's privacy laws are stricter than HIPAA privacy standards and/or guarantee more patients' rights, the state laws take precedence.

Table 8-1 below lists eight major federal privacy laws passed since 1985.

state preemption If a state's privacy laws are stricter than HIPAA privacy standards, the state laws take precedence.

Chapter 8 1 Privacy, Security, and Fraud 207

COURT CASE HIPAA Preempts State Law in Certain Instances

In July 2013, the U.S. Court of Appeals for the Eleventh

Circuit ruled that HIPAA preempts state law in certain

instances. The case centered on a Florida statute that

allowed nursing homes to release medical records of a

current or former resident to "spouse , guardian , surro-

gate, proxy or attorney in fact" of the individual. How-

ever, many Florida nursing homes refused to disclose

records to surviving spouses who had not been des-

ignated as the personal representative by the probate

courts. The Florida Agency for Health Care Adminis-

tration (AHCA) ordered the various nursing homes to

release the information stating the surviving spouses were

equal to personal representatives. OPIS Management

Resources, an owner of several nursing homes in Florida

filed suit against AHCA, claiming that HIPAA standards

were higher and thus the state law conflicted. The Court

of Appeals held the state statute was fatally flawed and

"authorizes sweeping disclosures, making a deceased

(nursing home) resident's protected health information

available to a spouse or other enumerated party upon

request, without any need for authorization, for any con-

ceivable reason, and without regard to the authority of

the individual making the request to act in a deceased

resident's stead."

OPtS Management Resources LLC v. Secretary Florida Agency for Health Care Administration, No. 12- 12593 (II th Cir. Apr. 9, 20 13).

Table 8-1 Major Federal Privacy Laws

Date Enacted

1986

1994

1996

1999

2005

2009

2010

2010

Law

Electronic Communications Privacy Act (ECPA)

Computer Abuse Amendments Act

Health Insurance Portability and Accountability Act (H IPAA)

Gramm-Leach-Biiley Act

Patient Safety and Quality Improvement Act (PSQIA)

American Recovery and Reinvestment Act (ARRA), commonly called the Stimulus Bill

Patient Protection and Affordable Care Act (PPACA) common ly called the Affordable Care Act orACA

Health Care and Education Reconciliation Act (HCERA)

Purpose

Provides privacy protection for new forms of electronic commu- nications, such as voice mail, e-mail, and cellular telephone

Amends the 1984 act to forbid transmission of harmfu l com- puter code such as viruses

Guarantees that workers who change jobs can obtain hea lth insurance. Increases efficiency and effectiveness of t he U.S. health care system by electronic exchange of administrative and financial data. Improves security and privacy of patient- identifying information. Decreases U.S. health care system transaction costs

Requires all financial institutions and insurance companies to clearly disclose their privacy policies regarding the shar- ing of nonpublic personal information with affiliates and third parties

Helps assess and resol ve patient safety and health care quality issues, encourages reporting and analysis of medical errors, authorizes HHS to impose civil money penalties for violations of patient safety confidentiality

Title XIII, the Health Information Technology for Economic and Clinical Heal th (HITECH) Act, makes substantive changes to HIPAA, including privacy and security regulations, changes in HIPAA enforcement , provisions about hea lth information held by entities not covered by HIPAA, and other miscellaneous changes

Dea ls mostly with the availability of health insurance coverage for all Americans, but also reinforces privacy regarding pro- tected hea lth information

A federal law that adds to regu lations imposed on the insur- ance industry by PPACA

208 Port Two I Legal Issues for Working Health Care Practitioners

Check Your Progress

I. Does the Constitution provide specifically for the protection of privacy? Explain your answer.

2. W hat was the f irst federal law to deal explicitly w ith the pri vacy of medical records?

3.-6. Name four considerations for protecting privacy when federal and/or state legislation is written.

Since HIPAA is the federal legal standard for privacy and security of electronic health information throughout the health care industry, health care employees must follow the law's provisions, which are contained within four standards:

Standard 1. Transactions and Code Sets. A transaction refers to the transmission of information between two parties to carry out financial or administrative activities. A code set is any set of codes used to encode data elements, such as tables of terms, medical con- cepts, medical diagnostic codes, or medical procedure codes.

Required code sets for use under Standard 1 include Current Procedural Terminology (CPT) and International Classification System of Diseases; Clinical Modifications lOth Edition (ICD-10-CM); and International Classification System of Diseases-Procedure Coding System lOth Edition (ICD-10-PCS) (Since the publication of ICD-10 has been delayed to 2015, some coders may still be using ICD-9.).

Standard 2. Privacy Rule. Policies and procedures health care providers and their business associates put in place to ensure confi- dentiality of written, electronic, and oral protected health information.

Standard 3. Security Rule. Security refers to those policies and pro- cedures health care providers and their business associates use to protect electronically transmitted and stored PHI from unauthorized access.

Standard 4. National Identifier Standards. Provide unique identifiers (addresses) for electronic transmissions.