10 Patient Confidentiality and HIPAA Journal Topic: What are the problems associated with patient confidentiality.

Learning Objectives Define the key terms. Identify the problems associated with patient confidentiality. Describe the information to which the Privacy Rule refers and how it applies to your profession. Discuss the purpose of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. continued on next slide

Learning Objectives List which entities are affected by HIPAA. Discuss the penalties for noncompliance with HIPAA. List the patients’ rights under the Privacy Standards. Discuss the ethical issues concerning information technology.

Confidentiality Physicians are expected to maintain all confidences concerning their patients Modern medicine and technology make patient privacy issues a paramount concern Confidentiality preserves the patient's dignity Minimum necessary standard

Confidentiality Our right to privacy AIDS and privacy Right to privacy is not protected specifically by the Bill of Rights or any portion of the Constitution AIDS and privacy AIDS threat to all persons Information needs to be carefully communicated

Privacy Act of 1974 Agency may maintain only information relevant to its authorized purpose Citizens have right to gain access to records and to copy records if necessary Applies only to federal agencies and government contractors

Health Insurance Portability and Accountability Act (HIPAA) Signed into law in 1996 Regulates the privacy of patient health information Four objectives Improve portability Combat fraud, abuse, and waste Promote use of medical savings Simplify administration continued on next slide

Health Insurance Portability and Accountability Act (HIPAA) Five major categories covered under HIPAA Insurance portability Administrative simplification Medical savings and tax deductions Group health plan provisions Revenue offset provisions

Privacy Rule Applies to Protected Health Information (PHI) Limits disclosures to only the minimum information necessary to carry out the medical treatment Patient must grant written consent or permission to disclose their PHI for treatment, payment, and other health care operations

HITECH Act Health Information Technology for Economic and Clinical Health Act Meant to promote the adoption and “meaningful use” of health information technology Electronic Health Records (EHR) Notice of Privacy Practices (NPP)

Release of Information and Consent Patients have the right to know how, when, and why their medical information is used Providers can refuse treatment without consent form Exceptions Emergency situations Language barriers Prison inmates

Who Are Affected? Public health authorities Health care clearinghouses Self-insured employers Private insurers Information systems vendors continued on next slide

Who Are Affected? Various service organizations Universities Healthcare plans Treatment, payment, and healthcare operations (TPO)

Covered Transactions Healthcare provider submitting an electronic claim Physician sending PHI to another physician Physician sending PHI to a billing service

Denial of the Request for Privacy Some health care institutions, such as nursing homes, may have to deny access to a patient's medical information in order to protect the patient

State's Preemption Some states have stricter privacy standards than those of HIPAA The state's laws would then take precedence over the Federal HIPAA regulation

Unique Identifiers for Health Care Providers Standard identifiers are used to reduce confusion and errors Employer Identifier Standard Published 2002 Uses employer's tax ID number or Employer Identification Number (EIN)

Can Protected Health Information (PHI) Be Deidentified? To "deidentify" patient information, remove: Patient's name Address, including e-mail Telephone and fax numbers All dates, including birth (except year), admission, discharge, and death continued on next slide

Can Protected Health Information (PHI) Be Deidentified? To "deidentify" patient information, remove: Social security number Medical records numbers Health care insurance numbers License numbers Facial photos Other identifying numbers or characteristics

Obligations to Patient Under HIPAA Obtain consent and authorization for any disclosure of medical information Permit patient access to medical information Provide only the minimum necessary standard Permitted Incidental Disclosures

Penalties for Noncompliance with HIPAA Civil penalties Federal criminal liability with sanctions (fines) and time in prison Risk of class action suit and public relations damage Health Integrity and Protection Data Bank (HIPDB) National data bank collects reports and disclosure of actions taken

Patients' Rights Under the Privacy Standards Copy of privacy notice Access to medical records Limit how health care information is shared Accounting of to whom information is given continued on next slide

Patients' Rights Under the Privacy Standards Ask to be contacted in special way (phone or mail) Ask to be contacted in a place other than home or work Examine health information provider's copy Complain to "covered entity" if violation of privacy is suspected

HIPAA-Defined Permissions Permission to use information based on reason for knowing, or use of, the information

Special Rules Relating to Research Researcher must obtain: Patient authorization that complies with HIPAA Waiver of authorization from a privacy board or Institutional Review Board Waiver must include extensive documentation as required by HIPAA

Problems Relating to HIPAA'S Privacy Rules Some health care providers now refuse to provide medical records to anyone except the patient Compliance with HIPAA slows police investigations and impedes prosecution of crimes

Misconceptions about HIPAA Does not prevent physicians or hospitals from sharing patient information to treat Does not prevent disclosure to clergy Allows hospitals and physicians to share information with spouse or anyone patient has identified as involved in their care continued on next slide

Misconceptions about HIPAA Does not apply to most police or fire departments (may release information about accident victims) Does limit information EMTs may disclose

Recommendations Appoint and train privacy officer Conduct internal assessment of existing policies Enter agreements with all nonemployee service providers Adopt procedures for handling patient requests Implement Notice of Privacy practices continued on next slide

Recommendations Revise employee manuals regarding HIPAA standards Train all employees on policies and procedures Retain signed authorizations, copies, etc. (six years) continued on next slide

Recommendations Implement and enforce sanctions for violations Establish complaint process for noncompliance

Ethical Concerns with Information Technology (Informatics) Wireless local area networks (WLANs) Communication system used to access patient records from central databases Voice Recognition Technology Physician inputs information by voice in real time on mobile devices Dragon "Intelligence" software continued on next slide

Ethical Concerns with Information Technology (Informatics) Medical informatics Application of communication and information to medical practice, research, and education Telemedicine Use of communication and information technologies to provide health care services to people at a distance continued on next slide

Technology Technicians Health Information Administrator Health Information Technician Require college degrees and certification in Certified in Health Care Privacy and Security (CHIPS)