1. 10 Patient Confidentiality and HIPAA
Journal Topic: What are the problems associated with patient confidentiality.

2. Learning Objectives Define the key terms.
Identify the problems associated with patient confidentiality.
Describe the information to which the Privacy Rule refers and how it applies to your profession.
Discuss the purpose of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
continued on next slide

3. Learning Objectives List which entities are affected by HIPAA.
Discuss the penalties for noncompliance with HIPAA.
List the patients’ rights under the Privacy Standards.
Discuss the ethical issues concerning information technology.

4. Confidentiality
Physicians are expected to maintain all confidences concerning their patients
Modern medicine and technology make patient privacy issues a paramount concern
Confidentiality preserves the patient's dignity
Minimum necessary standard

5. Confidentiality Our right to privacy AIDS and privacy
Right to privacy is not protected specifically by the Bill of Rights or any portion of the Constitution
AIDS and privacy
AIDS threat to all persons
Information needs to be carefully communicated

6. Privacy Act of 1974
Agency may maintain only information relevant to its authorized purpose
Citizens have right to gain access to records and to copy records if necessary
Applies only to federal agencies and government contractors

7. Health Insurance Portability and Accountability Act (HIPAA)
Signed into law in 1996
Regulates the privacy of patient health information
Four objectives
Improve portability
Combat fraud, abuse, and waste
Promote use of medical savings
Simplify administration
continued on next slide

8. Health Insurance Portability and Accountability Act (HIPAA)
Five major categories covered under HIPAA
Insurance portability
Administrative simplification
Medical savings and tax deductions
Group health plan provisions
Revenue offset provisions

9. Privacy Rule Applies to Protected Health Information (PHI)
Limits disclosures to only the minimum information necessary to carry out the medical treatment
Patient must grant written consent or permission to disclose their PHI for treatment, payment, and other health care operations

10. HITECH Act
Health Information Technology for Economic and Clinical Health Act
Meant to promote the adoption and “meaningful use” of health information technology
Electronic Health Records (EHR)
Notice of Privacy Practices (NPP)

11. Release of Information and Consent
Patients have the right to know how, when, and why their medical information is used
Providers can refuse treatment without consent form
Exceptions
Emergency situations
Language barriers
Prison inmates

12. Who Are Affected? Public health authorities Health care clearinghouses
Self-insured employers
Private insurers
Information systems vendors
continued on next slide

13. Who Are Affected? Various service organizations Universities
Healthcare plans
Treatment, payment, and healthcare operations (TPO)

14. Covered Transactions
Healthcare provider submitting an electronic claim
Physician sending PHI to another physician
Physician sending PHI to a billing service

15. Denial of the Request for Privacy
Some health care institutions, such as nursing homes, may have to deny access to a patient's medical information in order to protect the patient

16. State's Preemption
Some states have stricter privacy standards than those of HIPAA
The state's laws would then take precedence over the Federal HIPAA regulation

17. Unique Identifiers for Health Care Providers
Standard identifiers are used to reduce confusion and errors
Employer Identifier Standard
Published 2002
Uses employer's tax ID number or Employer Identification Number (EIN)

18. Can Protected Health Information (PHI) Be Deidentified?
To "deidentify" patient information, remove:
Patient's name
Address, including
Telephone and fax numbers
All dates, including birth (except year), admission, discharge, and death
continued on next slide

19. Can Protected Health Information (PHI) Be Deidentified?
To "deidentify" patient information, remove:
Social security number
Medical records numbers
Health care insurance numbers
License numbers
Facial photos
Other identifying numbers or characteristics

20. Obligations to Patient Under HIPAA
Obtain consent and authorization for any disclosure of medical information
Permit patient access to medical information
Provide only the minimum necessary standard
Permitted Incidental Disclosures

21. Penalties for Noncompliance with HIPAA
Civil penalties
Federal criminal liability with sanctions (fines) and time in prison
Risk of class action suit and public relations damage
Health Integrity and Protection Data Bank (HIPDB)
National data bank collects reports and disclosure of actions taken

22. Patients' Rights Under the Privacy Standards
Copy of privacy notice
Access to medical records
Limit how health care information is shared
Accounting of to whom information is given
continued on next slide

23. Patients' Rights Under the Privacy Standards
Ask to be contacted in special way (phone or mail)
Ask to be contacted in a place other than home or work
Examine health information provider's copy
Complain to "covered entity" if violation of privacy is suspected

24. HIPAA-Defined Permissions
Permission to use information based on reason for knowing, or use of, the information

25. Special Rules Relating to Research
Researcher must obtain:
Patient authorization that complies with HIPAA
Waiver of authorization from a privacy board or Institutional Review Board
Waiver must include extensive documentation as required by HIPAA

26. Problems Relating to HIPAA'S Privacy Rules
Some health care providers now refuse to provide medical records to anyone except the patient
Compliance with HIPAA slows police investigations and impedes prosecution of crimes

27. Misconceptions about HIPAA
Does not prevent physicians or hospitals from sharing patient information to treat
Does not prevent disclosure to clergy
Allows hospitals and physicians to share information with spouse or anyone patient has identified as involved in their care
continued on next slide

28. Misconceptions about HIPAA
Does not apply to most police or fire departments (may release information about accident victims)
Does limit information EMTs may disclose

29. Recommendations Appoint and train privacy officer
Conduct internal assessment of existing policies
Enter agreements with all nonemployee service providers
Adopt procedures for handling patient requests
Implement Notice of Privacy practices
continued on next slide

30. Recommendations Revise employee manuals regarding HIPAA standards
Train all employees on policies and procedures
Retain signed authorizations, copies, etc. (six years)
continued on next slide

31. Recommendations Implement and enforce sanctions for violations
Establish complaint process for noncompliance

32. Ethical Concerns with Information Technology (Informatics)
Wireless local area networks (WLANs)
Communication system used to access patient records from central databases
Voice Recognition Technology
Physician inputs information by voice in real time on mobile devices
Dragon
"Intelligence" software
continued on next slide

33. Ethical Concerns with Information Technology (Informatics)
Medical informatics
Application of communication and information to medical practice, research, and education
Telemedicine
Use of communication and information technologies to provide health care services to people at a distance
continued on next slide

34. Technology Technicians
Health Information Administrator
Health Information Technician
Require college degrees and certification in Certified in Health Care Privacy and Security (CHIPS)