ISC471/HCI 571 Isabelle Bichindaritz, Privacy and Health Law, 9/18/2012

Dec 29, 2015

Page 1
Privacy and Health Law
ISC471/HCI 571 Isabelle Bichindaritz
9/18/2012

Page 2
Learning Objectives

• Explain why health information management professionals must be knowledgeable about medico-legal issues.
• Distinguish between confidential and non-confidential information within a health information system.
• Describe general legal principles governing access to confidential health information in a variety of circumstances.

Page 3
Learning Objectives

• Distinguish proper or valid requests for access to health information from improper or invalid requests.
• Describe the four components of negligence.
• Distinguish between properly executed consents and authorizations and incomplete or improper consents and authorizations.

Page 4
Why are Legal Issues So Important to Health Information Management Professionals?

• Health care providers are required by law to maintain health records.
• Some requests for health information are legitimate while others are not.
• HIM professionals must make decisions about what information can and cannot be disclosed.

Page 5
Why are Legal Issues So Important to Health Information Management Professionals?
Fundamentals of the Legal System

• Laws govern:
  – Private relationships
    • Relationships between private parties
  – Public relationships
    • Relationships between private parties and the government

Page 6
Why are Legal Issues So Important to Health Information Management Professionals?
Fundamentals of the Legal System

• Private Law consists of:
  – Tort actions
    • Is allegation that one party’s wrongful conduct has caused another party harm
    • Wronged party seeks damages.
  – Contract actions
    • Is allegation that a contract exists between two parties and that one party has breached that contract in some manner.
    • Wronged party seeks compensation or a court order to enforce the contract.

Page 7
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law

• Health Care Law comes from four main sources:
  – Federal and state constitutions
  – Federal and state statutes
  – Rules and regulations of administrative agencies
  – Court decisions

Page 8
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law – Constitutional Law

• Constitution is the highest law in the United States.
• If there is a conflict between the Constitution and other laws, the Constitution overrides the other law.
• When a law is found to be “unconstitutional” it means that it conflicts with the Constitution, making that law invalid.

Page 9
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law – Constitutional Law

• U.S. Constitution also limits the powers of the federal and state governments.
  – Bill of Rights protects specific rights of the citizens.
    • Example: The people are protected from deprivation of property without due process.
    • In a public health facility, a physician’s appointment to the staff is considered a property right.
    • The physician cannot be terminated without due process, such as a full hearing.

Page 10
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law – Constitutional Law

• The right of privacy:
  – Very important in health care
  – Not an express right in the Constitution
  – Basic definition is the right to:
    • Be left alone
    • Make decisions about one’s own body
    • Control one’s own information

Page 11
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law – Federal and State Statutes

• Examples of Laws that affect health care facilities are:
  – Americans with Disabilities Act
  – Safe Medical Devices Act
  – American Recovery and Reinvestment Act of 2009

Page 12
Why are Legal Issues So Important to Health Information Management Professionals?
Sources of Law – Federal and State Statutes

• If there is a conflict between federal and state law, federal law controls.
• If there is conflict between state and local law, state law controls.
• Therefore the hierarchy of laws is:
  Constitution → federal law → state law → local law

Page 13
The Legal System
The Court System
Federal Courts

• Three levels of courts:
  – Trial courts
  – Intermediate courts of appeal
  – Supreme court
• Federal trial courts: U.S. district courts
• Appeals from U.S. district courts go to a U.S. court of appeals.
  – There are 12 circuits; each has its own court of appeals.

Page 14
The Legal System
The Court System
State and Territory Courts

• States typically have three levels of courts just like the federal government:
  – The names of the courts vary by state, but they still generally include:
    • Trial courts
    • Intermediate courts of appeal
    • A high court
• Some state trial courts are further divided into specialty courts such as:
  – Traffic court
  – Probate court
  – Family court

Page 15
The Legal System
Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence

• Negligence:
  – Conduct that society considers unreasonably dangerous because:
    • The party knew or should have known that the conduct (or absence of conduct) would subject others to an appreciable risk of harm.

Page 16
The Legal System
Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence

• Two theories to hold the hospital responsible for the conduct of its employees:
  – Respondeat superior:
    • Literally means “let the master answer.”
    • Legal system holds the health care organization responsible for the negligent actions of the organization’s employees or agents when their actions are performed within the scope of their employment.

Page 17
The Legal System
Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence

  – Corporate negligence:
    • Corporate negligence is when courts hold health care organizations liable for their own acts of negligence.
    • Organizations responsible for monitoring the activities of all the people who function within their facilities.
    • Includes employees and independent contractors (such as physicians).
    • Organizations also responsible for complying with appropriate industry standards.

Page 18
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Claims against health care facilities may include:
  – Assault
  – Battery
  – False imprisonment
  – Defamation of character
  – Invasion of privacy
  – Fraud or misrepresentation
  – Intentional infliction of emotional distress

Page 19
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Assault:
  – Is a deliberate threat + the apparent ability to do harm to another person without that person’s consent.
  – Does not require any actual physical contact.
  – Victim must be aware of the threat.

Page 20
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Battery
  – Battery is touching another person in a socially impermissible manner without consent.
  – Victim does not have to be aware of the touching.
  – Consent may be implied – when an unconscious person is treated in a facility for life-saving treatment.
  – This is primary reason that written consent is required for all procedures.
  – Does not matter if the treatment would help the patient.

Page 21
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• False imprisonment:
  – Unlawful restraint of a person’s personal liberty
  – Unlawful restraining or confining of a person
  – No requirement of physical force
  – Does require the reasonable fear that force will be used to detain or intimidate the victim into following orders
  – Examples in this context:
    • Refusing to let a patient leave until the bill is paid
    • Use of physical restraints only because of understaffing to monitor patients

Page 22
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Defamation of character:
  – Two types:
    • Slander – oral
    • Libel – written
  – Is a communication that tends to damage the defamed person’s reputation in the eyes of the community.
  – Must show communication to a third party.
  – A defense to defamation is truth of the statements.
  – If the statement occurs during a privileged communication (example, confidential communications between spouses, discussion with a priest) there is no defamation unless there was a malicious intent.
  – Is rare in a health care context.

Page 23
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Invasion of privacy:
  – Very important in a health care context
  – Negligent disregard for a patient’s privacy can result in:
    • A tort claim
    • Regulatory penalties
    • Criminal penalties
  – Invasion of privacy includes:
    • Divulging confidential information from a patient’s record to an improper recipient without the patient’s consent

Page 24
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Fraud:
  – Willful and intentional misrepresentation that could cause harm or loss to a person or the person’s property
  – May include:
    • Improper billing for procedures not performed
    • Deliberately coding incorrectly to gain a higher payment
    • Promising a certain surgical result when not certain

Page 25
The Legal System
Cases that Involve Health Care Facilities and Providers – Intentional Torts

• Intentional infliction of emotional distress
  – Must be intentional
  – Must actually cause significant emotional distress

Page 26
The Legal System
Cases that Involve Health Care Facilities and Providers – Crimes and Corporate Compliance

• Health Information Portability and Accountability Act of 1996 (HIPAA), the Balanced Budget Act, and the Federal False Claims Act all impose penalties for health care providers who engage in fraudulent practices.
  – May include criminal sanctions.

Page 27
The Legal System
Cases that Involve Health Care Facilities and Providers – Noncompliance with Statutes, Rules, and Regulations

• Failure to comply with government-imposed statutes, rules, and regulations can lead to:
  – Monetary penalties
  – Criminal penalties
  – Removal from participation in Medicare
  – Loss of licensure

Page 28
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duties to Patients in General

• Patients have certain rights in connection with their health care.
• These rights are established by laws, rules, regulations, ethical codes, or the Constitution.
• These laws alert the patients to their rights and provide remedies for the patient if health care providers fail to respect their rights.

Page 29
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Health Information

• HIPAA outlines what documents must be maintained for patient access and use as part of a designated record set (DRS).
• Patients must be able to access the information in the designated record set for at least 6 years.
• Designated Record Set for a covered entity includes:
  – The medical records and billing records about individuals maintained by or for a covered health provider
  – The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  – Used, in whole or in part, by or for the covered entity to make decisions about individuals

Page 30
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Health Information

• Implied duty to maintain health information can be found within:
  – Vital statistics laws
  – Mandatory reporting does not require patient consent, in fact may be done over express request by the patient not to report.
  – Natural tension between reporting requirements and confidentiality

Page 31
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Health Information

• Laws requiring the reporting of certain diseases and medical events:
  – Gunshot wounds
  – Suspected child abuse
  – Elder abuse
  – Industrial accidents
  – Certain poisonings
  – Abortions
  – Cancer cases
  – Communicable diseases

Page 32
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure

• Administrative Simplification section of HIPAA is in part designed to stimulate the development of standards to facilitate electronic maintenance and transmission of health information.
  – In response DHHS adopted standards for electronically maintained health information and for electronic signatures.

Page 33
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure

• HIM professionals must:
  – protect health care information from loss or destruction
  – prevent the corruption of electronically stored data from power losses and surges
  – protect the integrity of the information itself
    • protect from inappropriate alteration
    • control access to records
    • take special precautions for records involved in litigation

Page 34
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Addenda

• When new information is being added to a record
• Patients may ask for an amendment to their record.
  – Generally will be granted unless it falls under a specific exception that allows for denial.
  – If granted, should be treated as an addendum to the record without change to the original entry.

Page 35
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Authentication and Authorship Issues

• Authentication:
  – Identification of the author of a document or entry
  – Indication that the author has reviewed the entry for accuracy and attests to it
  – Paper: original signature or stamp
  – Electronic: use of a unique identification code and password

Page 36
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Validity of Health Information as Evidence

• Important reason to protect health records is for their potential use as evidence in court.
• Hearsay Rule prohibits the admission into evidence of out-of-court statements (including written statements) unless they fall under one of the specific exceptions to the rule.
• Health records are often considered an exception to the “hearsay rule.”
• Exceptions are generally circumstances where there is a presumption of reliability.

Page 37
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Validity of Health Information as Evidence

• Judge makes a determination as to whether or not the medical records will be admitted as evidence as an exception to the hearsay rule.
• The HIM professional is often responsible for testifying in court that the health record is kept in the normal course of business.
• Best evidence rule: If the original record exists, it must be provided; if not, a copy may be deemed acceptable if it can be authenticated properly.

Page 38
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality

• Communications between patients and their health care providers are confidential.
• Health care workers are bound to maintain the confidentiality of private health information.
• A primary goal of HIPAA is to protect the confidentiality of protected health information.
• Organizations required to provide patients with a notice of their privacy practices.
• Not all information in the health record is protected, so it is important that health care workers understand what is and is not confidential.
• If the state has more restrictive rules on confidentiality, they will govern; HIPAA would not override.

Page 39
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality

• HIPAA definition of protected health information:
  – Individually identifiable health information that is transmitted by electronic media, maintained in any medium described as electronic media, or transmitted or maintained in any other form or medium

Page 40
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality

• Definition of individually identifiable health information:
  – Information that is a subset of health information, including:
    • Demographic information
    • Information created or received by a health care provider, health plan, employer, or health care clearinghouse
    • Relates to the past, present, or future physical or mental health or condition of an individual
    • Relates to the provision of health care to an individual
    • Relates to the past, present or future payment for the provision of health care to an individual
    • That which identifies the individual.
    • Information that could reasonably be believed to identify the individual

Page 41
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality

• HIPAA privacy rule used to only apply to covered entities; it has recently been expanded to include the covered entities’ business associates.
  – Covered entity:
    • Health care provider that conducts certain transactions in electronic form
    • A health care clearinghouse
    • A health plan
• Business associate agreement: used when a health care organization contracts out to a third party to handle or process personal health information (including billing).

Page 42
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality – Privacy Act of 1947

• Designed to give citizens some control over the information that the federal government and its agencies collect
• Grants people the right to:
  – Find out what information about them has been collected
  – See and have a copy of that information.
  – Correct or amend the information.
  – Exercise limited control of the disclosure of that information to other parties.
• Applies to:
  – Health care organizations operated by the federal government
  – Record systems operated pursuant to a contract with a federal government agency

Page 43
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality – Freedom of Information Act

• Requires that records pertaining to the executive branch of the government be available to the public.
• Exception is matters that fall within nine explicitly exempted areas.
• One of these areas sometimes includes medical records:
  – “Personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.”
  – Unwarranted invasion of personal privacy:
    • Information is contained in a personnel, medical, or similar file.
    • Disclosure constitutes an invasion of personal privacy.
    • Severity of the invasion outweighs the public interest in disclosure.

Page 44
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Duty to Maintain Confidentiality – Regulations on Confidentiality of Alcohol and Drug Abuse Patient Records

• Restrict disclosures of patient health information without patient authorization
• Specifically apply to facilities that provide alcohol or drug abuse diagnosis, treatment, or referral for treatment
• Facility must offer either:
  – An identified unit that provides alcohol or drug abuse diagnosis, treatment or referral for treatment
  – Medical personnel or other staff whose primary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment

Page 45
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Internal Uses and External Disclosures of Health Information

• Internal uses may not need patient authorization.
• Health care workers who are involved in the treatment of a patient have access, but this does not extend to employees of the organization who are not involved in the patient’s care.
• Minimum necessary: only the minimum amount of information necessary to fulfill the request should be shared.

Page 46
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
Internal Uses and External Disclosures of Health Information

• Under HIPAA internal uses include:
  – Treatment
  – Payment
  – Health care operations
• External disclosures often do not need patient authorization either.
  – Disclosure to a lawyer who represents someone other than the hospital would require authorization.

Page 47
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Health Information Ownership

• Generally – the health facility owns the record but the patient has an ownership interest in the information within the record.
• Patient maintains a right to control the flow of his or her private health information.

Page 48
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Resources on Releasing Patient Information

• Organizations must set policies and have written procedures to guide staff in responding to requests for information.
• Should use the most up-to-date resources available because laws change frequently.
• Sources to help write the policies:
  – State HIM association legal manuals
  – Peers in other local facilities
  – AHIMA guidelines and practice standards

Page 49
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Authorizations for Disclosure of Patient Information

• Standards for what must be present in an authorization are included in:
  – HIPAA Privacy Rule
  – Regulations on Confidentiality of Alcohol and Drug Abuse Patient Records
  – Many state laws
• HIM professionals have the responsibility to ensure that authorizations meet all applicable standards.
• Violations of the standards set forth in the HIPAA Privacy Rule can result in penalties.

Page 50
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Disclosure for Direct Patient Care

• Reasonable assumption that when a patient comes in for care, he or she authorizes the care providers to have information about his or her conditions and treatments.
• HIPAA privacy rule allows internal uses of protected health information for treatment without patient authorization.
  – Does not include access for anyone in the facility who may be curious.
• Internal use should still be restricted to those who need to know in order to treat the patient.

Page 51
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Disclosure for Direct Patient Care

• In cases where the patient is being treated externally (by a new doctor, in a nursing facility) some or all the information from the record may need to be disclosed.
  – In these cases HIPAA Privacy Rule permits disclosure for treatment without authorization.
  – There may be other regulations (state-based) that do require authorization.
• Conservative view – get authorization any time that there is an external disclosure except when an emergency prevents authorization.

Page 52
Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers
General Principles Regarding Access and Disclosure Policies – Disclosure for Performance Management and Patient Safety

• Health information sometimes is used to evaluate the quality of care and services provided to patients.
• In these cases, it is not important who the patient is, just the procedures for treatment.
  – Records would be referred to by number so no names would be used.
• HIPAA does not require authorization for use of health information in this context.
• Important to verify that the requester in fact wants the information for quality management purposes.

Page 53: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.

ISC471/HCI 571 Isabelle Bichindaritz

53

• Also involves impersonal use of the records

• It does not matter who the patient is, just the symptoms, treatment, and results.

• Facility should still have a policy as to when records can be released for research without patient authorization.

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Disclosure for Research


Page 54: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• Researchers often have to have projects reviewed by an institutional review board.

– Researcher may need to specify data security provisions.

– HIM professional may need to review the data collection forms to ensure that patient-identifiable data are not to be included.

– Special problems arise if the researchers want to contact patients directly.

– Verifying the names and addresses of patients is possibly a breach of confidentiality.

– The facility may agree to contact the patient on behalf of the researcher to determine the patient’s willingness to participate.

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Disclosure for Research


Page 55: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• This is one of the most frequent disclosures of health information.

• HIPAA does not require authorization for this purpose but some states do.

• New regulations allow an option for patients to shield some information from their insurer.
  – Must be a circumstance where the patient is paying for the service in full out of pocket.

• Complicated issue because the person whose information is going to the insurance company may not be the person who applied for coverage (generally a family member).
  – One solution is making the authorization for disclosure to the insurance company a part of the general consent to treatment.

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Disclosure for Payment Purposes


Page 56: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• Requires one of:
  – Written authorization from the patient or the patient’s legal representative
  – Valid subpoena that meets HIPAA’s special requirements

• No authorization is required if the attorney represents the health care provider that owns the record.
  – Attorney for the hospital does not require authorization.
  – Attorney for an individual employee of the hospital does.

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Disclosure to Attorneys


Page 57: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• Internal systems must protect health information from:
  – Loss
  – Theft
  – Destruction
  – Alteration
  – Unauthorized access

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access


Page 58: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• Important job of HIM professionals is to keep confidential information out of the hands of unauthorized users through:
  – Appropriate policies and procedures
  – Facility and space planning
  – Information systems design and selection
  – Staff education
  – Security management

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access


Page 59: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• Policies and procedures should be specific as to who has access to what.

• HIPAA rules require that access control decisions be based on need.
  – HIM professionals should never hesitate to verify the validity of a request.
  – Verification of employee identification is always important.

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access


Page 60: ISC471/HCI 571 Isabelle Bichindaritz1 Privacy and Health Law 9/18/2012.


• It often means getting a patient to sign a form.

• Informed consent is only valid though if it means that the patient and the health professional have had:
  – sufficient communication that the patient has information about the anticipated treatments and
  – the communication has met certain basic requirements

• Duty to obtain informed consent is split into two basic parts:
  – Duty to obtain a general consent for treatment
  – Physician’s or surgeon’s duty to obtain a separate informed consent before the performance of surgery or other invasive procedure

Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers

Duty to Obtain Informed Consent to Treatment
