Transcript notes #7

Privacy and Health Law
9/18/2012
ISC471/HCI 571 Isabelle Bichindaritz
1
Learning Objectives
• Explain why health information management
professionals must be knowledgeable about
medico legal issues.
• Distinguish between confidential and non
confidential information within a health
information system.
• Describe general legal principles governing access
to confidential health information in a variety of
circumstances.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
2
Learning Objectives
• Distinguish proper or valid requests for access to
health information from improper or invalid
requests.
• Describe the four components of negligence.
• Distinguish between properly executed consents
and authorizations and incomplete or improper
consents and authorizations.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
3
Why are Legal Issues So Important to Health
Information Management Professionals?
• Health care providers are required by law to
maintain health records.
• Some requests for health information are
legitimate while others are not.
• HIM professionals must make decisions
about what information can and cannot be
disclosed.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
4
Why are Legal Issues So Important to Health
Information Management Professionals?
Fundamentals of the Legal System
• Laws govern:
– Private relationships
• Relationships between private parties
– Public relationships
• Relationships between private parties and the
government
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
5
Why are Legal Issues So Important to Health
Information Management Professionals?
Fundamentals of the Legal System
• Private Law consists of:
– Tort actions
• Is allegation that one party’s wrongful conduct has caused
another party harm
• Wronged party seeks damages.
– Contract actions
• Is allegation that a contract exists between two parties and that
one party has breached that contract in some manner.
• Wronged party seeks compensation or a court order to enforce
the contract.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
6
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law
• Health Care Law comes from four main
sources:
– Federal and state constitutions
– Federal and state statutes
– Rules and regulations of administrative
agencies
– Court decisions
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
7
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law – Constitutional Law
• Constitution is the highest law in the United
States.
• If there is a conflict between the
Constitution and other laws, the
Constitution overrides the other law.
• When a law is found to be
“unconstitutional” it means that it conflicts
with the Constitution, making that law
invalid.
9/18/2012
ISC471/HCI 571 Isabelle
8
Bichindaritz
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law – Constitutional Law
• U.S. Constitution also limits the powers of
the federal and state governments.
– Bill of Rights protects specific rights of the
citizens.
• Example: The people are protected from deprivation
of property without due process.
• In a public health facility, a physician’s appointment
to the staff is considered a property right.
• The physician cannot be terminated without due
process, such as a full hearing.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
9
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law – Constitutional Law
• The right of privacy:
– Very important in health care
– Not an express right in the Constitution
– Basic definition is the right to:
• Be left alone
• Make decisions about one’s own body
• Control one’s own information
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
10
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law – Federal and State Statutes
• Examples of Laws that affect health care
facilities are:
– Americans with Disabilities Act
– Safe Medical Devices Act
– American Recovery and Reinvestment Act of
2009
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
11
Why are Legal Issues So Important to Health
Information Management Professionals?
Sources of Law – Federal and State Statutes
• If there is a conflict between federal and state
law, federal law controls.
• If there is conflict between state and local law,
state law controls.
• Therefore the hierarchy of laws is:
Constitution  federal law  state law  local
law
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
12
The Legal System
The Court System
Federal Courts
• Three levels of courts:
– Trial courts
– Intermediate courts of appeal
– Supreme court
• Federal trial courts: U.S. district courts
• Appeals from U.S. district courts go to a
U.S. court of appeals.
– There are 12 circuits, each has its own court of
appeals.
9/18/2012
ISC471/HCI 571 Isabelle
13
Bichindaritz
The Legal System
The Court System
State and Territory Courts
• States typically have three levels of courts just like the
federal government:
– The names of the courts vary by state, but they still generally
include:
• Trial courts
• Intermediate courts of appeal
• A high court
• Some state trial courts are further divided into
specialty courts such as:
– Traffic court
– Probate court
– Family court
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
14
The Legal System
Cases that Involve Health Care Facilities
and Providers – Malpractice and Negligence
• Negligence:
– Conduct that society considers unreasonably
dangerous because:
• The party knew or should have known that the
conduct (or absence of conduct) would subject
others to an appreciable risk of harm.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
15
The Legal System
Cases that Involve Health Care Facilities
and Providers – Malpractice and Negligence
• Two theories to hold the hospital
responsible for the conduct of its
employees:
– Respondeat superior:
• Literally means let the master answer.
• Legal system holds the health care organization
responsible for the negligent actions of the
organization’s employees or agents when their
actions are performed within the scope of their
employment.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
16
The Legal System
Cases that Involve Health Care Facilities
and Providers – Malpractice and Negligence
– Corporate negligence:
• Corporate negligence is when courts hold health
care organizations liable for their own acts of
negligence.
• Organizations responsible for monitoring the
activities of all the people who function within their
facilities.
• Includes employees and independent contractors
(such as physicians).
• Organizations also responsible for complying with
appropriate industry standards.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
17
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Claims against health care facilities may
include:
–
–
–
–
–
–
–
9/18/2012
Assault
Battery
False imprisonment
Defamation of character
Invasion of privacy
Fraud or misrepresentation
Intentional infliction of emotional distress
ISC471/HCI 571 Isabelle
Bichindaritz
18
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Assault:
– Is a deliberate threat + the apparent ability to do
harm to another person without that person’s
consent.
– Does not require any actual physical contact.
– Victim must be aware of the threat.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
19
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Battery
– Battery is touching another person in a socially
impermissible manner without consent.
– Victim does not have to be aware of the touching.
– Consent may be implied – when an unconscious person
is treated in a facility for life-saving treatment.
– This is primary reason that written consent is required
for all procedures.
– Does not matter if the treatment would help
the patient.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
20
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• False imprisonment:
–
–
–
–
Unlawful restrain of a person’s personal liberty
Unlawful restraining or confining of a person
No requirement of physical force
Does require the reasonable fear that force will be used
to detain or intimidate the victim into following orders
– Examples in this context:
• Refusing to let a patient leave until the bill is paid
• Use of physical restraints only because of understaffing to
monitor patients
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
21
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Defamation of character:
– Two types:
• Slander – oral
• Libel – written
– Is a communication that tends to damage the defamed
person’s reputation in the eyes of the community.
– Must show communication to a third party.
– A defense to defamation is truth of the statements.
– If the statement occurs during a privileged communication
(example, confidential communications between spouses,
discussion with a priest) there is no defamation unless there
was a malicious intent.
– Is rare in a health care context.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
22
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Invasion of privacy:
– Very important in a health care context
– Negligent disregard for a patient’s privacy can result in:
• A tort claim
• Regulatory penalties
• Criminal penalties
– Invasion of privacy includes:
• Divulging confidential information from a patient’s record to
an improper recipient without the patient’s consent
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
23
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Fraud:
– Willful and intentional misrepresentation that
could cause harm or loss to a person or the
person’s property
– May include:
• Improper billing for procedures not performed
• Deliberately coding incorrectly to gain a higher
payment
• Promising a certain surgical result when not certain
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
24
The Legal System
Cases that Involve Health Care Facilities
and Providers – Intentional Torts
• Intentional infliction of emotional distress
– Must be intentional
– Must actually cause significant emotional
distress
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
25
The Legal System
Cases that Involve Health Care Facilities
and Providers – Crimes and Corporate Compliance
• Health Information Portability and
Accountability Act of 1996 (HIPAA), the
Balanced Budget Act, and the Federal False
Claims Act all impose penalties for health
care providers who engage in fraudulent
practices.
– May include criminal sanctions.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
26
The Legal System
Cases that Involve Health Care Facilities
and Providers – Noncompliance with Statutes,
Rules, and Regulations
• Failure to comply with government imposed
statutes, rules, and regulations can lead to:
–
–
–
–
9/18/2012
Monetary penalties
Criminal penalties
Removal from participation in Medicare
Loss of licensure
ISC471/HCI 571 Isabelle
Bichindaritz
27
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duties to Patients in General
• Patients have certain rights in connection
with their health care.
• These rights are established by laws, rules,
regulations, ethical codes, or the
Constitution.
• These laws alert the patients to their rights
and provide remedies for the patient if
health care providers fail to respect their
rights.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
28
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duty to Maintain Health Information
• HIPAA outlines what documents must be maintained for
patient access and use as part of a designated record set
(DRS).
• Patients must be able to access the information in the
designated record set for at least 6 years.
• Designated Record Set for a covered entity include:
– The medical records and billing records about individuals
maintained by or for a covered health provider
– The enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a
health plan
– Use, in whole or in part, by or for the covered entity to make
decisions about individuals
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
29
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duty to Maintain Health Information
• Implied duty to maintain health information
can be found within:
– Vital statistics laws
– Mandatory reporting does not require patient
consent, in fact may be done over express
request by the patient not to report.
– Natural tension between reporting requirements
and confidentiality
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
30
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duty to Maintain Health Information
• Laws requiring the reporting of certain
diseases and medical events:
–
–
–
–
–
–
–
–
9/18/2012
Gunshot wounds
Suspected child abuse
Elder abuse
Industrial accidents
Certain poisonings
Abortions
Cancer cases
Communicable diseases
ISC471/HCI 571 Isabelle
Bichindaritz
31
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key
Documents and to Keep Them Secure
• Administrative Simplification section of
HIPAA is in part designed to stimulate the
development of standards to facilitate
electronic maintenance and transmission of
health information.
– In response DHHS adopted standards for
electronically maintained health information
and for electronic signatures.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
32
Legal Obligations and Risks of Health Care
Facilities and Individual Health Care Providers
Duty to Retain Health Information and Other Key
Documents and to Keep Them Secure
• HIM professionals must:
– protect health care information from loss or destruction
– prevent the corruption of electronically stored data from
power losses and surges
– protect the integrity of the information itself
• protect from inappropriate alteration
• control access to records
• make special precautions for records involved in litigation
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
33
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Retain Health Information and Other Key
Documents and to Keep Them Secure – Addenda
• When new information is being added to
a record
• Patients may ask for an amendment to
their record.
– Generally will be granted unless it falls under a
specific exception that allows for denial.
– If granted, should be treated as an addendum to
the record without change to the original entry.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
34
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents
and to Keep Them Secure – Authentication and Authorship Issues
• Authentication:
– Identification of the author of a document or
entry
– Indication that the author has reviewed the
entry for accuracy and attests to it
– Paper: original signature or stamp
– Electronic: use of a unique identification code
and password
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
35
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and
to Keep Them Secure – Validity of Health Information as Evidence
• Important reason to protect health records is for
their potential use as evidence in court.
• Hearsay Rule prohibits the admission into
evidence of out-of-court statements (including
written statements) unless they fall under one of
the specific exceptions to the rule.
• Health records are often considered an exception
to the “hearsay rule.”
• Exceptions are generally circumstances where
there is a presumption of reliability.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
36
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Retain Health Information and Other Key Documents and
to Keep Them Secure – Validity of Health Information as Evidence
• Judge makes a determination as to whether or not
the medical records will be admitted as evidence
as an exception to the hearsay rule.
• The HIM professional is often responsible for
testifying in court that the health record is kept in
the normal course of business.
• Best evidence rule: If the original record exists, it
must be provided; if not, a copy may be deemed
acceptable if it can be authenticated properly.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
37
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality
• Communications between patients and their health care
providers are confidential.
• Health care workers are bound to maintain the
confidentiality of private health information.
• A primary goal of HIPAA is to protect the confidentiality
of protected health information.
• Organizations required to provide patients with a notice of
their privacy practices.
• Not all information in the health record is protected so it is
important that health care workers understand what is and
is not confidential
• If the state has more restrictive rules on confidentiality,
they will govern, HIPAA would not override
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
38
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality
• HIPAA definition of protected health
information:
– Individually identifiable health information that
is transmitted by electronic media, maintained
in any medium described as electronic media,
or transmitted or maintained in any other form
or medium
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
39
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality
• Definition of individually identifiable health
information:
– Information that is a subset of health information, including:
• Demographic information
• Information created or received by a health care provider, health plan,
employer, or health care clearinghouse
• Relates to the past, present, or future physical or mental health or
condition of an individual
• Relates to the provision of health care to an individual
• Relates to the past, present or future payment for the provision of
health care to an individual
• That which identifies the individual.
• Information that could reasonably be believed to identify the
individual
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
40
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality
• HIPAA privacy rule used to only apply to covered
entities, it has recently been expanded to include the
covered entities business associates.
– Covered entity:
• Health care provider that conducts certain transactions in electronic
form
• A health care clearinghouse
• A health plan
• Business associate agreement: used when a health care
organization contracts out to a third party to handle or
process personal health information (including
billing).
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
41
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality – Privacy Act of 1947
• Designed to give citizens some control over the
information that the federal government and its
agencies collect
• Grants people the right to:
–
–
–
–
Find out what information about them has been collected
See and have a copy of that information.
Correct or amend the information.
Exercise limited control of the disclosure of that information
to other parties.
• Applies to:
– Health care organizations operated by the federal
government
– Record systems operated pursuant to a contract with a
federal government agency
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
42
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality – Freedom of Information Act
• Requires that records pertaining to the executive branch of
the government be available to the public.
• Exception is matters that fall within nine explicitly
exempted areas.
• One of these areas sometimes includes medical records:
– Personnel and medical files and similar files, the disclosure of
which would constitute a clearly unwarranted invasion of personal
privacy.”
– Unwarranted invasion of personal privacy:
• Information is contained in a personnel, medical, or similar file.
• Disclosure constitutes an invasion of personal privacy.
• Severity of the invasion outweighs the public interest in disclosure.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
43
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Maintain Confidentiality – Regulations on Confidentiality of
Alcohol and Drug Abuse Patient Records
• Restrict disclosures of patient health
information without patient authorization
• Specifically apply to facilities that provide
alcohol or drug abuse diagnosis, treatment, or
referral for treatment
• Facility must offer either:
– An identified unit that provides alcohol or drug
abuse diagnosis, treatment or referral for treatment
– Medical personnel or other staff whose primary
function is the provision of alcohol or drug abuse
diagnosis, treatment, or referral for treatment
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
44
Legal Obligations and Risks of Health Care Facilities and
Individual Health Care Providers
Internal Uses and External Disclosures of Health Information
• Internal uses may not need patient
authorization.
• Health care workers who are involved in the
treatment of a patient have access, but this
does not extend to employees of the
organization who are not involved in the
patient’s care.
• Minimum necessary is only the minimum
necessary amount of information to fulfill
9/18/2012
ISC471/HCI 571 Isabelle
45
the request should
be
shared.
Bichindaritz
Legal Obligations and Risks of Health Care Facilities and
Individual Health Care Providers
Internal Uses and External Disclosures of Health Information
• Under HIPAA internal uses include:
– Treatment
– Payment
– Health care operations
• External disclosures often do not need
patient authorization either.
– Disclosure to a lawyer who represents someone
other than the hospital would require
authorization.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
46
Legal Obligations and Risks of Health Care Facilities and
Individual Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Health Information Ownership
• Generally – the health facility owns the
record but the patient has an ownership
interest in the information within the record.
• Patient maintains a right to control the flow
of his or her private health information.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
47
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Resources on Releasing Patient Information
• Organizations must set policies and have
written procedures to guide staff in
responding to requests for information.
• Should use the most up-to-date resources
available because laws change frequently.
• Sources to help write the policies:
– State HIM association legal manuals
– Peers in other local facilities
–
AHIMA
guidelines
and
practice
standards
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
48
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Authorizations for Disclosure of Patient Information
• Standards for what must be present in an
authorization are included in:
– HIPAA Privacy Rule
– Regulations on Confidentiality of Alcohol and Drug
Abuse Patient Records
– Many state laws
• HIM professionals have the responsibility to
ensure that authorizations meet all applicable
standards.
• Violations of the standards set forth in the HIPAA
Privacy Rule can result in penalties.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
49
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure for Direct Patient Care
• Reasonable assumption that when a patient comes
in for care, he or she authorizes the care providers
to have information about his
or her conditions and treatments.
• HIPAA privacy rule allows internal uses of
protected health information for treatment without
patient authorization.
– Does not include access for anyone in the facility who
may be curious.
• Internal use should still be restricted to those who
need to know in order to treat the patient.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
50
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure for Direct Patient Care
• In cases where the patient is being treated
externally (by a new doctor, in a nursing facility)
some or all the information from the record may
need to be disclosed.
– In these cases HIPAA Privacy Rule permits disclosure
for treatment without authorization.
– There may be other regulations (state-based) that do
require authorization.
• Conservative view – get authorization any time
that there is an external disclosure except when an
emergency prevents authorization.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
51
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure for Performance Management and Patient Safety
• Health information sometimes is used to evaluate that
quality of care and services provided to patients.
• In these cases, it is not important who the patient is,
just the procedures for treatment.
– Records would be referred to by number so no names would
be used.
• HIPAA does not require authorization for use of
health information in this context.
• Important to verify that the requester in fact wants the
information for quality management purposes.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
52
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers General Principles Regarding Access and
Disclosure Policies – Disclosure for Research
• Also involves impersonal use of the records
• It does not matter who the patient is, just the
symptoms, treatment, and results.
• Facility should still have a policy as to
when records can be released for research
without patient authorization.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
53
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure for Research
• Researchers often have to have projects reviewed by
an institutional review board.
– Researcher may need to specify data security provisions.
– HIM professional may need to review the data collection
forms to ensure that patient-identifiable data are not to be
included.
– Special problems arise if the researchers want to contact
patients directly.
– Verifying the names and addresses of patients is possibly a
breach of confidentiality.
– The facility may agree to contact the patient on behalf of the
researcher to determine the patient’s willingness to
participate.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
54
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure for Payment Purposes
• This is one of the most frequent disclosures of health
information.
• HIPAA does not require authorization for this purpose but
some states do.
• New regulations allow an option for patients to shield some
information from their insurer.
– Must be a circumstance where the patient is
paying for the service in full out of pocket.
• Complicated issue because the person whose information is
going to the insurance company may not be the person who
applied for coverage (generally a family member)
– One solution is making the authorization for disclosure to the
insurance company a part of the general consent to treatment.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
55
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure
Policies – Disclosure to Attorneys
• Requires one of:
– Written authorization from the patient or the patient’s
legal representative
– Valid subpoena that meets HIPAA’s special
requirements
• No authorization is required if the attorney
represents the health care provider that owns the
record.
– Attorney for the hospital does not require authorization.
– Attorney for an individual employee of the hospital
does.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
56
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure Policies – Health
Information Management Department Security Measures to Prevent
Unauthorized Access
• Internal systems must protect health
information from:
–
–
–
–
–
9/18/2012
Loss
Theft
Destruction
Alteration
Unauthorized access
ISC471/HCI 571 Isabelle
Bichindaritz
57
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure Policies – Health
Information Management Department Security Measures to Prevent
Unauthorized Access
• Important job of HIM professionals is to
keep confidential information out of the
hands of unauthorized users through:
–
–
–
–
–
9/18/2012
Appropriate policies and procedures
Facility and space planning
Information systems design and selection
Staff education
Security management
ISC471/HCI 571 Isabelle
Bichindaritz
58
Legal Obligations and Risks of Health Care Facilities and Individual
Health Care Providers
General Principles Regarding Access and Disclosure Policies – Health
Information Management Department Security Measures to Prevent
Unauthorized Access
• Policies and procedures should be specific
as to who has access to what.
• HIPAA rules require that access control
decisions be based on need.
– HIM professionals should never hesitate to
verify the validity of a request.
– Verification of employee identification is
always important.
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
59
Legal Obligations and Risks of Health Care Facilities
and Individual Health Care Providers
Duty to Obtain Informed Consent to Treatment
• It often means getting a patient to sign a form.
• Informed consent is only valid though if it means that
the patient and the health professional have had:
– sufficient communication that the patient has information
about the anticipated treatments and
– the communication has met certain basic requirements
• Duty to obtain informed consent is split into two basic
parts:
– Duty to obtain a general consent for treatment
– Physician’s or surgeon’s duty to obtain a separate informed
consent before the performance of surgery or other invasive
procedure
9/18/2012
ISC471/HCI 571 Isabelle
Bichindaritz
60