discussion post
Introduction to HIPAA
Key Terms:
Group Health Plan - an employee welfare benefits plan that provides health coverage in the form of medical care and services.
Health Care Clearinghouse - a public or private entity that processes information received from another entity in a nonstandard format into a standard format.
Health Care Provider - a provider of medical or other health services who furnishes, bills, or is paid for health care in the normal course of business.
HIPAA - a federal law that allows persons to qualify for health insurance coverage when they change employment; mandates use of standards for the electronic exchange of health care data; mandates use of national identification systems for health care patients, providers, payers, and employers; and requires measures to protect the security and privacy of health information.
Medical Savings Account - tax-sheltered savings account earmarked for medical expenses only.
Privacy - an individual's claim to control the use and disclosure of personal information.
Transaction - exchange of information between two parties to carry out financial or administrative activities related to health care.
Certain definitions are explained here that are used to build on later concepts. Some historical background provides reasonable basis for the law.
Primary concepts:
1. The original reason for writing HIPAA
2. The scope of HIPAA law to both health care and the insurance industry
3. The need to protect privacy and security of health information
4. Types of entities who are Covered Entities
5. The importance of the HIPAA Officer
6. Scenario to bring the ruling into work place perspective
Debate the reasons for keeping health information private.
a. What are reasons for disclosure? Disclosure must happen within the covered entities in order for patients to receive quality medical treatment. Without disclosure to insurance companies, the provider would not receive reimbursement. There are other business practices that need access to protected health information. There are reporting regulations and other mandates when disclosure is for protection of the public good that require disclosures.
b. What are reasons for privacy? Privacy is necessary so personal information is kept from those who do not need to know. Employers provide for a portion of health care costs and because of that may receive health information about their employees. Individuals may find discrimination against them if certain protected health information is disclosed. There is the chance of bias if specific health information is open to the public.
c. What are reasons for security? Security is very different from privacy. Security covers the ability of persons to access electronic information. When health information is in electronic format, then the added protection from destruction, alteration, and unauthorized access is vital.
4. Give examples of how people might be hurt when certain medical information is revealed to employers, family members, friends, and financial organizations.
a. Employers: Job security may be in jeopardy. Access to broad benefits of group health coverage may be limited. Certain job openings may be limited due to an individual’s health expectancy.
b. Family members: Due to certain family dynamics, some family members do not need to be advised of specific individual health concerns.
c. Friends: Friends may not hold information in confidence e.g. STD, unwanted pregnancy, terminal illnesses etc., and disclose information to outside parties who might misuse the information. They might even think they are doing a favor by telling someone.
d. Financial organizations: Knowing specific health information may bias the decision of a financial institution for insurance coverage, loan options, or other uses.
e. Insurance rates may become unreachable or coverage denied due to disclosed information.
Privacy Issues Explained
Key Terms:
Authorization - written permission by the patient or the patient's personal representative allowing the use or disclosure of specific protected health information for purposes other than treatment, payment, or health care operations.
Consent - permission granted by the patient or the patient's representative to use or disclose protected health information for purposes of treatment, payment, or health care operations.
Covered entity - a health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Disclosure - the release, transfer, divulging of, or providing access to protected health information to an outside entity.
Health Plan - an entity that assumes the risk of paying for part or all medical treatments as outlined in their policy coverage.
Incidental Disclosure - a disclosure of individually identifiable health information (IIHI) as a result of or as "incident to" otherwise permitted use or disclosure.
Marketing - any communication about a product or service that encourages recipients to purchase or use the product or service with certain exceptions.
Minimum Necessary - effort made to limit protected health information (PHI) to only that which is necessary to accomplish the intended purposes of the use, disclosure, or request.
Need To Know - a security principle stating that a user should have access only to the data he or she needs to perform a particular function.
Treatment - provision, coordination, or management of health care and related services for an individual by one or more health care providers.
Use - sharing, application, examination, or analysis of individually identifiable health information (IIHI) within an entity that maintains such information.
This chapter looks only at the Privacy Rule of HIPAA. This rule became effective April 2003 after generating lots of preconceived ideas, a number of them wrong. People generally over-reacted to the privacy issue. HIPAA again and again sought to find the “reasonable” approach. The concern was the patient’s best interest enabling the provider to give the best health care possible without endangering the integrity of the medical record.
The primary concepts covered in this chapter:
1. Know the definition of protected health information (PHI).
2. Recognize the difference between consent and authorization and their use in HIPAA.
3. Be familiar with required disclosures, those permitted without authorization, and those permitted with authorization.
4. Identify when Business Associate contracts must be obtained.
5. Understand how HIPAA mandates training for the public and health care workforce.
6. Grasp how the DHHS has ordered compliance with HIPAA law.
Think About It
1. Why might someone not want their records copied and sent to their employer?
a. Employees consider their health concerns a private matter that should not influence how they are treated on the job. There might be issues the employee is facing that are not part of how they function at work. This should not influence the employer to treat them any differently than other workers.
2. What could be included that would bias the employer against the worker?
a. Certain diagnoses may indicate a large future cost to provide health care for the worker or their dependents. Employers might use that to find a means to eliminate that job or make the situation difficult so the employee would want to quit rather than stay employed. HIPAA gives federal clout to existing but weaker laws.
3. What kind of information did patients receive from a health provider about their medical information after April 14, 2003?
a. As of April 14, 2003 every health care provider gives a Notice of Privacy Practices to each patient they treat. This lengthy paper explains how the provider is treating their personal health information to be in compliance with HIPAA law. Each provider is expected to have a signed paper showing that the patient or guarantor received his or her copy of the NOPP. If the signature is not received, the provider must show they made a “good faith” effort to receive the signature.
True Stories
True Story: The medical records of an Illinois woman were posted on the Internet without her knowledge or consent a few days after she was treated at St. Elizabeth’s Medical Center following complications from an abortion at the Hope Clinic for Women. The woman has sued the hospital, alleging St. Elizabeth’s released her medical records without her authorization to anti-abortion activists, who then posted the records online along with a photograph they had taken of her being transferred from the clinic to the hospital. The woman is also suing the anti-abortion activists for invading her privacy. (Hillig and Mannies, 2001)
This news report is included to show just how far unlawful disclosures can be used to damage the reputation of someone.
True Story: Consider how not authorizing release of information changed this woman’s employment status. Why might employers want to know medical history of employees? Are these valid reasons? A South Carolina resident was suspended from work for refusing to release her medical records to her employer. (Crowley, 2000)
Since employers pay for much of an employee’s group health plan, some employers wish to know if they are taking on a large risk medically. The implications to the employer are that the employee will probably miss work, increase the cost to the company for health care and in some sense be a liability to the company. There is much to debate about whether these reasons are valid for disclosure of medical records to an employer.
True Story: “A gentleman came to the (police) station for help. His wife was transported to the hospital for a psychiatric evaluation and she was transferred to another hospital and the hospital wouldn’t tell him what hospital she was transferred to,” said Pennsylvania State Police St. Tony Sivo. “Public officials and public agencies often improperly cite HIPAA in denying access to information. In most cases they are not covered entities and are not covered by the provisions,” per Teri Henning, media law counsel for the Pennsylvania Newspaper Association. (Mengers, 2004)
This news article points up the need for health care providers to keep the best interests of the patient in mind when making decisions about disclosing specific health information to family members. It could be argued that there was possibility of abuse within the home and that the wife needed protection. The providers at the hospital would be the best ones to make that decision based upon the condition of the patient. As noted at the end of the article, the police were not covered entities and not restricted to limiting disclosure due to HIPAA law.