Nicohwilliam
Assignment: answer Real-World Case 9.1 and 9.2 questions; at least one page per case; cite the textbook.
Please see chapter readings from textbook below
Real-World Case 9.1
HIPAA privacy breaches are of great concern and they occur too frequently. The Office for Civil Rights (OCR) in the Department of Health and Human Services reported in December 2018 that a critical access hospital in Colorado reached a settlement via a resolution agreement to pay $111,400 to HHS and to adopt a corrective action plan because it allowed a former employee to have continued remote access to ePHI, affecting 557 individuals. No business associate agreement had been signed with the former employee (HHS 2018b).
This case highlights that actions as simple as immediately terminating access to systems upon employment separation can avoid breaches. Procedures that incorporated a routine termination process would have prevented an incident of this nature.
The fact that this incident involved a critical access hospital, which is small by definition and in comparison to its multi-hospital healthcare system counterparts, demonstrates that breaches and the penalties resulting from them do not occur only in large organizations. Covered entities and business associates of all types and sizes can commit breaches and be penalized for them.
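The control the case turns on is a routine termination process that removes access on the day of separation. The following is an added example, not code from the textbook or the settlement: it reconciles a constructed HR separation feed against a constructed directory export, flags accounts still enabled after separation (remote ePHI access first), and treats a former employee kept on as a contractor as acceptable only when a signed business associate agreement is on file. Group names, user ids and dates are all made up.

```python
"""Orphaned-access check for the termination control in Real-World Case 9.1.

Added example (not from the textbook). All users, groups and dates below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Separation:
    user_id: str
    separated_on: date          # last day of employment per HR


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset           # directory groups that grant access
    last_login: Optional[date]  # None if the account never logged in


@dataclass(frozen=True)
class Finding:
    user_id: str
    days_since_separation: int
    remote_ephi: bool           # still holds a remote ePHI-access group
    used_after_separation: bool # a login is recorded after the separation date


# Constructed group names for remote access to systems holding ePHI.
REMOTE_EPHI_GROUPS = frozenset({"vpn-users", "ehr-remote"})

# Date the reconciliation is run (constructed).
AS_OF = date(2018, 12, 1)

# Constructed HR separation feed.
SEPARATIONS = [
    Separation("jdoe", date(2018, 10, 15)),
    Separation("asmith", date(2018, 11, 20)),
    Separation("bwong", date(2018, 9, 1)),
    Separation("clee", date(2018, 11, 28)),
]

# Constructed directory export; "mjones" is a current employee.
ACCOUNTS = [
    Account("jdoe", True, frozenset({"vpn-users", "ehr-remote"}), date(2018, 11, 25)),
    Account("asmith", False, frozenset({"email"}), date(2018, 11, 19)),
    Account("bwong", True, frozenset({"email"}), date(2018, 8, 20)),
    Account("clee", True, frozenset({"vpn-users"}), None),
    Account("mjones", True, frozenset({"vpn-users", "ehr-remote"}), date(2018, 11, 30)),
]

# Former employees retained as contractors with a signed BAA on file (constructed).
CONTRACTORS_WITH_SIGNED_BAA = frozenset({"clee"})


def find_orphaned_access(separations, accounts, as_of, baa_on_file=CONTRACTORS_WITH_SIGNED_BAA):
    """Return findings for separated users whose accounts are still enabled.

    A separated user is skipped only if the account is already disabled or the
    user is a contractor with a signed BAA. Continued access without a BAA is a
    finding even when the organization meant to keep the person on, which is
    the situation described in the case.
    """
    by_user = {a.user_id: a for a in accounts}
    findings = []
    for sep in separations:
        acct = by_user.get(sep.user_id)
        if acct is None or not acct.enabled or sep.user_id in baa_on_file:
            continue
        findings.append(Finding(
            user_id=sep.user_id,
            days_since_separation=(as_of - sep.separated_on).days,
            remote_ephi=bool(acct.groups & REMOTE_EPHI_GROUPS),
            used_after_separation=(acct.last_login is not None
                                   and acct.last_login > sep.separated_on),
        ))
    # Worst first: remote ePHI access, then the longest-standing exposure.
    findings.sort(key=lambda f: (not f.remote_ephi, -f.days_since_separation))
    return findings


def deprovisioning_plan(findings):
    """Map each finding to the steps a routine termination process should take."""
    plan = []
    for f in findings:
        actions = ["disable account"]
        if f.remote_ephi:
            actions.append("revoke remote ePHI groups and terminate active sessions")
        if f.used_after_separation:
            actions.append("review audit logs for ePHI access after separation (possible breach)")
        plan.append((f.user_id, actions))
    return plan


if __name__ == "__main__":
    for user_id, actions in deprovisioning_plan(find_orphaned_access(SEPARATIONS, ACCOUNTS, AS_OF)):
        print(user_id, "->", "; ".join(actions))
```

Running the check on the HR feed daily, rather than relying on a manager's ticket, is what turns the case's "simple action" into a procedure.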
Real world case 9.1 questions
1. What steps could a privacy officer have taken to prevent this breach?
2. How would you have responded to the breach had it not been prevented at your healthcare organization?
3. Should small healthcare organizations be charged fines for non-compliance with HIPAA? Justify your response.
Real-World Case 9.2
Anndorie Cromar is a medical identity theft victim. A pregnant woman used Cromar’s medical identity to pay for maternity care at a nearby hospital. Because the infant was born with drugs in her system, the state’s child protective services (CPS) assumed she was Cromar’s infant and threatened to take Cromar’s four children away. It required a DNA test to get her name off of the infant’s birth certificate, but years to get her health records corrected. “That first stage was the most terrifying thing I’ve ever experienced in my life, getting the call from CPS and having them say, ‘We are coming to take your kids’” (Andrews 2016).
Medical identity theft is not detected and stopped as readily as financial fraud, where the bank or credit card company calls when it sees suspicious charges on a person’s account. Consumers therefore need to be particularly vigilant about the information that can be stolen to commit medical identity theft: personal, medical, and insurance information. Consumers should do the following:
· Scrutinize insurance company explanation of benefits forms and correspondence from healthcare providers and health insurers
· Be suspicious of inaccurate statements and bills, including documentation relating to services they did not receive
· Routinely review credit reports for debts that do not belong to them
· Treat insurance cards and policy numbers with the same care as Social Security numbers, and not share them readily
Additionally, consumers should not post information about medical treatments on social media. A criminal could use that information, along with other personal data located online, to create a complete and accurate profile by which to exploit the victim. Once the perpetrator’s and victim’s medical information are intertwined, it is much more difficult to undo than simple financial identity theft cases. Further, because medical identity theft involves a person’s health profile, it cannot be shut down as quickly as a credit card number can (Andrews 2016).
Real world case 9.2 questions
1. What could Anndorie Cromar, or any of us, do to prevent becoming a victim of medical identity theft?
2. Why should healthcare organizations be interested in financial identity theft?
3. What impact might medical identity theft have on the patient?
HITT 1301 CHAPTER 9
Health Information Management Technology,
An Applied Approach
Nanette Sayles, Leslie Gordon
Copyright ©2020 by the American Health Information Management Association. All rights reserved.
ISBN: 978-1-58426-720-1
AHIMA Product No.: AB103118
Privacy is a social value and is the right “to be let alone” (Rinehart-Thompson and Harman 2017). The US Constitution does not grant a right of privacy, but courts have interpreted it to give privacy rights in certain areas such as religion and child-rearing. Patients have a right to their privacy. Although there is no constitutional right of privacy to one’s health information, the health record is not a public document, and privacy protections for health information have been established through court cases as well as laws such as the Health Insurance Portability and Accountability Act (HIPAA), discussed in great detail in this chapter.
Confidentiality is similar to privacy, but it stems from the sharing of private thoughts in confidence with someone else. Legally, such sharing is protected when the communication is between parties such as physician and patient, attorney and client, or clergy and parishioner. Laws define those communications that are protected (Brodnik 2017a).
Use and Disclosure
Use is how a healthcare organization avails itself of health information internally, such as a nurse reviewing a patient’s health record. Disclosure is how health information is disseminated outside a healthcare organization. An example of disclosure is providing patient information to an insurance company. Use and disclosure are usually associated with the concepts of ownership and control of the health record because the organization that owns and controls the health record is also able to control the use and disclosure of its contents. Compliance with all applicable privacy and confidentiality laws and standards is important to avoid inappropriate use and disclosure of health information. Disclosure becomes very important when a healthcare organization is involved in litigation and health information becomes key evidence necessary for fact-finding during the discovery process and at trial, as described in chapter 8, Health Law.
State Laws—Privacy
Laws protecting the privacy of health information vary significantly from state to state. Some states have laws that are very specific, while others are general or even absent. Every person or organization that is subject to HIPAA (a federal law) must also abide by the applicable state law, and state law supersedes HIPAA if the state law is stricter. This is the concept of preemption, which is discussed later in this chapter.
In addition to state laws that protect health information privacy, all states have laws that require the disclosure of health information, even without patient authorization. These include the reporting of vital statistics (births and deaths) and other public health, safety, or welfare situations. For example, healthcare providers may be required to provide information to the appropriate state agency about patients who suffer from sexually transmitted and other communicable diseases, have been injured by knives or firearms, or have wounds that suggest some type of violent criminal activity. The treatment of suspected victims of child abuse or neglect also must be reported. These purposes are permitted by HIPAA and described later in the chapter.
HIPAA Privacy Rule and ARRA
The HIPAA Privacy Rule is one of the key federal regulations that governs the protection of protected health information (PHI). This chapter provides an overview of HIPAA legislation (namely, the Privacy Rule) and the accompanying American Recovery and Reinvestment Act (ARRA) of 2009.
HIPAA and ARRA Overview
As shown in figure 9.1, HIPAA contains five titles. Title II is the most relevant title to the health information management (HIM) professional. It contains provisions relating to the prevention of healthcare fraud and abuse and medical liability (medical malpractice) reform, as well as administrative simplification. The HIPAA Privacy Rule resides in the administrative simplification provision of Title II along with the HIPAA security standards, national provider identifiers, and transaction and code set standardization requirements. Administrative simplification is HIPAA’s attempt to streamline and standardize the healthcare industry’s non-uniform business practices, such as billing, to include the electronic transmission of data.
Figure 9.1 HIPAA structure
Source: Walsh 2016. Reprinted with permission.
Before HIPAA was enacted, no federal statutes or regulations generally protected the confidentiality of health information. Specific laws applied only in particular circumstances, such as to providers of Medicare services or to those receiving federal funds to provide substance abuse treatment.
Patient privacy protection laws governing access, use, and disclosure had largely resided with the individual states. They varied considerably, creating a patchwork of laws across the United States. Many states had passed laws to protect highly sensitive health records such as mental health and HIV/AIDS, but many states had no statutes or regulations to protect health information generally. If health information was wrongfully disclosed, individuals had to resort to lawsuits, often alleging negligence. With the Privacy Rule, protection was achieved uniformly across all the states through a consistent set of standards affecting providers, healthcare clearinghouses, and health plans.
The legal doctrine of preemption means that federal law (for example, the HIPAA Privacy Rule) may supersede state law. However, the HIPAA Privacy Rule is only a federal floor, or minimum, of privacy requirements so it does not preempt or supersede stricter state statutes (or other federal statutes). Stricter means that a state or federal statute provides an individual with greater privacy protections or gives individuals greater rights with respect to their PHI. If a question arises, it is important to consult with legal counsel to determine whether federal or state law prevails.
The American Recovery and Reinvestment Act (ARRA) provided significant funding for health information technology and other economic stimulus funding, and it also made important changes to the HIPAA Privacy and Security Rules. These changes are located in the Health Information Technology for Economic and Clinical Health Act (HITECH), which is a part of ARRA.
Office of the National Coordinator for Health Information Technology (ONC)
The Office of the National Coordinator for Health Information Technology (ONC) was first established by presidential executive order. It is now recognized by statute as an entity within the Department of Health and Human Services (HHS). It has been the primary federal entity responsible for coordinating national efforts to implement and use health information technology, and to promote the exchange of electronic health information. HHS currently includes a number of offices and agencies including the Office of Policy, Office of Standards and Technology, and Office of the Chief Privacy Officer, which plays an important role in promoting electronic health information privacy and security (ONC 2018).
Applicability of the Privacy Rule
The Privacy Rule does not apply to every person or every organization. It also does not apply to all types of information. This section identifies, first, to whom the Privacy Rule applies: persons or organizations identified as covered entities, business associates, and workforce. This section also discusses what the Privacy Rule protects: protected health information (PHI).
Covered Entities
A covered entity (CE) is a person or organization that must comply with the HIPAA Privacy Rule. The three types of covered entities are the following:
1. Healthcare providers, but only those that conduct certain transactions (financial or administrative) electronically. Healthcare providers include hospitals, long-term care facilities, physicians, and pharmacies.
2. Health plans, which pay for the cost of medical care (for example, a health insurance company).
3. Healthcare clearinghouses, which process claims between a healthcare provider and payer (for example, an intermediary that processes a hospital’s claim to Medicare to facilitate payment).
Electronic transactions specified in the act include but are not limited to health claims and encounter information, health plan enrollment and disenrollment, healthcare payment and remittance advice, health plan premium payments, referral certification, and coordination of benefits.
Business Associates
The Privacy Rule also applies to entities that are business associates of HIPAA-covered entities. A business associate (BA) is a person or organization other than a member of a CE’s workforce that performs functions or activities on behalf of or for a CE that involve the use or disclosure of PHI. Common BAs include consultants, billing companies, transcription companies, accounting firms, and law firms. ARRA also included in the BA definition patient safety organizations (PSOs), which utilize information to improve the safety and quality of patient care; health information organizations (HIOs); e-prescribing gateways and persons who facilitate data transmissions; as well as personal health record (PHR) vendors who, by contract, enable CEs to offer PHRs to their patients as part of the CE electronic health record (EHR) (HHS 2010, 40872).
A BA’s subcontractors are also BAs if they require access to an individual’s PHI, regardless of whether an agreement has actually been signed (HHS 2010, 40873). BAs and their subcontractors must comply with certain HIPAA provisions and are subject to the same civil and criminal penalties that CEs face for violating the law. In addition to the Privacy Rule, BAs and their subcontractors must also comply with the HIPAA security provision, which is covered in more detail in chapter 10, Data Security.
The Privacy Rule does not allow CEs to disclose PHI to BAs unless the two enter into a written contract, or business associate agreement (BAA), that meets HIPAA and ARRA requirements. However, if a person or organization meets the definition of a BA, they are a BA by law (even if the required agreement has not been signed) and are subject to penalties if they violate HIPAA. The BA may use or disclose PHI once it agrees to the CE’s requirements to protect the information’s security and confidentiality. The CEs must respond to BA noncompliance, and ARRA requires BAs to respond to CE noncompliance. The BA does this by corrective action or by severing the relationship with the CE.
The BAAs must be HIPAA- and ARRA-compliant. There are components that an agreement between a CE and BA should contain. These are outlined in figure 9.2.
Figure 9.2 Components of a business associate agreement
• Parties to the BAA (CE and BA; BA and subcontractor of BA)
• Purpose of the BAA (compliance with HIPAA and ARRA)
• Definitions (breach; electronic PHI; individual; PHI; law; Secretary of HHS; security incident)
• Obligations and activities of the BA
• Permitted uses and disclosures by BA (or subcontractor)
• Obligations of the CE
• Term and termination
• Indemnity for both parties
• Limitation of liability
• Miscellaneous
• Signatures, titles, contact information
Source: ©AHIMA 2016.
Workforce Members
Both CEs and BAs (including their subcontractors) are responsible under the Privacy Rule for their workforce members. A workforce consists not only of employees, but also volunteers, student interns, trainees, board of directors, and even employees of outsourced vendors who routinely work on-site in the CE’s facility.
To illustrate this, examine the following scenario. Tidy Team, a company that contracts with Mercy Hospital to provide janitorial services, employs Ted as a custodial worker. Ted has been assigned to Mercy Hospital. As part of his duties, he routinely cleans the floors and empties the trash in the HIM department. What is Tidy Team’s relationship with Mercy Hospital? What is Ted’s relationship with Mercy Hospital? Does a BA relationship exist here?
In this example, the hospital contracted Tidy Team to clean, not to use or disclose individually identifiable health information. The fact that Ted is in close proximity to such information on a regular basis does not make him (or Tidy Team) a BA. Because he routinely works in Mercy Hospital’s HIM department, however, he should be treated as a workforce member and trained as such.
Protected Health Information
The Privacy Rule safeguards protected health information (PHI). The PHI either identifies an individual or provides a reasonable basis to believe the person could be identified from the information given. PHI can be in any form including electronic, paper, and oral. Determining whether information is PHI or not requires meeting all parts of a three-part test. First, the information must be held or transmitted by a CE or a BA in any of the forms listed previously. Second, it must be individually identifiable health information. To be individually identifiable, the information must either identify the person or provide a reasonable basis to believe the person could be identified from the information. Third, it must relate to a person’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for the provision of healthcare. The PHI of deceased persons loses PHI status and is no longer protected by HIPAA after the individual has been deceased more than 50 years.
Deidentified Information
Deidentified information does not identify an individual because personal characteristics have been stripped from it in such a way that it cannot be later constituted or combined to reidentify an individual. Not all patient information is PHI. Deidentified information is not protected by the HIPAA Privacy Rule. Deidentified information is commonly used in research.
Information technology is powerful in assisting with the collection and analysis of data, so it is possible to identify individuals by combining specific data. Therefore, the HIPAA Privacy Rule requires the CE to do one of the following to ensure deidentification:
· The CE can strip certain elements to ensure the patient’s information is truly deidentified. These elements are listed in figure 9.3 (Rinehart-Thompson 2018)
· The CE can have an expert apply generally accepted statistical and scientific principles and methods to minimize the risk that the information might be used to identify an individual (Rinehart-Thompson 2018)
Figure 9.3 Data elements to be removed for deidentification of information
Source: 45 CFR 164.514(b)(2)(i).
Figure 9.4 identifies methods of deidentification that can be used to remove the data elements found in figure 9.3.
Figure 9.4 HIPAA Privacy Rule De-Identification Methods
Source: HHS 2015.
Other Basic Concepts
In addition to understanding to whom the Privacy Rule applies and what it protects, it is important to understand other basic HIPAA concepts, which are discussed in the sections that follow.
Individual
The Privacy Rule defines an individual as the person who is the subject of the PHI (45 CFR 160.103).
Personal Representative
A personal representative is a person who has legal authority to act on another’s behalf. Per the Privacy Rule, a personal representative must be treated the same as an individual regarding use and disclosure of the individual’s PHI.
Designated Record Set
A designated record set (DRS) includes the health records, billing records, and various claims records that are used to make decisions about an individual (45 CFR 164.501). HIPAA provisions apply to the DRS. The DRS is broader than the legal health record, which was discussed in chapter 8, Health Law, because it contains more components than those that would ordinarily be produced upon request.
Minimum Necessary
The minimum necessary standard requires that uses, disclosures, and requests be limited to only the amount needed to accomplish an intended purpose. For example, for payment purposes, only the minimum amount of information necessary to substantiate a claim for payment should be disclosed. The minimum necessary standard does not apply to PHI used, disclosed, or requested for treatment, payment, or operation purposes.
To ensure compliance with the minimum necessary standard, policies and procedures should identify those persons or classes of persons who work for the CE and who need to access PHI to perform their duties. They should further identify what PHI is needed to perform their jobs. For example, employees working in the housekeeping department would not have the same level of access to PHI as a nurse working in critical care.
ARRA has specified that, without final clarification of minimum necessary, CEs are to use the limited data set (PHI with certain specified direct identifiers removed) for using or disclosing only minimum necessary information, while reverting back to the amount needed to accomplish the intended purpose definition when the limited data set definition is inadequate (AHIMA 2009). For example, decision-making is specific to the CE, which must determine what PHI is reasonably needed to accomplish that particular purpose, given the nature of its business (HHS 2006; reviewed 2013).
Treatment, Payment, and Operations
Treatment, payment, and operations (TPO) is an important concept because the Privacy Rule provides a number of exceptions for PHI that is being used or disclosed for TPO purposes. Treatment means providing, coordinating, or managing healthcare or healthcare-related services by one or more healthcare providers. For example, treatment includes caring for patients admitted to the hospital or coming for an appointment with a physician. Treatment also includes healthcare provider consultations and referrals of the patient from one provider to another.
Payment includes activities by a health plan to obtain premiums, billing by healthcare providers or health plans to obtain reimbursement, claims management, claims collection, review of the medical necessity of care, and utilization review.
The Privacy Rule provides a broad list of activities that are healthcare operations. They include quality assessment and improvement, case management, review of healthcare professionals’ qualifications, insurance contracting, legal and auditing functions, and general business management functions such as providing customer service and conducting due diligence. Operations do not include marketing or fundraising activities.
Individual Rights
There are two key goals to the Privacy Rule: (1) to provide greater privacy protections for one’s health information (this also serves to limit access by others) and (2) to provide an individual with greater rights with respect to his or her health information. The Privacy Rule’s individual rights further the second goal. The individual rights include right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations. These rights are described as follows.
Right of Access
The Privacy Rule’s right of access allows an individual to inspect and obtain a copy of his or her own PHI contained within a designated record set, such as a health record (45 CFR 164.524). The right of access extends as long as the PHI is maintained, although the Privacy Rule does not require health records be retained for a specified period. There are exceptions to the right of access. For example, psychotherapy notes, which are behavioral health notes that document a mental health professional’s impressions from private counseling sessions; information compiled in reasonable anticipation of a civil, criminal, or administrative action or proceeding; or PHI subject to the Clinical Laboratory Improvements Act (CLIA) are all exceptions to the right of access. Covered entities with EHRs must make PHI available electronically per individual request if it is readily producible or if the individual requests to send PHI to a designated person or entity electronically (Rinehart-Thompson 2018).
Per the Privacy Rule, there are times when a CE can deny an individual access to PHI. These are described as follows and are generally categorized as no opportunity to review or opportunity to review.
No Opportunity to Review
A CE can deny an individual access to PHI without providing him or her an opportunity to review or appeal the denial in the following situations:
· The PHI is in psychotherapy notes
· The PHI was compiled in reasonable anticipation of, or for use in, civil or criminal litigation or administrative action
· The CE is a correctional institution or provider that has acted under the direction of a correctional institution, and an inmate’s request for his or her PHI creates health or safety concerns
· The PHI is created or obtained by a covered healthcare provider in research that includes treatment, and an individual receiving treatment as part of a research study agrees to suspend his or her right to access PHI temporarily, while the study is in progress
· The PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information
· The PHI is contained in records that are subject to the federal Privacy Act (5 USC 552a) if the denial of access under the Privacy Act would meet the requirements of that law
· The PHI is maintained by a CE that is subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988, which regulates the quality of laboratory testing, and CLIA would prohibit access
· The PHI is maintained by a CE exempt from CLIA requirements (Rinehart-Thompson 2018)
· The PHI refers to another individual who is not a healthcare provider, and a licensed healthcare professional has concluded from the documentation that the access requested is likely to cause significant harm to that other individual (45 CFR 164.524)
Opportunity to Review
In two instances, the Privacy Rule requires a CE to give an individual the right to review a denial of access. These are situations where a licensed healthcare professional determines that access to requested PHI would likely endanger the life or physical safety of the individual or another person or would reasonably endanger the life or physical safety of another person mentioned in the PHI.
When a denial is made, the CE must, first, write the denial in plain language and include a reason. Second, it must explain that the individual has the right to request a review of the denial. Third, it must describe how the individual can complain to the CE and must include the name or title and phone number of the person or office to contact. Finally, it must explain how the individual can lodge a complaint with the secretary of HHS.
The individual has the right to have the denial reviewed by a licensed healthcare professional who did not participate in the original denial and is designated by the CE to act as the reviewing official. The CE must grant or deny access in accordance with the reviewing official’s decision.
The Privacy Rule gives individuals the right to request access to their PHI, but the CE may require that requests be in writing. An individual’s request for review of PHI must be acted on no later than 30 days after the request is made (or 60 days if the PHI is not on-site). This may be extended once by a maximum of 30 additional days if the individual is given a written statement (within the 30 days) explaining the reasons for the delay and the date by which the CE will respond. A CE must arrange a convenient time and place for an individual to inspect his or her PHI; otherwise, a copy of the PHI must be mailed if requested. The Privacy Rule allows a reasonable cost-based fee when the individual requests a copy of PHI or agrees to accept summary or explanatory information. The fee may include the cost of the following:
· Copying, including supplies and labor of copying
· Postage, when the individual has requested that the PHI be mailed
· Preparing an explanation or summary, if agreed to by the individual (45 CFR 164.524)
HIPAA does not permit retrieval fees to be charged to patients; however, they are permitted for non-patient requests. If a CE does not wish to calculate actual or average costs for electronic PHI, the Office for Civil Rights (OCR), the federal agency within HHS that is responsible for enforcing the Privacy Rule, recommends a flat fee of up to $6.50. Fees cannot be assessed to individuals who access their PHI via a View, Download, and Transmit function of a certified electronic health record (Rinehart-Thompson 2018).
A CE must provide access to the PHI in the format requested if it is readily producible in such form or format. If not, it must be produced in a readable hard-copy form or other format agreed to by the CE and the individual.
The right of access gives the individual the right to obtain his or her own PHI, or to direct a CE to transmit PHI about that individual to a third party without barriers or unreasonable delays. Disclosure to a patient does not require patient authorization using the HIPAA authorization form that is described later in this chapter; however, for validation and record-keeping purposes the CE may require that the request be in writing (Rinehart-Thompson 2018). Certain limits cannot be placed on individuals exercising the right of access. For example, the patient cannot be limited to patient portal information only and cannot be required to physically appear at the CE to receive their PHI (HHS 2016).
The right of access becomes more complex when an individual directs a CE to transmit PHI about the individual to a third party. Oftentimes, these access requests appear to have been initiated by a third party instead of from the individual. As a result, seemingly identical requests may be handled differently (one as a patient access request and one as a third-party request requiring authorization) and fees assessed differently.
Right to Request Amendment of PHI
The Privacy Rule gives an individual the right to request amendment. With this right, one may request that a CE amend PHI or a record about the individual in a designated record set (45 CFR 164.526). The CE may deny the request when it determines that the PHI or the record:
· Was not created by the CE
· Is not part of the designated record set
· Is not available for inspection as noted in the regulation of access (for example, psychotherapy notes, inmate of a correctional institution, and so on)
· Is accurate or complete as is (45 CFR 164.526)
A CE may require that the amendment request be in writing. The CE may also require the requester to include a rationale for the amendment, as long as the requester was notified in advance that a rationale would be required (usually in the Notice of Privacy Practices, discussed later in this chapter).
An individual’s amendment request must be acted on no later than 60 days after receipt by allowing it or denying it in writing. The CE may extend its response once, by 30 days, if it explains the reasons for the delay in a written statement and gives a date by which it will act. If an amendment is granted, the Privacy Rule requires a CE to do the following:
· Identify the documentation in the designated record set that is affected by the amendment, append the information, and supply a link to the amendment’s location where applicable. For example, if the diagnosis is incorrect, the amendment will have to appear or be linked to each report in the designated record set
· Inform the individual that the amendment was accepted and have him or her identify the persons with whom the amendment needs to be shared and then obtain his or her agreement to notify those persons. The CE must make reasonable efforts to provide the amendment within a reasonable amount of time to anyone who has received the PHI (45 CFR 164.526)
Denials must be made within 60 days of the request, be written in plain language, and contain the following:
· The basis for the denial
· The individual’s right to submit a written statement disagreeing with the denial
· The process by which the individual can submit his or her disagreement
· A statement explaining how, when the individual does not submit a disagreement, he or she may request that both the original amendment request and the CE’s denial accompany any future disclosures of the PHI that is the subject of the amendment
· A description of how the individual may complain to the CE, including the name or title and telephone number of the contact person or office (45 CFR 164.526)
The CE can prepare a written rebuttal if the individual submits a disagreement statement, and it must provide the individual with a copy of the rebuttal.
All requests for amendments, denials, the individual’s statement of disagreement, and the CE’s rebuttal (if one was created) must be appended or linked to the record or PHI that is the subject of the amendment request. Future disclosures of the subject information must include this material or a summary. If a request for amendment was denied and the individual did not write a statement of disagreement, the request for amendment and denial must accompany future disclosures only if the individual requests such action.
Right to Request Accounting of Disclosures
Maintaining some type of procedure for monitoring and tracking PHI disclosures has long been common practice in HIM departments. However, the Privacy Rule sets a specific standard for such recordkeeping. Under the right to request an accounting of disclosures, an individual has the right to receive an accounting of certain disclosures made by a CE (45 CFR 164.528). The accounting must cover the accountable disclosures made in the six years prior to the date of the request (the individual may ask for a shorter period). A CE may either account for the disclosures of its BAs or require the BAs to provide their own accounting. BAs must respond to accounting requests made directly to them.
The types of disclosures that must be accounted for are limited, but include those made erroneously (that is, breaches, which are discussed later in the chapter), for public interest and benefit activities (discussed later in this chapter) where patient authorization is not obtained, and pursuant to a court order. Disclosures for which an accounting is not required (that is, exceptions) are the following disclosures:
· For TPO (the HITECH Act calls for TPO disclosures made through an EHR to be accounted for, but HHS has not finalized regulations implementing that change, so the exemption currently applies whether or not the CE uses an EHR)
· To individuals to whom the information pertains, or the individual’s personal representative
· Incidental to an otherwise permitted or required use or disclosure (for example, a patient’s name appears on a sign-in sheet at a physician office; this is a permitted use that may be seen by [disclosed to] the next patient who signs in)
· Pursuant to an authorization
· For use in the facility directory, to persons involved in the individual’s care, or for other notification purposes
· To meet national security or intelligence requirements
· To correctional institutions or law enforcement officials
· As part of a limited data set
· That occurred before the compliance date for the CE (45 CFR 164.528) (Rinehart-Thompson 2018)
Because the definition of healthcare operations is broad, the Privacy Rule carves certain activities out of it, and disclosures for those activities must be included in an accounting. Mandatory public health reporting is one: state requirements to report births (birth certificates), communicable diseases, and abuse or suspected abuse of children, mentally disabled individuals, and the elderly are not part of a CE's operations, so those disclosures must be accounted for. For example, if a physician's office reports a case of tuberculosis to a public health authority, that disclosure must appear in an accounting if the patient requests one. Likewise, if a CE makes PHI available to a public health authority for review, the disclosure must be accounted for even if the authority never actually reviews it.
Disclosure pursuant to a court order (without the patient's written authorization) is also subject to accounting. Disclosure pursuant to a subpoena that is accompanied by the patient's written authorization is not, because the authorization exempts the disclosure from the requirement. The accounting requirement covers disclosures made in writing, by telephone, or orally. An individual's right to an accounting may be temporarily suspended at the written request of a health oversight agency or law enforcement official stating that an accounting would impede its activities; the request should specify how long the suspension is required. The Privacy Rule lists the exceptions to the accounting requirement rather than the disclosures that must be accounted for, so any disclosure that does not fall under an exception must be included. An accounting of disclosures must include the following items:
· Date of disclosure
· Name and address (when known) of the entity or person who received the information
· Brief description of the PHI disclosed
· Brief statement of the purpose of the disclosure or a copy of the individual’s written authorization or request (45 CFR 164.528)
A CE must act on a request for an accounting of disclosures no later than 60 days after receipt (extended by no more than 30 days if the CE notifies the individual in writing of the reasons for the delay and the date by which the accounting of disclosure will be made available).
The first accounting of disclosure within any 12-month period must be provided to the patient without charge. Additional requests within a 12-month period may be assessed a reasonable, cost-based fee if the individual is informed in advance and given an opportunity to withdraw or modify the request or avoid or reduce the fee.
The Privacy Rule requires that documentation be maintained on all accounting of disclosure requests, including information included in the accounting of disclosure, the written accounting that was provided to the individual, and the titles of persons or offices responsible for receiving and processing requests for an accounting of disclosure. Policies and procedures must be developed to ensure the PHI disclosed from all areas of the CE, likely including departments outside HIM, can be tracked and compiled when an accounting of disclosure request is received.
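The accounting requirement above is, in practice, an audit-log design problem: every disclosure leaving any department must be captured with the four required items, and the accounting is then a filtered view of that log (six-year look-back, exemptions removed, suspended entries withheld, 60/90-day deadline, first copy in 12 months free). The following Python is an added illustration written for this page, not code from the textbook, AHIMA, or HHS; the purpose category names, record fields, and the sample log entries are constructed assumptions chosen to mirror the rule's text.

```python
"""Accounting of disclosures (45 CFR 164.528) modelled as a small audit log.

Added illustration for this page, not textbook or HHS code. Category names,
record fields and the sample log below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Disclosure purposes the Rule exempts from the accounting (164.528(a)(1)).
EXEMPT_PURPOSES = frozenset({
    "tpo", "to_individual", "incidental", "authorization", "facility_directory",
    "involved_in_care", "national_security", "correctional", "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str                    # entity or person who received the PHI
    recipient_address: Optional[str]  # "when known"
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # category tested against EXEMPT_PURPOSES
    purpose_statement: str            # brief statement of purpose / copy of request


@dataclass(frozen=True)
class Suspension:
    """Written request from a health oversight agency or law enforcement official
    to suspend the accounting of disclosures made to it, until a stated date."""
    agency: str
    until: date


def years_before(d: date, n: int) -> date:
    """d minus n calendar years; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def build_accounting(log, requested_on, compliance_date, suspensions=()):
    """Return (entries, withheld). entries: accounting rows (the four required
    items) for accountable disclosures in the six years before requested_on.
    withheld: rows suppressed because a suspension request is still in effect."""
    window_start = years_before(requested_on, 6)
    entries, withheld = [], []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.purpose in EXEMPT_PURPOSES:          # no accounting required
            continue
        if d.disclosed_on < compliance_date:      # pre-compliance-date exception
            continue
        if not (window_start <= d.disclosed_on <= requested_on):
            continue
        row = {
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient if d.recipient_address is None
                         else f"{d.recipient}, {d.recipient_address}",
            "phi": d.description,
            "purpose": d.purpose_statement,
        }
        suspended = any(s.agency == d.recipient and requested_on <= s.until
                        for s in suspensions)
        (withheld if suspended else entries).append(row)
    return entries, withheld


def response_deadline(requested_on, extended=False):
    """60 days from receipt; one written extension of up to 30 days."""
    return requested_on + timedelta(days=90 if extended else 60)


def fee_may_apply(requested_on, prior_accounting_dates):
    """First accounting in any 12-month period is free; a later one may carry a
    reasonable, cost-based fee if the individual is told in advance."""
    return any(years_before(requested_on, 1) < p <= requested_on
               for p in prior_accounting_dates)


# Constructed sample log for one patient (assumed data, not a real record).
COMPLIANCE_DATE = date(2003, 4, 14)
REQUESTED_ON = date(2019, 6, 1)
PRIOR_ACCOUNTINGS = (date(2018, 11, 15),)
SUSPENSIONS = (Suspension("State Medicaid Fraud Control Unit", date(2019, 12, 31)),)
SAMPLE_LOG = [
    Disclosure(date(2012, 1, 10), "State Cancer Registry", None,
               "Pathology report", "public_health", "Registry reporting"),  # outside window
    Disclosure(date(2017, 3, 2), "County Public Health Department", "100 Civic Center Dr",
               "TB case report", "public_health", "Mandatory communicable disease report"),
    Disclosure(date(2018, 6, 14), "Dr. A. Patel (referring physician)", None,
               "Discharge summary", "tpo", "Continuity of care"),            # exempt
    Disclosure(date(2018, 9, 1), "Acme Life Insurance", "PO Box 12",
               "Complete record", "authorization", "Authorization dated 2018-08-20"),  # exempt
    Disclosure(date(2019, 2, 5), "Superior Court, Clerk", "1 Court St",
               "ED visit note", "court_order", "Court order 19-CV-001"),
    Disclosure(date(2019, 4, 20), "State Medicaid Fraud Control Unit", None,
               "Billing records", "health_oversight", "Fraud investigation"),  # suspended
    Disclosure(date(2019, 5, 3), "Unknown fax recipient", None,
               "Lab results", "erroneous", "Misdirected fax (breach)"),
]

if __name__ == "__main__":
    rows, held = build_accounting(SAMPLE_LOG, REQUESTED_ON, COMPLIANCE_DATE, SUSPENSIONS)
    for r in rows:
        print(r)
    print(f"withheld under suspension: {len(held)}; respond by {response_deadline(REQUESTED_ON)}")
```

The point a practitioner should take from the model is that the exemption test runs on a purpose category recorded at disclosure time, so the log must be populated by every department that releases PHI (billing, public health reporting, release of information), not by HIM alone; an accounting can only be as complete as the log feeding it.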
Right to Request Restrictions of PHI
An individual can request that a CE restrict the uses and disclosures of PHI to carry out TPO (45 CFR 164.522(a)(1)). This is the right to request restrictions of PHI. In almost all cases, a CE can decline a restriction request. However, restriction requests must be complied with (unless otherwise required by law) if the disclosure would be made to a health plan for payment or operations purposes and the individual had paid for the healthcare service or item completely out of pocket (Rinehart-Thompson 2018).
When a CE agrees to a restriction, whether voluntarily or mandated, it must live up to the agreement. To illustrate how difficult this can be, examine the following scenario. A patient, Mr. Smith, agrees to allow a hospital to tell callers that he has been admitted to the hospital and therefore is in the facility directory. Such notification is a hospital operation. However, he requests that this information be restricted and withheld only from his Aunt Mary and Uncle Jack, if they should call. Should the hospital agree to this restriction request? In this scenario, the hospital is not required to agree. In fact, the hospital probably should not agree to this request because of the administrative difficulty of informing certain individuals, but not others, of Mr. Smith’s status. There is also the risk of accidentally violating the request. It would be difficult for every receptionist to recall this small restriction, particularly if other patients had similar restrictions on their information. The risk of violation simply becomes too great.
The individual or the CE can terminate a restriction that was agreed upon. When the CE initiates termination of the agreement, it must inform the individual that it is doing so; the termination is then effective only with respect to PHI created or received after the individual has been informed (45 CFR 164.522(a)(2)).
Right to Request Confidential Communications
Healthcare providers and health plans must give individuals the opportunity to request that communications of PHI be routed to an alternative location or by an alternative method (45 CFR 164.522(b)(1)). This is the right to request confidential communications. Healthcare providers must honor such a request without requiring a reason if it is reasonable. Health plans must honor such a request if it is reasonable and if the requesting individual states that disclosure could pose a safety risk. However, providers and health plans may refuse to accommodate requests if the individual does not provide information as to how payment will be handled or an alternative address or method by which he or she can be contacted.
An example of a request for confidential communications would be a woman who requests that billing information from her psychiatrist, from whom she is seeking treatment because of a domestic violence situation, be sent to her work address instead of to her home.
Right to Complain of Privacy Rule Violations
A CE must provide a process for an individual to file a complaint or allegation about the entity’s policies and procedures, its noncompliance with them, or its noncompliance with the Privacy Rule (45 CFR 164.530(d)(1)). The CE’s notice of privacy practices, described later in this chapter, must contain contact information at the CE level and inform individuals of the ability to submit complaints to HHS. All complaints must be documented along with corresponding dispositions.
HIPAA Privacy Rule Documents
The Privacy Rule outlines three key documents that inform patients and give them a degree of control over their PHI. Two of them, the notice of privacy practices and the authorization, are required; the HIPAA consent to use or disclose PHI is optional.
Notice of Privacy Practices
Except for certain exceptions for health plans and inmates in correctional facilities, an individual has the right to a notice explaining how his or her PHI will be used and disclosed (45 CFR 164.520). This notice of privacy practices must also explain in plain language the patient’s rights and the CE’s legal duties with respect to PHI.
Healthcare providers with a direct treatment relationship with an individual must provide the notice of privacy practices by the first service delivery date (for example, first visit to a physician’s office, first admission to a hospital, or first encounter at a clinic), including service delivered electronically. Notices must be available at the site where the individual is treated and must be posted in a prominent place where patients can reasonably be expected to read them. If the CE has a website with information about their services and benefits, the notice of privacy practices must be prominently posted to it. The notice of privacy practices must be updated to reflect material changes. It must state that uses and disclosures not described in the notice will require an authorization. It must also address marketing and the right to opt out of fundraising communications (both of which are explained later in this chapter). A CE’s obligation to comply with a restriction request if the item or service is paid in full out-of-pocket must also be included in the notice. AHIMA outlines the requirements for the content of the notice of privacy practices (McLendon and Rose 2013). In general, the notice is to include the following:
1. A header such as: “this notice describes how information about you may be used and disclosed and how you can get access to this information. Please review it carefully”
2. A description, including at least one example of the types of uses and disclosures that the CE is permitted to make for treatment, payment, and healthcare operations
3. A description of each of the other purposes for which the CE is permitted or required to use or disclose PHI without the individual’s written consent or authorization
4. A statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization
5. When applicable, separate statements that the CE may contact the individual to provide appointment reminders or information about treatment alternatives and other health-related benefits and services that may be of interest to the individual
6. A statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization. CEs that do not record or maintain psychotherapy notes are not required to include a statement
7. A statement regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a CE intends to contact an individual to raise funds for the CE. If a CE does not make fundraising communications, then this statement does not need to be included
8. For health plans that perform underwriting activities, a statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes
9. A statement of the individual’s rights with respect to PHI and a brief description of how the individual may exercise these rights including:
a. The right to request restrictions on certain uses and disclosures as provided by 45 CFR 164.522(a)(1), including a statement that the CE is not required to agree to a requested restriction
b. For healthcare providers only, a statement indicating the right to restrict certain disclosures of PHI to a health plan when the individual pays out of pocket in full for the healthcare item or service
c. The right to receive confidential communications of PHI
d. The right to access, inspect, and receive a copy of PHI on paper, including the right to have electronic copies if kept in electronic form
e. The right to request electronic copies of PHI be forwarded to a third party
f. The right to request an amendment of PHI
g. The right to receive an accounting of disclosures
h. The right to be notified of the CE’s privacy practices
i. The right to control PHI use for marketing, sales, and research
j. The right to be notified of a breach to PHI
k. The right to file complaints with the Office for Civil Rights
10. A statement that the CE is required by law to maintain the privacy of PHI and to provide individuals with a notice of its legal duties and privacy practices with respect to PHI
11. A statement that the CE is required to abide by the terms of the notice currently in effect
12. A statement that the CE reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains
13. A statement describing how the CE will provide individuals with a revised notice
14. A statement that individuals may complain to the CE and to the Secretary of Health and Human Services if they believe their privacy rights have been violated; a brief description of how one files a complaint with the CE; and a statement that the individual will not be retaliated against for filing a complaint. Include contact information
15. The name or title and the telephone number of a person or office to contact for further information
16. An effective date, which may not be earlier than the date on which the notice is printed or otherwise published
Consent to Use or Disclose PHI
Under the Privacy Rule healthcare providers are not required to obtain HIPAA consent, which is the patient’s agreement to use or disclose individually identifiable information for TPO (45 CFR 164.506(b)). However, some healthcare providers obtain consents as a matter of policy. Except for special circumstances such as emergencies (discussed in this section), the HIPAA consent is usually obtained at the time care is provided and has no expiration date. However, the individual can revoke the HIPAA consent as long as the revocation is in writing. HIPAA consents should be written in plain language. The CE must document and retain signed HIPAA consents and revocations. A sample HIPAA consent is provided in figure 9.5.
Figure 9.5 Sample HIPAA consent for the use or disclosure of individually identifiable health information
Source: HHS 2000. 82818.
Authorization
Written authorization by an individual, granting permission for a specific use or disclosure of his or her health information, is a longstanding legal requirement and health information practice, and it is a key component of the Privacy Rule. As a general requirement, the Privacy Rule states that an authorization must be obtained from the individual for uses and disclosures of PHI that the Rule does not otherwise permit or require (45 CFR 164.508). There are a number of exceptions, outlined later in this chapter.
Authorization is required for any use or disclosure of psychotherapy notes, including for TPO, except for use by the originator of the notes for treatment; use or disclosure by the CE in its own mental health training programs; use or disclosure to defend a legal action or other proceeding brought by the individual; and certain uses and disclosures otherwise required or permitted by the Rule, such as disclosure to HHS for a compliance review or to a health oversight agency overseeing the originator of the notes (45 CFR 164.508(a)(2)). The Privacy Rule also provides other specifications for authorization, including those requested by a CE for its own uses and disclosures and those requested for disclosures by others. This section of the Privacy Rule also generally prohibits requiring an authorization as a condition of treatment and allows authorizations to be combined only in certain situations (45 CFR 164.508).
The Privacy Rule requires that authorizations be obtained for uses and disclosures of PHI in research unless the CE obtains documentation that an Institutional Review Board (IRB) or privacy board has approved an alteration or waiver. Where authorizations are required, the Privacy Rule requires that the authorization contain the required core elements, which are described later in this chapter.
An individual may revoke an authorization at any time if it is in writing. However, revocation does not apply to disclosures that have already been made. CEs must document and retain signed authorizations and revocations and must permit individuals to review what was disclosed pursuant to authorizations.
Table 9.1 outlines differences among the three key Privacy Rule documents discussed in this section.
Table 9.1 Differences among notice of privacy practices, consent, and authorization
Required?
· Notice of privacy practices: Required by HIPAA
· Consent: Optional
· Authorization: Required by HIPAA
Requirements regarding TPO
· Notice of privacy practices: Must explain TPO uses and disclosures, along with other types of uses and disclosures
· Consent: Obtains patient permission only to use or disclose PHI for TPO purposes
· Authorization: Obtains patient permission for a number of other types of uses and disclosures; not required for TPO uses and disclosures
PHI this document addresses
· Notice of privacy practices: Provides prospective, general information about how PHI might be used or disclosed in the future (including information that may not have been created yet)
· Consent: Provides prospective, general information about how PHI might be used or disclosed in the future for TPO purposes (including information that may not have been created yet)
· Authorization: Obtains patient permission to use or disclose specific information that generally has already been created and for which there is a specific need
Required for treatment?
· Notice of privacy practices: May not refuse to treat an individual because he or she declines to sign this form
· Consent: May condition treatment on the individual signing this form
· Authorization: May not refuse to treat an individual because he or she declines to sign this form
Time limit on document validity
· Notice of privacy practices: No time limit on validity of the document
· Consent: No time limit on validity of the document
· Authorization: Time limit on validity of the document (specified by an expiration date or event)
Source: Adapted from Rinehart-Thompson 2018.
Uses and Disclosures of Health Information: Authorization and Patient Right of Access
As table 9.2 shows, PHI may not be used or disclosed by a CE unless the individual who is the subject of the information authorizes the use or disclosure in writing or the Privacy Rule requires or permits such use or disclosure without the individual’s written authorization. The Privacy Rule requires such use or disclosure in only two situations: when the individual or individual’s personal representative requests access to or an accounting of disclosures of the PHI (with the exceptions detailed earlier in this chapter), and when HHS is conducting an investigation, review, or enforcement action.
Table 9.2. Authorization requirements for use and disclosure of PHI
I. Patient authorization required:
All situations except those listed in Part II
II. Patient authorization not required:
A. When use or disclosure is required, even without patient authorization
• When the individual/patient or individual’s/patient’s personal representative requests access or accounting of disclosures (with exceptions)
• HHS investigation, review, or enforcement action
B. When use or disclosure is permitted, even without patient authorization
• Patient has opportunity to informally agree or object
∘ Facility directory
∘ Notification of relatives and friends
• Patient does not have opportunity to agree or object
∘ Public interest and benefit
1. As required by law
2. For public health activities
3. To disclose PHI regarding victims of abuse, neglect, domestic violence
4. For health oversight activities
5. For judicial and administrative proceedings
6. For law enforcement purposes (six specific situations)
7. Regarding decedents
8. For cadaveric organ, eye, or tissue donation
9. For research, with limitations
10. To prevent or lessen serious threat to health or safety
11. For essential government functions
12. For workers’ compensation
∘ Situations other than public interest and benefit
13. TPO
14. To the individual/patient
15. Incidental disclosures
16. Limited data set
Source: Rinehart-Thompson 2018.
In addition to the two situations where use or disclosure is required without the individual’s written authorization (section II.A of table 9.2), there are many situations where the Privacy Rule permits a CE to use or disclose PHI without an individual’s written authorization (45 CFR 164.510 and 164.512). These exceptions to the patient authorization requirement are summarized in section B of table 9.2.
Patient Has Opportunity to Agree or Object
As listed in table 9.2 (section II.B), the Privacy Rule lists two circumstances where PHI can be used or disclosed without the individual’s written authorization, although the individual must be informed in advance and given an opportunity to informally agree or object (45 CFR 164.510). In both circumstances, the CE may inform the individual verbally and obtain his or her verbal agreement or objection.
The first circumstance is when the healthcare organization maintains a facility directory of patients for persons who ask for individuals by name, and for clergy. The information may include the patient’s name, location in the healthcare organization (room number), condition described in general terms (such as critical or stable), and religious affiliation. Disclosure of an individual’s religious affiliation is limited to members of the clergy.
The CE must inform the patient of the information to be included in the facility directory and to whom information may be disclosed. The patient must have the opportunity to prohibit all uses or disclosures from the facility directory or request restrictions of some of the uses and disclosures.
When it is not possible to get the patient’s agreement (for example, in emergencies), the CE can use and disclose PHI in the facility directory if the disclosure is consistent with the prior expressed preference of the patient or if the CE believes it is in the patient’s best interest. When it becomes possible after the emergency situation, the CE must inform the patient and give him or her the opportunity to object to use and disclosure from the facility directory.
The second circumstance is disclosing, to a family member or a close friend, PHI that is directly relevant to his or her involvement in the patient’s care or payment. The patient’s written authorization is not required but verbal agreement is, if it can be obtained. Likewise, a CE may disclose PHI, including the patient’s location, general condition, or death, to notify or assist in the notification of a family member, personal representative, or some other person responsible for the patient’s care (45 CFR 164.510(b)). It must be reasonably inferred from the circumstances that the patient does not object to the disclosure.
The CE may also use or disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.
Patient Does Not Have Opportunity to Agree or Object
There are 16 circumstances where PHI can be used or disclosed without an individual’s authorization, and the individual does not have the opportunity to agree or object. The first 12 circumstances are sometimes referred to as public interest and benefit circumstances because they are of benefit to society (45 CFR 164.512). Although the Privacy Rule permits the 12 public interest and benefit uses or disclosures without an individual’s authorization, if it would violate a state law that otherwise protects the patient’s information, the information cannot be legally used or disclosed. This is because, as a general rule, the Privacy Rule does not preempt state laws that provide a greater level of privacy protection.
A use or disclosure may meet more than one of the following 12 public interest and benefit situations:
1. As required by law. Disclosures are permitted to the extent they are required by law and comply with that law’s requirements. Where the required disclosure concerns victims of abuse, neglect, or domestic violence, judicial and administrative proceedings, or law enforcement, it must also satisfy the conditions of those specific provisions (45 CFR 164.512(a)).
2. Public health activities. These include preventing or controlling disease, injury, and disability, and reporting disease, injury, and vital events such as births and deaths. Examples include reporting adverse events or product defects to comply with US Food and Drug Administration (FDA) regulations and, when authorized by law, notifying a person who may have been exposed to a communicable disease and may be at risk of contracting or spreading it (45 CFR 164.512(b)). Disclosure of a student’s immunization records to a school is also treated as a public health disclosure: where applicable law requires the school to have proof of immunization before enrolling the student, a CE may disclose the records without a written authorization, but it must obtain and document the agreement (which may be oral) of a parent or guardian, or of the student if he or she is an adult or emancipated minor (45 CFR 164.512(b)(1)(vi)).
3. Victims of abuse, neglect, or domestic violence. An example is the reporting to authorities authorized by law to receive information about child or other abuse or neglect. In non–child abuse situations, the Privacy Rule requires the CE to promptly inform the individual or personal representative that a report has been or will be made unless it believes that doing so would place the individual at risk of serious harm or not be in his or her best interest (such as informing the personal representative, who is believed to be responsible for the abuse, neglect, or other injury) (45 CFR 164.512(c)).
4. Healthcare oversight activities. An authorized health oversight agency may receive PHI for activities authorized by law such as audits, civil or criminal investigations, licensure, and other inspections (45 CFR 164.512(d)).
5. Judicial and administrative proceedings. Disclosures of specified PHI are permitted in response to a court order or an administrative agency order. For subpoenas and discovery requests, the party seeking the PHI must assure the CE that it has made reasonable efforts to make the request known to the subject individual. The CE also must be assured that the time for the individual to raise objections to the court or administrative agency has elapsed and that either no objections have been filed, all objections have been resolved, or a qualified protective order has been secured (45 CFR 164.512(e)).
6. Law enforcement purposes. The Privacy Rule specifies six instances when disclosures to law enforcement do not require patient authorization and the patient has no opportunity to agree or object:
∘ Pursuant to legal process or otherwise required by law: Examples of legal process include a court order, a court-ordered warrant, or a subpoena or a summons issued by a judicial officer. An example of “otherwise required by law” is a state law that requires certain types of wounds or other physical injuries to be reported to law enforcement.
∘ In response to a law enforcement official’s request for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Only the following may be disclosed: name and address, date and place of birth, Social Security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and description of distinguishing physical characteristics including height, weight, gender, race, hair and eye color, and presence or absence of facial scars or tattoos.
∘ In response to a law enforcement official’s request about an individual who is, or is suspected to be, a victim of a crime (when the individual agrees to the disclosure or when the CE is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance). The law enforcement official must show the information is needed to determine whether a violation of law has occurred, that immediate law enforcement activity depends on the disclosure, and that disclosure is in the best interest of the individual as determined by the CE.
∘ About a deceased individual when the CE suspects that the death may have resulted from criminal conduct.
∘ To a law enforcement official when the CE believes in good faith that the information constitutes evidence of criminal conduct that occurred on the CE’s premises.
∘ To a law enforcement official in response to a medical emergency occurring off the CE’s premises, when the CE believes that disclosure is necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or its victims, and the identity, description, and location of the perpetrator. This provision does not apply if the CE believes the medical emergency was the result of abuse, neglect, or domestic violence; such a disclosure is instead governed by the abuse, neglect, or domestic violence provision described in item 3 (45 CFR 164.512(f)).
7. Decedents. Disclosures to a coroner or medical examiner are permitted to identify a deceased person, determine a cause of death, or for other purposes required by law. In accordance with applicable law, disclosures to funeral directors are permitted, as necessary, to allow them to carry out their duties with respect to the decedent. This type of information also may be disclosed in reasonable anticipation of an individual’s death (45 CFR 164.512(g)).
8. Cadaveric organ, eye, or tissue donation. PHI may be disclosed to organ procurement agencies or other entities to facilitate procurement, banking, or transplantation of cadaveric organs, eyes, or tissue (45 CFR 164.512(h)).
9. Research. Authorizations for the use of PHI in research are required except where an IRB or privacy board alters or waives the authorization requirement (in whole or in part) and documents it (45 CFR 164.512(i)). Table 9.3 provides a detailed analysis of the responsibilities of both the IRB and the researcher under the Privacy Rule requirements. A CE may combine conditioned authorizations (that is, those that condition research-related treatment upon research participation) and unconditioned authorizations (that is, those that do not condition research-related treatment upon research participation) as long as the conditioned and unconditioned components are clearly distinguished and the individual is able to opt in to the unconditioned research activities (HHS 2018a). This provision does not apply to psychotherapy notes (Rinehart-Thompson 2018).
Table 9.3 Actions required for use of PHI in research
Type of Information | IRB | Researcher | Research subject (patient or decedent)
PHI preparatory to research | None* | Representation that use is solely and necessary for research and will not be removed from covered entity | None
Deidentified health information | None* | Removal of safe-harbor data or statistical assurance of deidentification | None
Limited data set | None* | Removal of direct identifiers and data use agreement | None
Individually identifiable health information on decedents | None* | Representation that use is solely and necessary for research on decedents and documentation of death upon request of covered entity | None
PHI of human subjects (whether research is interventional or record review) | Waive authorization requirement if determined that risk to privacy is minimal | Representation that: (1) privacy risk is minimal based on a plan to protect identifiers, a plan to destroy identifiers unless there is a health or research reason to retain them, and written assurance that PHI will not be reused or redisclosed; (2) research requires use of specifically described PHI; (3) the waiver is justified; (4) IRB approval is obtained under normal or expedited review procedures | None
PHI of human subjects (continued) | Approve alteration of authorization (for example, to restrict patient's access during study) if determined that risk to privacy is minimal | Same as above | Sign altered authorization form
PHI of human subjects (continued) | Approve research protocol ensuring that there is an authorization for use and disclosure of PHI for research, either combined with consent for research or separate | | Sign authorization combined with consent for research or sign standard authorization for use and disclosure of PHI for research as described in authorization
* There may be requirements imposed by the IRB, but there are none imposed by HIPAA.
Source: Amatayakul 2003.
10. Threat to health and safety: Use or disclosure is allowed if thought necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. Disclosure must be made to a person who can reasonably prevent or lessen the threat. Disclosures are permissible when law enforcement officials must apprehend an individual who may have caused harm to the victim being treated or when the individual appears to have escaped from a correctional institution or lawful custody. For correctional institutions or a law enforcement official who has lawful custody of an inmate, the Privacy Rule allows disclosures if the institution states that the information is necessary to provide continuing healthcare; to secure the health and safety of the individual or other inmates, officers, employees, transportation personnel, or law enforcement on the premises; or to ensure the administration and maintenance of the institution’s safety, security, and good order (45 CFR 164.512(j)).
11. Specialized government functions: These include information regarding armed forces personnel for military and veteran’s activities, for purposes of national security and intelligence activities, for protective services for the President of the United States and others, and for public benefits and medical suitability determinations (45 CFR 164.512(k)).
12. Workers’ compensation: The Privacy Rule permits the disclosure of PHI relating to work-related illness or injury or a workplace-related medical surveillance if the disclosure complies with workers’ compensation laws (45 CFR section 164.512(l)).
The remaining four types of uses and disclosures that do not require patient authorization or an opportunity for the patient to agree or object are TPO; disclosure to the subject individual; incidental disclosures; and limited data set. The first two were addressed earlier in this chapter; the remaining two are explained as follows:
Incidental uses or disclosures occur as part of a permitted use or disclosure (45 CFR 164.502(a)(1)(iii)). For example, calling out patients’ names in a physician office is an incidental disclosure because it occurs as part of office operations. It is permitted as long as the information disclosed is the minimum necessary (for example, the patient’s name with no diagnostic information).
A limited data set is PHI that excludes direct identifiers of the individual, the individual’s relatives, employers, or household members without completely deidentifying them (45 CFR 164.514(e)(2)). Restrictions are lifted for items such as ages and dates, and parts of geographic subdivisions that are deemed not too specific (for example, city, state, or zip code) (Rinehart-Thompson 2018). Such PHI may be used or disclosed, provided it is used or disclosed only for research, public health, or healthcare operations.
Table 9.4 outlines the differences between the HIPAA authorization versus the patient’s right of access.
Table 9.4 HIPAA authorization vs. right of access
HIPAA Authorization | Right of Access
Permits, but does not require, a covered entity to disclose PHI | Requires a covered entity to disclose PHI, except where an exception applies
Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of his or her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization | Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI
No timeliness requirement for disclosing the PHI | Covered entity must act on request no later than 30 days after the request is received
Reasonable safeguards apply (for example, PHI must be sent securely) | Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium
No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration | Fees limited as provided in 45 CFR 164.524
Source: HHS 2016.
Breach Notification
As originally implemented, the Privacy Rule required CEs to mitigate (lessen the harmful effect of) the wrongful use or disclosure of PHI as much as possible. However, notification to the individual was optional (Rinehart-Thompson 2018). This changed with ARRA, which defined a breach. ARRA also added breach notification requirements that specify victims of breaches be notified and, depending on the number of individuals affected, the federal government and media outlets also be notified. CEs and BAs are subject to HHS-issued breach notification regulations, and non-covered entities and non-BAs (including PHR vendors) are subject to breach notification regulations issued by the Federal Trade Commission (FTC). The FTC is a federal agency that promotes consumer protection.
Definition of Breach
A breach is an “unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information” (Rinehart-Thompson 2018). There are three exceptions to the breach definition:
1. Unintentional acquisitions made in good faith and within the scope of authority
2. Disclosures where the recipient would not reasonably be able to retain the information
3. Disclosures by a person authorized to access PHI to another authorized person at the CE or BA (Rinehart-Thompson 2018)
A breach should be presumed following an impermissible use or disclosure unless the CE or BA demonstrates a low probability that the PHI has been compromised (Rinehart-Thompson 2018). A four-factor risk assessment is used to determine whether PHI has been compromised:
1. Nature and extent of PHI involved, including types of identifiers involved and how likely it is that reidentification can occur
2. Who the unauthorized recipient of the PHI was
3. Whether the PHI was actually obtained or viewed
4. Degree to which the CE or BA mitigated the risk (for example, immediate destruction of the PHI) (HHS 2013)
Breach notification requirements apply only to unsecured PHI that technology has not made unusable, unreadable, or indecipherable to unauthorized persons (Rinehart-Thompson 2018). This PHI is considered to be most at risk. Using the breach definition, list of exceptions, and four-factor risk assessment, covered entities must identify whether incidents are to be reported. Further, per their agreements, BAs must notify CEs of breaches. Finally, all workforce members must be educated to notify the appropriate contact person within the CE when they learn of a breach so the required notifications can be made.
Notification Requirements
Breaches by CEs and BAs (both are governed by HHS breach notification regulations) are deemed discovered when the breach is first known or reasonably should have been known. All individuals whose information has been breached must be notified without unreasonable delay, and not more than 60 days after discovery, by first-class mail or a faster method such as by telephone if there is the potential for imminent misuse. If 500 or more individuals are affected, they must be individually notified immediately, and media outlets must be used as a notification mechanism as well. The Secretary of HHS must specifically be notified of the breach (Rinehart-Thompson 2018). All breaches affecting fewer than 500 people must be logged by the CE in an HHS online reporting system and submitted annually as a report not later than 60 days after the end of the calendar year (Rinehart-Thompson 2018).
Individuals who are notified that their PHI has been breached must be given a description of what occurred (including date of breach and date that breach was discovered); the types of unsecured PHI that were involved (such as name, Social Security number, date of birth, home address, account number); steps that the individual may take to protect himself or herself; what the CE is doing to investigate, mitigate, and prevent future occurrences; and contact information for the individual to ask questions and receive updates.
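The decision points in this section (secured versus unsecured PHI, the three exceptions, the presumption of breach unless the four-factor assessment demonstrates low probability of compromise, and the notification deadlines that follow from the number of individuals affected) can be captured in a small triage helper. The following Python is an added example written for this page, not code from the textbook or from HHS; the exception labels, field names and the sample incident are this example's own constructions, and the numeric thresholds are taken from the chapter text above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and deadlines as the chapter states them. The labels for the three
# exceptions are this example's own names, not regulatory terms.
LARGE_BREACH_THRESHOLD = 500          # 500 or more individuals: immediate individual notice, media, and HHS
INDIVIDUAL_NOTICE_MAX_DAYS = 60       # individual notice without unreasonable delay, within 60 days
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60   # breaches under 500 are logged and reported 60 days after year end

BREACH_EXCEPTIONS = {
    "unintentional_good_faith",  # unintentional acquisition in good faith, within scope of authority
    "recipient_cannot_retain",   # recipient would not reasonably be able to retain the information
    "authorized_to_authorized",  # disclosure between persons authorized to access PHI at the CE or BA
}


@dataclass
class RiskAssessment:
    """Documentation of the four-factor assessment. The descriptive fields record the
    reasoning; low_probability_demonstrated is the conclusion the CE or BA reached."""
    phi_nature_and_extent: str          # identifiers involved, likelihood of reidentification
    unauthorized_recipient: str         # who received or could have received the PHI
    actually_obtained_or_viewed: bool   # whether the PHI was in fact obtained or viewed
    mitigation: str                     # for example, immediate destruction of the PHI
    low_probability_demonstrated: bool


@dataclass
class Incident:
    discovered: date                     # date first known, or reasonably should have been known
    affected: int                        # number of individuals whose PHI was involved
    unsecured: bool                      # False only if the PHI was unusable/unreadable to unauthorized persons
    exception: Optional[str] = None      # a documented BREACH_EXCEPTIONS label, if one applies
    assessment: Optional[RiskAssessment] = None
    imminent_misuse: bool = False        # potential for imminent misuse justifies a faster method than mail


def is_reportable_breach(inc: Incident) -> bool:
    """Order of analysis from the chapter: secured PHI is out of scope; a documented
    exception is not a breach; otherwise a breach is presumed unless the assessment
    demonstrates a low probability that the PHI was compromised."""
    if not inc.unsecured:
        return False
    if inc.exception in BREACH_EXCEPTIONS:
        return False
    if inc.assessment is not None and inc.assessment.low_probability_demonstrated:
        return False
    return True


def notification_plan(inc: Incident) -> dict:
    """Who must be notified, how, and by when for a reportable incident."""
    if not is_reportable_breach(inc):
        return {"reportable": False}
    large = inc.affected >= LARGE_BREACH_THRESHOLD
    plan = {
        "reportable": True,
        # Outer bound for individual notice, measured from the discovery date.
        "individual_notice_deadline": inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_MAX_DAYS),
        "individual_notice_method": "telephone or other faster method" if inc.imminent_misuse else "first-class mail",
        "individuals_immediately": large,
        "media": large,
    }
    if large:
        plan["hhs"] = "immediately"
    else:
        # Logged in the HHS online reporting system and submitted with the annual report.
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs"] = year_end + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)
    return plan


if __name__ == "__main__":
    # Constructed incident: an unencrypted export covering 600 patients, discovered 15 January 2024.
    example = Incident(date(2024, 1, 15), 600, unsecured=True)
    print(notification_plan(example))
```

The helper deliberately takes the four-factor conclusion as an input rather than computing it: the assessment is a documented judgment by the CE or BA, and the code's job is only to apply the chapter's order of analysis consistently and to turn the discovery date into concrete deadlines.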
Companion breach notification regulations by the FTC provide protection to individuals whose information has been breached by non-covered entities and non-BAs that are PHR vendors, third-party service providers of PHR vendors, or other non-HIPAA covered entities or BAs that are affiliated with PHR vendors (Rinehart-Thompson 2018). In addition to notifying the individuals affected by the breach, these entities must also notify the FTC of the breach. Third-party PHR service providers shall notify the PHR vendor or entity of the breach. Other notification requirements, such as the content and nature of breach notices, parallel HHS requirements (Rinehart-Thompson 2018).
Requirements Related to Commercial Uses: Marketing, Sale of Information, and Fundraising
The Privacy Rule defines marketing as communication about a product or service that encourages the recipient to purchase or use that product or service (45 CFR 164.501). PHI use or disclosure for marketing requires an authorization from the individual except in certain cases. The following marketing activities do not require authorization:
· Occur face to face between the CE and the individual, or
· Concern a promotional gift of nominal value provided by the CE
Some activities look like marketing but do not meet the Privacy Rule’s definition of marketing. As a result, no authorization is required for the following:
· Communications to describe health-related products and services provided by, or included in the plan of benefits of, the CE itself or a third party
· Communication for treatment of the individual
· Case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, healthcare providers, or care settings (45 CFR 164.501)
Unless a communication fits one of the above categories, authorization is required.
Uses and disclosures for healthcare operations do not require authorization. The categories here are not healthcare operations (even if they otherwise meet the definition) if the CE was paid for making the communication. There are exceptions, however. If a communication describes a currently prescribed drug, if the payment was reasonable (and the CE made the communication and received an authorization from the recipient), or the communication was made by a BA on behalf of a CE and is consistent with a BAA, then the communication will be considered a healthcare operation despite payment (AHIMA 2009). If the CE has received—or will receive—direct or indirect payment in exchange for making a communication to an outside entity, this must be prominently stated.
In addition, when the communication is directed toward a specific target audience (for example, not a broad spectrum or cross-section of patients), it must instruct individuals how to opt out of future communications.
If a CE uses PHI to target an individual or group based on health status or condition, it must determine that the product or service being marketed may benefit the health of the type of individual being targeted before it makes the communication. Then, the communication must explain why the individual has been targeted and how the product or service relates to his or her health.
Related to the concept of marketing is the sale of information. A CE or BA is prohibited from selling (receiving direct or indirect compensation in exchange for) an individual’s PHI without that individual’s authorization. The authorization must also state whether the individual permits the recipient of the PHI to further exchange the PHI for compensation. Exceptions to this prohibition include public health and research data, treatment, and healthcare operations to a BA pursuant to a BAA, to an individual who is receiving a copy of his or her own PHI, and for other exchanges deemed by the Secretary of HHS to be permissible (Rinehart-Thompson 2018).
For fundraising activities that benefit the CE, the CE may use or disclose to a BA or an institutionally related foundation, without authorization, demographic information (name, address or other contact information, age, date of birth, gender); dates of healthcare services provided to the individual; department of service (for example, urology); treating physician; health insurance information; and outcome information (45 CFR 164.514(f)). However, the CE must inform individuals in its notice of privacy practices that PHI may be used for this purpose. It must also include in its fundraising materials instructions on how to opt out of receiving materials in the future. If a fundraising activity targets individuals based on diagnosis (for example, patients with kidney disease are solicited in a capital campaign for a new kidney dialysis center), prior authorization is required. Fundraising communications that meet the definition of healthcare operations must clearly and conspicuously provide the opportunity to opt out of future communications. This opt-out is a revocation of authorization (Rinehart-Thompson 2018).
HIPAA Privacy Rule Administrative Requirements
The Privacy Rule provides standards regarding administrative requirements that are important to the health information professional, including the following:
· Designation of a privacy officer and a contact person for receiving complaints
· Standards for policies and procedures and changes to policies and procedures
· Requirements for privacy training
· Requirements for establishing privacy safeguards for handling complaints
Designation of Privacy Officer
The Privacy Rule requires CEs to designate an individual as a chief privacy officer to be responsible for privacy practices within the CE. This position is ideally suited to the background, knowledge, and skills of the health information professional because the role includes developing and implementing privacy policies and procedures, facilitating organizational privacy awareness, performing privacy risk assessments, maintaining appropriate forms, overseeing privacy training, participating in compliance monitoring of BAs, ensuring that patient rights are protected, maintaining knowledge of applicable laws and accreditation standards, and communicating with the Office for Civil Rights (OCR) and other entities in compliance reviews and investigations of alleged privacy violations (AHIMA 2015).
Additionally, the CE must designate a person or office as the responsible party for receiving initial complaints about alleged privacy violations. This individual must be able to provide further information about matters covered by the CE’s notice of privacy practices.
Standards for Policies and Procedures
The CE must implement policies and procedures to ensure compliance with the Privacy Rule. This process includes an ongoing review of privacy policies and procedures and ensuring that all policy changes are consistent with changes in the privacy and security regulations. Any regulatory changes that materially affect the CE’s notice of privacy practices must be reflected in the notice; thus the notice may have to be updated. All revisions must be noted in the policies, procedures, or notice of privacy practices. Health information professionals are ideally qualified for developing and overseeing policies and procedures.
Privacy Training
Every member of the CE’s workforce (as defined earlier in this chapter) must be trained in privacy policies and procedures to include maintaining the privacy of patient information, upholding individual rights guaranteed by the Privacy Rule, and reporting alleged breaches and other Privacy Rule violations. Each new employee must be trained within a reasonable period of time after joining the workforce. When material changes are made to policies or procedures regarding privacy, employees must receive additional training. It is also recommended that refresher training be provided to all workforce members at least annually.
Further, the CE must maintain documentation showing that privacy training has occurred. Although not required, a signed acknowledgment of training by each workforce member is helpful to show compliance.
CEs must have safeguards and mechanisms in place to protect the privacy of PHI. This includes appropriate administrative, technical, and physical safeguards. These safeguards should work hand in hand with those specified in the Privacy Rule. (See chapter 10, Data Security, for additional information on HIPAA security regulations.)
Enforcement of Federal Privacy Legislation and Rules
Legal responsibility for HIPAA privacy and security violations is not limited to CEs. Employees or other individuals can be individually prosecuted. Civil and criminal penalties also apply to both BAs and CEs.
Figure 9.6 Disclosure of health information database screen
Source: ©CIOX Health eSmartlog. Used with permission.
Penalties
ARRA/HITECH established tiered penalties, with a range of $100 to $50,000 per violation for unknowing violations; $1,000 to $50,000 per violation if due to reasonable cause (knew or would have known of violation with reasonable diligence); $10,000 to $50,000 per violation for willful neglect that was corrected; and $50,000 per violation for willful neglect that was uncorrected. There is a $1.5 million annual cap for identical violations in each category. The nature and extent of both the violation and the harm determine the amount assessed within each statutory range. Compensation of individuals harmed by a Privacy Rule violation was included in the ARRA provisions, but no further action has been taken for this to occur.
Legal Action by State Attorneys General
State attorneys general may bring civil actions in federal district court on behalf of residents believed to have been negatively affected by a HIPAA violation. To that end, the OCR trained all state attorneys general on bringing such actions. Previously, only the Office for Civil Rights held this enforcement right; however, it now encourages collaboration with state attorneys general to bring legal action. Individuals still cannot bring lawsuits under a HIPAA cause of action (Rinehart-Thompson 2018).
Audits
HIPAA enforcement does not occur solely based on complaints, as it did originally. Unannounced audits by OCR to detect Privacy and Security Rule violations are mandated for CEs and BAs. Desk and on-site audits determine whether comprehensive policies and procedures are in place and whether they have been implemented to comply with the Privacy and Security Rules.
Disclosure of Health Information
The disclosure of health information process has long been central to the health information professional’s responsibilities. Disclosure of health information is the process of providing PHI access to individuals or entities that are authorized to either receive or review it (Brodnik 2017b).
Protecting the security and privacy of patient information is one of a healthcare organization’s top priorities, and the HIM department is usually responsible for determining appropriate access to and disclosure of health information from patient health records. For example, disclosure of health information may take the form of a patient’s request to mail copies of his or her health records to a healthcare provider.
The Disclosure of Health Information Function
Management of the disclosure of health information function includes the following steps:
Step 1: Enter the request in the disclosure of health information database. Generally, information such as patient name, date of birth, health record number, name of requester, address of requester, telephone number of requester, purpose of the request, and specific health record information requested is entered in the computer. Figure 9.6 is an example of a computer screen used for entering disclosure of health information data.
Step 2: Determine the validity of authorization. The HIM professional will compare the authorization form signed by the patient with organizational requirements for authorization to determine the validity of the authorization form. The healthcare organization’s requirements are based on state and federal (for example, HIPAA) regulations. Certain types of information such as substance abuse treatment records, behavioral health records, and HIV records require that specific components be included in the authorization form per state and federal regulations. If the request is valid, the HIM professional proceeds to the next step. If the authorization is invalid, the problem with the authorization is noted in the disclosure of health information database and it is returned to the requester with an explanation.
Step 3: Verify the patient’s identity. The HIM professional must verify that the patient has been a patient at the healthcare organization. To do this, the HIM professional compares the information on the authorization form with information in the master patient index. The patient’s name, date of birth, Social Security number, address, and phone number are used to verify the identity of the patient whose record is requested. The patient’s signature in the health record is compared with the patient’s signature on the authorization for disclosure of health information form.
Step 4: Process the request. The health record is retrieved (paper or electronic) and only the information authorized for release is copied or printed and released. The patient information may also be faxed or otherwise released directly from the EHR.
To comply with the Privacy Rule, a healthcare organization must maintain an account of disclosures.
Disclosure of health information may also be a response to a subpoena duces tecum (discussed in chapter 8, Health Law). It is necessary to verify that the subpoena is valid, and the requested information may be released to the court in compliance with applicable state or federal law. In response to a subpoena, a representative from the HIM department may appear in person either in court or at a deposition and give sworn testimony as to the health record’s authenticity.
The disclosure of health information function has grown immensely in the past decade, due in part to the Privacy Rule. Staffing has increased in some departments to address this growth. Other HIM departments outsource disclosure of health information to companies that specialize in this function. This may be done to keep pace with requests or to eliminate backlogs. These outsource companies are BAs and therefore must meet all of the requirements of a BA. Even with outsourcing, however, the HIM department remains ultimately responsible for ensuring that proper practices and all laws are followed.
Disclosure of Health Information Quality Control
Quality control in disclosure of health information includes both productivity (that is, turnaround time) and accuracy (namely, that information is released appropriately). The HIM department receives a high volume of requests and must prioritize the processing of disclosure of health information. Continuity of care requests are processed before other types of requests to align with the mission of most healthcare organizations. The HIM department must establish productivity standards to meet the expected turnaround time of various requests. With these standards the average turnaround times for disclosure of health information may be tracked, and delays in responding to requests for information may be addressed. While productivity information may be collected manually, electronic systems offer tools for data manipulation and can provide individual production statistics, departmental request volumes, and information regarding request turnaround times. The accuracy of disclosure of health information must also be monitored. The following examples illustrate how the timeliness and accuracy of disclosure of health information can be monitored.
To monitor timeliness, the date a request is received and the date that health records are sent are entered into a disclosure of health information database. This information can be used to generate a report that will determine whether the health records are being sent in a timely manner.
To monitor accuracy of disclosure of health information, random authorizations are checked to verify their validity and to ensure compliance with federal and state regulations. A validation that the appropriate health records were released is also conducted. The error rate (or, alternatively, the accuracy rate) can be determined and compared against a set standard established by the healthcare organization (Cerrato and Roberts 2013).
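The timeliness and accuracy monitoring just described is straightforward to run over the disclosure of health information database. The following Python is an added example written for this page, not code from the textbook or from any vendor system; the log entries are constructed sample data, the field names are this example's own, and the turnaround standards are assumed values that an organization would replace with its own policy figures (the 30-day patient figure mirrors the right-of-access deadline in Table 9.4).

```python
import random
from datetime import date
from statistics import mean

# Constructed sample of a disclosure-of-health-information log; not real patient data.
# Each entry records when the request arrived and when records went out, plus the two
# findings a reviewer makes on audit: was the authorization valid, and were the correct
# records released.
DISCLOSURE_LOG = [
    {"id": "R-001", "purpose": "continuity of care", "received": date(2024, 3, 1),
     "sent": date(2024, 3, 2), "authorization_valid": True, "correct_records": True},
    {"id": "R-002", "purpose": "continuity of care", "received": date(2024, 3, 4),
     "sent": date(2024, 3, 7), "authorization_valid": True, "correct_records": True},
    {"id": "R-003", "purpose": "patient", "received": date(2024, 3, 1),
     "sent": date(2024, 3, 20), "authorization_valid": True, "correct_records": True},
    {"id": "R-004", "purpose": "patient", "received": date(2024, 3, 5),
     "sent": date(2024, 4, 10), "authorization_valid": False, "correct_records": True},
    {"id": "R-005", "purpose": "insurance", "received": date(2024, 3, 10),
     "sent": date(2024, 3, 18), "authorization_valid": True, "correct_records": False},
    {"id": "R-006", "purpose": "legal", "received": date(2024, 3, 12),
     "sent": date(2024, 3, 19), "authorization_valid": True, "correct_records": True},
]

# Assumed turnaround standards in calendar days; an organization sets these from its own policy.
TURNAROUND_STANDARD_DAYS = {"continuity of care": 2, "patient": 30, "insurance": 15, "legal": 10}


def turnaround_days(entry):
    return (entry["sent"] - entry["received"]).days


def timeliness_report(log):
    """Per purpose: request volume, average turnaround, and how many exceeded the standard."""
    by_purpose = {}
    for entry in log:
        by_purpose.setdefault(entry["purpose"], []).append(turnaround_days(entry))
    report = {}
    for purpose, days in by_purpose.items():
        standard = TURNAROUND_STANDARD_DAYS[purpose]
        report[purpose] = {
            "requests": len(days),
            "average_days": mean(days),
            "late": sum(1 for d in days if d > standard),
        }
    return report


def accuracy_audit(log, sample_size, seed=0):
    """Random-sample review of completed disclosures; returns the error and accuracy rates."""
    rng = random.Random(seed)   # seeded so the audit sample can be reproduced later
    sample = rng.sample(log, sample_size)
    errors = sorted(e["id"] for e in sample
                    if not (e["authorization_valid"] and e["correct_records"]))
    error_rate = len(errors) / sample_size
    return {"sampled": sample_size, "errors": errors,
            "error_rate": error_rate, "accuracy_rate": 1 - error_rate}


def prioritized_queue(pending):
    """Work order for open requests: continuity-of-care requests first, then oldest first."""
    return sorted(pending, key=lambda e: (e["purpose"] != "continuity of care", e["received"]))


if __name__ == "__main__":
    print(timeliness_report(DISCLOSURE_LOG))
    print(accuracy_audit(DISCLOSURE_LOG, sample_size=len(DISCLOSURE_LOG)))
```

An error is counted whenever either audit finding fails, so a disclosure made on an expired authorization and one that released the wrong dates of service both lower the accuracy rate; the resulting rate is what gets compared against the standard the organization has set.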
Authorizations
Authorizations have long been a key component of the disclosure of health information process, used as a tool to document and validate the legal use and disclosure of health information. While the Privacy Rule generally requires authorization for the use and disclosure of PHI and specifies situations where authorization is not required (discussed earlier in this chapter), it also specifies requirements for a valid authorization form. Elements of the authorization form, such as patient name and signature, dates of service to be released, and names of the entities both disclosing and receiving the information, are well established in health information practice. However, with the passage of the Privacy Rule many established health information practices have also become legal requirements.
Valid Authorization
The Privacy Rule provides specific parameters regarding the content required for a valid authorization. Under the Privacy Rule, an authorization must be written in plain language. A valid authorization is one that contains at least the following elements:
· A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
· The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
· The name or other specific identification of the person(s), or class of persons, to whom the CE may make the requested use or disclosure
· An expiration date or event that relates to the individual or the purpose of the use or disclosure
· A statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke
· A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure (subsequent disclosure of health information) by the recipient and no longer protected by this rule
· Signature of the individual and date
· When the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual (45 CFR 164.508(c))
An authorization is considered invalid when any one of the following defects exists:
· The expiration date has passed or the expiration event is known by the CE to have occurred
· The authorization has not been filled out completely
· The authorization is known by the CE to have been revoked
· The authorization lacks a required element (for example, appropriate signature)
· The authorization violates the compound authorization requirements, if applicable
· Any material information in the authorization is known by the CE to be false (45 CFR 164.508(b))
Health information professionals must also ensure the validity of an authorization by confirming that the patient or patient’s personal representative actually signed the form (through signature comparisons), the person who signed the form is legally competent, and evidence does not exist indicating the authorization form was signed involuntarily or without the patient’s knowledge (Brodnik 2017b). When the patient or other authorized individual picks up the health information, he or she must verify his or her identity, generally with a driver’s license.
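Step 2 (determine the validity of the authorization) and Step 3 (verify the patient’s identity) of the disclosure process, together with the required elements and invalidity conditions listed above, amount to a checklist that can be applied mechanically before any human judgment about signatures or competency. The following Python is an added example written for this page, not code from the textbook or from any HIM system; the field names, the sample form and the master patient index entry are constructed for illustration, and what the CE "knows" (revocations, expiration events that have occurred, information known to be false) is passed in rather than looked up.

```python
from datetime import date

# Core elements of a valid authorization as the chapter lists them (45 CFR 164.508(c)).
# Field names are this example's own.
REQUIRED_ELEMENTS = {
    "information_description": "specific and meaningful description of the PHI",
    "authorized_discloser": "person(s) or class authorized to make the disclosure",
    "recipient": "person(s) or class to whom the disclosure may be made",
    "expiration": "expiration date or event",
    "revocation_statement": "right to revoke, its exceptions, and how to revoke",
    "redisclosure_statement": "statement that the PHI may be redisclosed by the recipient",
    "signature": "signature of the individual (or personal representative)",
    "signature_date": "date signed",
}


def validate_authorization(auth, today, revoked_ids=frozenset(),
                           occurred_events=frozenset(), false_fields=frozenset()):
    """Return the defects that make the form invalid; an empty list means it passes.
    revoked_ids, occurred_events and false_fields carry what the CE already knows."""
    defects = []
    missing = [k for k in REQUIRED_ELEMENTS if not auth.get(k)]
    if missing:
        defects.append("missing required element(s): " + ", ".join(missing))
    if auth.get("signed_by_representative") and not auth.get("representative_authority"):
        defects.append("signed by a personal representative without a description of authority")
    expiration = auth.get("expiration")
    if isinstance(expiration, date) and expiration < today:
        defects.append("expiration date has passed")
    elif isinstance(expiration, str) and expiration in occurred_events:
        defects.append("expiration event is known to have occurred: " + expiration)
    if auth.get("id") in revoked_ids:
        defects.append("authorization is known to have been revoked")
    if auth.get("compound") and not auth.get("compound_permitted"):
        defects.append("compound authorization not permitted for this request")
    false_known = sorted(k for k in false_fields if k in auth)
    if false_known:
        defects.append("material information known to be false: " + ", ".join(false_known))
    return defects


def verify_patient_identity(auth, mpi_record,
                            fields=("patient_name", "date_of_birth", "ssn", "address", "phone")):
    """Step 3 of the disclosure process: compare the form's identifying data with the
    master patient index entry and return the fields that do not match."""
    return [f for f in fields if auth.get(f) != mpi_record.get(f)]


# Constructed sample form and master patient index entry; no real data, placeholder SSN.
SAMPLE_AUTHORIZATION = {
    "id": "AUTH-0001",
    "patient_name": "Jane Q. Sample", "date_of_birth": date(1980, 4, 2),
    "ssn": "XXX-XX-1234", "address": "1 Example St, Anytown", "phone": "555-0100",
    "information_description": "Discharge summary and lab results, 2024-01-10 to 2024-01-14",
    "authorized_discloser": "Example Hospital HIM Department",
    "recipient": "Dr. A. Receiver, Example Clinic",
    "expiration": date(2025, 1, 1),
    "revocation_statement": True, "redisclosure_statement": True,
    "signature": "Jane Q. Sample", "signature_date": date(2024, 2, 1),
}
SAMPLE_MPI_RECORD = {
    "patient_name": "Jane Q. Sample", "date_of_birth": date(1980, 4, 2),
    "ssn": "XXX-XX-1234", "address": "1 Example St, Anytown", "phone": "555-0100",
}

if __name__ == "__main__":
    print(validate_authorization(SAMPLE_AUTHORIZATION, today=date(2024, 6, 1)))
    print(verify_patient_identity(SAMPLE_AUTHORIZATION, SAMPLE_MPI_RECORD))
```

A non-empty defect list corresponds to the chapter's instruction to note the problem in the disclosure database and return the form to the requester with an explanation; the signature comparison and competency determination remain manual steps that follow a clean run of these checks.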
Who Can Authorize Release
Legally competent individuals have the right to authorize or refuse to authorize the disclosure of their own health information. As noted previously in this chapter, the Privacy Rule provides many exceptions to the authorization requirement. Additionally, there are situations where an individual is deemed not legally competent, and authority to authorize release of their health information resides with someone else. For example, by law (and with exceptions), minors are deemed legally incompetent and a personal representative (a parent or guardian) will provide the authorization. Minors who are emancipated, given a legal status that gives them full rights to make decisions for themselves, can authorize the release. The requirements for emancipation vary by state but generally apply when the minor is married, is self-supporting, and lives on their own (Brodnik 2017a). In other words, they are not living with or receiving support from their parents. Adults may also be legally incompetent by virtue of a permanent disability (such as a developmental disability) or a temporary condition (for example, incompetent to stand trial until restored to competency). A legal guardian then acts to handle the matters of the incompetent individual, including authorizing the release of health information. Table 9.5 highlights the authority to grant authorization based on the type of individual whose health information is involved. Where highly sensitive information is involved, such as behavioral health, substance abuse, HIV/AIDS, or genetic information, the same principles apply regarding who has the legal authority to authorize the disclosure of health information. However, legal requirements and best practices also dictate that individuals specifically designate their permission and forms denote individuals’ awareness that highly sensitive information will be released.
Table 9.5 Authority to grant authorization for disclosure of health information

Type of individual                      | Permitted to authorize disclosure? | If no, who can authorize disclosure?
Legally competent adult                 | Yes                                | N/A
Legally incompetent adult (permanent)   | No                                 | Personal representative (for example, guardian)
Legally incompetent adult (temporary)   | No                                 | Personal representative until competency is restored (for example, guardian)
Minor                                   | No                                 | Personal representative (for example, parent or guardian)

Source: © AHIMA
Medical Identity Theft
Medical identity theft is a crime that challenges healthcare organizations and the health information profession. It is a type of healthcare fraud that includes both financial fraud and identity theft, and it involves either (a) the inappropriate or unauthorized misrepresentation of one’s identity (for example, the use of another person’s name and Social Security number) to obtain medical services or goods, or (b) the falsifying of claims for medical services in an attempt to obtain money (Dixon 2006). Regardless of the purpose, the individual’s health information is either created under the wrong name or altered, leading to potentially deadly consequences. Medical identity theft does not include the inappropriate change of patient information if the patient’s identity has not been assumed or abused by someone else. Likewise, using a patient’s financial information to purchase nonmedical goods or services is not medical identity theft because there are financial, but not medical, consequences.
Medical identity theft can be internal or external. Internal medical identity theft is committed by insiders in a healthcare organization, such as clinical or administrative staff with access to vast amounts of patient information. Culprits range from individuals acting alone to sophisticated crime rings that may infiltrate a healthcare organization to commit internal medical identity theft. Individuals outside a healthcare organization who assume a person’s identity, perhaps to utilize the victim’s health insurance benefits, commit external medical identity theft. As a result, medical information about the culprit is created under the victim’s name, and information about the two individuals may be intertwined (Olenik and Reynolds 2017). The addition of information about another patient in the victim’s record can result in improper medical treatment. For example, if the perpetrator’s blood type is wrongfully entered into the victim’s record, the victim could receive a transfusion of the wrong blood type. This is potentially fatal. The World Privacy Forum suggests that internal crimes occur more frequently than external ones (Dixon 2006). Further, there is concern that the evolution of the EHR may assist culprits by granting them broad access to patient information.
Patient Verification
It is important to verify a patient’s identity at the beginning of a healthcare encounter by requiring presentation of a driver’s license, taking a photograph of the patient for future reference, or even using biometric identifiers such as fingerprints. However, there are two caveats. Patient verification does not hinder internal medical identity theft. Further, the measures listed rely on valid baseline patient verification. If the information the healthcare organization relies upon is the culprit’s information (for example, photo, signature, or fingerprint), all future encounters will be based on fraudulent information, decreasing the chances of detecting the fraud or otherwise causing the healthcare organization to wrongfully identify the true patient as the culprit if he or she later presents to that healthcare organization for treatment. Measures to combat internal medical identity theft include performing background checks on new hires and contractors (Olenik and Reynolds 2017). The collection of Social Security numbers should be limited, and staff access to this sensitive information should also be limited. EHR access and access to other business records should only be given to the extent that people need information to complete their jobs. Technical measures also include routinely monitoring access or attempted access through audit trails and using features such as screen savers and automatic logoffs. These technical safeguards are discussed in chapter 10, Data Security.
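As an added example (not from the textbook or AHIMA), the following Python reviews constructed audit-trail lines for the patterns the paragraph describes: access by an account that is no longer on the active workforce roster, access to records outside a user's assigned unit (information beyond what the job requires), attempted access that was denied, and one user touching an unusually large number of patient records. The roster, unit names, log format and threshold are all assumptions.

```python
"""Audit-trail review for EHR access (added example, not from the textbook).
Flags: access by an account not on the active roster, access to records outside
the user's assigned unit, denied (attempted) access, and high-volume record
access by one user. All users, units and log lines are constructed sample data."""
from collections import defaultdict

# Constructed workforce roster: user -> assigned unit (None = account terminated)
ROSTER = {"jsmith": "oncology", "mlee": "cardiology", "rpatel": None}

# Constructed audit-trail lines: timestamp, user, action, patient id, unit of record
AUDIT_LOG = """\
2024-03-04T08:02:11 jsmith VIEW P1001 oncology
2024-03-04T08:05:40 jsmith VIEW P1002 oncology
2024-03-04T08:09:02 rpatel VIEW P1003 cardiology
2024-03-04T09:15:27 mlee VIEW P1001 oncology
2024-03-04T09:16:03 mlee VIEW P1004 cardiology
2024-03-04T09:16:40 mlee VIEW P1005 orthopedics
2024-03-04T09:17:12 mlee VIEW P1006 cardiology
2024-03-04T10:01:55 jsmith DENIED P2001 cardiology
"""

def parse_audit_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, patient, unit = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "patient": patient, "unit": unit})
    return events

def review_access(events, roster, volume_threshold=3):
    findings = []                       # (user, finding type, detail)
    patients_by_user = defaultdict(set)  # distinct patients viewed per user
    for e in events:
        assigned = roster.get(e["user"])
        if assigned is None:            # terminated or unknown account still active
            findings.append((e["user"], "inactive_account", e["patient"]))
            continue
        if e["action"] == "DENIED":     # attempted access is worth reviewing too
            findings.append((e["user"], "attempted_access", e["patient"]))
            continue
        patients_by_user[e["user"]].add(e["patient"])
        if e["unit"] != assigned:       # record belongs to another unit
            findings.append((e["user"], "outside_assigned_unit", e["patient"]))
    for user, pts in patients_by_user.items():
        if len(pts) > volume_threshold:  # possible insider harvesting of records
            findings.append((user, "high_volume", str(len(pts))))
    return findings
```

Each finding is a lead for the privacy officer to investigate, not proof of theft; the threshold and unit mapping would be tuned to the organization's own roles.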
Fair and Accurate Credit Transactions Act (FACTA)
The federal Fair and Accurate Credit Transactions Act (FACTA) requires financial institutions and creditors to develop and implement written identity theft programs that identify, detect, and respond to red flags that may signal the presence of identity theft. Although this law does not specifically address medical identity theft, many healthcare organizations meet the definition of creditor, which is anyone who meets one of the three following criteria:
1. Obtains or uses consumer reports in connection with a credit transaction
2. Furnishes information to consumer reporting agencies in connection with a credit transaction
3. Advances funds to—or on behalf of—someone, except for funds for expenses incidental to a service provided by the creditor to that person
The law includes the Red Flags Rule, which consists of five categories of red flags that are used as triggers to alert the healthcare organization to a potential identity theft (16 CFR Part 681). The five categories are:
1. Alerts, notifications, or warnings from a consumer reporting agency
2. Suspicious documents
3. Suspicious personally identifying information such as a suspicious address
4. Unusual use of, or suspicious activity relating to, a covered account
5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account (16 CFR Part 681)
In addition to mandated red flags, healthcare providers must act to prevent, detect, and mitigate activities in an effort to address both external and internal incidents. Employee awareness and training, and implementation of organization-wide policies and procedures, are important.
Patient Advocacy
Over time, the role of the HIM professional has evolved. It continually becomes more multifaceted. Today, it includes the role of patient advocate. As a patient advocate, the HIM professional is a steward of the patient’s health record, ensuring not only its integrity but also safeguarding it according to all applicable laws, policies and procedures, and industry best practices. However, as the healthcare industry has placed increasing emphasis on patient-centered healthcare, patient empowerment, and health literacy, health information professionals must also prioritize patient rights to ensure the patients gain needed and legal access to their health records and have the tools to understand the information documented about them.
Compliance
Compliance is an industry concept that means conformance with applicable laws. A culture of compliance within a healthcare organization is critical. Healthcare is a heavily regulated industry and there are many healthcare-specific laws and relevant non–healthcare-specific laws with which healthcare organizations must comply (for example, fair labor standards and environmental regulations). This chapter has focused on laws that regulate the privacy of patient information, most notably the HIPAA Privacy Rule. Compliance with the Privacy Rule is critical to safeguard individuals’ health information and preserve their dignity while, at the same time, avoiding penalties that are assessed as the result of noncompliance.
HIM Roles
Health information privacy has always been a core principle of the HIM profession. The HIPAA Privacy Rule has codified that principle, while also making the role of privacy officer a required position. Standard privacy officer responsibilities include the following:
Development and implementation of privacy policies and procedures
Promotion of organizational privacy awareness
Performance of privacy risk assessments
Maintenance of HIPAA-required forms and records
Facilitation of privacy training sessions and maintenance of training records
Compliance monitoring of BAs
Protection of patient health information rights
Knowledge of applicable laws and accreditation standards
Receipt of complaints alleging HIPAA Privacy Rule violations
Internal investigation of alleged HIPAA Privacy Rule violations
Participation in breach notification analyses
Reporting and mitigation of breaches
Communication with OCR and other entities in compliance reviews and investigations