Medical Office Management Assignment!

hs210_kinn_ed06_ch16.pdf

Sabrina Ragland, a medical assistant with 12 years’ experience, works for a gastroenterologist, Dr. Tim Taylor. She comes from a family heavily involved in the medical field. Her father was a surgeon and her mother was his office assistant. Two of Sabrina’s sisters are nurses, and her brother is a respiratory therapist. Her husband, Joe, is a biomedical technician, and his mother, Elsa Ragland, has been an RN for 40 years. For more than half of her career, Elsa has worked for a local internist, Dr. Royce Berry. A casual comment at the Ragland family picnic resulted in a medical professional liability lawsuit based on violation of patient privacy. Sabrina and Elsa’s careers were jeopardized by a simple exchange of what seemed to be innocent information.

Vivian Adams, a 42-year-old hospital insurance biller, saw Dr. Berry in his office for pain located in her lower left quadrant. Ms. Adams was not a new patient but had not visited the office in approximately 2 years. When she arrived for her visit, she was presented with the office privacy policy and was asked to sign the document. Vivian glanced through it, signed it, and saw the doctor. He performed an examination and found that Vivian was likely suffering from irritable bowel syndrome and prescribed medication. Ms. Adams called the physician 1 week later complaining that she was no better. Dr. Berry changed her medication without seeing her and did not hear from her again, other than her requests for refills of the medication. After 6 months with no improvement, Ms. Adams went to Dr. Taylor; after several diagnostic tests, she was told that she had colon cancer and was given a bleak prognosis. She told Dr. Taylor that she blamed Dr. Berry for not being more thorough in his testing. Sabrina was in the room and heard the comment.

That weekend at the picnic, Sabrina mentioned Ms. Adams to her mother-in-law and stated that the patient might sue Dr. Berry, although the patient never said those words. Elsa defended Dr. Berry and proclaimed that he was a good doctor, then expressed her hope that Ms. Adams would not sue her employer. One week later, Elsa was in a grocery store and saw Ms. Adams. Elsa immediately expressed her sympathy about her diagnosis, and then asked if there was anything she could do. Her intent was to be kind and try to avert litigation against Dr. Berry. Her gesture might have been well received had Ms. Adams’ daughter, Terri, not been standing with her. Terri was not yet aware that her mother had been diagnosed with cancer. Ms. Adams had told no one about her illness at that point. After the incident at the grocery store the first person Ms. Adams told was her attorney.

16 SCENARIO

Privacy in the Physician’s Office

While studying this chapter, think about the following questions:

• When can the medical assistant discuss a patient, and with whom, and under what circumstances?

• What has HIPAA done for the medical industry and the patients it serves?

• When new policies and procedures are implemented, how can the staff embrace the changes and make the transitions easier?

• What happens if the patient refuses to sign the privacy policy?

1. Define, spell, and pronounce the terms listed in the vocabulary.
2. Explain how the HIPAA Privacy Rule benefits the healthcare industry and patients.
3. List what must be included on a Notice of Privacy Practices.
4. Explain the difference between Title I and Title II of the HIPAA Privacy Rule.
5. List the rights that patients have under the Privacy Rule.
6. Briefly explain what is expected of healthcare providers in relation to the Privacy Rule.
7. Describe an incidental disclosure.
8. List the three instances when a parent is not considered the child’s representative.
9. Explain why a provider can discuss protected health information with a patient’s friends and family.
10. Discuss the role of the Notice of Privacy Practices in emergencies.

UNIT THREE HEALTH INFORMATION IN THE MEDICAL OFFICE

One of the most valuable character traits that the medical assistant develops is the ability to adjust to change and be flexible. The medical profession evolves rapidly, and advances in technology allow medicine to progress. Think of how few computers were found in physicians’ offices 40 years ago. Today, computers adorn almost every desk. Change is a concept that many individuals resist.

The creation of privacy and security laws was a huge step toward more efficient healthcare and faster reimbursements. Technology often forces organizations to move forward somewhat quickly. Healthcare facilities with already strapped budgets sometimes view such innovations as a hindrance. Compliance officers at larger facilities may wonder if additional federal regulations are necessary.

business associates Individuals or organizations that perform or assist a covered entity in the performance of a function or activity that involves the use or disclosure of individually identifiable health information.

complainant (kuhm-pla-nuhnt) Person making a complaint against a person or organization.

covered entity An organization that transmits information in an electronic form during a transaction, as defined by HIPAA.

divulge (duh-vuhlj) To make known, as a confidence or secret.

due diligence Also known as due care; the effort made by an ordinarily prudent or reasonable party to avoid harm to another party or himself; doing everything possible to prevent something from happening.

electronic media Means of electronic transmission, including the Internet, private networks, dial-up phone lines, and fax modems; includes information moved from one place to another while stored on an electronic device.

healthcare providers Providers of medical or health services, individually or as organizations, that furnish, bill for, or are paid for services or products.

individually identifiable health information Any part of a patient’s health record that is created or received by a covered entity.

infer To derive as a conclusion from facts and premises.

Office for Civil Rights (OCR) The division of the federal government that enforces privacy standards.

Office of Inspector General (OIG) Established to protect the integrity of the Department of Health and Human Services (HHS), the office conducts audits, investigations, and inspections involving the laws that pertain to HHS.

personal health information The patient’s own information that pertains to his or her health.

preclude To rule out in advance.

prevalent Generally or widely accepted, practiced, or favored.

privacy officer A person designated to ensure compliance with privacy standards for a covered entity.

protected health information (PHI) Any individually identifiable health information that is transmitted and/or maintained in electronic form.

transactions As defined by HIPAA, transmissions of information between two parties to carry out financial or administrative activities related to healthcare.

verbiage A manner of expressing oneself in words.

Many healthcare workers feel that they can say nothing to anyone, about any patient, at any time. By understanding the compliance that HIPAA requires, the employees of the physician’s office can feel secure about their dealings with the patients and other individuals who frequent the facility.

National Accreditation Competencies and Content

CAAHEP COMPETENCIES | ABHES COMPETENCIES

General Professionalism
3.c.(2)(a). Identify and respond to issues of confidentiality | 1.b. Maintain confidentiality at all times
3.c.(2)(b). Perform within legal and ethical boundaries | 1.d. Be cognizant of ethical boundaries
3.c.(2)(d). Document accurately

Legal Concepts
5.a. Determine needs for documentation and reporting
5.b. Document accurately
5.c. Use appropriate guidelines when releasing records or information
5.g. Monitor legislation related to current healthcare issues and practices
5.h. Perform risk management procedures

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in Chapter 7. HIPAA, enacted in 1996, is a group of laws that affect both employees of a healthcare facility, insurance company, or other covered entity and the patients the organizations serve. The federal government required all covered entities to be in compliance with HIPAA by April 14, 2003 (small healthcare plans received an extra year to comply, extending their deadline to April 14, 2004).

Effect of the HIPAA Privacy Rule

The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information. This is the first time that such a group of laws has been enacted to protect patient privacy. The creation of the HIPAA Privacy Rule provides benefits to both patients and their healthcare providers:

• Patients have more control over their medical records.

• Patients are able to make informed choices regarding how their personal health information is used.

• Boundaries are set on the use and release of health records.

• Safeguards are established that healthcare providers must achieve to protect the privacy of health information.

• Violators are held accountable and face both civil and criminal penalties if patient privacy rights are compromised.

• The Privacy Rule protects public health by striking a balance when public responsibility supports disclosure of personal health information.

Under the few laws that existed before the HIPAA Privacy Rule, personal health information could be distributed to others without either notice or authorization from the patient, even if the reason for the exchange of information had nothing to do with the patient’s medical treatment or healthcare reimbursement. A health plan could pass patient information to a financial lender, who might then deny the patient a home mortgage or credit card based on his or her health history. Employers could obtain health information and use it in personnel decisions. Because computers make information exchange so much easier, laws had to be enacted to protect patient privacy (Figure 16-1).

FIGURE 16-1 The HIPAA Privacy Rule was created in part to give patients more control over their personal health information.

Title I and Title II Provisions

HIPAA contains two provisions, Title I and Title II. Title I regulates insurance reform, and Title II deals with administrative simplification. Title I limits the use of preexisting health conditions that in the past prevented or limited an employee from obtaining health insurance coverage. If an individual left a job with insurance coverage and attempted to secure new coverage, a preexisting health condition would often preclude that person from obtaining coverage for that illness. Many individuals were refused any coverage at all, especially if the condition was a serious one, such as a heart condition or high blood pressure. Today, because of HIPAA laws, discrimination against individuals who are in poor health now or were in the past is prohibited. The regulations limit the use of preexisting condition exclusions and guarantee that certain individuals can purchase healthcare insurance after leaving or losing a job.

The goal of Title II is to reduce administrative costs in the healthcare industry. Often goals sound simple, but to reach a goal, many actions are necessary. The medical assistant who enters school sets graduation as his or her goal. However, in order to graduate, he or she must study, pass tests, arrange for childcare, sacrifice sleep, adjust working hours, readjust to the school environment, and make any number of other adjustments to reach the goal. Likewise, to simplify the administrative costs involved in patient care, many different objectives must be met.

Provisions of Administrative Simplification

If given a choice to use a computer or an electric typewriter to write a report, most individuals would likely choose the computer. Because computers can perform so many duties much more rapidly than those that were performed manually, they have become indispensable to the healthcare profession. Electronic media is used daily in modern physician offices and healthcare facilities. However, as computers have become prevalent, patients have begun to express concerns about who sees protected health information (PHI) and what is done with that information. Title II contains two parts:

• Development and implementation of standardized electronic transactions using Standard Code Sets

• Implementation of privacy and security procedures to prevent the misuse of health information by ensuring confidentiality

The second part of the administrative simplification provision deals with privacy, confidentiality, and security of PHI and is the focus of this chapter.

Patient Rights

Separate from the Patients’ Bill of Rights, HIPAA provides for several patient rights. These include the following:

• The right to notice of a facility’s privacy practices

• The right to have access to, view, and obtain a copy of their PHI

• The right to restrict certain parts or uses of their PHI

• The right to request that communications from the facility be kept confidential

• The right to request the facility to amend the PHI

• The right to receive notice of all disclosures of their PHI

These patient rights are the heart of the HIPAA Privacy Rule. These rights must be protected by those involved in the healthcare profession and are explained in more detail in the following section.

Right to Notice of Privacy Practices

Patients have the right to a copy of the Notice of Privacy Practices used in the physician’s office (Figure 16-2). A copy of the Notice of Privacy Practices must also be prominently displayed in the office. This policy is developed by the individual facility and must be written in terminology that the patient will understand. Patients should be given a copy of the Notice of Privacy Practices and sign an acknowledgement that they received the copy. If a patient refuses to sign the acknowledgement, the medical assistant can note that the document was offered to the patient and he or she refused to sign. This proves due diligence on the part of the office and that a good faith effort was made to provide the patient with privacy information. Most patients will sign the document. Be prepared to explain the Notice of Privacy Practices to the patients.

The Notice of Privacy Practices must include the following:

• How PHI is used and disclosed by the facility

• The duties of the provider to protect health information

• Patient rights regarding PHI

• How complaints can be filed if patients believe their privacy has been violated

• Whom to contact at the facility for more information

• The effective date of the Notice of Privacy Practices

Right to Access Protected Health Information

Patients must be allowed access to their personal health information. The maker, not the patient, owns the record; however, the HIPAA Privacy Rule grants patients the right to access, inspect, and obtain a copy of their health information. Most physicians’ offices require patients to request access in writing and act on that request within 30 days (Figure 16-3). HIPAA does restrict access to psychotherapy notes, information compiled for use in legal proceedings, and information exempted from disclosure by the Clinical Laboratory Improvement Amendment (CLIA).

Right to Request Restrictions on Certain Uses and Disclosures of Protected Health Information

Patients can request restrictions on the use of their PHI. For instance, if a patient had an abortion many years ago and does not want that information released, she has the right to ask a provider not to divulge that information. The provider does not have to agree to the request but must review it and give a good reason for the restriction not to be honored. An appeal process should be in place for instances when the provider does not agree with the restriction.

Right to Request Confidential Communications

Patients have the right to express where they wish to receive communications from the provider. The patient may prefer to be contacted on a cell phone instead of a home phone, or through email. Providers must accommodate reasonable requests. Suppose a married female patient comes to the clinic for a pregnancy test. Further suppose that her husband has had a vasectomy. Clearly, a call to her home phone number with test results could initiate personal and private difficulties for the patient. Make certain that the preferred method of communication is used when contacting any patient (Procedure 16-1).

Right to Request Amendment of Protected Health Information

Patients can request that changes be made to their medical record, if they inspect it and find an error. This request should be made in writing. Providers must review the request and act on it in a timely manner, generally within 60 days. The request may be denied if the provider was not the creator of the record, as in the case of records provided by a consulting physician. Or, the provider may believe that the information is correct and complete. A review process must be in place by which such requests can be considered.

Right to Receive an Accounting of Disclosures of Protected Health Information

Patients may request that the physician provide an accounting of all disclosures of the patient’s PHI that are nonroutine (as defined in the facility’s Notice of Privacy Practices). Patients are entitled to receive this accounting annually without charge, but the provider can charge patients for additional accountings.

Responsibilities of Providers or Health Plans

The responsibilities placed on providers and health plans seem extensive when one reads the actual verbiage of the law. Do not be intimidated when reading a publication written by the federal government. These documents are rarely written for ease of understanding and may need to be reread several times before the reader grasps the meaning of a regulation.

In general, the HIPAA Privacy Rule requires activities such as the following.

• Notifying patients of their privacy rights

• Explaining how their health information might be used

• Development of privacy procedures in the facility

• Implementation of those privacy procedures

• Training employees so that they understand the procedures in place

• Designating an individual to be responsible for implementation

• Securing medical records so that they are not available to those who do not need them

Seven Components of HIPAA Compliance Offered by the Office of Inspector General

To simplify compliance with HIPAA regulations, the Office of Inspector General (OIG) has developed seven components of an effective compliance program. These components are as follows:

• Conducting internal monitoring and auditing

• Implementing compliance and practice standards

• Designating a compliance officer or contact

• Conducting appropriate training and education

• Responding appropriately to detected offenses, and developing corrective action

• Developing open lines of communication

• Enforcing disciplinary standards through well-publicized guidelines

WALNUT HILL FAMILY AND PREVENTIVE MEDICINE CLINIC, PA
1701 W. Walnut Hill Lane, Suite 200
Dallas, Texas 75229
214-549-1111
214-549-1222 (FAX)
[email protected]

NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

YOUR MEDICAL RECORD (CHART) contains your symptoms, examination, and test results, diagnoses, treatment, and plan for follow-up. This is protected health information (PHI), and is used for many reasons. Your medical record serves as a

• basis for planning your care and treatment (this includes scheduling and appointment reminders)

• means of communication among the many health professionals who contribute to your care

• legal document describing the care you received

• means by which you or a third-party payer can verify services billed

• tool in educating health professionals

• source of data for quality control programs and medical research

• source of information for public health officials (by law, certain illnesses must be reported)

YOUR HEALTH INFORMATION RIGHTS

Although your medical record (chart) is the physical property of the clinic, the information contained within the record belongs to you. You have the right to:

• request a restriction on certain uses and disclosures of your information

• obtain a paper copy of this notice

• inspect and obtain a copy of your medical record as provided in our office policy manual

• amend your health record (requests must be made in writing)

• request communications of your health information by alternative means or at alternative locations

• revoke your authorization to use or disclose health information except to the extent that action has already been taken

• obtain an accounting of any non-routine disclosures of your health information

OUR RESPONSIBILITIES

The Walnut Hill Family and Preventative Medicine Clinic is required to:

• maintain the privacy of your medical record (chart)

• abide by the terms of this notice

• notify you if we are unable to agree to a requested restriction

• accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations or phone numbers

We reserve the right to change our practices and to make new provisions effective for all protected health information we maintain. We will post a copy of our current notice in a visible location at all times. We will not use or disclose your protected health information without your authorization, except as described in this notice.

FOR MORE INFORMATION OR TO REPORT A PROBLEM

Please contact Sue Singer or Ron Rachels during regular office hours at 214-549-1111 or you can email or mail questions or complaints to Dr. Robbie Speasak at the above address. If you believe that your privacy rights have been violated, you can file a complaint with the Secretary of the Department of Health and Human Services. You will not be penalized in any way for filing a complaint.

FIGURE 16-2 Notice of Privacy Practices.

REQUEST TO ACCESS MEDICAL RECORD

Patients have the right to access their personal health information. We will be happy to accommodate any patient who wishes to exercise this access to inspect or obtain a copy of the record. Please provide the information requested on this form. This request will be acted upon within thirty (30) days. Standard copy charges will apply.

Patient Name ____________________

Date of Birth ____________________

Phone ____________________

Address ____________________

City ____________________ State ____________________ Zip ____________________

Email Address ____________________

Date of Last Office Visit ____________________

Please note below what information should be copied or provided:

____________________

Please note below the following change(s) that need to be addressed:

____________________

I wish to receive a regular accounting of non-routine disclosures of my protected health information. ❒ Yes ❒ No

____________________ Patient Signature ____________________ Date

FOR OFFICE USE ONLY

Date Copied ____________________ Date Mailed ____________________

Certified Mail # ____________________

FIGURE 16-3 Request to access a medical record.

PERMISSION TO DISCLOSE PROTECTED HEALTH INFORMATION

Once the patient has signed the Notice of Privacy Practices, the physician may disclose PHI in the manner that is described on the policy. Virtually all of the daily operations that involve PHI are covered under the Notice of Privacy Practices.

Some offices ask patients to sign a receipt of privacy practices annually. Others simply post the current policy prominently in the office, and state where it can be found on the original notice that the patient signs. Using either method, every current medical record should contain a signed Notice of Privacy Practices, an acknowledgement that the patient received the Notice of Privacy Practices, or a statement that the patient refused to sign the notice. Physicians also use separate release of information forms that detail exactly where to call a patient, whether the patient prefers email communications, and/or specific releases for human immunodeficiency virus (HIV)-related and psychotherapy information (Figures 16-4 and 16-5).

At times, conflicting permissions may be an issue when disclosing PHI. Suppose that a patient requests that a copy of his or her medical record be sent to a third party, such as an attorney. The patient signs the release at an office visit. Before the medical record is copied and sent, the attorney forwards a signed release for just the progress notes. Call the patient first and attempt to verify what he or she wishes sent. Another option is to adhere to the most restrictive request; in this case, send only the progress notes. Always document any form of communication about the patient’s preference in writing. The medical assistant may find it necessary to ask the patient to sign a new permission form. Do not hesitate to contact the patient if any question arises about what he or she wishes to be released.

Identifying the Patient

Providers see numerous patients each day and the medical assistant may not know each one by sight. Always insist on identification when releasing any type of health information to anyone. A state-issued driver’s license or identification card is the best method of identification, but alternates may be necessary for those who do not have that particular document. The office policy manual should list acceptable forms of identification. When making any type of disclosure, make certain to note why the person has the authority to request and receive the PHI.

Patient Names and Sign-In Sheets

A staff member in a physician’s office may call out a patient’s name when it is time to see the physician. Sign-in sheets that list patient names may also be used. Covered entities are permitted to make such incidental disclosures if they comply with the

PROCEDURE 16-1

Identify and Respond to Issues of Confidentiality

CAAHEP COMPETENCY: 3.c(2)(a)
ABHES COMPETENCY: 1.b

GOAL: To become proficient at identifying issues involving confidentiality and respond to them in the manner prescribed by office policy.

EQUIPMENT and SUPPLIES

• Office policy manual

• Office procedure manual, if separate

• Release of information forms

• Notice of Privacy Practices

• Clerical supplies

• Patient medical records

PROCEDURAL STEPS

1. Review office policy regarding release of patient information and confidentiality in the facility.
   PURPOSE: To make certain that office policy is stringently followed and that the office remains in HIPAA compliance.

2. Review the Notice of Privacy Practices for the facility.
   PURPOSE: To be sure that the office’s privacy policies are followed.

3. Review the facility’s Authorization to Release Medical Records form.

4. Thoroughly read the request for information that is presented to the facility.
   PURPOSE: To determine what information is being requested.

5. Determine if the document is valid.
   PURPOSE: No information should be released if the requesting documents are not valid.

6. Determine the exact information that is being requested.
   PURPOSE: Only the exact information being requested should be released.

7. Make certain that the release of information form either is one designed by the facility or contains all of the same information.

8. Make the requestor complete one of the facility’s request forms, if necessary.

9. Forward only the information requested to the person or organization that presented the authorization for release of information.
   PURPOSE: No information that has not been requested can be released without additional consent by the patient.

10. Release the information by mail or to the agent of the requestor.


Patient Consent to the Use and Disclosure of Health Information for Treatment, Payment, or Health Care Operations

I understand that as part of my health care, the practice originates and maintains paper and/or electronic records describing my health history, symptoms, examination and test results, diagnoses, treatment, and any plans for future care or treatment. I understand that this information serves as:

• A basis for planning my care and treatment,

• A means of communication among professionals who contribute to my care,

• A source of information for applying my diagnosis and treatment information to my bill,

• A means by which a third-party payer can verify that services billed were actually provided,

• A tool for routine health care operations, such as assessing quality and reviewing the competence of staff.

I have been provided the opportunity to review the “Notice of Patient Privacy Information Practices” that provides a more complete description of information uses and disclosures. I understand that I have the following rights:

• The right to review the “Notice” prior to acknowledging this consent,

• The right to restrict or revoke the use or disclosure of my health information for other uses or purposes, and

• The right to request restrictions as to how my health information may be used or disclosed to carry out treatment, payment, or health care operations.

I request the following restrictions to the use or disclosure of my health information:

Restrictions:

Messages or Appointment Reminders: (Please check all that apply)

May we leave a message on your answering machine at home [ ] or at work [ ]. Do not leave a message [ ]

May we leave a message with someone at your home using the doctor’s name or the practice name: Yes [ ] No [ ]

May we leave a message with someone at your work using the doctor’s name or the practice name: Yes [ ] No [ ]

Messages will be of a nonsensitive nature, such as appointment reminders.

May discuss treatment, payment, or health care operation with the following persons: (Please check all that apply)

Spouse [ ] Your Children [ ] Relatives [ ] Others [ ] Parents [ ]

Please list the names and relationship, if you checked “Relatives” or “Others” above

I understand that as part of treatment, payment, or health care operations, it may become necessary to disclose health information to another entity, i.e., referrals to other health care providers, labs, and/or other individuals or agencies as permitted or required by state or federal law.

I fully understand and accept the information provided by this consent.

Signature

Print name of person signing

Date

*If other than patient is signing, are you the parent, legal guardian, custodian, or have Power of Attorney for this patient for treatment, payment, or health care operations? Yes [ ] No [ ]

FOR OFFICE USE ONLY

[ ] Patient refused to sign the consent form.

[ ] Restrictions were added by the patient (see restrictions listed above)

[ ] “Consent form” received and reviewed by on (date)

[ ] “Consent form” placed in the patient's medical record on (date)

FIGURE 16-4 Example of HIPAA-compliant patient disclosure form. (From Klieger DM: Saunders textbook of medical assisting, St Louis, 2005, Saunders.)

CHAPTER 16 Privacy in the Physician’s Office

GENERAL MEDICAL HEALTH CARE AUTHORIZATION FOR RELEASE OF MEDICAL INFORMATION

General Medical Health Care 1234 Riverview Road, Anytown, FL 33333

I,

to release medical, including HIV Antibody Testing, Psychiatric/Psychological, Alcohol and/or Drug Abuse, information records to:

I understand that if I consent to the release of any of my medical records, the results of any HIV Antibody Testing, Psychiatric/Psychological, Alcohol and/or Drug Abuse information will be released.

I understand this consent may be cancelled upon written notice to the hospital, except that action by the hospital has been taken in reliance on this authorization, and that this authorization shall remain in force for a 90-day period in order to effect the purpose for which it is given. Alcohol and drug abuse information, if present, has been disclosed from records whose confidentiality is protected by Federal Law. FEDERAL REGULATIONS (42CFR, part II) prohibit making any further disclosure of records without the specific written authorization of the undersigned, or as otherwise permitted by such regulations. The confidentiality of HIV antibody test results is protected by Florida Law [Fla. Stat.ANN. 381.609 (2) (F)], which prohibits any further disclosure by a person to whom this information has been disclosed, without specific written consent of the undersigned or as otherwise permitted by state law.

Print Patient’s Name Date of Birth Social Security Number hereby authorize/ /

(Street) (City) (State) (Zip)

To:

Address

Please Specify Reason for Disclosure

For the purpose of: 1. Drs. appointment on:

From: (Date of Authorization) (Dates to be Released)

To:

Patient’s Signature

Parent, Legal Guardian, or Authorized Representative Signature

Relationship to Patient

Witness

2. Other:

FIGURE 16-5 Example of HIPAA-compliant patient disclosure form containing HIV and psychologic information release. (From Klieger DM: Saunders textbook of medical assisting, St Louis, 2005, Saunders.)

UNIT THREE HEALTH INFORMATION IN THE MEDICAL OFFICE

minimum necessary requirements of HIPAA (Figure 16-6). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted. The Privacy Rule is not intended to impede customary and necessary healthcare communications or practices or to require that all risk of incidental use or disclosure be eliminated to satisfy the Privacy standards. Disclosures that could occur as a byproduct of engaging in healthcare communications or practices may be considered acceptable under the Privacy Rule.

Incidental disclosures could include the following:

• Confidential conversations between providers or with patients, if a possibility exists that they may be heard (e.g., by hearing the patient and physician talking through the wall when in an adjacent examination room)

• Seeing other patient names when signing in

• A person not authorized to see PHI walks by medical equipment and sees material containing individually identifiable health information (e.g., seeing a patient’s name on an ultrasound screen)

• Physicians speaking with patients in semiprivate hospital rooms

• Healthcare staff orally coordinating patient care services at a nurse’s station or central location within an office

• A pharmacist discussing a patient with a physician on the phone when another person is standing nearby

Most physician offices have implemented sign-in sheets that ideally allow only one patient to sign in at a time and prevent them from seeing other patient names. Sign-in sheets that use pressure-sensitive stickers are a good example. The patient signs in on the form, then the sticker is removed and placed either in the patient’s medical record or on a log sheet. Some offices are more technologically advanced and have a computer sign-in system. The patient arrives and goes to the computer screen, sees his or her name, and then presses “enter” to signify that he or she has arrived for the appointment. The patient name appears only for 15 minutes or so before the appointment and for 15 minutes after. If the name is not on the screen, the patient is directed to see the office staff. This subtly teaches the patient to be on time for appointments. These devices save time, although the patient must receive brief training on how to use the system. The short time that the patient’s name is viewable on the screen is an incidental exposure but is acceptable through HIPAA guidelines as explained previously.

FIGURE 16-7 In most cases the parent is considered the child’s representative and is allowed to view the child’s medical records.

HIPAA MINIMUM NECESSARY STANDARD [45 CFR 164.502(b), 164.514(d)]

Background

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirements for minimum necessary standards are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

• Disclosures to or requests by a health care provider for treatment purposes.

• Disclosures to the individual who is the subject of the information.

• Uses or disclosures made pursuant to an individual’s authorization.

• Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.

• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.

• Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

http://www.hhs.gov/ocr/hipaa/

FIGURE 16-6 HIPAA’s Minimum Necessary Standard Overview.


Placement of Patient Medical Records

Many physician offices place medical records inside a wall folder just outside of the examination room. By turning the record so that the name cannot be seen by someone passing through the hallway, the facility meets the minimum necessary requirement in protecting patient privacy. The hallway area should be supervised, and nonemployees should be escorted when in the clinical area of the office.

Children’s Health Records

The Privacy Rule does allow parents to see the medical records of their children as long as this is not inconsistent with state law. In most cases the parent is the child’s personal representative under the Privacy Rule (Figure 16-7). However, several instances exist in which the parent is not considered the child’s personal representative. These instances include the following:

• When the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law (for example, in the case of an emancipated minor)

• When the minor obtains care at the direction of a court or a person appointed by the court

• When the parent agrees that the minor and healthcare provider can have a confidential relationship

Discussing Information with Friends and Family

The Privacy Rule specifically permits covered entities to share information that is directly relevant to the patient’s care with a spouse, family members, friends, or other persons identified by a patient. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object or that the action is in the best interest of the patient. Remember that if the patient has requested that such information not be shared with others, the provider must honor that request unless it is deemed unreasonable.

Both covered entities and business associates can discuss a patient’s bill with a person other than the patient to obtain reimbursement. No limit is placed on to whom such a disclosure may be made. However, the Privacy Rule does require a covered entity or business associate to reasonably limit the amount of information disclosed for such purposes to the minimum necessary and to abide by reasonable requests for confidential communications and restrictions that the patient has requested.

Telephone Messages and Faxes

Medical assistants must communicate with patients, and that communication is often initiated with a telephone call (Figure 16-8). At times the patient is not at home or available and the medical assistant must use professional judgment about leaving a message, as well as about how much information to disclose to the person who answers the telephone. Even leaving a message on an answering machine can be questionable, because no one is sure who will hear a message containing PHI.

If the patient has requested that the provider or provider’s employees communicate only in a confidential manner, such as by alternative means or at an alternative location, the provider must honor that request if it is reasonable. For instance, requests to receive calls at work instead of at home are reasonable requests, unless there are extenuating circumstances.

A fax can be sent containing PHI to another healthcare provider for treatment purposes or to another individual as requested by the patient. Use reasonable care in sending a fax, such as verifying the correct numbers, directing the fax to a certain person, and using cover sheets that stress confidentiality. All fax machines should be located in secure areas to prevent unauthorized access to PHI. Information used for treatment purposes can be shared by fax, email, or telephone with other healthcare providers.

Emergencies

Healthcare providers and facilities, such as hospitals, with a direct treatment relationship with individuals are not required to provide their Notices of Privacy Practices to patients at the time they are providing emergency treatment (Figure 16-9). In such situations the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended. In addition, the Privacy Rule does not require that providers make a good faith effort to obtain the patient’s written acknowledgement of receipt of the notice.

FIGURE 16-8 The telephone remains one of the most vital tools for communication with patients.

FIGURE 16-9 In emergencies the Notice of Privacy Practices does not have to be offered until it is practical to do so.

Complaints about Privacy Violations

When a patient has a complaint regarding his or her privacy information, the first person he or she should seek out is the privacy officer at the facility where the incident took place. If the complaint is not resolved, patients should be directed to the office manager or physician. In the event that the patient’s issue has still not been resolved, he or she has the option to file a written complaint either on paper or electronically with the Office for Civil Rights (OCR). The complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred (Figure 16-10). The OCR may waive the 180-day time limit if good cause is shown.

Complaints must meet the following criteria:

• They must be filed in writing, either on paper or electronically.

• They must name the entity that is the subject of the complaint.

• They must describe the acts or omissions believed to be in violation of the Privacy Rule.

• They must be filed within 180 days of the incident.

• They must apply to an incident that occurred after April 14, 2003 (2004 for small health plans).

OCR has 10 regional offices, and each one covers certain states. Complaints must be filed with the correct regional office that has jurisdiction over the state in which the incident occurred. A complaint form is available on the OCR website. The Office of the Inspector General (OIG) conducts investigations and audits when there is a question regarding privacy laws.

CLOSING COMMENTS

Every employee of the physician’s office must read the policy and procedure manual to make certain that he or she has a firm understanding of the HIPAA Privacy Rule and how it relates to the individual office (Figure 16-11). The medical assistant is responsible for learning and following the guidelines set forth by HIPAA. If uncertain about any situation, contact the privacy officer in the organization for direction or research the question on the HIPAA website. Never assume that a patient will not mind if certain information is disclosed. Always check the medical record to determine patient preferences. Keep current on changes to HIPAA regulations and continue to function in a state of constant learning. Embrace changes designed to improve patient care and treatment.

FIGURE 16-10 The time may come when a patient files a complaint against a provider for a violation of privacy practices.


Guidelines for HIPAA Privacy Compliance

1. Consider that conversations occurring throughout the office could be overheard. The reception area and waiting room are often linked, and it is easy to hear the scheduling of appointments and exchange of confidential information. It is necessary to observe areas and maximize efforts to avoid unauthorized disclosures. Simple and affordable precautions include using privacy glass at the front desk and having conversations away from settings where other patients or visitors are present. Health care providers can move their dictation stations away from patient areas or wait until no patients are present before dictating. Phone conversations by providers in front of patients, even in emergency situations, should be avoided. Providers and staff must use their best professional judgment.

2. Be sure to check in the patient medical record and in the computer system to see if there are any special instructions for contacting the patient regarding scheduling or reporting test results. Follow these requests as agreed by the office.

3. Patient sign-in sheets are permissible, but limit the information requested when a patient signs in, and change it periodically during the day. A sign-in sheet must not contain information such as reason for visit because some providers specialize in treating patients with sensitive issues. Showing that a particular individual has an appointment with the physician may pose a breach of confidentiality.

4. Make sure patients sign a form acknowledging receipt of the NPP. The NPP allows the physician to release the patient’s confidential information for billing and other purposes. If the practice has other confidentiality statements and policies besides HIPAA mandates, these must be reviewed to ensure they meet HIPAA requirements.

5. Formal policies for transferring and accepting outside PHI must address how the office keeps this information confidential. When using courier services, billing services, transcription services, or email, ensure that transferring PHI is done in a secure and compliant manner.

6. Computers are used for a variety of administrative functions, including scheduling, billing, and managing medical records. Computers typically are present at the reception area. Keep the computer screen turned so that viewing is restricted to authorized staff. Screensavers should be used to prevent unauthorized viewing or access. The computer should automatically log off the user after a period of being idle, requiring the staff member to reenter their password.

7. Keep usernames and passwords confidential, and change them often. Do not share this information. An authorized staff member such as the PO will have administrative access to reset passwords if they are lost or if someone discovers the password. Also, practice management software can track users and follow their activity. Do not ever give out a password. Safeguards include password protection for electronic data and storing paper records securely.

8. Safeguard the work area; do not place notes with confidential information in areas that are easy to view by nonstaff. Cleaning services will access the building, usually after business hours; ensure that PHI is protected.

9. Place medical record charts face down at reception areas so the patient’s name is not exposed to other patients or visitors to the office. Also, when placing medical records on the door of an examination room, turn the chart so that the identifying information faces the door. If medical records are kept on countertops or in receptacles, ensure that non-staff persons will not access the records. Handling and storing medical records will certainly change because of HIPAA guidelines.

10. Do not post the health care provider’s schedule in areas viewable by non-staff individuals. The schedules are often posted for professional staff convenience, but this may be a breach in patient confidentiality.

11. Fax machines should not be placed in patient examination rooms or in any reception area where non-staff persons may view incoming or sent documents. Only staff members should have access to the faxes.

12. Direct mail and phone calls only to the appropriate staff members.

13. Recognize, learn, and use HIPAA TCS if involved in coding and billing.

14. Send all privacy-related questions or concerns to the appropriate staff member.

15. Immediately report any suspected or known improper behavior to supervisors or the PO so that the issue may be documented and investigated.

16. Direct all questions to the supervisors or PO.

FIGURE 16-11 Guidelines for HIPAA Privacy Compliance. (From Quick Guide to HIPAA for the physician’s office, St Louis, 2004, Saunders.)


SUMMARY OF SCENARIO

Sabrina and Elsa will experience many challenges as a result of the information exchange they shared at the family picnic. Their conversation probably began like any other, but once Sabrina told Elsa the details of Ms. Adams’ visit, they violated patient privacy laws. Their future in the medical field is now uncertain.

Ms. Adams suffered emotionally after the breach of privacy. Her daughter, Terri, does not understand why her mother did not tell her about the illness. The relationship between the mother and daughter is now stressful, an interference with their normal bond during this critical time. The family questions whether to pursue the matter legally or spend the time they have left together in more productive ways. They have many decisions to make.

Dr. Taylor placed Sabrina on probation for 3 months. Before this incident, she had never received any type of disciplinary action. Elsa was not formally disciplined, largely because of her long-standing relationship with Dr. Berry. Still, there is sharp tension between them in the office now, as he faces a possible medical professional liability lawsuit, as well as complaints about the privacy of Ms. Adams’ PHI. Neither Sabrina nor Elsa will look at their jobs the same way as before the incident—for them, everything is different. They both feel that they have disappointed their employers, their patients, and themselves.

The medical assistant must remember that patients should be discussed only with others who are directly involved in the patient’s medical care. The HIPAA Privacy Rule has made great strides in protecting patient privacy and in simplifying administrative processes. However, the rule is effective only if office policies are established and practiced. New policies may be difficult to implement, but gaining an understanding of the reason for the policy and its major goals will help the medical assistant embrace changes more readily.

Patients may not agree with the privacy practices or may not understand them. Make an effort to help the patient see the benefit in the policies that the office has established, reminding the patient that such policies are designed for their protection. The patient does not have to agree with the policy or sign it as long as the staff members make a good faith effort toward this end.


1. Define, spell, and pronounce the terms listed in the vocabulary.

• Spelling and pronouncing medical terms correctly adds credibility to the medical assistant. Knowing the definition of these terms promotes confidence in communication with patients and co-workers.

2. Explain how the HIPAA Privacy Rule benefits the healthcare industry and patients.

• As a result of the HIPAA Privacy Rule, patients have more control over their medical records. They are able to make informed choices as to how their personal health information is used, and boundaries are set on the use and release of health records. Safeguards are established that healthcare providers must achieve to protect the privacy of health information. Violators are held accountable and face both civil and criminal penalties if patient privacy rights are compromised. The HIPAA Privacy Rule also protects public health by striking a balance when public responsibility supports disclosure of personal health information.

3. List what must be included on a Notice of Privacy Practices.

• A Notice of Privacy Practices must include details as to how PHI is used and disclosed by the facility; the duties of the provider to protect health information; patient rights regarding PHI; how complaints can be filed if patients believe their privacy has been violated; whom to contact at the facility for more information; and the effective date of the Notice of Privacy Practices.

4. Explain the difference between Title I and Title II of the HIPAA Privacy Rule.

• Title I of the HIPAA Privacy Rule regulates insurance reform. It limits the use of preexisting health conditions that in the past would have prevented or limited an employee from obtaining health insurance coverage. If an individual left a job with insurance coverage and attempted to secure new coverage, a preexisting health condition would often preclude that person from obtaining coverage for that illness. Title II deals with administrative simplification. This section is the source of privacy and security laws that affect the patient. The goal of Title II is to reduce administrative costs in the healthcare industry.

5. List the rights that patients have under the Privacy Rule.

• Patients have several rights under the Privacy Rule, including the right to notice of a facility’s privacy practices; the right to have access to, view, and obtain a copy of their PHI; the right to restrict certain parts or uses of their PHI; the right to request that communications from the facility be kept confidential; the right to request the facility to amend the PHI; and the right to receive notice of all disclosures of their PHI.

6. Briefly explain what is expected of healthcare providers in relation to the Privacy Rule.

• Healthcare providers are expected to notify patients of their privacy rights; explain how their health information might be used; develop privacy procedures in the facility; implement those privacy procedures; train employees so that they understand the procedures in place; designate an individual to be responsible for implementation; and secure medical records so that they are not available to those who do not need them.

CONNECTIONS

Study Guide Connection: Go to Chapter 16 Study Guide. Read the Case Study and Workplace Applications and complete the assignments. Do online research for answers to the questions in the Internet Activities associated with privacy in the physician’s office.

CD Connection: Go to the Medical Assisting Competency Challenge CD and do the training activities under Legal Concepts.

Evolve Connection: For more information related to privacy in the physician’s office, go to http://evolve.elsevier.com/kinn/admin and visit related weblinks for Chapter 16. Click on the Medical Assisting Exam Review and do the practice questions to sharpen your test-taking skills.

7. Describe an incidental disclosure.

• An incidental disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted.

8. List the three instances when a parent is not considered the child’s representative.

• A parent is not considered the child’s representative in any of three instances: when the minor is the one who consents to care and the consent of the parent is not required under state or other applicable law (e.g., in the case of an emancipated minor); when the minor obtains care at the direction of a court or a person appointed by the court; or when the parent agrees that the minor and healthcare provider can have a confidential relationship.

9. Explain why a provider can discuss protected health information with a patient’s friends and family.

• A provider can discuss PHI with a patient’s friends and family unless the patient has limited disclosure and requested that he or she receive only confidential communication with the provider. Unless the patient makes this request, which should be in writing, the provider is able to discuss the patient with others as long as good judgment is used and the communication is related to the patient’s treatment.

10. Discuss the role of the Notice of Privacy Practices in emergencies.

• Healthcare providers and facilities, such as hospitals, with a direct treatment relationship with individuals are not required to provide their Notices of Privacy Practices to patients at the time they are providing emergency treatment (Figure 16-9). In such situations the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended.