Health Care Informatics
LESSON 5 Regulation of Health Care LECTURE NOTES ______________________________________________________________________________________
Introductory Lesson Comments
This lesson will focus on the legal, regulatory, and oversight of health care organizations and
their health information systems.
Regulation of Health Care
For health care providers, many governmental agencies have the responsibility to provide
regulations and oversight of health care organizations and health care professionals. This might
include the following:
Licensure boards for the various health-related professions
State and federal agencies that determine compliance with Medicare and Medicaid standards
Other state and federal agencies for other rules and regulations (i.e., OSHA, Wage and Hour, EPA, IRS, etc.)
Local government entities such as health departments, food safety, etc.
Generally, laws, rules, and regulations by governmental agencies are mandatory for health care
providers to follow. Failure to meet the standards may result in the imposition of sanctions,
including monetary fines, suspension of payments, and termination from a reimbursement
program.
For health information systems, there are numerous regulations and requirements for the maintenance
of health records. These include federal, state, and local regulations as well as the requirements of
credentialing bodies and payer agencies, such as insurance carriers, health maintenance
organizations, and preferred provider networks.
The requirements may vary for each of the various entities; however, most of the requirements are
quite similar. They might include the demand for certain information in a mandated format, such as
an assessment form that is signed by the health care professional that attests to the care, condition, or
diagnosis of the patient. Many of the required information tools are needed by the paying agency to
verify the following:
That the services rendered were needed to treat the patient
That the services rendered were actually provided to the patient
That the services rendered were within the professional standards
That the services rendered achieved the desired outcome
Other standards for health records have been created by professionals and experts to assist in the
organization of the actual health record. This is done to create a standard format for health records
that allows for the accurate, timely, and completeness of the information by the various health care
professionals who need to access or input information. By creating standard protocols and formats
for health records, individual professionals who need to review information or otherwise access the
information can quickly find a section of the record rather than search numerous documents and
pages of information.
One of the main tools used by governmental agencies, insurance carriers, and other third-party
payers is the use of payment for services to enforce standards, rules, and requirements. Since
providers want to receive payment for services rendered, and most health care services are
covered by either a governmental or insurance program, providers are required to sign
agreements with those organizations that include certain requirements and mandates for records.
This would include how the provider protects health information.
Protecting Health Information – HIPAA and Related Privacy Issues
The protection and privacy of patient information has been a long-standing practice for health
care providers and has become an expectation of the public. This needs to be a key focus area
for all health care providers in their policies and procedures, in their orientation of employees,
and as an essential part of the culture of their organization.
Professional standards have evolved demanding that providers take affirmative steps to protect
the confidentiality of personal health care information. While professional standards were used
to create the privacy and confidentiality standards, these were considered to be voluntary, and
compliance was sporadic. Since violations of the voluntary standards did occur, some form of
governmental oversight and regulation was necessary.
Historically, medical privacy and confidentiality laws were first regulated by local and state
governments. They created mandatory standards and could impose sanctions on providers who
failed to adhere to the requirements. Voluntary standards were included as part of the ethical
requirements of professional organizations, such as the American Hospital Association, the
American Medical Association, and the American Nursing Association. Most professional
organizations created a code of ethics or other requirements of the profession for individuals to
follow to maintain the privacy and confidentiality of personal health information.
As the role of the government as a source of payment grew larger, the federal government
became involved in the protection of information through various laws and regulations. This
role allowed the government to mandate stronger requirements and impose sanctions for failure
to meet the standards.
Major federal legislation passed in 1996 increased the requirements for privacy and is commonly
referred to as HIPAA (Health Insurance Portability and Accountability Act of 1996 [P.L.104-
191]). This law has many provisions beyond privacy and includes how patients may access
information, how they can extend health care coverage, and how electronic data can be
exchanged.
The federal Department of Health and Human Services, Office of Civil Rights (OCR), has the
responsibility for enforcing the HIPAA rules. The Department issues rules and information for the
public to use in order to comply with the various requirements. Providers must allocate resources to
assure that they are in compliance with the ever-changing environment of privacy.
There are numerous and ongoing actions that involve providers and the breaching of privacy or
security of protected information. The Department has the authority to apply monetary and other
sanctions, and there are private civil actions for breaches of privacy afforded to the patient.
Investigations typically begin with a complaint made by an individual who believes his or her
privacy has been compromised.
As investigations of breaches by the OCR evolved over the years, several major cases have been
covered by the media that indicated the imposition of major fines to providers well into the hundreds
of thousands of dollars. This got the attention of Boards of Directors and Senior Management Teams
of health care organizations as well as financial accountants, consultants, and others who are
interested in this area of practice.
Systems have been developed to create internal protocols, monitor performance, audit activities, and
generally create tools and resources to keep health information from unauthorized access and
breaches. Unfortunately, all of those systems are dependent on people to assure compliance. So,
ultimately, this is not a system or technology problem; it is a people problem.
The creation of electronic information creates new challenges and problems for providers, payers, the
government, and the patient in protecting confidential and private information. HIPAA has processes
for establishing standards for electronic health information, including how data may be exchanged
between entities, or electronic data interchange (EDI). These standards began as part of the long
journey to establish electronic health records, which continues today and well into the future as new
formats and forms of health information are created electronically.
As requirements of law and others mandate the maintenance and protection of information, this also
includes the storage of information once the service has been rendered. Whether health information
is contained in paper form or electronic form, providers need to create policies, procedures,
protocols, and systems for the long-term safe storage of this information. The length of time for
record retention that is mandated by local, state, or federal law is usually a time period of years.
Once the time period has expired, providers may dispose of the records. However, they must do so
in a way that assures the records are not readable and are not in a usable format, such as shredding or
other means to destroy the information.
Health care providers are also required to provide access to records when requested by an authorized
agency or the patient. This means that the information, while secure, still needs to be in a form or
location easily accessible by authorized individuals. Proper written authorization or legally
mandated access demands the need to have policies and procedures that are enforced by the
organization.
Failure to comply with any law, requirement, or rule could cause sanctions to be imposed on the
offending provider which range from fines (in governmental operated programs) to termination
from the payment system (used by both government and private sectors.) In this situation,
sanctions or termination provide significant incentives for providers to create systems, processes,
and protocols that assist in protecting an individual’s health information.