Essentials of Health Information Management Chapter 9
For a medical record to be considered admissible as evidence, it must be:
Created by a person within the business who has knowledge of the acts, conditions, diagnoses, events, or opinions documented; Documented in the normal course of business; Generated at or near the time of patient care; Maintained in the regular course of business
Civil Law
Deals with legal rights and relationships of private individuals; includes torts and contracts.
Public law
Deals with relationships between individuals and government and includes criminal law and regulations.
In general, security provisions should include the following policies and procedures:
Define authorized users of patient information to control access; Implement a tracking procedure to sign out records to authorized personnel; Limit record storage access to authorized users; Lock record storage areas at all times; Require that all original medical records remain in the facility at all times
Release of information log
Document of patient information released to authorized requestors; data is entered manually (e.g., 3-ring binder) or by using tracking software.
Federal regulations are issued as the Code of Federal Regulations (CFR), which is subdivided into how many titles?
50
Food and Drug Administration (FDA)
A covered entity may disclose PHI without obtaining authorization from the individual to the jurisdiction of the Food and Drug Administration regarding FDA-regulated products or activities related to quality, safety, or effectiveness of products or activities and to collect or report adverse events, product defects, or problems.
Workers' Compensation
A covered entity may disclose protected health information to comply with workers' compensation laws that provide benefits for work-related injuries or illness regardless of fault.
Specialized Government Functions
A covered entity may use or disclose protected health information (PHI) without obtaining authorization from the individual for the following: Medicare; Medicaid; Military and veterans activities; Armed forces personnel; National security and intelligence activities; Protective services for the president and others; Medical suitability determinations; Correctional institutions for the provision of health care
Law
A rule of conduct passed by a legislative body that is enforced by the government and results in penalties when violated; also called a statute.
Criminal law
A type of public law that deals with crimes and their punishments.
In addition to the Constitution of the United States and individual state constitutions, sources of law include:
Administrative law; Case law (or common law); Statutory law
Security rule
Adopts standards and safeguards to protect health information that is collected, maintained, used, or transmitted electronically.
Privileged communication
Any information communicated by a patient to a health care provider.
In response to a law enforcement official's request to assist in identifying or locating a suspect, fugitive, material witness, or missing person; only the following information may be disclosed:
Name and address; Date and place of birth; SSN; ABO blood type and Rh factor; Type of injury; Date and time of treatment; Date and time of death; Distinguishing physical characteristics, including weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos
Breach of confidentiality
Occurs when patient information is disclosed to other(s) who do not have a right to access the information.
Statutory law
Passed by a legislative body, and it can be amended, repealed, or expanded by the legislative body.
Patients have the following specific rights:
Patient education on privacy protections. Redisclosure of PHI. Patient access to their records. Disclosures to business associates. Patient care and notification. Disclosures about deceased patients. Fundraising activities. Limited uses and disclosures when the patient is not available. Disclosures by whistleblowers and workforce member crime victims. Obtaining patient authorization before information is disclosed. Proof of immunization. Recourse if privacy protections are violated.
According to HIPAA privacy and security provisions:
Patients have the right to an expectation of privacy regarding their privileged communication, which means information cannot be disclosed without their authorization. Security safeguards must be implemented to ensure that facilities, equipment, and patient information are safe from damage, loss, tampering, theft, or unauthorized access.
Medical liability
Pays a lawsuit's covered damages or settlement amount and defense costs; also called malpractice insurance.
Medical examiner
Physician officially authorized by a governmental agency to determine causes of deaths, especially those due to other than natural causes.
Covered entities
Private and public sector organizations that must follow HIPAA provisions; include health care providers that conduct certain transactions in electronic form, health plans, and health care clearinghouses.
Qualified protective order
Prohibits the use or disclosure of PHI for any purpose beyond the litigation at hand, and requires that the PHI, and all copies, be returned to the covered entity or destroyed when the litigation is over.
Digital
Proposed standard for electronic signatures, which applies a mathematical function to the electronic document resulting in a unique bit string (computer code) called a message digest that is encrypted and appended to the electronic document.
Electronic protected health information
Protected health information that is in electronic format.
HIPAA standards for privacy of individually identifiable health information
Provisions that protect the security and confidentiality of health information; also called the privacy rule.
An individual has the right to access his or her own PHI for the purpose of inspection and to obtain a copy, except for the following:
Psychotherapy notes; Information compiled for use in a civil, criminal, or administrative action
Plaintiff
The individual who initiates a civil complaint; there is no plaintiff in criminal law.
Confidentiality
The process of keeping privileged communication secret, which means that information cannot be disclosed without the patient's authorization.
Dorrence Kenneth DARLING, II, Appellee, v. CHARLESTON COMMUNITY MEMORIAL HOSPITAL
This action was brought against the hospital to recover damages for allegedly negligent medical and hospital treatment which necessitated below the knee amputation of his right leg.
HIPAA is the first federal law that governs the privacy of health information nationwide. HIPAA legislation was organized according to five titles:
Title I—Health Care Access, Portability, and Renewability; Title II—Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform; Title III—Tax-Related Health Provisions; Title IV—Application and Enforcement of Group Health Plan Requirements; Title V—Revenue Offsets
Encrypt
To encode a computer file, making it safe for electronic transmission so that unauthorized parties cannot read it.
Civil law deals with the legal rights and relationships of private individuals and includes:
Torts, Contracts, Public law, and criminal law
Currently, no state has enacted a ________ that systematically deals with all issues raised by the computerization of records
comprehensive law
Regulations
published rules that interpret laws
Federal regulations are issued as:
the Code of Federal Regulations (CFR)
All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, paper-based, or verbal, are covered by______
the privacy rule
The medical record is a legal business record that must be maintained according:
to accreditation standards (e.g., The Joint Commission)
The types of civil legal actions that most typically affect the health care industry are
torts and contracts
Law Enforcement Agencies
The covered entity must obtain the patient's authorization to disclose PHI to all law enforcement agencies, except when no authorization is required by HIPAA.
Third-Party Payers
The covered entity must obtain the patient's authorization to disclose PHI to all third-party payers, except in the course of TPO.
Workers' Compensation Carriers
The covered entity must obtain the patient's authorization to disclose PHI to all workers' compensation carriers, when required by state law.
Internal Revenue Service (IRS)
The covered entity must obtain the patient's authorization to disclose PHI to the Internal Revenue Service
Patient or Patient Representative
The covered entity must obtain the patient's authorization to disclose PHI to the patient or patient representative, except when no authorization is required by HIPAA.
Information for the identification and location of an individual is limited to the following:
Name and address; Date and place of birth; SSN; ABO blood type and Rh factor; Type of injury; Date and time of treatment; Date and time of death; Description of physical characteristics
Employers
The covered entity must obtain the patient's authorization to disclose PHI to all employers, except when PHI is released to report work-related illnesses or injuries
Government Agencies
The covered entity must obtain the patient's authorization to disclose PHI to all government agencies, except as required by HIPAA.
Health care providers
The covered entity must obtain the patient's authorization to disclose PHI to all health care providers, except those involved in direct care of the patient.
Research that Includes Treatment of an Individual
The covered entity must obtain the patient's authorization to disclose PHI to all health care providers, except those involved in direct care of the patient.
Burden of proof
"Proving harm" is the responsibility of the individual who initiates a civil complaint.
The covered entity (e.g., provider) may disclose PHI to health oversight agencies for activities authorized by law, including:
Audits (e.g., quality improvement organization, QIO, studies); Civil, administrative, or criminal investigations (e.g., state office of professional misconduct); Inspections (e.g., state department of health on-site inspection, OSHA); Licensure or disciplinary actions (e.g., physician disciplinary action); Civil, administrative, or criminal proceedings or actions (e.g., subpoena duces tecum issued for records in a medical malpractice lawsuit); Other activities necessary for appropriate oversight of health care system (e.g., government benefit programs such as Medicare and Medicaid)
Case law
Based on judicial decisions and precedent rather than on statutes; also called common law.
A covered entity may disclose PHI about victims of abuse, neglect, or domestic violence to a governmental authority that is authorized to receive such reports. The covered entity must promptly inform the individual that a report has been or will be made unless the covered entity:
Believes that notification would place the individual at risk of serious harm; Would be notifying a personal representative who is responsible for the abuse, neglect, or other injury (and, as such, would not act in the individual's best interests)
The following penalties apply when covered entities misuse personal health information:
Civil monetary penalties of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated. Federal criminal penalties of up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. The HITECH Act of 2009 increased civil penalties for willful neglect up to $250,000, with repeat and/or uncorrected violations extending up to $1.5 million.
HIV-related information
Confidential human immunodeficiency virus (HIV) related information is any information indicating that a person had an HIV-related test; or has HIV infection, HIV-related illness, or acquired immunodeficiency syndrome (AIDS); or any information that could indicate a person has been potentially exposed to HIV.
Sources of law
Constitution of the United States, individual state constitutions, administrative law, case law (or common law), and statutory law.
De-identification of protected health information (PHI)
Contains no identification information about an individual; de-identified information can be disclosed if nothing can individually identify the patient.
Covered entities are allowed to disclose PHI to the following in order to carry out their duties with respect to the deceased person:
Coroners and medical examiners; Funeral directors; Cadaver organ, eye, or tissue donation purposes
Subpoena ad testificandum
Court order that requires an individual to appear in court to testify.
A covered entity may disclose PHI in the course of any judicial or administrative proceeding in response to a(n):
Court order, but only the PHI expressly authorized for release by such order; Subpoena duces tecum, if the covered entity has satisfactory assurance:
Covered entities have the flexibility to establish their own policies and procedures to meet privacy rule standards. They should:
Create written privacy policies and procedures that clarify who has the right to access protected information, how protected information will be used within the covered entity, and when protected information may be disclosed. Covered entities must ensure that their business associates also protect the privacy of health information (e.g., add HIPAA clause to business agreements). Train employees regarding HIPAA privacy policies and procedures. Designate a privacy officer who is responsible for ensuring that procedures are followed (e.g., health information manager).
Negligence
Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party (American Heritage® Dictionary of the English Language).
Contempt of court
Failure to obey a subpoena; punishable by fine or imprisonment.
Clinical Laboratory Improvement Amendments of 1988 (CLIA)
Federal law that delineates requirements for certification of clinical laboratories.
Interrogatory
Form of discovery that includes a list of written questions that must be answered by the party upon whom it is served (either defendant or plaintiff), and that party must swear, under oath, that the answers provided are accurate to the best of his or her knowledge.
Deposition
Form of discovery used to learn answers to certain questions, obtain a sworn statement from the deponent, observe a witness's behavior and ability to testify, and discover weaknesses and strengths in each party's case.
According to HIPAA, the following uses and disclosures of PHI do not require the covered entity (e.g., provider) to obtain consent or authorization from the patient, or to provide the opportunity for the patient to agree or object to disclosure:
Health oversight activities; Public health activities; Law enforcement purposes; Judicial and administrative proceedings; Identification and location purposes; Decedents who are deceased over 50 years; Research purposes; FDA; Specialized government functions (e.g., military and veterans activities); Workers' compensation
Impeach
If an answer to a trial question is different from that given to the same question in interrogatory format, the judge could doubt the party's honesty.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)
Imposes data breach notification requirements for unauthorized uses and disclosures of unsecured protected health information (PHI), which essentially means unencrypted PHI.
The covered entity may disclose PHI in response to a law enforcement official's request relating to an individual who is (or is suspected of being) a victim of a crime if the:
Individual (alleged victim) agrees; Covered entity is unable to obtain an individual's agreement because of incapacity or other emergency provided that the: (a) Law enforcement official needs the information to determine if someone else committed a crime, and the PHI will not be used against the victim; (b) Immediate law enforcement activity that depends on disclosure of the PHI would be materially and adversely affected by waiting; (c) Covered entity, exercising professional judgment, believes disclosure is in the best interest of the victim
Defendant
Individual against whom the complaint is brought; there is a defendant in criminal law.
Emancipated minors
Individual who is married, living away from home and self-supporting, declared legally emancipated by a court of law, pregnant and unmarried, on active duty with the U.S. Armed Forces, or at least 16 years of age and living independently from parents or guardians. If state laws permit a minor to seek alcohol or drug abuse treatment, the minor can authorize disclosure of PHI.
Privacy
Information cannot be disclosed without patient authorization.
Protected health information (PHI)
Information that is identifiable to an individual (or individual identifiers) such as name, address, telephone numbers, date of birth, Medicaid ID number and other medical record numbers, social security number (SSN), or name of employer.
The Centers for Medicare and Medicaid Services (CMS) is the federal administrative agency
Is responsible for creating regulations to implement HIPAA legislation.
Payment
It encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, fulfill coverage responsibilities and provide benefits under the plan, and obtain or provide reimbursement for the provision of health care.
Treatment
It generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
It is a federal law passed by Congress that amended "the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."
Security
Keeping facilities, equipment, and patient information safe from damage, loss, tampering, theft, or unauthorized access.
Respondeat superior
Latin for "let the master answer," which means that an employer is responsible for the legal consequences of an employee's actions.
Res judicata
Latin for "the thing is decided," which means that the final judgment of a competent court is conclusive. It prevents a plaintiff from suing on a claim that has already been decided, and it prevents a defendant from raising any new defense to defeat enforcement of an earlier judgment.
Res ipsa loquitur
Latin for "the thing speaks for itself," which means that something is self-evident.
Res gestae
Latin for "things done," which means that hearsay statements made during an incident are admissible as evidence.
Stare decisis
Latin for "to stand by things decided," which means it is a doctrine of precedent and courts adhere to the previous ruling.
Discovery
Legal process lawyers use to obtain information about all aspects of a case; goal is to find information that will help prepare a case for trial or settlement.
The covered entity (e.g., provider) may disclose PHI for public health activities and purposes to:
(1) Public health authorities authorized by law to collect or receive reportable disease and/or event information (e.g., births, deaths, cancer cases) (2) Public health authority or other government authority authorized by law to receive reports of child abuse or neglect (e.g., local law enforcement) (3) FDA for the purpose of tracking products; enabling product recalls, repairs, or replacement; and conducting post-marketing surveillance (e.g., adverse events, product defects or problems, or biological product deviations) (4) Person(s) who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition (e.g., sexually transmitted disease) (5) Employer, about an employee, to evaluate whether the individual has a work-related illness or injury (e.g., employee uses workers' compensation benefits to receive health care services)
Coroner
Public officer who investigates deaths due to other than natural causes.
Decrypts
Recipient of transmitted electronic document decodes the message digest and compares the decoded digest with the transmitted version; if identical, the message is unaltered and the identity of the signer is proven.
Health care operations
Refers to certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and support the core functions of treatment and payment.
Statute of limitations
Refers to the time period after which a lawsuit cannot be filed. Statutes of limitations vary state to state, and the statute of limitations for medical malpractice cases varies from 1 to 3 years.
Administrative law
Regulations created by administrative agencies of government.
Disclosed
Released.
Case law principles also include the following:
Res gestae; Res ipsa loquitur; Res judicata; Respondeat superior; Stare decisis; Subpoena ad testificandum; Subpoena duces tecum
Medical malpractice
Results when a health care provider acts in an improper or negligent manner and the patient's result is injury, damage, or loss.
Marketing Communications
The covered entity must obtain the patient's authorization to disclose PHI for all marketing communications, including reports to news media.
Attorney Requests
The covered entity must obtain the patient's authorization to disclose PHI to all attorneys, except the provider's attorney when the PHI is released during a normal course of business, such as to prepare for a medical malpractice lawsuit.
EHRs are also admissible if they meet the four principles above and meet the following Comprehensive Guide to Electronic Health Records guidelines that demonstrate accuracy and trustworthiness:
Type of computer used is accepted as standard and efficient equipment; Method of operation to create electronic medical record is recorded; Method and circumstances of preparing the record include sources of information on which the record is based, procedures for entering information into and retrieving information from the computer, controls and checks used, and tests performed to ensure the accuracy and reliability of the record; Information documented in the EHR has not been altered in any way
call-back method
Used in an emergency situation to release protected health information (PHI) by obtaining the requesting provider's main number from the phone book or directory assistance, calling the main number, and asking to be connected to the requesting provider to ensure that you are speaking with an individual authorized to obtain PHI. As a follow-up, require the requesting provider to obtain the patient's authorization to release PHI and mail it to your attention.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and state confidentiality laws control the disclosure of information from patient records. The following must be considered:
When an authorization to disclose PHI is required and when it is not required; Special circumstances that impact disclosure of PHI (e.g., correctional facilities, HIV, military records); Patient access to records; Accounting of disclosures of PHI; Prohibition on redisclosure of PHI; Use of release of information log to document disclosure of PHI
A covered entity may also disclose PHI to law enforcement officials:
When reporting certain types of wounds and injuries (e.g., gunshot wounds)
Court order
Written command or direction ordered by a court or judge.
Subpoena duces tecum
Written command or direction that requires an individual to appear in court with documents; a subpoena duces tecum is signed by the clerk of the court.
Torts
Wrongful acts for which a civil suit can be brought.