Legal and ethical responsibilities (Privacy & Security)

Confidentiality

using discretion when handling protected health information

Fax Machines

-Contact the receiver and verify the fax number of the receiving location before faxing confidential information.
-Do not fax confidential information to unauthorized individuals.
-Attach a cover sheet that contains a confidentiality statement.
-Do not fax confidential information if unauthorized individuals are in the area and can see the information.
-Do not leave fax machines unattended while faxing confidential information.
-Make sure to collect confidential information from fax machines.
-Do not throw unneeded faxes of confidential information in trash cans. Instead, these should be shredded.
-Contact the receiver after faxing confidential information.

Copiers

-Do not copy confidential information if unauthorized individuals are in the area and can see the information.
-Do not leave copiers unattended while copying confidential information.
-If a paper jam occurs, be sure to remove the copies that caused the jam from the copier.
-Make sure to collect all copies of confidential information, as well as the original from the copier.
-Do not throw unneeded copies of confidential information in trash cans. Instead, these should be shredded.

Printers

-Do not leave printers unattended while printing confidential information.
-Do not print confidential information on printers that are shared by unauthorized individuals.
-Do not print confidential information on wrong printers.
-Make sure to collect printouts of confidential information from printers.
-Do not throw unneeded printouts of confidential information in trash cans. Instead, these should be shredded.

Telephones

-Do not use patients' names if unauthorized individuals are in the area and can overhear.
-When leaving messages, simply ask patients to return the call. Do not speak about any confidential information.

Abuse

-Emotional abuse includes excessive demands. It includes insults and humiliation. It also includes jealousy, control, and isolation.
-Emotional abuse includes stalking and threats. And it includes lack of affection and support.
-Physical abuse includes hitting, kicking, pushing, shaking, pulling hair, pinching, choking, biting, burning, scalding, and threatening with a weapon. It also includes inappropriate restraint. And physical abuse includes withholding food and water, not providing physical care, and abandonment.
-Sexual abuse includes using sexual gestures, suggesting sexual behavior, and unwanted sexual touching or acts.

Electronic Medical Records

-Instant access
-Remote access to up-to-date information
-Simultaneous access
-Decreased time to record information
-Legible
-Better organized
-Flexible data layout
-Automated checks and reminders
-Increased privacy and decreased tampering, destruction, and loss due to required authorization

The following are disadvantages of electronic medical records:
-Additional hardware, software, and licensing costs
-Resistance to giving up paper records
-Difficult data entry
-Training
-Computer downtime, such as unexpected failure or routine servicing
-Confidentiality and security concerns, such as access of information to unauthorized individuals

Confidentiality of Electronic Records

-Limit individuals who have access to records by using passwords, fingerprints, voice recognition, and eye patterns.
-Require codes to access specific information.
-Place monitors in areas where others cannot see the screen.
-Do not leave monitors unattended while confidential information is on the screen.
-Do not send confidential information by e-mail.
-Back up data.
-Constantly monitor and evaluate the use of electronic medical records.

Signs of Abuse

-Patient statements
-Unexplained injuries, such as bruises, abrasions, fractures, bite marks, and burns
-Unreasonable explanations for injuries
-Malnutrition and dehydration
-Poor personal hygiene
-Pain or bruising in the genital area
-Unexplained genital infections
-Emotional problems, such as anxiety, depression, aggressiveness, changes in appetite, problems at school or work

Medical Records

-Personal information, such as full name, phone number, address, work number and address, birth date, social security number, and marital status
-Medical history
-Description of symptoms
-Diagnoses
-Treatments
-Prescriptions and refills
-Records of patient's telephone calls
-Name of legal guardian
-Name of power of attorney
-Notes about copies of medical records

Patient Rights under the Privacy Rule

-Right to Notice of Privacy Practices: At a patient's first visit to a health care facility, the patient must be given a written copy of the facility's rules and the patient's rights regarding protected health information.
-Right to request restrictions on certain uses of protected health information: Patients may select which items in their medical records should not be disclosed. For example, a patient may restrict an item in the medical record if the previous health condition is no longer applicable or if the patient feels that it will cause embarrassment.
-Right to request confidential communications: Patients may request reasonable, alternative forms of communication. For example, a patient may ask to be contacted at a work phone number instead of a home phone number.

Patient Rights under the Privacy Rule (continued)

-Right to access a copy of protected health information: With the exception of psychotherapy notes, patients may access, inspect, and obtain a copy of their medical records. Typically, the request must be made in writing and acted on within 30 days. Most facilities will charge a fee to patients to obtain copies of their medical records.
-Right to request an amendment of protected health information: Patients may request a change to their medical record if they feel that something is incorrect. The requests must be made in writing. Facilities must respond in a timely fashion. In some cases, the requests may be denied.
-Right to receive an accounting of disclosures of protected health information: Patients may request a record of all the instances in which their personal information was disclosed. Each item in the record must include the date of disclosure, the name of the entity or person to which information was disclosed, a description of the information that was disclosed, and the reason for disclosure.

Disclosure without Authorization

-When a patient requests to see his or her own personal information: Patients may have access to their own medical record at any time.
-When permission to disclose is obtained: If a patient is admitted to the hospital, the patient will be asked if his or her name may be listed in the directory. Then, if any guests request to see the patient by name, the guests can be directed to the correct room.
-When information is used for treatment, payment, and health care operations: If a patient is referred from one doctor to another doctor, these two doctors may share the patient's health information.
-When disclosures are obtained incidentally: Incidental information is information that is obtained accidentally, even when privacy precautions are taken. For example, if a doctor discusses a medical condition with a patient behind closed doors and someone outside the door overhears, this is considered incidental.
-When information is needed for research: Some health data may be released to researchers or for public health purposes. In these cases, identifying information, such as names, social security numbers, and addresses, has been removed from the data.

Disclosure without Authorization (continued) legal or public interest issues

-When information in a medical record must be provided to a court of law
-When law enforcement needs medical records to identify a suspect or missing person
-When reporting cases of abuse, neglect, or domestic violence
-When a patient contracts a serious communicable disease, such as tuberculosis
-When births and deaths occur
-When information is needed to facilitate organ transplants from deceased donors

Physical Safeguards

include rules for providing a safe and hazard-free environment in which to store medical records. For example:
-Doors should be locked.
-Computer server rooms should be locked and accessed by authorized personnel only.
-Any paper records should be stored in locked, fireproof cabinets.

Transaction and Code Set Rule

States that all medical transactions and codes have become the same nationwide

Notice of Privacy Practice

When patients come to a medical facility for the first time, they must receive a copy of the facility's privacy policy

Release of Information

allow the facility to disclose medical information to authorized entities or people

Protected health information (PHI)

any individually identifiable health information about a patient

EMR

electronic medical record

Administrative Safeguards

include rules for managing employees who have access to protected health records. For example:
-Policies must be in place regarding which employees are allowed to access information.
-All employees should complete security awareness training.

Technical Safeguards

include rules for protecting electronic information. For example:
-All medical records should be password-protected, and passwords should be updated regularly.
-Information that is transmitted electronically should be encrypted.
-All computer systems must have effective anti-virus software.

Privileged communication

information that is shared within a protected relationship

Authorization

the permission that patients give in order to disclose protected health information. Several elements must be included in formal authorization.
-Authorization must be in writing and in plain language.
-Authorization must name the entities that are allowed to receive health information. Entities include health care providers, health insurance providers, and health care clearinghouses, who handle insurance claims.
-Authorization must state the people that are allowed to view health information, such as a spouse or other relatives.
-Authorization must state the extent of health information that approved entities and people are allowed to access.
-Authorization must include a statement that patients have the right to refuse authorization. As a result, health care providers have the right to limit treatment to that patient.
-Authorization must have an expiration date.
-Authorization must be signed and dated by the patient.

Disclosure

the release, transfer, or provision of access to protected health information

