Lesson 3: Confidentiality In Allied Health

Mental Health (section 3.6)

Privacy of medical records is important for people with mental illnesses. Patients fear that if employers or others find out that they're being treated for such illness, the consequences may be job loss, lack of credit opportunities, and social isolation. These sorts of fears may discourage some from seeking mental healthcare in the first place. Under federal and state law, and pursuant to licensing requirements much more documentation is required for mental health records than for other types of medical records. Any psychiatric facility receiving Medicare funds is required to comply with the special record requirements created under Medicare conditions of participation regulations. The regulators not only create content requirements but also, in effect, create treatment requirements because collections of the required data requires, to some degree, diagnostic and therapeutic activities. There may be both official record that meets legal requirements and also a personal record that contains information not required in the official record, such as the therapists notes. In some jurisdictions, the personal record may not be subject to discovery.

Mental Health part II (section 3.6)

Reproduced from 42 CFR 482.61: o The medical records maintained by a psychiatric hospital must permit determination of the degree and intensity of the treatment provided to individuals who are furnished services in the institutions. Reproduced from 42 CFR 482.61: o The medical records maintained by a psychiatric hospital must permit determination of the degree and intensity of the treatment provided to individuals who are furnished services in the institutions. Development of Assessment/Diagnostic Data: (a) Standard: Development of assessment/diagnostic data. Medical records must stress the psychiatric components of the records, including history of findings and treatment provided for the psychiatric condition for which the patient is hospitalized. 1. The identification data must include the patient's legal status. 2. A provisional or admitting diagnosis must be made on every patient at the time of admission and must include the diagnoses of intercurrent diseases as well as psychiatric diagnoses. 3. The reasons for admission must be clearly documented as stated by the patient and/or as stated by the patient and/or others significantly involved. 4. The social service records, including reports of interviews with patients, family members, and others, must provide an assessment of home plans and family attitudes, and community resource contact as well as a social history. 5. When indicated, a complete neurological examination must be recorded at the time of the admission physical examination. Psychiatric Evaluation: (b) Standard: Psychiatric evaluation. Each patient must be receive a psychiatric evaluation that must- 1. Be completed within 60 hours of admission 2. Include a medical history 3. Contain a record of mental status 4. Note the onset of illness and the circumstance leading to admission 5. Describe attitudes and behavior 6. Estimate intellectual functioning, memory functioning, and orientation 7. Include an inventory of the patient's assets in descriptive, not interpretative, fashion. Treatment Plan: (c) Standard: Treatment Plan. 1. Each patient must have an individual comprehensive treatment plan that must be based on an inventory of the patient's strengths and disabilities. This written plan must include- i. A substantiated diagnosis ii. Short-termed and long-range goals iii. The specific treatment modalities utilized iv. The responsibilities of each member of the treatment team v. Adequate documentation to justify the diagnosis and the treatment and rehabilitation activities carried out. 2. The treatment received by the patient must be documented in such way to assure that all active therapeutic efforts are included. Psychiatric Evaluation: (d) Standard: Recording progress. Progress notes must be recorded by the Doctor of Medicine or osteopathy responsible for the care of the patient as specified in sec. 482.12 (c), nurse, social worker, and, when appropriate, others significantly involved in active treatment modalities. The frequency of progress notes is determined by the condition of the patient but must be recorded at least weekly for the first two months and at least once a month thereafter and must contain recommendations for revisions in the treatment plan as indicated as well as precise assessment of patient's progress in accordance with the original or revised treatment plan. Discharge Planning & Discharge Summary: (e) Standard: Discharge planning and discharge summary. The record of each patient who has been discharged must have a discharge summary that includes a recapitulation of the patient's hospitalization and recommendations from appropriate services concerning follow-up or aftercare as well as brief summary of the patient's condition or discharge.

Substance Health part II (section 3.6)

The same prohibition against patient identification that applies to substance abuse usually applies to mental health. Similar rules apply regarding disclosure. The applicable state law should be examined to determine what's required in a written authorization from the patient. State law may allow disclosure without circumstances spelled out by law or regulation. Court orders and subpoenas may authorize as well.

Dual functions of Medical Records: (section 3.1)

- Medical records serve two important functions: providing information for patients' care and evidence in malpractice suits. Medical coders extract information from the medical records and assign codes to the medical data. Medical Records as Patient History: · Patients' medical history · Patient's reports and medications · Details for overall care Medical Records as Legal Evidence: o Documentary evidence: papers and documents such as medical records o Testimonial evidence: witness statements o Real evidence: tangible things, such as scalpel o Demonstrative evidence: Things that help illustrate a testimony, such as a chart, x-ray, recording or model

Medical Records' Rules and Requirements: (section 3.2)

- Rules concerning medical records can be approached from three perspectives: the content of the record, retaining the record securely, and the destruction of the record. Requirements for the contents of medical records, apart from what the healthcare provider thinks is relevant to diagnosis and treatment, come from a variety of sources. Many of these requirements are board, but some are very specific. Statutory/Regulatory requirements: statues and regulations pertaining to medical care and payment for medical care may require the creation and maintenance of certain records. For example, participation in Medicare may require that medical records contain certain information. State laws and regulations also may require that certain information appears in medical records. Accrediting Standards: Organizations such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) have accrediting standards that address medical records. Because accreditation is so important hospitals comply with the requirements. Other organizations, such as American Academy of Professionals Coders (APPC) and the American Health Information Management Association (AHIMA), provide ethical and professional standards for employees in health information management such as medical coders. Institutional Standards: In addition to requirements imposed laws through statutes and regulations, and in addition to record requirements that must be met to keep accreditation, individual institutions have their own standards and procedures that apply to medical records. Professional guidelines: Health professional organizations, such as the APPC and the AHIMA, may publish guideline for medical records. Although such guidelines aren't laws, they can be practical aids in complying with the law. Medical records must be authentic. The author of a medical record is the medical provider who has created the data that appear in the record. The provider may write directly on the record, dictate an audio recording (to be transcribed by a medical transcriptionist), or enter the medical data using keyboard entry or keyless entry. Authentication is the confirmation of the content of an entry in a medical record. It acts as verification of the accuracy of the information. An entry could be authenticated with a signature, an initial, or with a computer-generated code. Physical entry of the data may be delegated. Authentication, on the other hand, must be performed by the person who creates the data. This requirement is logically required by the very notion of authentication- that is, only the person who created the information can truly verify it. A physician may dictate the details of a patient's history, physical examination, and medical decision making into a handheld dictation device. The physician's voice recording is later retrieved by a medical transcriptionist, who types the dictation into the form of a medical report. The physician then authorizes the medical report. A medical coder retrieves information from the typed medical report and assigns codes to it. These codes determine the amount that the insurance company will pay the physician for the services provided to the patient. The authentication requirement is essential to establish the business record hearsay exception. A necessary part of the foundation for the business exception is that the record was created by a person with firsthand knowledge of what's being record. Time matter where medical records are concerned. Ordinarily, healthcare providers who make entries in medical record must do so at the time that event occurs. Not only is this required for licensing and accreditation, but entries that aren't made contemporaneously raise question about the reliability and accuracy of the record. Juries may be suspicious that late entries to be a record were made to conceal medical malpractice. Medical records must be as complete as possible. Incomplete records can pose as a danger to patients. Health professionals rely on the accuracy and completeness of medical records, and mistakes or omissions can cause medical malpractice. Omissions from a medical record can make it impossible for a medical provider to prove that no mistakes were made. Patients can also request that corrections are made to their medical records. Both federal and state laws exist regarding corrections initiated by patients. According to the federal Health Insurance Portability and Accountability Act (HIPPA) patients have the right to have errors corrected in their medical records. HIPPA establishes the procedure for requesting corrections and responding to them. If state law requirements are stricter, those must be complied with as well, but HIPPA creates a minimum requirement for all states. What happens if a healthcare provider disagrees with correction? · if a healthcare provider doesn't want to make a change requested by a patient, the patient is entitled to a written notice of the doctor's decision. The patient also has the right to have included in the record a note of the patient's disagreement with what appears there. If a healthcare provider fails to comply with these rules, the patient can sue and recover damages, attorney fees, and costs. There's no clear answer to the question of how long records must be retained. Available storage space to house paper records often becomes a problem. The majority of records with which medical coders work on a daily basis, however, are electronic records. Storage space becomes much less of an issue with prevalence of electronic records. States may have laws that require medical records to be preserved for a certain period of time. Medicare regulations require that providers retain records for a period of time a party has for bringing a lawsuit for professional negligence. If records are destroyed before the statute of limitations runs out, it could adversely affect a healthcare provider sued for malpractice. State statute of limitations vary in length. If a state has not relevant statue, Medicare suggests the provider keep records for five years. The American Health Information Management Association (AHIMA) recommends keeping records for 10 years. Other considerations: As you can imagine, medical records are an extremely important part of a medical malpractice case. In fact, these records may be the only defense to a malpractice action. Therefore, medical records should be kept indefinitely, or at least for 7-10 years after the data of last treatment. Minors present a special problem because the statute of limitations doesn't begin to run until they become adults. For example, suppose a 5-year-old boy has a potential malpractice claim. The statute of limitations in his state is two years, and the age of majority (when a person becomes an adult) is 18. In this case, the statute wouldn't run out until they boy turned 20 years old. Policies in the workplace: Most physicians, hospitals, and other organizations that provide healthcare have set policies for the retention of their medical records. You must become familiar with the policies of your place of employment and adhere to them strictly. - When the point comes that medical records should no longer be destroyed: 1. The method to be used for destruction of physical records- for example, shredding or burning- may be required or recommended by statute or regulation. Laws may also require that the patient and/or licensing authorities be notified before a patient's record is destroyed. Other laws may require that the owner of the records create an abstract of the patient's data before destroying the record. § An abstract is an summary of essential points 2. Apart from the specific requirements of statutes and regulations, the privacy of medical records must be preserved. Many healthcare providers contract out records destruction to a third party. In such cases, the healthcare provider is still responsible for ensuring that appropriate methods and safeguards are used to ensure the privacy of the records. 3. An accurate record of the destruction of records should be retained. A dated certificate of destruction should document that records were properly destroyed in the ordinary course of business. Proof that records were properly destroyed may be necessary if government agencies raise a question about missing records of if missing record become an issue in a medical malpractice case. The raise suspicions (and permit a jury to infer) that the records were destroyed to conceal malpractice. 4. If a medical practice or health institution goes out of business, there's no problem with what to do with their records. In some states, records might have to be transferred to another healthcare provider or to a licensing agency for storage, and notice to the licensing agency may be required. If records involve substance abuse, federal regulations require the patient's consent to transfer the records to another substance abuse program or to retain them for a specified period of time before destroyed.

Special Rules: (section 3.4)

- The Privacy Rule providers special rules regarding psychotherapy notes that limit use or disclose without consent. Expect when psychotherapy notes are used by the originator of those notes to carry out treatment, or by the covered entity for certain other limited healthcare operations, uses and disclosures of psychotherapy notes for treatment, payment, and healthcare operations require the individual's authorization. Disclosure of PHI is permitted in the following cases. i. To a patient if the patient or his or her representative requests it (certain exception may apply- for example, if the information would be harmful to a mentally ill patient.) ii. Uses and disclosures for which the patient has been given the opportunity to agree or object to meet requirements of other laws, regulations, and court orders, including but not limited to workers' compensation laws. iii. For certain public health purposes iv. To government agencies regarding victims of abuse, neglect, and domestic violence v. To health oversight agencies vi. In a judicial or administrative proceeding if a court order or subpoena provides certain assurance regarding notice to the individual or if a protective order is provided. vii. To law enforcement when required by law and under other specific circumstances viii. For certain funeral home and organ transplant purposes - A key idea in the final HIPPA Privacy Rule is that covered entity should release only the minimum necessary health information needed to accomplish the purpose of the disclosure. Here's what the Department of Health and Human Services has stated with regard to the minimum necessary requirement: § "The minimum necessary standard a key protection of the HIPPA Privacy Rule, is derived from confidentiality cases and practices in common use today. It is based on sound current practice protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit necessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirement for minimum necessary are designed to be sufficiently flexible to accommodate the carious circumstance of any covered entity. § The minimum necessary standard applies in all situations expect · Disclosures related to treatment · Disclosures to the patient or his or her representative · Disclosures to the Department of Health and Human Services in certain circumstances · Disclosures required by law or for compliance with HIPPA laws - Patients may request alternatives to the manner in which healthcare communications are made. For example, a patient may ask that certain mailing addresses and phone numbers be used to communicate information. When a patient makes a reasonable request, the healthcare entity involved should accommodate the request if the patient claims that doing otherwise would endanger the patient. Along the same lines, healthcare providers may want a patient to identify persons, such as spouses or family members, to whom healthcare information can be communicated. For example, the results of your lab works and tells your spouse, "Everything is fine," that probably would constitute disclosure of protected health information. Setting up appointments might also be kind of disclosure, so healthcare providers should protect themselves by having patients identify whether anyone else can receive health information.

Human Immunodeficiency Virus (HIV) (section 3.7)

> The Centers for Disease Control and Prevention is one of the major operating components of the Department of Health and Human Services. The CDC serves as the national focus for developing and applying disease prevention and control and applying disease prevention and control, environmental health, and education activities designed to improve the health of the people of the United States. > The CDC estimates that in 2006, the number of people with AIDS living in the United States and dependent areas was 48,871. In 2014, that number grew to an estimated 1,144,500 people over the age of 13. Latino and black men, homosexual men of any race remain disproportionately represented in this estimate. > The estimated number of people with AIDS who died in the United States and dependent areas in 2011 was 13,384, which is a tremendous decrease from pervious years. > The number of HIV infections has remained around 50,000 cases per year since 2010. The number of diagnoses, however, is increasing every year. This means that a larger portion of people with HIV are aware of their infection and can begin treatment > The virus responsible for AIDS is transmitted in four common ways: 1. High-risk sexual contact 2. Intravenous drug use 3. Transmission from mother and child around time of birth 4. Blood transfusions and other unknown causes. - Because of the stigma attached to AIDS and HIV, complex rules exist to protect the privacy of those being tested and treated for this disease.

Occupational Safety and Health Administration (OSHA): (section 3.5)

> The Occupational Safety and Health Administration (OSHA) is responsible for enforcing safety rules in the workplace. OSHA was created by Congress under the Occupational Safety and Health Act of 1970, and is part of the Department of Labor. > The basic premise of the OSH Act is that workers have the right to be protected from situations at work that are known to be potentially able to cause injury or death. Employers have a responsibility to provide a safe, hazard-free working environment. > The OSH Act covers employees in the private sector and many employees in the public sector. The Act covers all 50 states, the District of Columbia, and several additional territories and jurisdictions. There are two levels of OSHA jurisdictions: state and federal. The federal OSHA program provides a minimum level of protection- therefore, state-run health and safety programs must be at least effective as federal OSHA, but they can provide more protection. Whether employees are covered at the state level or federal level depends on their employer (public vs. private) and state of residence. > Workers who are self-employed or who work on a farm owned by a immediate family member are not covered under OSHA. Additionally, if there are hazards in the workplace that are regulated by another federal- agency- such as the Federal Aviation Administration or the Coast Guard, for example- they're not covered under OSHA. > OSHA standards cover a variety of industries, including construction, agriculture, maritime, and general industry. Examples of OSHA standards include: · Protecting workers from falls · Preventing exposure to infectious disease (note that this doesn't include catching a cold from coworkers) · Ensuring that workers can safely enter confined areas of the workplace · Preventing exposure to harmful substances, such as asbestos · Supplying safety equipment · Providing training for dangerous jobs > Based on the standards established by the OSHA, workers have the right to: I. Ask OSHA to inspect their work area to make sure it's free from potential dangers II. Access the results of any tests designed to pinpoint dangers in the workplace III. Review information about OSHA and workplace hazards in clear language that they can understand IV. See records of injuries and illnesses that occurred in the workplace V. Get copies of their own medical records VI. Exercise the above rights to a danger-free workplace without fear of retaliation or discrimination.

What is a Medical record (section 3.2)

A medical record is a document that includes a patient's history, condition, diagnostic and therapeutic treatment, and the results of the treatment. A medical record may include detailed patient information that may be personal, medical, or financial in nature. Medical records may be paper or electronic. Most of the laws and principles related to medical records were developed for traditional paper records. The particulars for handling electronic records may differ from those that pertain to handling the paper record. o The creation and maintenance of medical records are affected by statutes, regulations accrediting requirements, institutional requirements, and office policies. Medical records may have both clinical purposes and nonclinical uses. Clinical uses: Medical records are repository of information that caregivers can use in diagnosing and treating medical problems. They also offer a way for medical providers to exchange information about patients. Medical records may be used by medical institutions to monitor performance and quality. Nonclinical uses: Medical records include information that may relate to third parties who have a financial interest in a patient's medical condition. These third parties may include payers (the ones who ought pay, such as insurance companies) and employers deciding whether or not a patient is disabled. Medical records also are used in scientific studies. - Another nonclinical use of medical records involves the potential commercial use of the information they contain n. The American Medical Association (AMA) has cautioned physicians about pharmaceutical company proposals that might comprise patient confidentiality arrangements. - A very important use of medical records is as evidence in legal disputes in which the condition of a patient or the action of medical care providers is at issue. In other words, medical records can serve as evidence in malpractice suits.

Records in possession of Government Agencies: (section 3.3)

Federal statutes and regulations apply both to healthcare providers working for the federal government and to private healthcare providers participating in government program or receiving federal funds. Open Records Acts: The Freedom of Information Act (FOIA) is a federal law intended to provide access to government records. Expectations in law create privacy protections for medical information and thereby protect the privacy of health information in the hands of state agencies. Basically, there acts create access to government records, but also create exceptions to safeguard medical information. Privacy Acts: Another federal law, the Privacy Act of 1974, prohibits disclosure of certain medical information by government agencies unless the patient gives written consent. Some government agencies, such as the Social Security Administration and the Department of Health and Human Services, release data they've collected for purposes of research. When this happens, statutes require that the information be stripped of any data that might identify the patients involved. The Privacy Act also requires the government to keep record of disclosure of information. Additional statutory protections apply to certain specific types of information, such as information about drug and alcohol abuse treatment and participation in Medicaid. The rules apply not only to government agencies but also private healthcare providers who accept federal funds. States also may have privacy statutes similar in structure to the federal Privacy Act.

Patient Information Privacy: (section 3.4)

Information concerning a patient's health, provision of healthcare, and payment for healthcare is protected under the Privacy Rule. According to HIPPA Protected health information (PHI) "Includes any individually identifiable health information." Identifiable information is data about a specific person. Health information is considered identifiable if it "could be expected to allow individual identification." In other words, if you can look at health information and relate it to a specific individual, that information is identifiable. § De-identified information (that is information stripped of data that may identify an individual) isn't covered by the privacy rule- provided the healthcare provider doesn't have actual knowledge that even after stripping it of identifiers, the information could be used alone or in combination with other information to identify the patient. In other words, de-identified information can't contain something unique that would allow it to be linked to a specific patient. For example, suppose a man survives a serious car accident because of the heroism of a doctor on call in the emergency room. Because this story was reported by the news media, information about his case may be able to identify him as the man in the accident, even if identifying information is removed from his record. - Under the Privacy Rule, the following factors are labeled as individual identifiers: § Names § Geographic identifies smaller than state, like county or zip code § Dates (except year) § Ages greater than 89 § Phone numbers § Fax numbers § Email addresses § Social security numbers § Medical record numbers § Health plan beneficiary numbers § Account numbers § Certificate and license numbers § Vehicle identifiers and serial number, including license plate numbers § Medical device identifiers and serial numbers § URLs and Internet protocol (IP) addresses § Biometric identifiers, including fingerprints and voiceprints § Full face photographs § Any other unique identifiers - A limited data ser is middle ground between identifiable and de-identified information. In a limited data set, most identifying information has been removed. It must notice include any of the individual identifiers. Limited data sets don't directly identify a patient, but the may contain some identifiers. The following identifiers may be included as part of a limited data set: · Geographic data (town, city, state, and zip code, but no street address) · Dates relating to an individual (birth date, admission and discharge dates) · Unique identifying numbers, characteristics, or codes other than those listed under individual identifiers - Use of such data doesn't require patient authorization, but whoever receives the data must sign the agreement to restrict its use promising to safeguard the information and releasing only the minimum necessary amount of information. For example, patient authorization wouldn't be required for a limited data set that contained city, state, zip code, age, birth date, admission and discharge dates, and date of death. Such information, however, can be authorized for public health, research, and healthcare purpose only - The bottom line is that protected health information is covered by the privacy rule unless it's been stripped of identifiers or is a limited data set and the recipient agrees to certain restrictions and safeguards. - According to the Privacy Rule, a covered entity may use or disclose PHI for treatment, payment, and healthcare operations. This type of disclosure is the broadest permitted disclosure. It's also the disclosure most pertinent to a medical office. Medical coders must safeguard the information in the patient's medical record under the terms of the Privacy Rule. Therefore, you should be familiar with the definitions of treatment, payment, and healthcare operations in the privacy rule. The definitions from that rule are summarized here. Treatment: treatment means the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient from one healthcare provider to another. Payment: payment encompass the activities of healthcare providers to obtain payment or be reimbursed for their services and the activities of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare. In addition to the general definition, the privacy rule provides examples of common payment activities which include, but aren't limited to, Ø Determining eligibility or coverage under a plan and adjudicating claims Ø Risk adjustments Ø Billing and collection activities Ø Reviewing healthcare services for medical necessity, coverage, justification of charges, and the like § Utilization review activities § Disclosure to consumer reporting agencies (limited to specified identifying information about individuals, their payment history, and identifying information about the covered entity) Healthcare options: Healthcare operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listen in the definition of "healthcare operations at 45 CFR 164. 501, include 1. Conducting quality assessment and improvement activities, population -based activities relating to improving healthcare or reducing costs, and case management and care coordination. 2. Reviewing the competence or qualification of healthcare professionals, evaluating provider and health plan performance, training healthcare and non-healthcare professionals, accreditation, certification, licensing, or credentialing activities. 3. Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits; and ceding, securing, or placing a contract for reinsurance of risk relating to healthcare claims. 4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs 5. Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity. 6. Business management and general administrative activities, including those related to implanting and complying with Privacy Rule; customer service; grievance resolution; the sale, transfer, merger, or consolidation of all part of the covered entity with another covered entity; and a fundraising for the benefit of the covered entity. - The Privacy Rule allows covered entities to use or disclose PHI, without first obtaining a patient's consent for the following purpose: 1. For its own treatment payment, and health operations activities. For example, a hospital may use PHI to provide healthcare to an individual and may consult with other healthcare providers about individual's treatment. Also, a healthcare provider may disclose PHI about an individual as part of a claim for payment to a health plan. 2. For treatment activities of healthcare provider. For example, a general practitioner may send a copy of an individual's medical record to a specialist who needs the information to treat the individual, or a hospital could send a patient's healthcare instructions to a nursing home to which the patient is transferred. 3. For use by another covered entity or healthcare provider (including providers not covered by the Privacy Rule.) for the payment activities of the entity that receives the information. For example, a physician may send a individual's health plan coverage information to a laboratory that needs the information to bill for services it provided to the physician with respect to the individual, or a hospital emergency department may give a patient's provider that transported the patient to the hospital so the ambulance provider can bill for its services. 4. For certain healthcare operation of the entity that receives the information if (1) each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and (2) the disclosure is for the quality-related healthcare operation as defined in applicable regulations or for the purpose of healthcare fraud and abuse detection or compliance. 5. For any healthcare operations of an organized healthcare arrangement of another covered entity that participates in the organized healthcare arrangement.

Disclosure of Health Information: (section 3.4)

Patients don't own their medical records. Healthcare providers create medical records and therefore own those records. However, the patient and others may have a right to access the information in the records. HIPPA gives patients the right to access their healthcare information and determine who else may have access. Depending on the state, statutes similar to HIPPA, licensing regulations, and/or judicial options may also recognize that patients have rights to access and disclose their healthcare information. The regulations in HIPPA apply to three groups of individual and corporate entities, known as covered entities. A covered entity is an organization that handles protected health information in any capacity. Healthcare providers: (persons, businesses, and entities) that furnish, bill, or receive payment for healthcare in the ordinary course of business and transmit any of these transactions electronically. Health plans: any individuals or groups that provide or pay the cost of medical care, including public and private health insurance issuers, employee benefit plans, Medicare, Medicaid, and so on. Healthcare clearinghouses: public or private entities that either process or facilitate the processing of health information. - Presently, HIPPA Privacy Rule require that patients be given a notice of use and disclosure of patient-specific information. Patients must also be given the opportunity to restrict this information. Providing notice of use and disclosure, which is required for every patient that health provider treats, is part of the standard procedures for new patients. Regarding the notice requirements, the Department of Health and Human Services has made the following statement: The HIPPA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. - A notice of use and disclosure must contain the following information: · The way in which the covered entity may use and disclose protected health information about individual · The individual's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to covered entity. · The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information. · Whom individuals can contact for further information about the covered entity's privacy policies. - In addition, covered entities that provide direct treatment to patients must also meet the following requirements: o The provider must give the notice the individual no later than the date of first service delivery (after the April 14th, 2003, compliance date of the Privacy Rule) and, except in an emergency treatment situation make a good-faith effort to obtain the individual's written acknowledgment of receipt of the notice. If acknowledgment can't be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it wasn't obtained. o When first service delivery to an individual is provided over the Internet, through email, or by other electronic means, the provider must send an electronic notice automatically and contemporaneously in response to the individual's first request for service. The provider must make a good-effort to obtain a return receipt or other transmission from the individual in response to receiving the notice. o In an emergency treatment situation, the provider must give the notice as soon as it's reasonably practicable to do so after the emergency situation has ended. In situations like these, providers aren't required to make a good- faith effort to obtain a written acknowledgment from individuals. o The provider must make the latest notice (that is, the one that reflects any changes in privacy policies) available at the provider's office or facility for individuals to request to take with them. The notice must be posted in a clear prominent location at the facility. A covered entity may email the notice to an individual if the individual agrees to receive an electronic notice. Patient may request restrictions on the use of information, but healthcare providers don't have to agree to the restrictions if the disclosure and use would be otherwise under the final version of the Privacy Rule. The most common sharing of information occurs among healthcare practitioners, in order to treat the patient, and between healthcare providers and Insurance Companies. These two types of sharing are permitted under the Privacy Rule. Under HIPPA, patients may require an accounting of how their information has been used and disclosed.

The Concepts Governing Rules of Admissible Evidence: (section 3.1)

Relevance: - Evidence is relevant if it tends to prove or disprove an issue significant to the case. - Irrelevant evidence may be objected to by opposing attorney. Competence: - Competence evidence refers to the evidence the court should accept as proof § The witnesses understand the duty to tell the truth and take an oath to speak truthfully § The witnesses have personal knowledge about the subject of their testimony § The witnesses recall what they perceived § The witnesses are able to communicate what they perceived - A doctor, considered an expert witness and may give a personal opinion - To establish personal knowledge, the attorney may ask a healthcare professional to confirm that he or she: · Works in the office in question · Was working in the office at the date and time in question · Knowns and recognizes the patient in question · Was present in the room when the event occurred · Was able to see what was happening and was, in fact, observing. Hearsay: § Hearsay is considered secondhand evidence in which witnesses aren't telling what they know personally rather what others have said to them. It can be oral or written. § Two requirements for the exception: · There must be evidence that the records were made during business hours at or near the time and by a person with knowledge of the information · Records must be accurate and trustworthy- this may require additional testimony. Doctor-Patient Privilege: - Represents a relationship in which a patient's medical history, conditions and related information can't be made known without the patient's permission. It prevents forced or unauthorized disclosure of confidential health information to be released in a proper manner, the information can be released. When a patient doesn't give such authorization, legal counsel should be consulted regarding whether privilege should be asserted. Even if a patient signs an authorization, that signature doesn't necessarily mean that all information can be released. Some information must be referenced specifically, and the release itself may limit the scope of information that can be released. Court Orders and Subpoenas: § Court orders to release medical records are used when releasing the information without such an order would violate statutes or regulations. A valid court order identifies the court issuing the order, the parties to the case, the case number, and limitations on disclosure. The court order must be signed by the judge presiding over the case. The person releasing the information should make note of any limitations on the scope of release. If the information released exceeds the limits of the order, a breech of confidentiality may exist. Under the Health Insurance Portability and Accountability Act (HIPPA), protected health information may be disclosed in a judicial or administrative proceeding if the request for the information is made through an order from a court or administrative tribunal. § The term subpoena means a command issued by the court. The command may be a subpoena ad testificandum, which commands a witness to appear and give a testimony; a subpoena duces tecum, which commands a witness to produce documents or things; or both. § A subpoena duces tecum is used to compose the release of medical records. Unlike a court order subpoenas by themselves may or may not be sufficient to authorize release, depending on the jurisdiction. Some jurisdictions also require a written authorization from the patient. If the information involves treatment for substance abuse, mental health treatment, or AIDS, additional rules may apply. § Subpoenas are subject to valid defenses against them, and the healthcare provider may be under duty to resist the subpoena. However, a health information manager shouldn't ignore the subpoena. All medical officials should have procedures in place for properly responding to subpoenas. - if you have to answer to a subpoena, make sure you follow the precautions: 1. determine if subpoenas issued in the jurisdiction also require written consent from the patient. 2. Determine if the information requested involves treatment for substance abuse, mental health, AIDS, or other special types of information that have additional confidentiality requirements. 3. Refer questionable requests to counsel for advice on how to respond. § If the attorney decides that the information shouldn't be released, he or she will notify opposing counsel. A show cause hearing may result, in which the court required the health information manager to do one of two things: 1. Justify the refusal to release 2. File motion to quash the subpoena, which is an objection to disclosing the records. § The motion to quash a subpoena may also result in a hearing in which refusal to release information will need to be justified. Counsel also may advise parts, but not all of the record can be released. In such cases, the health information manager can censor or excise the parts of the record that shouldn't be released. § Under HIPAA, protected health information may be disclosed in a judicial or administrative proceeding pursuant (in accordance with) a subpoena if certain assurances regarding notice to the individual or a protective order is provided.

Ethical Basis of Confidentiality Obligations (cont.): (section 3.3)

Today, other factors must be considered in the confidentiality issue. For example, third parties such as insurance companies and managed- care organizations, are made frequently involved in the delivery of and payment for healthcare. This involvement has made ethics of confidentiality more complicated by giving certain persons- who aren't party to the doctor-patient relationship- an interest in medical information. In addition, electronic health information systems increase the ease with which health information may be transmitted. Confidential information also is disseminated through clinical repositories and shared databases. Although sharing this information allows patients to be treated more efficiently and safely, physicians are challenged to utilize this technology while honoring and respecting patient confidentiality.

Genetic Information (section 3.6)

t Genetic testing results specific to an individual t Manifestation of disease in a family member t Genetic information of an embryo or fetus t The genetic information Nondiscrimination Act prohibits health insurance discrimination based on genetic information t Health insurers: prohibited from.... § Premium adjustments § Enrollment restrictions § Genetic testing requests t State laws: o GINA + State laws § Many states have enacted legislation that protects individuals from genetic discrimination and the act provides a floor below which protections may not fall. Protections vary state to state. § The Genetic Information Nondiscrimination Act protects individuals from employment discrimination based on genetic information. t Employment Discrimination: protections apply to... o Employers o Employment agencies o Labor organizers o Labor committees · Prohibited from: o Genetic info requests o Requiring genetic testing o Purchasing test results Exceptions apply when required for: > Compliance with medical and family leave laws > Monitoring of biological effects of toxic substances > Genetic analysis for law enforcement Federal laws: the act amends other federal laws with regard to handling of genetic information to make them consistent with the protections created in the act, Exceptions to protections include: Genetic testing requests by healthcare professionals Insurance discrimination based on manifested disease Does not apply to disability or life insurance The Genetic Information Nondiscrimination Act Research requirements: · Written notice · Written consent (employee consent) · Regulatory compliance · Identity protection · Information mitigation

Risk and Quality Management of Electronic Information

t Very few medical practices today use paper records only, as electronic records occupy very little physical space, and their information can be transferred instantly from one computer to another. t Some states have even passed laws dealing directly with digital imaging in the context of storage media for health information. t Electronic medical-record systems can provide instant access to a patient's complete health records. Medical coders routinely access electronic medical records to retrieve or abstract key pieces of information and to assign codes to them. t In the event a patient needs to see multiple healthcare practitioners related to a diagnosis, a medical coder may be able to assign additional codes to support the medical necessity of the services provided. t H-I-P-A-A, also known as HIPAA, has created national standards for submitting all electronic healthcare transactions to any health plan in the United States—and the health plan must accept it. These standards aim to make electronic data interchange, or EDI, a viable and preferable alternative to paper processing for both healthcare providers and health plans and typically supersede any conflicting state law. t The HIPAA national standards apply to any EDI. Information stored in other formats must be translated into the standard formats prior to electronic transmission. t In addition to federal and state law, the standards of licensing authorities and accrediting agencies may apply. Some states have legislated specifically regarding the practice of creating and storing medical information electronically. Where HIPAA rules conflict with state law, federal law and regulations preempt the conflicting state rules. t You'll now learn about some considerations related to the use of electronic medical records. These include the following: t Authentication of Electronic Records t Biometric Identification t Admissibility of Electronic Records t Secure Access o The same rules about authorship and authentication of paper medical records apply to computerized records. Entries are created through t © 2019 Penn Foster, Inc. t keystrokes or by keyless data entry. t For records created electronically, a coded computer-generated signature can authenticate entry. Coded computer-generated signatures, passcodes, or passwords help establish the identity of personnel making or modifying entries. t Biometrics refers to technologies that identify people through fingerprints, retinal patterns, and voice patterns. Biometrics can be used to identify a patient and simplify secure access to records. t Fingerprints can identify a patient who is physically present; voice recognition software can help verify the identity of a patient over the phone. This prevents health identity fraud. t The reliable authentication process of biometrics isn't subject to the reliance on remembering a specific password or the potential abuse that password sharing allows. t Medical records can be used as evidence in any court case in which the physical or mental condition of a person is at issue. Admissibility of medical records is a key issue, as they might be objectionable as hearsay. t A medical record consists of statements by doctors, nurses, and other healthcare professionals. If a medical record can't be introduced in a case, everyone who made entries into the record would have to be called as witnesses to testify. t Those involved in the case need to answer a few key questions to prove the validity of the medical records submitted as evidence. t To answer these questions and avoid an objection based on hearsay, courts may use the business records exception. For a record to comply with this exception, there must be evidence that it was made in the ordinary course of business, at or near the time the event occurred, and it must have been made by a person with knowledge of the information in the record. t To establish a foundation for the evidence, the custodian of the records is called as a witness. This person would have to be familiar with the hardware and software of the system, the features used to maintain security and reliability of the data, the manner in which data is entered and authenticated, and the process used to verify the trustworthiness of the paper version of the electronic data. t HIPAA rules on security apply to all health information and are evolving. The Medicare Conditions of Participation, the standards of the Joint Commission on Accreditation of Healthcare Organizations, and most state licensing laws also have rules regarding security. t The issues with electronic information are basically the same as those with paper records: Who should have access? t Security breaches of medical records can be reduced by: t Using good passwords, changing them frequently, and not sharing o them t Using biometrics instead of passwords t Creating different levels of access based on the need to know t Training employees in safe practices, such as logging off immediately after access t Installing appropriate software to guard against hacking, spyware, viruses, and so on t Backing up files o Storage of data, whether by a healthcare facility or a third party, must also be secure and in compliance with all HIPAA rules. t © 2019 Penn Foster, Inc. t Some healthcare providers may exchange information with patients through email, web chats, videoconferencing, and so on. t Electronic communication of health information must conform to the rules of Medicare Conditions of Participation, HIPAA regulations, substance-abuse record laws and regulations, and accrediting standards of the Joint Commission on the Accreditation of Healthcare Organizations. t Because such communications are inherently insecure, they may need to be encrypted. Also, the forwarding of email constitutes redisclosure, which is forbidden for certain types of healthcare information. t When the Internet is used in treating a patient, medical licensure issues come into play. For example, most states require that a physician have a license in each state where the patients live or where the physical care is being given. Some states offer special telemedicine and teleradiology licenses. t Because these are new fields, medical boards are just beginning to address the licensing concerns. Physicians practicing telemedicine and teleradiology need to protect themselves by obtaining either a full medical license or both a telemedicine license and teleradiology license in each state where they intend to practice.

Ethical Basis of Confidentiality Obligations: (section 3.3)

§ Confidentiality of patient information has been an ethical obligation in medicine since its very origin. Consider the Hippocratic Oath. The Hippocratic oath, which pertains to the ethical practice of medicine, is an oath traditionally taken by physicians. According to tradition, the oath was written in the fourth century B.C.E. by Hippocrates, the father of medicine, or by one of his students. Part of the oath states, "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which no account one must spread aboard, I will keep to myself, holding such things shameful to be spoken about." Even in the fourth century B.C.E., Physicians had a duty to keep medical information confidential. Today physicians must take an updated version of the Hippocratic Oath. § Today physicians' duty to maintain confidentiality means that they may not disclose any medical information revealed by a patient or discovered by the physician in connection with the treatment of a patient. The AMA's code of Medical Ethics states that the information disclosed to a physician during the course of a doctor-patient relationship is confidential to the utmost degree. According to the AMA's council on Ethical and Judicial Affairs, the purpose of the physician's ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full frank disclosure of information to the physician, knowing that he or she will protect the confidential nature of the information disclosed. Full disclosure gives the physician information to diagnose conditions properly and to treat the patient appropriately. Consequences:The AMA's ethical guideline aren't legally binding although courts have used ethical obligations as the basis for imposing confidentiality is a legal obligations. However, maintaining patient confidentiality is a legal duty as well as an ethical duty. Courts generally allow a cause of action for breach of confidentiality against a treating physician who divulges confidential medical information without proper authorization from the patient. A breach of confidentiality ethics can also result in disciplinary action against a physician by the AMA.

Quality Management (section 3.8)

§ Is controlled by peer review committees. These committees consist of health professionals who monitor the quality and use of healthcare services. A typical method of doing so is through an adult review of patient information. The committee looks for patterns of activity that indicate guideline aren't being followed. The group then suggests a proposed remedy. § Because the professionals on such a committee are evaluating their peers, they may hesitate to be frank, or they may even fear lawsuit's or retaliation on the part of those who are unfavorably evaluated. To remedy this problem, states have adopted peer review laws. Most peer review laws allows only committee members to have access to deliberations of the committee. Anyone not on the committee is prevented from accessing this information. In other words, the peer review laws give the committee a legal status similar to the doctor-patient privilege. § Some peer review laws also protect committee members form lawsuits, granting them partial a court order disclosure where information essential to the public interest can't obtained in any other way. § The National Practitioner Data Bank (NPDB) was created for two purposes: first, to improve quality of healthcare by encouraging state licensing boards, hospitals, other healthcare entities, and professional societies to identify and discipline those who engage in unprofessional behavior; and second, to restrict the ability of incompetent physicians, dentists, and other healthcare practitioners to move from state to state without disclosure or discovery of previous medical malpractice payments and adverse-action history. Adverse actions can involve suspension or removal of licensure, clinical privileges professional society membership, and exclusions from Medicare and Medicaid. 1. Information required to be reported to the NPDB is applicable to physicians and dentists and in some cases, other practitioners who are licensed or otherwise authorized by a state to provide healthcare services. Here are the types of information that must be reported: Medical malpractice payments: Each entity that makes, a medical malpractice payment for the benefit of a physician, dentist, or other healthcare practitioner in settlement of, or in partial or complete satisfaction of, a written claim or judgement against that practitioner, must report certain payment information to the NPDB. Adverse licensure actions: State medical and dental boards must report certain disciplinary actions related to professional competence or conduct taken against the licenses of physicians or dentists. Such licensure actions include revocation, suspension, censure, reprimand, probation, and surrender. Adverse clinical privileges actions: Mandatory reporting. Hospitals and other eligible healthcare entities must report professional review actions that adversely affect a physician's or dentist's clinical privileges for a period of more than 30 days. Voluntary reporting. Hospitals and other healthcare entities may report adverse actions taken against the clinical privileges of licensed healthcare practitioners other than physicians and dentists. Adverse professional membership actions: Mandatory reporting. Professional societies must report specific information when any professional review action, based on reasons related to professional competence or conduct, adversely affects a professional membership of a physician or dentist. Voluntary reporting. Professionals societies related to health disciplines other than medicine and dentistry may similarly report adverse action taken against the membership of their healthcare practitioners. 2. Anyone paying medical malpractice who fails to report these payments in accordance with section 421 (c) of the Health Care Quality Improvement Act of 1986 is subject to a civil money penalty of up to $11,000 for each payment involved. Other penalties apply to hospitals and healthcare entities that fail to report malpractice payments, including losing their immunity for liability for period of three years. 3. According to the NPDB Guidebook, a query is a request for information submitted to the NPDB by an eligible entity or authorized agent. The NPDB is available to provide information on the professional competence and conduct of physicians, dentists, and, in some cases, other healthcare practitioners. This information is available to state licensing boards; hospitals and other healthcare entities, including professional societies; federal and state agencies; and other as specified in the law. Mandatory querying: Hospitals must query the NPDB in accordance with following guidelines: 1. When a practitioner applies for privileges 2. Every two years for practitioners on the medical staff or those holding privileges 3. When a practitioner wishes to add or expand existing privileges 4. When a practitioner submits an application for temporary privileges Voluntary querying: the following guidelines are given for voluntary querying: 1. Hospitals may query at other times as necessary for professional review activity. 2. Other healthcare entities that provide healthcare services and have formal peer review process, including professional societies, may query when (a) entering an employment or affiliation relationship with a physician, dentist, or other healthcare practitioner, or (b) in conjunction with professional review 3. State licensing boards may query at any time on physicians, dentists, and other healthcare practitioners 4. Healthcare practitioners may self-query at time 5. Plaintiff's attorneys or plaintiffs representing themselves may query under certain circumstances. 4. Any hospitals that doesn't query on a practitioner (1) at the time the practitioner applies for a position on its medical staff or clinical privileges at the hospital, and (2) every two years concerning any practitioner who is on its medical staff or has clinical privileges at the hospital, is presumed to have knowledge of any information reported to the NPDB concerning the practitioner. A hospital's failure to query on a practitioner may give a plaintiff's attorney or plaintiffs representing themselves access to NPDB information on that practitioner for use in litigation against the hospital.

Substance Abuse (section 3.6)

¯ The term substance abuse refers to the excessive use (or abuse) of alcohol and drugs. Information related to the treatment of persons for substance abuse is clear and specific. If you work in a facility that handled the treatment of individuals with a substance abuse problem, you should be familiar with these laws and with your facility's procedures. ¯ Two federal laws are important in the area of releasing information related to substance abuse: 1. The Drug Abuse Prevention, Treatment, and Rehabilitation Act 2. The Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970. ¯ Criminal penalties may apply to the violation of these laws. The conditions of the acts apply to all treatment programs that receive assistance from the federal government. Therefore, you must first find out if the program where you work is funded in part or whole with federal money. ¯ The key idea behind both laws is that patient authorization is required before making disclosure and that disclosure rules are much stricter than those for other conditions. Without authorization, a facility can't acknowledge the current or past presence of any individual being treated under the facility isn't publicly identified as substance abuse facility only. In other words, information can be released stating that a patient was admitted to a hospital but not that a patient was admitted to the substance abuse unit of that hospital. To avoid improper disclosure of information, a uniform method of responding to inquiries should be developed with the assistance of an attorney. ¯ Patients with substance abuse problems must be given notice of federal confidentiality requirements upon, or shortly after, being admitted. The facility giving the notice should document the fact that such notice was given. The policy behind this rule is that patients can't seek to enforce rights they don't know about and that knowledge of confidentiality will make patients feel safer about disclosing information helpful to diagnosis and treatment. · Patient Authorization: If a patient authorizes disclosure, the disclosure must be in writing, and must contain the following information · Name of patient · Name of program making the disclosure · Name of person or facility to which information is disclosed · The purpose of disclosure · Dated signature of patient, parent or guardian (where applicable), or signature of person authorized (where applicable) · Statement that consent is subject to revocation at any time except to the extent that the program making disclosure has already taken action in reliance on it. · Date, event, or condition that will terminate the consent (if not revoked earlier) ¯ For substance abuse situations, some specific requirements exceed what's normally required for a release under HIPPA's final Privacy Rule. For example, the purpose of the disclosure and specific details on what information is to be released must be provided. Therefore, a medical office that deals with substance abuse information should have different authorization form drafted specifically to meet the requirements of federal substance abuse regulations. ¯ Whether a minor can authorize the release of substance abuse information depends on state laws regarding the minor's ability to consent treatment. If parental consent is required, then both the minor patient and the parent should sign the release. ¯ In addition, a notice prohibiting redisclosure must accompany any release of substance abuse information. In other words, whoever receives the information may not disclose it the others without express written consent of the patient. However, in some instances, patient consent isn't necessary. Regulations provide for the following language to be used: · "Information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making only further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient." ¯ The consent requirement for the release of information regarding substance abuse has limited expectations. For example, in the event of an urgent threat that requires immediate medical intervention, information may be released without authorization. The circumstances surrounding such release should be carefully documented. · Research: The release of substance abuse information for research purposes is appropriate, provided special requirements are met. Patients- specific information may not be released unless it's determined that the researcher is qualified to conduct the research and has a research protocol that (1) ensures the security of the information and (2) prohibits redisclosure. The researcher may not identify individual patients in the report. Audits By Government Agencies or Private Payers: The release of substance abuse information is appropriate, provided certain requirements are met. The requestor must be taking action on behalf of one of the following individuals or organizations: · The government agency that provides financial assistance program or that legal responsibility to regulate the program · The third-party payer · The peer-review organization · The private organization · The persons qualified to conduct the audit as determined by the program director Court order & Subpoenas: Court orders and subpoenas. A court order can authorize the release of substance abuse information that otherwise wouldn't be subject to disclosure. However, unless the healthcare provider involved is also party to the proceeding, the release of such information isn't ordinarily required. A subpoena is a command, but it's not an order of the court authorizing release. ¯ Federal regulations require applications for court orders to § Refer to the patient by a fictitious name and to not otherwise disclose patient identifying information unless the patient is the applicant, the patient has given written consent, or the record has been ordered sealed. § Give notice of the application to permit the patient and person holding records to respond in writing or appear in person. ¯ If evidence is reviewed at any stage, it must be in the judge's chamber or similar manner to prevent disclosure of patient information to anyone other than the patient, the holder of the information, or a party to the proceeding. ¯ Order permitting disclosure under federal regulations must limit disclosure to information essential to fulfill the objective of the order limit disclosure to persons whose needs for the information is the basis of the order, and include other measures necessary to limit disclosure, such as sealing records. ¯ State laws on these types of records may be stricter than federal law and may address matters not addressed in federal law. In such cases, both state and federal law requirements must be met. ¯ A health information manager should be advised by counsel on how to respond to requests accomplished by a court order, a subpoena, or both. Compliance with these laws, as well as HIPPA regulations, is required. ¯ If the program closes, the records must be destroyed unless the patient consents in writing to their transfer to another facility or the applicable statute of limitations requires that they be retained.

Testing (section 3.7)

· Many people who have been infected with HIV initially have few if any, symptoms. HIV symptoms such as fever, headache, muscle and joint pain, sore throat, rash, and diarrhea, mimic the symptoms of flu and other less-harmful conditions. Therefore, testing may be the only way to know whether a patient is infected with HIV. - When HIV enter a body, the immune system produces antibodies. While the antibodies can't fight off the infection, their presence can signal that the patient has HIV. Most HIV tests are designed to detect these antibodies. Another type of HIV testing, not yet in widespread use, tests for genetic material of HIV., tests for genetic material of HIV., tests for genetic material of HIV. · HIV tests for antibodies can be performed on blood (the most common method) or on other body fluids like urine and saliva. Some tests take a few days for results, but rapid HIV test can give results in about 20 minutes. HIV tests that indicate a positive result must be followed up by another test to confirm the positive result. Results of this second test can take a few days to a few weeks. · Enzyme immunoassay (EIA), used on blood drawn from a vein, is the most common screening test used to look for HIV antibodies. An EIA test that shows a positive will be followed by tests to confirm those results, such confirmatory tests include the western blot assay (IFA). RNA tests, which look for genetic material of the virus, can be used in screening the blood supply and detecting rare very early infection cases when antibody tests are unable to detect antibodies to HIV. · Consumer- controlled test kits (popularly known as home testing kits) were first-licensed in 1997. Tests typically involve collecting a sample. For example, a person can prick his or her own finger with a special device and place drops of blood on a specially treated card. The individual then mails the card to a licensed laboratory to be tested. Customers are given an identification number to use when phoning for the results. Callers may speak to a counselor before taking the test, while waiting for the test results, and when the results are given. Individuals receiving a positive test result are provided referrals for a follow-up confirmatory test, as well as information and resources on treatment and support services. · Most HIV testing is voluntary. Even so, the process is subject to various state and federal laws. Generally, applicable state or federal law may require. § Consent to be in writing § Pretest counseling, including an explanation of the tests being used, methods by which HIV is transmitted, and method to reduce the risk of transmission. § Disclosure of the results, including disclosure of the need for additional testing methods by which HIV is transmitted, methods to reduce the risk of transmission, and referral to appropriate healthcare services and support groups o Reporting of positive test results to appropriate public health authorities. Anonymous Testing: Some states have passed laws that allow anonymous testing to encourage those fear discrimination and stigma to be tested while concealing their identities. Such testing may be unavailable in certain circumstances- for example when determining eligibility to donate blood. Routine Testing Versus Privacy laws: The CDC has recommended routine HIV testing for all American between 13 and 64 as a regular part of their healthcare. The test would be performed unless the patient specifically refuses. The CDC has also recommended eliminating patient consent requirements for HIV testing and pretest counseling. The CDC estimates that two-thirds of the approximately 40,000 new cases each year in the United States occur in people who are unaware of their infection. Many states privacy laws are in conflict with the CDC's recommendations. To implement routine HIV testing, states would have to change requirements for specific consent to HIV testing, written consent process. Many HIV advocates say eliminating pretest counseling and written consent would reduce opportunities to educate patients about the disease and its risk factors. Mandatory testing: certain individuals present health threats to others. Therefore, statutes or court orders may order mandatory testing for certain classes of people. Examples of groups that might be subject to mandatory testing as class include prisoners and those convicted of sex crimes. New Jersey recently adopted a law requiring pregnant women to be tested for HIV and newborns to be treated if the mother's status isn't known. Mother may opt out of the testing, but the choice to opt is recorded in the women's medical record. The testing of employees is the controversial area of mandatory testing. State law varies considerably on this concept. Among the possibilities are a prohibition of mandatory testing in certain defined situations. Examples of defined situations are jobs in which not having HIV might be a bona fide (good faith) job qualification or jobs in which having HIV might pose a direct threat to contested, the employer usually bears the burden of proving the needs for such testing. Healthcare providers have a particular interest in not being the mean by which infectious diseases spreads. As a result, hospitals and healthcare facilities have at times attempted to require HIV and AIDS testing of workers if it's believed that the workers have been exposed to HIV or AIDS. If employers don't have a reason to think workers might have HIV or AIDS, such testing may not be permitted. The Key question in justifying such testing is whether employees pose a threat of transmission. This determination may depend on the type of work an employee does. For example, a person working the telephone switchboard at a hospital isn't likely to transmit HIV to another person in facility. However, someone directly involved in the care of patients is more likely to pose a threat of transmission. In some states HIV and AIDS are classified as disabilities. Under the Americans with Disabilities Act or similar state laws, employers in those states may be required to provide reasonable accommodations for employers with either HIV or AIDS. Confidentiality of HIV Information: § Generally, both the identity of a patient and the result of an HIV tests are protected by state confidentiality laws up to the point when reporting to health authorities is required. When information is disclosed, rules against redisclosure are likely to exist. Release authorizations for HIV information than a general release would require. If the confidential information relates to AIDS or HIV, the potential damage to a patient is significantly higher because of the stigma and potential for discrimination. Therefore, the lawsuits may be more serious as well.

Risk Management (cont.d) (section 3.8)

· Professional standards, accrediting standards, and various state and federal laws require that certain information be entered and maintained in patient records. In a medical malpractice case, one of the first things the plaintiff's attorney wants to look at is the medical record. Often, a case may be won or lost based on something that appears (or fails to appear) in medical records. Therefore, one way managers of health information contribute to risk management is making sure that rules concerning patient records are complied with. · Medical records are often shared by a variety of medical providers in the process of treating patients. Throughout this process, a number of risk management concerns can arise: 1. Confidentiality must not be comprised by providing access to those who aren't qualified to access the records. 2. Easy access for purpose of medical treatment is necessary to promptly and correctly treat a patient 3. Records must be secure against alternation or destruction 4. Records must be retained for a period no less than the statute of limitations or as otherwise required by law. · Failure to adhere to the first-point can result in a lawsuit for improper disclosure. Failure on the second and third points can result in malpractice. Failure on the fourth point could result in a lawsuit for negligent loss of records. · How can these risks be managed? HIPPA requirements suggest some answers: 1. Educate and train all persons who have access to records 2. Create clear policies and procedures that protect the security of records. HIPPA requires both the existence of written policies that comply with the final Privacy Rule and training for all those handling medical information. 3. Make sure that policies and procedures are followed in all instances. HIPPA "privacy official" responsible for developing and implanting privacy policies and procedures. · HIPPA also requires that the facility maintain "reasonable and appropriate administrative, technical and physical safeguards" to prevent intentional and unintentional disclosure in violation of the Privacy Rule. An example of an administrative safeguard might involve specifying that only certain persons may pull medical files or that medical files not in use must be filed immediately. An example of a physical safeguard might be locking the room in which medical records are stored. · HIPPA also requires that healthcare facilities keep the following information for six years. § Records of privacy policy notices § The facility's privacy practices § Records of dispositions of complaints about compliance with the final privacy rule. § Other similar types of information · Incidents that require reporting are defined in the procedures manuals for healthcare facilities. Incidents can include not only mistakes in providing care, but also things such as patient injuries, unrelated to care, such as falls. Incidents can involve patients, employees, visitors, or intruders. In a sense, anything that happens outside of what should be the norm or could harm a person or property will likely be classified as an incident. · Risk managers are very concerned about proper documentations of adverse incidents that occur during the treatment of a patient. Such documentation takes the form of an incident report. The procedures for each healthcare facility should define what must be included in a incident report. Typical information includes a description of the incident (including date and location), identification of the parties involved, observations, and steps taken in response to the incident. · An incident report severs two general purposes. One relates to risk management as such- documenting the incident and spotting potential litigation problems. The other purpose relates more to quality control. Incident reports can prompt steps to improve quality by initiating changes in procedure, education of employees, and the like. Using this information, the risk manager can study patterns of activity that seem to create risk and come up with practices, policies, and procedures to reduce risks. For example, if several individuals had slip-and-fall incidents at the front door, the risk manager would want to know if some hazard, like a tear in a rug, narrow steps, or inadequate lighting, was causing the problem. If there had been several instances of inadvertent disclosure of electronically stored information, the manager might want to look at the password policy. · An important question regarding an incident report is whether it can be subject to discovery by a plaintiff during litigation. Two methods may be used to avoid discovery: attorney-client privilege and work product doctrine. Attorney- client privilege: The most likely way of preventing an incident report from being discovered is by invoking attorney-client privilege. A key attorney-client privilege is to whom the report is disseminated. If its given only to the attorney who is representing the healthcare provider (or in some jurisdictions, only the attorney and the healthcare provider's insurance carrier), an incident report is more likely to be protected by attorney-client privilege. However, even if the report itself isn't subject discovery, the information in the report can be subject to discovery by other means- for example, by deposing witnesses to the incident. Since discoverability of the report is such an important issue, healthcare providers should have policies in place to make sure that the privilege applies. Such policy might include the following requirements: o Specifying the content of the report o Labeling the report "confidential: o Addressing the report to the hospitals attorney o Limiting disclosure of the report to persons other than the attorney o Not including the incident report as part of any medical record. · Staff members may receive training on how to prepare an incident report in a way that. Makes it less likely to be discoverable in litigation. Work Product Doctrine: Another potential shield against discovery is the work product doctrine. In many cases, documents created for the purpose of pending litigation are protected from discovery under the work product doctrine. However, the argument that every event in which a patient is endangered may lead to litigation doesn't necessarily mean that incident reports are protected under the work product doctrine because other reasons also exist for collecting and recording such information. For example, a hospital had a "business purpose" - that is, an interest in developing management systems for the prevention of errors- for which this kind of information could be collected. Whether the work product doctrine will protect specific incident reports from discovery may depend upon whether litigation was pending or had been threatened at the time they were created.

Risk Management (section 3.8)

· Risk management identifies areas of risk to medical service providers. As part of the process, those involved in risk management perform loss prevention and loss reduction. Risk management as a whole often has a primary concern the reduction or liability exposure. Risk management is used in many professions and services. It has become very important in the healthcare field because of the increase in medical malpractice cases. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) requires hospitals to implement risk management programs. State laws also creates risk management requirements for healthcare institutions. Loss Prevention: Loss prevention is a planned, systematic, and proactive process. In the area of healthcare, providers such as situations that may result in potential liability for hospital, its employees, physicians, and even other healthcare providers. Identifying situations of potential risk before the risk has manifested as an actual problem is important because the cost of preventing problem is usually less than the cost of damage resulting from those problems. Loss prevention activities also consist of planning and presenting regular educational programs to employees. Education may include orientation of employees to new positions, regular continuing education, and targeted training geared toward reducing specific risks. Loss reduction: Loss reduction involves the steps taken after an event or incident occurs. Its aimed at minimizing the adverse impact of event or incident. An effective loss reduction program attempts to minimize the impact of incidents by identifying and responding to them quickly.

Adoptions (section 3.6)

Ë Because adoption records are confidential, the information there in generally can't be disclosed, or disclosure is limited to very specific information. However, adoptees, adoptive parents, and others may want access to medical information about a party to an adoption-specifically, information that's potentially relevant to a medical condition of the adoptee. Litigation and a court order may be necessary to authorize such release. § Most states have instituted procedures by which parties to an adoption mat obtain nonidentifying and identifying information from an adoption record, while still protecting the interests of all parties. A brief summary of state laws, adapted from information available through the Department of Health and Human Services, current through 2012, is presented here. Ë Nonidentifying information is generally limited to descriptive details about an adopted person and about the adopted person's birth relatives. Such information is provided to adopting parents at the time of adoption. Nonidentifying information may include the following factors: o Date and place of the adopted person's birth o Age of the birth parents and general physical description, such as eye and hair color o Race, ethnicity, religion, and medical history of birth parents o Education levels of the birth parents and their occupation at the time of adoption o Reason for placing the child for adoption o Existence of other children born to each parent Ë All 50 states and American Samoa have provisions that allow access to nonidentifying information by an adoptive parent or a guardian of an adopted person who is still a minor. Nearly every state allows the adopted person to have access to nonidentifying information about birth relatives, generally upon written request. The adopted person must be an adult, usually at least 18 years of age, before he or she may access this information. Ë Approximately 27 states allow birth parents access to nonidentifying information, generally to the health and social history of the child. In addition, some states give such access to adult birth siblings. Policies on what information is collected and how that information is maintained and disclosed vary from state to state. Ë A few jurisdictions are more restrictive about the release of information from adoption records. For example, New York, Oklahoma, and Rhode Island require the person seek nonidentifying information is available through a registry or the court or agency that handled the adoption. Guam requires a party to petition the court before any information can be released. Ë Nonidentifying information generally includes medical and health information about a child and the child's birth family that existed at the time of the adoptive placement. What about health information generated after the adoption? Statutes in Alabama, Illinois, Kansas, Maryland, Minnesota, Mississippi, and Wyoming allow the adoptive parents to request the state adoption registry to contact the birth parents for additional health information any time after the adoption when there's a medical need. Ë In reference to adoptees, the term identifying information refers to any data that may lead to positive identification of an adopted person, the birth parents or other birth relatives, identifying information includes the current name of the person, addresses, employment, and so on. Ë Statutes in nearly all states permit the release of identifying information when the person whose information is sought has consented to release. Many states ask birth parents to specify at the time of consent or relinquishment whether they're willing to have their identity disclosed to the adopted person when he or she is age 18 or 21. - No Consent on File: If consent isn't on file, the information may not be released without a court order documenting good cause to release information. A person seeking a court order must be able to demonstrate with clear and convincing evidence a compelling reason for disclosure that outweighs maintaining the confidentiality of a party to an adoption. - Biological siblings: Access to information isn't always restricted to birth parents and children. More than 30 states allow biological siblings of an adopted individual to seek and release identifying information upon mutual consent. - Examples of State Restrictions: Some States have imposed limitations on the release of identifying information. For example, Arkansas, Mississippi, South Carolina and Texas require adopted people to undergo counseling about the possible consequences of contact with their birth family before any information is disclosed. In Connecticut, the release of identifying information is prohibited if its determined that the requested information would be seriously disruptive to any of the parties involved. Ë A mutual consent registry is one method many states use to arrange the consents required for the release of identifying information related to adoptions. A mutual consent registry is a system whereby individuals directly involved in adoptions can indicated their willingness or unwillingness to have their identifying information disclosed. Ë Approximately 30 states have established some form of mutual consent registry. Procedures for these registries vary significantly by state. To release identifying information most registries require the consent of at least one birth parent and adopted person over the age of 18 or 21, or of adoptive parents if the adopted person is still a minor. Most states that have registries require the parties seeking to exchange information to file affidavits consenting to release their personal information. However, eight states will release information from the registry upon request, unless the affected party has filed an affidavit requesting nondisclosure. **** An affidavit is a written document in which the signer swears under oath before an authorized person that the statements in the document are true. Ë States that haven't established registries may use alternative methods for disclosing identifying information. Search and consent procedures authorize a public or private agency to assist a party in locating birth family members to determine if they consent to release of information. Ë Some states have a search-and-consent procedure called a confidential intermediary system. In this system, a person is certified by a court as a confidential intermediary, which allows him or her to have access to sealed adoption records for the purpose of conducting a search for birth family members to obtain their consent for contact. Other states use an affidavit system through which consent to release of identifying information of their nonconsent to be contacted or to be releasing identifying. The written permission may be referred to as consent, wavier, or authorization form. Ë Because laws regarding information related to adoptions vary- and are subject to change- people in charge of health information need to know the specific laws that apply in their state and with assistance of attorneys create procedures for responding to requests. When the situation is an alleged emergency or if it's unclear how the request should be handled, an attorney's advice should be sought.

OSHA Compliance Process (section 3.5)

Ø Employees can file a complaint if they feel their represents a hazard or dangerous conditions exist that aren't being addressed by their employer. Employees may choose to remain anonymous when they file their complaint. However, its illegal for an employer to retaliate against an employee who has filed a complaint with OSHA. Employees who believe that they have been demoted, transferred, fired, or discriminated against because they filed a complaint with OSHA can also file a discrimination complaint. Employees have several options for filling their complaint with OSHA. They can file it online; download the complaint form, complete it, and fax or mail it in; or call a local regional OSHA office. Additionally, if the hazard poses an immediate threat to life, employees can call 1-800-321-OSHA. Ø OSHA has a separate form for whistleblower complaints. A whistleblower is an employee who informs OSHA of illegal activity. OSHA is responsible for protecting whistleblowers under 21 different federal statutes, including laws applying to > Environmental and nuclear safety > Transportation > Consumer products o Each whistleblower statute has its own filing deadline. Depending on the statute, employees acting as a whistleblower may have 30, 60, 90, or 180 days to file complaint, depending on the statute under which they're filling. o Employees need to provider enough information for OSHA to determine whether a violation has occurred. Employees do not need to know before-hand whether a violation has occurred. Ø The role of OSHA in medical coding and other health information management professions is minimal because of the nature of the work environment and the work performed. Medical coders work in an office, hospital, or from a home office. Since these areas typically don't contain hazardous chemicals or material that may present a clear and present danger, the potential for filling a complaint with OSHA is unlikely. Chemicals in the hospital setting are usually found in the laboratory so there's little likelihood that the medical coder or biller would encounter someone handling chemicals near the billing department.