HCA 201: Health Information Management


"Health information" - defined

"Any information, whether oral or recorded in any form or medium that (A) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individuals"

Security

"technological, organizational, and administrative safety practices" to protect the data system and prevent unwarranted use.

Providers and institutions that disclose health information in an unauthorized manner may be liable for:

(1) Defamation; (2) Invasion of privacy; or (3) Breach of implied contract to respect confidentiality.

Under HIPAA, a provider may release a patient's records with a subpoena (but without a court order) if and only if either of the following occurs:

1. A patient authorization accompanies the subpoena. 2. The party issuing the subpoena has made a reasonable effort to give the patient notice of the request. • If in doubt, the provider can petition the court to determine if the records must be turned over.

Health records used to be denied to patients as a matter of routine because:

1. Records are technical and difficult for patients to understand. 2. Revealing information could negatively affect the health of a patient. 3. The privacy of third parties, like healthcare providers, is important.

Patients have a right to:

1. View and copy health records 2. Have copies sent to a different provider 3. Appoint someone to examine the records

privacy

A person's "claim to limit access by others to some aspect of personal life."

health information

Generally, it includes all information gathered about a patient.

HIPAA and patient control of records

HIPAA allows patients to obtain an accounting of the disclosures of health information other than for treatment, payment, or routine healthcare operation.

Record completion

Health information management policies should require that doctors complete records within a reasonable period of time (e.g. 30 days from discharge) or that disciplinary measures be prescribed.

Covered entity

Healthcare provider, health insurance plan, or clearing house (i.e. billing company) that transmits any health information in an electronic form

Records are also used in litigation proceedings.

Inclusion or absence of health information in a record can have malpractice implications.

Lien Statutes

Lien statutes allow hospitals to recover medical expenses from awards paid to a patient by a tortfeasor who causes the related injury. • About 1/3 of states have lien statutes. • Tortfeasors can access a patient's medical information without authorization to determine the legitimacy of a medical bill.

Retaining Records

Local laws and standards applicable to different health care entities determine the length of time records must be retained.

Hospital record contents

Medical history • Admitting diagnosis • Consultations and tests • Complications • Informed consent • Physicians' orders • Nursing notes • Medication records • Discharge summary • Follow up care instructions • Final diagnosis

Authentication

Records must be "authenticated" - dated and signed/verified: • Electronic signature • Written signature and initial • Unique rubber stamp signature • Unique computerized key

Form and Content

Specific form and content of patient records can be dictated by: • State statutes and the rules & regulations of healthcare licensing agencies. • Joint Commission accreditation. • Federal Medicare Conditions of Participation

Health care facilities and doctors must maintain records of any time this information is disclosed to government agencies, accrediting agencies, or anyone else.

The accounting must include the information disclosed, the entity that received the information, the date of disclosure, and the reason for the disclosure.

Confidentiality

Trust between individuals in a patient-physician or similar relationship.

"Super-confidentiality"

With certain medical issues (e.g. HIV, substance abuse, mental health), there is a greater risk of stigma.

Health information privacy

a person's claim to control the way "in which health information is collected, used, stored, and transmitted."

Subpoena duces tecum

an order requiring a witness to bring documents to a court or other tribunal.

Security breaches

In this day and age, security breaches are becoming more common.

There is state by state variation in the length of time.

• At least 5 years under Medicare Conditions of Participation. • American Hospital Association recommends 10 years. • The format in which records must be retained also varies from state to state.

HIPAA privacy breaches

• Breaches can result in penalties from $100 (accidental disclosure of PHI) to $50,000 (disclosure of PHI due to willful neglect). • Criminal penalties could include serious fines and imprisonment.

Scope of PHI disclosure

• Disclosure should be limited to that which is "reasonably necessary to achieve the purpose for which the disclosure is sought" (45 CFR 164.514); that is, the bare minimum.

Denying a request for a record and correction of errors is now justified only "for cause":

• Disclosure would likely endanger life or safety of a patient or another person. • Information is in psychotherapy notes. • Information was compiled for use in a legal proceeding.

Inaccuracies should be corrected ASAP by:

• Drawing a line through the error, leaving original legible • Explaining reason for change • Dating and authenticating the correction

HIPAA (Health Insurance Portability and Accountability Act of 1996)

• Federal law that, among many other things, contains provisions to protect the privacy and security of certain health information. • Requires providing information to patients about the privacy and security of their health data.

Records & malpractice

• Good records are critical for the quality of patient care. • Records should be complete, accurate, and legible.

HIPAA and State Law

• HIPAA is a federal law. • Before HIPAA was passed in 1996, many states had laws protecting patients' privacy rights and guaranteeing access to information (like some of those we just discussed). • HIPAA provides a minimum floor of protection.

Use and disclosure under HIPAA

• HIPAA requires plans and providers to give patients a notice of privacy practices that explains how their PHI will be maintained and used. • PHI can be used and disclosed for treatment and payment and routine healthcare operations, including utilization management and peer review. • Patients can prevent some uses of PHI, e.g. marketing, research, fundraising. • PHI may be disclosed to friends and family involved in patient care. • PHI may be disclosed with patient consent.

Protected health information

• Identifying information collected or used by a covered entity • Information with enough details to track a person, person's relative, or associate • Excludes: Aggregated information; encrypted information; "de-identified" information

When a state has laws different from HIPAA:

• If the state law is more protective, the state law trumps. • E.g. A state law that provides that patient records must be delivered to the patient in 10 days rather than 30 as demanded by HIPAA would prevail. • If the state law is less protective, HIPAA trumps. • E.g. A state law that provides that records can only be released to other providers and not patients, would be trumped by HIPAA.

Court order and subpoena

• It is permissible to share information in a health record without the patient's consent under a valid court order. • Under certain conditions, it is also permissible to share information in a health record with a valid subpoena.

Peer Review Statutes

• Peer review organizations can access records and other patient information without patient authorization. • This information must be held confidentially & cannot be disclosed.

Types of Health Records

• Photographic images • Radiographic images • Computer files • Internet files • Sound recordings • Paper files • Doctor's notes

Duty to warn third parties

• Providers have a common law duty to warn third parties of foreseeable risks of harm. • HIPAA allows this type of disclosure when the provider believes it is necessary to prevent a serious and imminent harm to someone or to the public and the disclosure is to someone who can prevent or reduce the threat. • This is usually limited to cases when the provider actually predicts/knows the patient to be a serious or imminent threat and when there is an indefinable victim.

Privacy breaches:

• Report an incident that affects 500 or more people • Notify individuals of unauthorized disclosure as soon as possible. • Major breaches listed on HHS website.

Types of Patient Information

• Test and lab results • Clinical findings • Insurance coverage • Medical history • Procedures performed • Demographic information • Patient problems • Treatment plans • Medications • Consent for treatment documents

Unauthorized disclosure

• The Hippocratic Oath requires maintaining confidential patient information. • Maintaining confidentiality of healthcare information may be tied to state licensing requirements.

Under state law, healthcare providers in most states own, possess, and control medical records.

• The patient (or his/her representative) does not have the right to physically possess the record. • This is supported by Joint Commission standards: "Original medical records are not released unless the hospital is responding to law and regulation" (2013 Hospital Accreditation Standards at RC-5).

Instances where disclosure is permitted

• There are instances where it is permissible for a healthcare provider or entity to share health information without a patient's consent. These instances include: 1. Court orders and subpoenas 2. Statutory reports 3. Peer review 4. Lien statutes 5. Duty to warn a third party

Federal laws require any entity receiving federal funds for drug and alcohol treatment programs to be bound by strict confidentiality.

• These laws include the Comprehensive Drug Abuse Prevention and Control Act of 1970; Drug Abuse Office and Treatment Act of 1972; and the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1983. • Generally, these laws provide that related information cannot be disclosed to family members or law enforcement without a patient's express written consent. • Disclosures without express written consent are permitted only to personnel who have a legitimate need to know the information for treatment and service or in an emergency.

State and federal laws exist to provide "extra" protection for medical records related to these conditions.

• These laws make it more difficult to permissibly reveal health information related to the particular condition. • Violating these requirements could lead to suit by the patient. • Violating these requirements could constitute a criminal and/or civil offense.

Statutory reporting - States require providers to share certain types of health-related information with government agencies.

• These requirements are promulgated as an exercise of police power. • Providers may share health-related information when complying with these laws. • Information typically required to be reported: (1) vital statistics (e.g. births, deaths); (2) abortion; (3) diagnosis of infectious disease; (4) injuries that may be connected to criminal activity; (5) self-inflicted wounds; (6) drug abuse; (7) child or elder abuse. • The provider must still account for any such releases of patient data when a patient requests an accounting.

Patient's right to access health records

• Today, patients have a right to access the information in their health records under HIPAA. • State law may also provide access to third parties. • Retiring (or deceased) practitioners must make arrangements to make records available to patients.

• Photos may be taken for use in the medical record - but with written informed consent.

• Unauthorized photography and observation of patients can result in liability as (1) defamation; (2) invasion of privacy; and/or (3) breach of confidentiality. • Smartphones make this a more challenging issue.

