Do you think there are problems with any of the HIPAA Privacy rule's exceptions to the authorization requirement? Do the exceptions minimize patient privacy? Are there too many exceptions? Are there other exceptions that you would include if you were asked to become involved in revising the law?
Exceptions to the HIPAA Privacy Policy
Although the privacy rule has placed stringent parameters around the transmission of personal health information, it is recognized that health providers are required to maintain and transmit PHI in the course of conducting business. There are several situations in which the medical facility is not required to notify the patient or obtain written express permission for a disclosure.
The scenarios that do not require written patient authorization are:
Protected health information is shared under the umbrella of TPO in almost every medical-related facility, from a large hospital to the corner drugstore, and is defined below:
Treatment - This is defined as personal health information transmitted while in the act of providing, coordinating, or managing the health care of a patient. This includes consultations between doctors. An example is a primary care physician consulting with a specialist regarding a patient's diagnosis and treatment plan. Also included is information transmitted when referring a patient for outpatient laboratory testing or a diagnostic ultrasound.
Payment - This is defined as all activities that a provider of health service must undertake to receive payment for a health encounter. This includes submitting a claim to the patient's health plan for payment, checking patient eligibility and claim status, receiving and applying payment and rejections, as well as billing the patient for applicable co-pays and co-insurance.
Health Care Operations - In the course of business, a medical practitioner or establishment will engage in a number of administrative tasks to ensure the smooth and effective operation of the business. These tasks include audits of patient files, quality checks and improvement initiatives, staff competency and compliance evaluations, as well as administrative duties -- such as de-identifying PHI and creating data sets of patient information for research purposes.
Informal authorization is also acceptable in the case of discussing treatment and outcomes with a patient's spouse and family members that are involved in the patient's care. Informal authorization is also applicable for the purposes of notifying family members responsible for the patient about their location, condition, or death.
This usage of PHI is acceptable as long as the covered entity can assure that there exists in the organization a reasonable safeguard against the misuse of PHI. Also, it is critical that the information shared adhere to the "minimum necessary" rule that will be explained in an upcoming lesson.
The scenarios that fall under the umbrella of public trust are as follows:
- Required by Law - Information may be provided by a covered entity to law enforcement officials to fulfill a court order, statute, or legal regulation.
- Public Health Activities - Covered entities can reveal protected health information to 1. Public health officials who are responsible for monitoring and stopping the spread of disease or injury. 2. FDA-regulated companies if there is data that would support the monitoring of effectiveness or adverse events related to their products. 3. Individuals who may have been exposed to transmittable diseases that are tracked by the government and require reporting. 4. Information may be released to employers regarding employees in order to evaluate work-related illnesses or claims, manage workers compensation claims, and OSHA violations.
- Victims of Abuse, Neglect, or Domestic Violence - In cases of suspected abuse, it is permissible to report the incident to the authorities, including providing protected health information.
- Health Oversight Activities - Personally identifiable health information may be released to government agencies that are responsible for providing oversight for the health care system, including government health programs, such as Medicare and Medicaid.
- Judicial and Administrative Proceedings - PHI may be disclosed to the court system in response to a subpoena, court order or administrative tribunal. Notice should be sent to the subject of the order that their information has been shared.
- Law Enforcement Purposes - Protected health information may be shared with law enforcement officials under the following circumstances: 1. As required by law to adjudicate warrants or subpoenas. 2. To locate a suspect, witness, or fugitive. 3. Provide law enforcement officials with information on the victim, or suspected victim, of a crime. 4. To notify law enforcement in the case of a suspicious death, which may have resulted from criminal activity. 5. As evidence of a crime that occurred in the facility of a covered entity. 6. A covered entity may provide PHI in the case of an emergency involving one of its patients, even if the incident occurred offsite. Also to inform law enforcement about a possible crime, victims, perpetrators, or location thereof.
- Decedents - In the case of death, PHI can be disclosed to the coroner's office for identification purposes, and to determine the cause of death. PHI may also be released to the funeral home as needed.
- Organ Donation - PHI can be released by covered entities to facilitate the donation of cadaver organs and tissue.
- Research - PHI can be released in the case of medical research, provided the researchers warrant that the information is necessary for the preparation or execution of the research study and will not be used in any other way.
- Serious Threat to Health and Safety - PHI can be released without consent to law enforcement officials to aid in the capture of an escaped prisoner or a violent criminal. Protected health information can also be released if there is credible reason to believe that there is an imminent threat to an individual or the public at large.
- Essential Government Functions - Covered entities are allowed to release protected health information for the completion of government duties and functions, including military missions, national security initiatives, protection of the President, for evaluating State Department employees and providing health services to inmates.
- Workman's Compensation - Covered entities may release PHI without authorization in the course of evaluating and certifying employee injury claims.
Food for Thought
Were you aware that there were so many instances in which PHI could be shared without patient authorization?
What are your thoughts regarding this?
Does this make you look at your own health information differently?
Conclusion
Although the HIPAA privacy policy strives to protect patients and limit disclosures of PHI, it also acknowledges that there are some instances in which disclosure is necessary to maintain the law, protect public interest, and expedite medical care.