Abstract
According to the US Department of Health and Human Services, agencies create regulations under the authority of Congress to help government carry out public policy. One of these is the Health Insurance Portability and Accountability Act's privacy policy, which establishes nationwide standards for the use and disclosure of protected health information. This paper examines its enactment, content and subsequent adjustments and accommodations since its establishment in 1996, with a focus on covered entities and business associates in charge of information in any form or medium, whether electronic, paper or oral. The vast amounts of people's digitized records already collected for billing and claims in various specialized databases can be a two-edged sword: on one hand they have the potential for discovering more about disease processes and care outcomes; on the other hand they create possibilities for excluding the individual(s) on the records from care. How providers choose to handle this information is the focal point of the paper.
Introduction
Protected Health Information (PHI), also known as Personal Health Information, is personally identifiable health information that is covered by H.I.P.A.A., created in 1996 (Brown, 2015). H.I.P.A.A. was put forward by Congress and signed into law by Bill Clinton during his presidency. PHI covers information such as: name, date of birth, telephone, address, email, URL, account details, medical record, Social Security number, personal health device details, automobile information, fingerprint/life-scan, passport photo, voice ID, and other demographic or non-demographic data that is uniquely identifying. This addresses information in the care of covered entities; such information is protected by the federal act, which provides patients with various rights regarding it. "The regulation does not require a data set to include a certain number of identifiers to be considered PHI. It specifically states that if information identifies an individual, it is PHI" ("Q&A: What Information", 2011). Where the name of a patient who received care is associated with the care received and the hospital, that IS demographic information and it is treated as PHI. In this day and age, where most things are digital or going digital through the increasing use of computers and devices, H.I.P.A.A.'s response is the H.I.P.A.A. Security Rule, which deals with electronic PHI. It applies to health plans, healthcare clearinghouses and healthcare providers that transmit information electronically in connection with patient transactions, and it lays down security standards for electronically stored PHI.
Acts
Federal
Pre-H.I.P.A.A., there were many health privacy statutes and orders regulating the acquisition and disclosure of records. To name a few: the Freedom of Information Act (FOIA), the Privacy Act (protecting patients' records in the care of government agencies), the Family Educational Rights and Privacy Act, the Veterans Omnibus Health Care Act, the Clinical Laboratory Improvements Amendments, the Public Service Act, the Health Omnibus Program Extension, the Public Health Service Act, the Federal Confidentiality Requirements for Substance Abuse Patient Records (Section 543), the Americans with Disabilities Act, etcetera. Because American society in general is one that values freedom, choice and privacy, these laws are merely extensions and reflections of the cultural values of the society, codified or not, though this does not take away from their complexity for the healthcare professional.
"The Health Insurance Portability and Accountability Act (H.I.P.A.A.) was developed in 1996 and became part of the Social Security Act. The initial primary purpose of the H.I.P.A.A. is to protect health care coverage for individuals who lose or change their jobs" (Bowers, 2001).
Under the Administrative Simplification Act, Title II: the greater the level of automation in a healthcare facility, the greater the need for ensuring the security of the network infrastructure. The administrative simplification section addresses the privacy of individuals' health information, provides for physical and electronic security of PHI, and breaks down individuals' rights of access to PHI and its disclosure. Note that H.I.P.A.A. does not directly address treatment consent (Orlowski, 2013).
The Health Information Technology for Economic and Clinical Health Act (HITECH), over a decade after H.I.P.A.A., is another federal medical record privacy measure regulating healthcare providers' actions. Also after H.I.P.A.A. came a different federal regulation, the Genetic Information Nondiscrimination Act (G.I.N.A.), extending in detail the "providers" not specified in H.I.P.A.A., especially those with access to PHI, and restricting the use of genetic information by health plans for underwriting. Then, recently, days ago, it was ruled that there be the addition of whether or not a patient suffers from drug/alcohol addiction, present or past.
State
States across the country each have privacy acts both within and outside the industry, and the general tone is similar to that of H.I.P.A.A., some preceding H.I.P.A.A. itself while others came afterwards. For example, California's version of "H.I.P.A.A.", the Confidentiality of Medical Information Act, sits under sections of the Civil Code (the data breach provisions) and the Health & Safety Code. Even though it has various aspects similar to H.I.P.A.A., it was rather progressive and ahead of the curve in that it was created in the 1970s, over two decades before H.I.P.A.A.
Within the same state there is also the Insurance Information and Privacy Act, which prohibits unauthorized disclosure of personal information by insurers and affiliated entities, hence creating standards for the collection, use and disclosure of information obtained in relation to transactions carried out by insurance agents, institutions, support organizations, etcetera. Note that the patient has the right to know the type of information held, to ensure the content's accuracy, to approve sharing of the PHI and, best of all, to get an explanation of a declined underwriting decision before getting or while under the insurance policy.
Information Practices Act: this covers the handling and use of personal information by state agencies, giving the individual whose information is being used the right to know and request the names of those who accessed it.
Online Privacy Protection Act: addresses websites that collect personally identifiable information of any kind, requiring the site to notify the individual of what data is being collected ("The Law and Medical Privacy", n.d.).
Reality
More and more digitized patient information would make it possible for researchers and providers to find out more about disease processes and expected outcomes. Simultaneously, these records offer possibilities for the exclusion of individuals from care (for example insurance) or for breaches of confidentiality caused by human error or theft. This continued tradeoff will repeatedly come up in policy analysis and decision making (McLaughlin & McLaughlin, 2015). A way researchers have found around this issue is pseudonymization, a method "used to replace the true identities (nominative) of individuals or organizations in databases by pseudo-identities (pseudo-IDs) that cannot be linked directly to their corresponding nominative identities" (Claerhout and De Moor). "The benefit of using pseudonymization in health research is that it protects individuals' identities while allowing researchers to link personal data across time and place by relying on the pseudo-IDs" (as cited in Nass et al., 2009).
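As an added illustration (not from this paper or from Claerhout and De Moor), the Python sketch below shows keyed pseudonymization over two constructed record sets: nominative identities are replaced by HMAC-derived pseudo-IDs, the secret key is assumed to be held per research project by a trusted third party rather than by the researcher, and the pseudo-IDs still let the two sets be linked across time and place.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: two databases that both hold nominative identities
# (name, SSN) beside clinical or billing data. All values are made up.
CLINIC_VISITS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "visit": "2018-03-01", "dx": "E11.9"},
    {"name": "John Roe", "ssn": "987-65-4321", "visit": "2018-03-02", "dx": "I10"},
]
BILLING_CLAIMS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "claim": "C-001", "amount": 120.0},
    {"name": "Jane Doe", "ssn": "123-45-6789", "claim": "C-002", "amount": 80.0},
]
IDENTIFYING_FIELDS = ("name", "ssn")

def normalize_identity(record):
    """Canonicalise the nominative fields so the same person always yields the
    same pseudo-ID regardless of spacing, casing or SSN separators."""
    name = " ".join(record["name"].split()).lower()
    ssn = record["ssn"].replace("-", "")
    return f"{name}|{ssn}".encode()

def make_pseudo_id(record, key):
    """Keyed pseudo-ID: HMAC-SHA256 of the canonical identity. The key is assumed
    to sit with a trusted third party, so pseudo-IDs alone cannot be linked back."""
    return hmac.new(key, normalize_identity(record), hashlib.sha256).hexdigest()[:32]

def pseudonymize(records, key):
    """Return copies of the records with nominative fields replaced by pseudo_id."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        stripped["pseudo_id"] = make_pseudo_id(rec, key)
        out.append(stripped)
    return out

def link_by_pseudo_id(left, right):
    """The research use case: join two pseudonymized datasets on pseudo_id."""
    index = {}
    for rec in right:
        index.setdefault(rec["pseudo_id"], []).append(rec)
    return {rec["pseudo_id"]: (rec, index.get(rec["pseudo_id"], [])) for rec in left}

if __name__ == "__main__":
    project_key = secrets.token_bytes(32)  # a fresh key per research project
    visits = pseudonymize(CLINIC_VISITS, project_key)
    claims = pseudonymize(BILLING_CLAIMS, project_key)
    for pid, (visit, linked) in link_by_pseudo_id(visits, claims).items():
        print(pid, visit["dx"], [c["claim"] for c in linked])
```

Using a different key per project means two projects' pseudo-IDs for the same person cannot be cross-linked without the key holder's cooperation.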
Exemptions for Disclosure
The content of PHI may be disclosed to the individual who is the subject of the information; he/she may access the information.
"A covered entity must disclose protected health information in only two situations: (a) to individuals (for their personal representatives) specifically when they request access to, or an accounting of disclosures of their protected health information; and (b) to HHS when it is undertaking a compliance investigation" ("The H.I.P.A.A. Privacy Rule", n.d.).
Another exemption is that an individual's PHI can be disclosed immediately after death "1. To law enforcement: when there is a suspicion that death resulted from criminal conduct. 2. To coroners or medical examiners and funeral directors. 3. For research that is solely on the protected health information of decedents. 4. To organ procurement organizations or other entities engaged in the procurement, banking and such. 5. To family and friend(s) in charge of care when individual was alive" (Snell, 2015).
Finally, it can also be fully and legally disclosed 50 years after the individual's death, as it is no longer protected as such under H.I.P.A.A.
Restricted Restriction
H.I.P.A.A. laws cover health information held by a large number of specific entities, for example doctors, nurses and other healthcare entities. But they do not cover social media networks, chat rooms, websites, health and non-health applications, Google and similar online activities participated in by the individual, mostly unwittingly.
In March this year, under Trump, came an initiative called MyHealthEData to further promote access to and use of EHR data by its owner (the patient), even insurance claim(s), all towards the improvement of care ("H.I.P.A.A: Impacts", 2018).
There are various ways PHI can be violated by the provider or healthcare professionals, and here are a few common ways:
1. Healthcare professionals/employees openly disclosing information to friends, family and co-workers.
2. E.H.R. mishandling; this usually concerns hard copies, for example x-rays, charts, files and so on.
3. Illegal access to a patient's records by a healthcare professional for whatever reason, rational or otherwise; without consent it is illegal.
4. Social breaches; these are more prominent in closer-knit areas and populations, where neighbors show concern and healthcare professionals are often related and see sharing a patient's records as no breach.
5. Use of personal systems outside the office/facility to access patient information, which may lead to a violation if the content is visible to non-authorized people like family and friends or even strangers.
6. Media, including social media, texting and others: even where the patient's name or identifier is omitted, they might still be recognized, as a countless number of people may see it, and this may include the patient's family and friends.
7. Ignorance of what H.I.P.A.A. entails, from little or no training, especially among auxiliary members of the team, for example interns, volunteers, etcetera (Zabel, 2018).
Safeguards
Physical: Securing files in locked cabinets or rooms; server rooms should come with restricted access. Only staff or contractors should have access to record rooms. Avoid putting files within reach of patients, families, friends or passers-by. Providers should refrain from using real names when discussing cases with other healthcare professionals in the presence of others.
Electronic: Use of passwords and user accounts to track who uses what, where and when, to better manage access and plug holes if any exist.
Network: Purchase, use and maintenance of internet security for databases. Trained IT experts to maintain and monitor the security of all devices, software and hardware alike, that contain such confidential information. According to Koegler (2017), all EHR data should be encrypted and all possible points of intrusion should be covered.
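The account-tracking safeguard above and violations 3 and 5 in the previous section together amount to reviewing the access log against who actually has a relationship with each record and where the access came from. The following Python example is added here (not from the paper) over a constructed audit-log format and a constructed care-team roster; it flags accesses by accounts with no treatment or billing relationship to the record and accesses from outside the facility network.

```python
import re
from collections import namedtuple

# Constructed EHR audit-log lines: timestamp, user account, action, patient
# record id and source network location. The format is assumed, not any
# particular vendor's, and every value is made up.
AUDIT_LOG = """\
2018-03-05T09:12:44 user=dr.smith action=VIEW record=MRN-1001 src=facility-lan
2018-03-05T09:15:02 user=nurse.lee action=VIEW record=MRN-1001 src=facility-lan
2018-03-05T12:40:19 user=clerk.jones action=VIEW record=MRN-1001 src=facility-lan
2018-03-05T23:05:51 user=dr.smith action=VIEW record=MRN-2002 src=home-isp
2018-03-06T08:00:10 user=intern.kim action=EXPORT record=MRN-3003 src=facility-lan
"""

# Constructed care-team roster: accounts with a treatment or billing
# relationship to each record.
CARE_TEAM = {
    "MRN-1001": {"dr.smith", "nurse.lee"},
    "MRN-2002": {"dr.smith"},
    "MRN-3003": {"dr.patel"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)
Event = namedtuple("Event", "ts user action record src")

def parse_log(text):
    """Parse each audit line into an Event; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events

def review(events, care_team, trusted_sources=("facility-lan",)):
    """Flag the accesses the safeguards are meant to catch:
    NO_RELATIONSHIP: account not on the record's care team (violation 3);
    OFFSITE: PHI reached from outside the facility network (violation 5)."""
    findings = []
    for e in events:
        if e.user not in care_team.get(e.record, set()):
            findings.append((e, "NO_RELATIONSHIP"))
        if e.src not in trusted_sources:
            findings.append((e, "OFFSITE"))
    return findings

if __name__ == "__main__":
    for event, reason in review(parse_log(AUDIT_LOG), CARE_TEAM):
        print(reason, event.ts, event.user, event.action, event.record, event.src)
```

A flagged access is a lead for review, not proof of a violation; an on-call physician working from home may be legitimate, but the log makes that a question someone has to answer.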
Covered Entities (associates): Ensure affiliated entities in the healthcare industry carry out the same measures; a basic standard is non-negotiable, and safety precautions must be adhered to when handling patients' files, as failure could result in criminal and civil fines for the provider, and also loss of reputation (Zabel, 2016). For example, the successful lawsuit against a pharmacist employee and Walgreens resulted in a $1.44 million fine for the violation of H.I.P.A.A. in 2013, because in this case H.I.P.A.A. was used to establish the standard of care ("A New Way to Sue", 2013). It is worth noting that an eventual uniformity of federal regulations and requirements is H.I.P.A.A.'s aim, as the Act does not alter state laws pertaining to public health.
A person named Sean Myers died some days after returning home from a stint in the hospital due to a blood clot complication that could have been avoided if the physician had talked to his parents, one of whom had a history of blood clots. Was this death avoidable? Where does the physician draw the line and do what is best for the patient, especially when what is best for the patient might not be so for H.I.P.A.A. compliance (Andrews, 2016)? This is only one of millions of instances where decisions are not clear-cut, but whenever there is a clash between state and federal law, federal supersedes. Still, as healthcare professionals, the onus is on us to make sound judgements based on facts, integrity and an unwavering moral compass that is beyond reproach; continuous updating of skills and training and the humane application of knowledge are a priority, as they are relevant to compliance with health regulations.
References
A New Way to Sue Health Care Professionals Using HIPAA? (2013). Retrieved from http://thehealthcareblog.com/blog/2013/09/06/a-new-way-to-sue-health-care-professionals-using-hipaa/
Andrews, M. (2016). Parents May Be Refused Details of Adult Children's Medical Care. Retrieved from https://www.npr.org/sections/health-shots/2016/05/31/479751997/parents-may-be-refused-details-of-adult-childrens-medical-care
Bowers, D. (2001). The Health Insurance Portability and Accountability Act: Is It Really All That Bad? Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1305898
Brown, M. (2015, January 10). What Is Protected Health Information? Retrieved from https://www.truevault.com/blog/protected-health-information.html
Q&A: What Information Needs to Be Compromised to Constitute a HIPAA Breach? (2011). HIM-HIPAA Insider. Retrieved from http://www.hcpro.com/HIM-262417-865/QA-What-information-needs-to-be-compromised-to-constitute-a-HIPAA-breach.html
Gresham, G. & Orlowski, A. (2013). Coming of Age in the Healthcare System: Confidentiality, Capacity and Consent. University of California Television. Retrieved from https://www.eff.org/issues/law-and-medical-privacy
H.I.P.A.A: Impacts and State Actions (2018). Retrieved from http://www.ncsl.org/research/health/hipaa-a-state-related-overview.aspx
Koegler, S. (2017). Health Care Providers Need to Comply with HIPAA Regulations and Address These Five Critical Security Issues. Retrieved from https://securityintelligence.com/health-care-providers-need-to-comply-with-hipaa-regulations-and-address-these-five-critical-security-issues/
McLaughlin, C.P. & McLaughlin, C.D. (2015). Health Policy Analysis: An Interdisciplinary Approach (2nd ed.). Jones and Bartlett.
Nass, S.J. et al. (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Retrieved from https://www.ncbi.nlm.nih.gov/books/NBK9579/
Snell, E. (2015). How Do HIPAA Regulations Apply After Death? Retrieved from https://healthitsecurity.com/news/how-do-hipaa-regulations-apply-after-death
The Law and Medical Privacy (n.d.). Electronic Frontier Foundation. Retrieved from https://m.youtube.com/watch?v=ZsvxzZiQwEs
The HIPAA Privacy Rule (2015). Office for Civil Rights (OCR). Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
US Code 42 (20 ). Legal Information Institute, Cornell University Publication. Retrieved from https://www.law.cornell.edu/uscode/text/42/1320d-6