3. Legal and Regulatory Constructs


Edith Ann Brous



Health care in the United States is shaped by complex regulation at all levels. Federal, state, and local laws govern practice. Administrative agencies and private organizations oversee professionals and health care organizations. In 1997 University of Rochester health economist Charles Phelps stated, “[T]he U.S. health care system, while among the most ‘market oriented’ in the industrialized world, remains the most intensively regulated sector of the U.S. economy.”37 This is certainly truer today as billions of dollars are spent on health care regulation. 16 Indeed, it is claimed that the net burden of health services regulation exceeds what it would cost to provide coverage to the 44 million uninsured Americans. 16 Emergency nurses must understand the regulatory environment in which they work.


SOURCES OF LAW AND REGULATION


To prevent abuse and maintain a balance of power, the U.S. Constitution divides the federal government into three branches: the legislative branch to write laws, 47 the executive branch to execute laws, 48 and the judicial branch to interpret laws. 49 The legislative branch is Congress, divided into the House of Representatives and the Senate. The executive branch consists of the president and administration. The judicial branch is composed of the court systems. Each branch plays a constitutionally determined role in determining the law and is prevented from becoming too powerful by the checks and balances provided by the other two. Each state system mirrors that of the federal system with its governor, legislature, and court system.

At the federal level, Congress proposes laws that, once enacted, become statutes that are controlling throughout the nation. The statutes may be accompanied by federal funding, such as the Homeland Security Act or Medicare and Medicaid, or they may be “unfunded mandates” such as the Emergency Medical Treatment and Active Labor Act (EMTALA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). State legislatures propose and enact state laws in the same manner.

The president and governors are responsible for enforcing the laws, and such enforcement is performed in large part through administrative agencies. Often referred to as the “fourth branch of government” because of their considerable political power, administrative agencies promulgate, interpret, and enforce agency rules and, as such, have quasi-executive, quasi-legislative, and quasi-judicial authority.

Federal agencies such as the Centers for Medicare and Medicaid Services (CMS) (formerly called the Health Care Financing Administration, or HCFA), the Occupational Safety and Health Administration (OSHA), the National Labor Relations Board (NLRB), and the Food and Drug Administration (FDA) are responsible for oversight of issues that affect emergency departments (EDs). At the state level, state licensing boards, state health departments, offices of the attorney general, and child protective services are examples of state agencies regulating many issues that affect emergency nursing.

































Table 3-1 Sources of Law and Regulation

Type of Law | Source or Origin | Content or Focus | Examples
Supreme law | U.S. Constitution | Individual rights; checks and balances of authority | Right to free speech; balance of powers
Statute | Congress or state legislature | Focus varies but state law cannot be less stringent than federal law | HIPAA; state privacy laws
Common law | Judicial branch | Judge-interpreted laws that evolve as society and its laws change—case law | Individual lawsuits
Regulations | Executive branch of federal and state government; administrative agencies | Enforce federal and state laws | CMS—EMTALA; state boards of nursing—professional licensure

CMS, Centers for Medicare and Medicaid Services; EMTALA, Emergency Medical Treatment and Active Labor Act; HIPAA, Health Insurance Portability and Accountability Act.


COMMUNICATION


The mission of the Department of Health and Human Services (HHS) is to improve the health and well-being of all people affected by its programs. The Office for Civil Rights (OCR) is responsible for ensuring that people have equal access and opportunity to participate in and receive services from all HHS programs without facing unlawful discrimination and that the privacy of their health information is protected while ensuring access to care. OCR safeguards federal funds by ensuring that HHS-financed programs do not support unlawful discrimination.

Among others, OCR enforces Title VII of the Civil Rights Act of 1964, prohibiting discrimination on the basis of race, color, and national origin; Section 504 of the Rehabilitation Act of 1973, prohibiting discrimination on the basis of disability by recipients of financial assistance; and Title II of the Americans with Disabilities Act as it applies to health and human service activities of state and local governments. 19

OCR requires hospitals to communicate effectively with patients, family members, and visitors who are deaf or hard-of-hearing and to take reasonable steps to provide meaningful access to their programs for persons who have limited English proficiency. These laws are further supported by Joint Commission standards, which also require hospitals to collect information about patients’ language and communications needs.

Under OCR guidelines EDs must (1) promptly assess the communication needs of deaf and hard-of-hearing patients, (2) secure the services of qualified interpreters as quickly as possible, and (3) use other aids to augment effective communication with deaf and hard-of-hearing patients. 34 “Qualified sign language interpreter,” “oral interpreter,” or “interpreter” means a person who is able to interpret competently, accurately, and impartially, both receptively and expressively, using any specialized terminology necessary for effective communication in a medical setting to a deaf or hard-of-hearing patient or companion. Use of volunteers or family members as translators may not meet the required standards and may violate privacy laws.

For patients with limited English proficiency (LEP), hospitals must (1) assess the language needs of the population, (2) write policies addressing language access, (3) train staff in the policies, and (4) oversee the language assistance program. 34 The Department of Justice (DOJ) has specifically defined appropriate auxiliary aids and services and outlined services for which interpreters are deemed critical. 43 They are listed in Box 3-1.

Box 3-1
Circumstances Under Which Interpreters Are Required



The following list of circumstances is neither exhaustive nor mandatory and shall not imply that there are not other circumstances when it may be appropriate to provide interpreters for effective communication or that an interpreter must always be provided in these circumstances.




• Determination of a patient’s medical history or description of ailment or injury


• Provision of patients’ rights, informed consent, or permission for treatment


• Determination and explanation of patient’s diagnosis or prognosis and current condition


• Explanation of procedures, tests, treatment, treatment options, or surgery


• Religious services and spiritual counseling


• Explanation of living wills or powers of attorney (or their availability)


• Diagnosis or prognosis of ailments or injuries


• Explanation of medications prescribed (such as dosage, instructions for how and when the medication is to be taken, and side effects or food or drug interactions)


• Determination of any condition or allergy of patient that may affect choice of medication


• Explanation regarding follow-up treatments, therapies, test results, or recovery


• Blood donations or apheresis (removal of blood components)


• Discharge planning and discharge instructions


• Provision of mental health evaluations, group or individual therapy, counseling and other therapeutic activities, including but not limited to grief counseling and crisis intervention


• Explanation of complex billing or insurance issues that may arise


• Educational presentations, such as classes concerning birthing, nutrition, cardiopulmonary resuscitation, and weight management


• Any other circumstance in which a qualified sign language interpreter is necessary to ensure a patient’s rights provided by law

Patients who think the hospital has violated antidiscrimination laws can make formal complaints to the DOJ. The DOJ investigates complaints and can file enforcement lawsuits in federal court. Alternatively, the DOJ can negotiate settlement agreements for corrective action plans and assess financial penalties. A noncompliant hospital can be fined up to $55,000 for a first violation and up to $110,000 for subsequent violations. In addition, a hospital may be ordered to pay damages to the complainant. 21


MEDICAL RECORDS


In addition to communication among providers, written records of patient care are kept to meet legal, regulatory, managed care, and billing requirements. In the event of a malpractice lawsuit, the medical record is also used as evidence of the care provided.

ED records must be legible and clearly demonstrate the chronology of treatment. Every entry must be dated, timed, and signed. Dates must be complete, including the year; times must be complete, including military time or am/pm; signatures must be complete and include status—RN, LPN, etc. Triage notes must indicate level of distress and duration of complaint to justify classification.

Providers must be identified by last name. Entries such as “MD aware,” “supervisor notified,” and “report to floor” do not adequately indicate that information has been transmitted. Policy and procedure manuals must reflect current practice and provide guidance in documentation methods. Chart audits should be performed on a regular basis to ensure compliance with regulatory standards and best documentation practices. Abbreviations are error prone and should be restricted to those on the institution’s approved list. Those that are specifically on the “Do Not Use” list must be avoided completely.


Electronic Medical Records


The use of electronic medical records (EMRs), electronic health records (EHRs), or electronic data interchange (EDI) allows organizations to meet regulatory standards and patient needs more effectively than traditional paper systems. The Joint Commission has been recommending the adoption of EMR since 1996. 27 Interoperable systems streamline information flow, reduce medical errors, eliminate illegibility, allow EDs to be compliant with regulatory and Joint Commission standards, facilitate data collection for quality improvement, interconnect clinical data, provide biosurveillance capability, and save provider time. 14 They may also reduce health care costs, enhance liability protection, and inform clinical practice. 15

Compared with other industries, health care has been slow to adopt electronic, computerized systems. On May 6, 2004, President Bush appointed Dr. David J. Brailer to a newly created position of national coordinator for health information technology (HIT) and charged him with achieving widespread deployment of electronic HIT within 10 years. In a December 2004 address to the American Medical Association, Dr. Brailer advised, “[T]he answer for health care is the same as it is for every other industry. Information, automation, and standardization can support the central role of the consumer and the professional.”33

In his February 2005 address to the Healthcare Information and Management Systems Society (HIMSS), Dr. Brailer stated, “[W]ithout EHRs in place, there is little chance of gaining significant improvements in quality and cost-effectiveness and of unifying the clinical process around the consumer.”10 He articulated four goals: (1) inform clinical practice, (2) interconnect clinicians, (3) personalize care, and (4) improve population health.

Implementation of an EMR requires careful planning and involvement of the institution’s HIPAA compliance officer to address privacy concerns, as discussed below. Frontline personnel are crucial in the planning stages, because the expertise of the end users is necessary in design. It may be necessary to phase in the system with flexible implementation timelines. Significant time may be required for education because productivity can be affected by long learning curves. Staff readiness should be carefully assessed before going live with the EMR system. Postimplementation assessment is necessary to detect problems, revise the system, and support staff.


Whether using traditional paper systems or EMR, the ED records are hospital property, but patients have the right to review and make copies of their own charts and to make corrections in the records. 7 Each hospital must have a policy and procedure for responding to patient requests for their records.


HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT


Congress had concerns about health care fraud and abuse, the portability of health insurance, and the potential for compromising patient privacy regarding personal medical information through the use of electronic media for collecting claims data and payments. In response to these concerns, Congress enacted the Health Insurance Portability and Accountability Act of 1996 on August 21, 1996.

HIPAA required HHS to develop rules for ensuring standardization of electronic patient health information, including administrative and financial data; unique health identifiers for individuals, employers, health plans, and health care providers; and security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present, or future.

Pursuant to HIPAA’s mandate, HHS was to promulgate rules to be effective in February of 1998 with compliance required by 2000. The rules underwent many revisions, however, and the final version of the privacy regulations was not issued until December 2000. They went into effect on April 14, 2001, with compliance not required until April 14, 2003.

HIPAA’s privacy regulations require that covered entities protect personal health information (PHI) from disclosure and that access to PHI be limited to authorized entities with access restricted to the information necessary. Covered entities are health care providers conducting certain transactions in electronic form, health care clearinghouses, and health plans.

HIPAA provides patients with the right to access and make changes in their medical records while restricting access by others. Patients also have the right to information regarding how their records have been accessed. Formal notices of an institution’s privacy practices are required. In addition, covered entities are required to assign a privacy officer who is responsible for administering the institutional privacy program and ensuring compliance. Covered entities are also required to educate all workers on privacy policies and procedures and to discipline infractions of those policies and procedures.

Hospitals are required to update their systems so PHI is protected. When instituting EMR, it is necessary to design computerized systems in a manner that limits medical record access to authorized persons. Password protection or data encryption may be necessary. Policies and procedures must be developed to protect e-mailed and faxed data. The Federal Communications Commission requires every page of every facsimile to have identifying information, including name of the business sending the fax, the date, the time, and the telephone number of the sending machine. 8 Computers should have the hard drives reformatted before recycling to prevent the inadvertent transmission of PHI. Confidentiality statements should be included in all e-mail or fax transmissions. Security measures must be instituted to verify users.

HIPAA does not create a private right of action, meaning that patients cannot directly sue providers for HIPAA violations. 23 The law does create both criminal and civil sanctions, however, for improper use or disclosure of PHI. Patients may make formal complaints to OCR. OCR reviews evidence about the complaint and may determine that there was no Privacy Rule violation. If the evidence indicates that there was a violation, OCR attempts to resolve the complaint by obtaining voluntary compliance, a corrective action plan, or a resolution agreement.

OCR may refer complaints to the DOJ for criminal investigation in cases involving the knowing disclosure or obtaining of PHI. Noncompliant organizations can be fined up to $100 per violation and up to $25,000 in a calendar year. 5 “Knowingly” obtaining or disclosing PHI can lead to fines up to $50,000, as well as 1 year in prison. Using false pretenses to commit offenses can allow for penalties up to $100,000 in fines and up to 5 years in prison. Committing offenses with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm can allow for fines of $250,000 and up to 10 years in prison. 41

Between April 14, 2003, when the law went into effect, and July 31, 2007, a total of 29,276 complaints were made, 79% of which were resolved. There have only been four criminal prosecutions since the law went into effect. 44 The compliance issues investigated most frequently were impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, uses or disclosures of more than the minimum necessary PHI, and lack of or invalid authorizations for uses and disclosures of PHI.

Confusion and misinterpretation of the Privacy Rule have resulted in the inappropriate withholding of information. 35, 45 HIPAA does not prohibit the disclosure of PHI in all circumstances and explicitly allows disclosure when required by law and for health oversight, law enforcement, crime reporting, military and veterans’ activities, national security and intelligence activities, organ and tissue donation, abuse and neglect reporting, judicial and administrative proceedings, public health surveillance, public health and safety, public benefits programs, treatment, payment, health care fraud reporting, health plan audits, health care operations, and certain research purposes. 6

The U.S. Constitution specifically dictates that when there is conflict between federal and state law, federal law prevails when preemption is the clear and manifest purpose of Congress. 38 As federal law, HIPAA supersedes state privacy statutes. However, HIPAA only establishes minimum privacy protections and outlines basic principles for protecting PHI while recognizing that state law may impose more stringent requirements. State privacy laws are not preempted by HIPAA when the state law offers greater privacy protection or when the state law requires reporting. 4
