Privacy in the Physician’s Office
Learning Objectives
1. Define, spell, and pronounce the terms listed in the vocabulary.
2. Explain how the HIPAA Privacy Rule benefits the healthcare industry and patients.
3. Explain the difference between Title I and Title II of the Privacy Rule.
4. List the rights of patients under the Privacy Rule.
5. List the elements that must be included in a Notice of Privacy Practices.
6. Briefly explain what is expected of healthcare providers under the Privacy Rule.
7. Describe an incidental disclosure.
8. List the three instances when a parent is not considered the child’s representative.
10. Discuss the role of the Notice of Privacy Practices in emergencies.
Vocabulary
avert To see coming and ward off or avoid.
bleak Not hopeful or encouraging.
complainant (kuhm-pla′-nuhnt) The person making a complaint against another person and/or organization.
covered entities As defined by HIPAA, organizations that transmit information in an electronic form during a transaction.
divulge (duh-vuhlj′) To make known, as a confidence or secret.
electronic fund transfer (EFT) The movement of funds between different accounts in the same or different banks using wire transfer, automated teller machines (ATMs), or computers, without the use of paper documents.
electronic remittance advice (ERA) An explanation that accompanies checks and relays details of the payment sent to the provider from the insurance company or other third-party provider.
healthcare providers Providers of medical or health services, individually or as organizations, that furnish, bill for, or are paid for services or products.
incidental disclosure A secondary use of health information that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted.
individually identifiable health information Any part of a patient’s health record that is created or received by a covered entity.
inferred Derived as a conclusion from facts and premises.
Office for Civil Rights (OCR) The division of the federal government that enforces privacy standards.
Office of the Inspector General (OIG) An office of the U.S. Department of Health and Human Services that conducts audits, investigations, and inspections involving laws pertaining to health and human services.
personal health information (PHI) The patient’s own information that pertains to his or her health.
preclude To rule out in advance.
prevalent Generally or widely accepted, practiced, or favored.
privacy officer A person designated to ensure compliance with privacy standards for a covered entity.
protected health information (PHI) Any individually identifiable health information that may be transmitted and/or maintained in electronic form.
verbiage A manner of expressing oneself in words.
Scenario
Sabrina Ragland, a medical assistant with 12 years of experience, works for a gastroenterologist, Dr. Tim Taylor. Her mother-in-law, Elsa Ragland, has been a registered nurse (RN) for 40 years. For more than half of her career, Elsa has worked for a local internist, Dr. Royce Berry. A casual comment at a Ragland family picnic resulted in a medical professional liability lawsuit based on violation of patient privacy. Sabrina’s and Elsa’s careers were jeopardized by a simple exchange of what seemed to be innocent information.
Vivian Adams, a 42-year-old hospital insurance biller, saw Dr. Berry in his office for pain in the lower left quadrant. Ms. Adams was not a new patient, but she had not visited the office in approximately 2 years.
When she arrived for her appointment, she was presented with the office privacy policy and was asked to sign the document. Vivian glanced through it, signed it, and saw the doctor. He performed an examination and found that Vivian likely was suffering from irritable bowel syndrome (IBS); he then prescribed medication. Ms. Adams called the physician 1 week later, complaining that she was no better. Dr. Berry changed her medication without seeing her and did not hear from her again, other than her requests for refills of the IBS medication.
After 6 months with no improvement, Ms. Adams went to Dr. Taylor; he performed several diagnostic tests and told Ms. Adams that she had colon cancer. She was given a bleak prognosis. She told Dr. Taylor that she blamed Dr. Berry for not being more thorough in his testing. Sabrina was in the room and heard the comment.
That weekend at the picnic, Sabrina mentioned Ms. Adams to her mother-in-law and stated that the patient might sue Dr. Berry, although the patient never said those words. Elsa defended Dr. Berry and proclaimed that he was a good doctor, then expressed her hope that Ms. Adams would not sue her employer. One week later, Elsa was in a grocery store and saw Ms. Adams. Elsa immediately expressed her sympathy about the diagnosis and then asked whether there was anything she could do. Her intent was to be kind and to try to avert litigation against Dr. Berry. Her gesture might have been well received had Ms. Adams’ daughter, Terri, not been with her. Terri was not yet aware that her mother had been diagnosed with cancer. Ms. Adams had told no one about her illness at that point. After the incident at the grocery store, the first person Ms. Adams called was her attorney.
While studying this chapter, think about the following questions:
The creation of privacy and security laws was a huge step toward more efficient healthcare and faster reimbursements. However, technology often forces organizations to move forward somewhat quickly. Healthcare facilities with already strapped budgets sometimes view such innovations as a hindrance. Compliance officers at larger facilities may wonder whether additional federal regulations are necessary.
Many healthcare workers believe that they can say nothing to anyone, about any patient, at any time. When employees of the physician’s office gain an understanding of the compliance HIPAA requires, they can feel secure in their dealings with patients and other individuals.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. The act is a group of laws that affect employees of healthcare facilities, insurance companies, or other covered entities and the patients they serve. The federal government required all covered entities to be in compliance with HIPAA by April 14, 2003 (small healthcare plans received an extra year to comply). As technology advances and health records become computerized, legislation dealing with privacy is imperative. HIPAA was developed partly to help ensure the confidentiality of medical records. The statute applies to records created or maintained by healthcare providers, health plans, and healthcare clearinghouses that engage in certain electronic transactions. The Office for Civil Rights, a division of the Department of Health and Human Services (DHHS), oversees the administration of HIPAA.
HIPAA’s Privacy Rule includes the following requirements.
Many healthcare organizations are concerned about the cost of implementing and maintaining measures for complying with the privacy regulations. However, the benefits of the Privacy Rule far outweigh the inconveniences of compliance.
Effect of the HIPAA Privacy Rule
The HIPAA Privacy Rule created national standards to protect individuals’ medical records and other personal health information (PHI). This group of laws was the first enacted to protect patients’ privacy. The Privacy Rule benefits both patients and healthcare providers:
• Patients have more control over their medical records.
• Patients are able to make informed choices about the use of their PHI.
• Boundaries are set on the use and release of health records.
Under the few laws that existed before the HIPAA Privacy Rule, personal health information could be distributed to others without notifying the patient or obtaining his or her authorization, even if the information exchange had nothing to do with the patient’s medical treatment or healthcare reimbursement. A health plan could pass patient information to a financial lender, who might then deny the patient a home mortgage or credit card based on the health history. Employers could obtain health information and use it in personnel decisions. Because computers make information exchange so much easier, laws had to be enacted to protect patients’ privacy.
Note that the abbreviation PHI has more than one meaning in medical terminology. PHI stands for both personal health information, which relates to the patient, and protected health information, which relates to information transmitted electronically. Always consider the context in which these abbreviations are used when interpreting information related to the electronic medical record.
Title I and Title II Provisions
HIPAA has two provisions, Title I and Title II. Title I covers insurance reform, and Title II deals with administrative simplification. Title I limits the use of pre-existing health conditions, which in the past prevented an employee from obtaining health insurance coverage or limited that coverage. If an individual left a job with insurance coverage and attempted to secure new coverage, a pre-existing health condition often would preclude that person from obtaining coverage for that illness. Many individuals were refused any coverage at all, especially if the condition was a serious one, such as a heart condition or high blood pressure. Today, because of HIPAA laws, discrimination against individuals who are in poor health now or were in the past is prohibited. The regulations limit the use of pre-existing condition exclusions and guarantee that certain individuals can purchase healthcare insurance after leaving or losing a job.
The Consolidated Omnibus Budget Reconciliation Act (COBRA) was passed by Congress in 1986. COBRA provides certain former employees, retirees, spouses, former spouses, and dependent children with group health coverage. The premium usually is higher than that paid during employment but still usually lower than for individual health coverage. Most people who lose their job for any reason have difficulty paying for COBRA coverage.
Certain criteria must be met to qualify for COBRA coverage. The company must have at least 50 employees to be required to offer COBRA to its employees. The employees need not all be full-time workers; certain calculations allow part-time workers to be counted to reach the 50-employee benchmark. Also, the employee must be a “qualified beneficiary” to receive COBRA benefits. A qualified beneficiary is an individual who was covered under the healthcare plan the day before a qualifying event. A qualifying event is an incident that would cause an employee to lose healthcare coverage.
The goal of Title II is to reduce administrative costs in the healthcare industry. Often goals sound simple, but many steps must be taken to reach a goal. Many different objectives must be met to simplify the administrative costs involved in patient care. Several agencies must work together and agree on various regulations. They must share information and resources. Agencies must compromise and “give and take” when forming policies or working toward administrative goals.
Provisions of Administrative Simplification
Electronic media are used daily in modern physicians’ offices and healthcare facilities. Because computer use has become prevalent, patients have begun to express concern about who sees protected health information (PHI) and what is done with that information.
Title II of HIPAA has two parts:
The second part of the administrative simplification provision deals with the privacy, confidentiality, and security of PHI and is the focus of this chapter.
Patients’ Rights
Separate from the Patient’s Bill of Rights, HIPAA provides for several patients’ rights:
• The right to notice of a facility’s privacy practices
• The right to have access to, view, and obtain a copy of their PHI
• The right to restrict certain parts or uses of their PHI
• The right to request that communications from the facility be kept confidential
• The right to request that the facility amend the PHI
• The right to receive notice of all disclosures of their PHI
These rights are the heart of the HIPAA Privacy Rule. They must be protected by all involved in the healthcare profession.
Right to Notice of Privacy Practices
Patients have the right to a copy of the Notice of Privacy Practices used in the physician’s office (Figure 17-1). A copy of this document also must be prominently displayed in the office. These privacy practices are developed by the individual facility and must be written in language that patients will understand. Patients should be given a copy of the Notice of Privacy Practices and should sign an acknowledgment that they received it. If a patient refuses to sign the acknowledgment, the medical assistant can note that the document was offered to the patient and that the person refused to sign. This proves due diligence on the part of the office and shows that a good faith effort was made to provide the patient with privacy information. Most patients sign the document. Be prepared to explain the Notice of Privacy Practices to patients. It must include: