Privacy in the Physician’s Office





Learning Objectives



Vocabulary


avert: To see coming and ward off or avoid.

bleak: Not hopeful or encouraging.

business associates: Individuals or organizations that perform or assist a covered entity in the performance of a function or activity involving the use or disclosure of individually identifiable health information.

complainant (kuhm-pla′-nuhnt): The person making a complaint against another person and/or organization.

covered entities: As defined by HIPAA, organizations that transmit information in an electronic form during a transaction.

divulge (duh-vuhlj′): To make known, as a confidence or secret.

due diligence: The effort made by an ordinarily prudent or reasonable party to prevent harm to another party or oneself; doing everything possible to prevent something negative from happening; also called due care.

electronic fund transfer (EFT): The movement of funds between different accounts in the same or different banks using wire transfer, automated teller machines (ATMs), or computers, without the use of paper documents.

electronic media: The means of electronic transmission, including the Internet, private networks, dial-up phone lines, and fax modems; includes information moved from one place to another while stored on an electronic device.

electronic remittance advice (ERA): An explanation that accompanies checks and relays details of the payment sent to the provider from the insurance company or other third-party provider.

healthcare providers: Providers of medical or health services, individually or as organizations, that furnish, bill for, or are paid for services or products.

incidental disclosure: A secondary use of health information that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted.

individually identifiable health information: Any part of a patient’s health record that is created or received by a covered entity.

inferred: Derived as a conclusion from facts and premises.

Office for Civil Rights (OCR): The division of the federal government that enforces privacy standards.

Office of the Inspector General (OIG): An office of the U.S. Department of Health and Human Services that conducts audits, investigations, and inspections involving laws pertaining to health and human services.

personal health information (PHI): The patient’s own information that pertains to his or her health.

preclude: To rule out in advance.

prevalent: Generally or widely accepted, practiced, or favored.

privacy officer: A person designated to ensure compliance with privacy standards for a covered entity.

protected health information (PHI): Any individually identifiable health information that may be transmitted and/or maintained in electronic form.

transactions: As defined by HIPAA, transmissions of information between two parties to carry out financial or administrative activities related to healthcare.

verbiage: A manner of expressing oneself in words.


Scenario


Sabrina Ragland, a medical assistant with 12 years of experience, works for a gastroenterologist, Dr. Tim Taylor. Her mother-in-law, Elsa Ragland, has been a registered nurse (RN) for 40 years. For more than half of her career, Elsa has worked for a local internist, Dr. Royce Berry. A casual comment at a Ragland family picnic resulted in a medical professional liability lawsuit based on violation of patient privacy. Sabrina’s and Elsa’s careers were jeopardized by a simple exchange of what seemed to be innocent information.


Vivian Adams, a 42-year-old hospital insurance biller, saw Dr. Berry in his office for pain in the lower left quadrant. Ms. Adams was not a new patient, but she had not visited the office in approximately 2 years.


When she arrived for her appointment, she was presented with the office privacy policy and was asked to sign the document. Vivian glanced through it, signed it, and saw the doctor. He performed an examination and found that Vivian likely was suffering from irritable bowel syndrome (IBS); he then prescribed medication. Ms. Adams called the physician 1 week later, complaining that she was no better. Dr. Berry changed her medication without seeing her and did not hear from her again, other than her requests for refills of the IBS medication.


After 6 months with no improvement, Ms. Adams went to Dr. Taylor; he performed several diagnostic tests and told Ms. Adams that she had colon cancer. She was given a bleak prognosis. She told Dr. Taylor that she blamed Dr. Berry for not being more thorough in his testing. Sabrina was in the room and heard the comment.


That weekend at the picnic, Sabrina mentioned Ms. Adams to her mother-in-law and stated that the patient might sue Dr. Berry, although the patient never said those words. Elsa defended Dr. Berry and proclaimed that he was a good doctor, then expressed her hope that Ms. Adams would not sue her employer. One week later, Elsa was in a grocery store and saw Ms. Adams. Elsa immediately expressed her sympathy about the diagnosis and then asked whether there was anything she could do. Her intent was to be kind and to try to avert litigation against Dr. Berry. Her gesture might have been well received had Ms. Adams’ daughter, Terri, not been with her. Terri was not yet aware that her mother had been diagnosed with cancer. Ms. Adams had told no one about her illness at that point. After the incident at the grocery store, the first person Ms. Adams called was her attorney.


While studying this chapter, think about the following questions:



The creation of privacy and security laws was a huge step toward more efficient healthcare and faster reimbursements. However, technology often forces organizations to move forward somewhat quickly. Healthcare facilities with already strapped budgets sometimes view such innovations as a hindrance. Compliance officers at larger facilities may wonder whether additional federal regulations are necessary.


Many healthcare workers believe that they can say nothing to anyone, about any patient, at any time. When employees of the physician’s office gain an understanding of the compliance HIPAA requires, they can feel secure in their dealings with patients and other individuals.


Health Insurance Portability and Accountability Act


The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. The act is a group of laws that affect employees of healthcare facilities, insurance companies, or other covered entities and the patients they serve. The federal government required all covered entities to be in compliance with HIPAA by April 14, 2003 (small healthcare plans received an extra year to comply). As technology advances and health records become computerized, legislation dealing with privacy is imperative. HIPAA was developed partly to help ensure the confidentiality of medical records. The statute applies to records created or maintained by healthcare providers, health plans, and healthcare clearinghouses that engage in certain electronic transactions. The Office for Civil Rights, a division of the Department of Health and Human Services (DHHS), oversees the administration of HIPAA.


HIPAA’s Privacy Rule includes the following requirements.



• Patients must give specific authorization before entities covered by the regulation can use or disclose protected information in most nonroutine circumstances, such as releasing information to an employer or for use in marketing activities. Doctors, health plans, and other covered entities must follow the rule’s standards for the use and disclosure of personal health information.


• Covered entities generally must provide patients with written notice of their privacy practices and patients’ privacy rights. The notice must include information that might be useful for patients choosing a health plan, physician, or other provider. Patients generally are asked to sign or otherwise acknowledge receipt of the privacy notice from direct treatment providers.


• Pharmacies, health plans, and other covered entities must obtain an individual’s specific authorization before sending marketing materials. Pharmacies and other covered entities are explicitly forbidden to sell personal medical information to a business that would market its products or services under a business associate agreement. Physicians and other covered entities are allowed to communicate freely with patients about treatment options and other health-related information, including disease management programs.


• Ultimately, patients generally will be able to access their personal medical records and request changes to correct any errors. In addition, patients generally could request an accounting of nonroutine uses and disclosures of their health information. Remind patients that they may be charged for copies of their medical record; this is an ethical practice for the physician’s office.


Many healthcare organizations are concerned about the cost of implementing and maintaining measures for complying with the privacy regulations. However, the benefits of the Privacy Rule far outweigh the inconveniences of compliance.


Effect of the HIPAA Privacy Rule


The HIPAA Privacy Rule created national standards to protect individuals’ medical records and other personal health information (PHI). This group of laws was the first enacted to protect patients’ privacy. The Privacy Rule benefits both patients and healthcare providers:



Under the few laws that existed before the HIPAA Privacy Rule, personal health information could be distributed to others without notifying the patient or obtaining his or her authorization, even if the information exchange had nothing to do with the patient’s medical treatment or healthcare reimbursement. A health plan could pass patient information to a financial lender, who might then deny the patient a home mortgage or credit card based on the health history. Employers could obtain health information and use it in personnel decisions. Because computers make information exchange so much easier, laws had to be enacted to protect patients’ privacy.


Note that the abbreviation PHI has more than one meaning in medical terminology. PHI stands for both personal health information, which relates to the patient, and protected health information, which relates to information transmitted electronically. Always consider the context in which these abbreviations are used when interpreting information related to the electronic medical record.


Title I and Title II Provisions


HIPAA has two provisions, Title I and Title II. Title I covers insurance reform, and Title II deals with administrative simplification. Title I limits the use of pre-existing health conditions, which in the past prevented an employee from obtaining health insurance coverage or limited that coverage. If an individual left a job with insurance coverage and attempted to secure new coverage, a pre-existing health condition often would preclude that person from obtaining coverage for that illness. Many individuals were refused any coverage at all, especially if the condition was a serious one, such as a heart condition or high blood pressure. Today, because of HIPAA laws, discrimination against individuals in poor health now or in the past is prohibited. The regulations limit the use of pre-existing condition exclusions and guarantee that certain individuals can purchase healthcare insurance after leaving or losing a job.


The Consolidated Omnibus Budget Reconciliation Act (COBRA) was passed by Congress in 1986. COBRA provides certain former employees, retirees, spouses, former spouses, and dependent children with group health coverage. The premium usually is higher than that paid during employment but still usually lower than for individual health coverage. Most people who lose their job for any reason have difficulty paying for COBRA coverage.


Certain criteria must be met to qualify for COBRA coverage. The company must have at least 50 employees to be required to offer COBRA to its employees. The employees need not all be full-time workers; certain calculations allow part-time workers to be counted to reach the 50-employee benchmark. Also, the employee must be a “qualified beneficiary” to receive COBRA benefits. A qualified beneficiary is an individual who was covered under the healthcare plan the day before a qualifying event. A qualifying event is an incident that would cause an employee to lose healthcare coverage.


The goal of Title II is to reduce administrative costs in the healthcare industry. Often goals sound simple, but many steps must be taken to reach a goal. Many different objectives must be met to simplify the administrative costs involved in patient care. Several agencies must work together and agree on various regulations. They must share information and resources. Agencies must compromise and “give and take” when forming policies or working toward administrative goals.



Provisions of Administrative Simplification


Electronic media are used daily in modern physicians’ offices and healthcare facilities. Because computer use has become prevalent, patients have begun to express concern about who sees protected health information (PHI) and what is done with that information.


Title II of HIPAA has two parts:



The second part of the administrative simplification provision deals with the privacy, confidentiality, and security of PHI and is the focus of this chapter.


Patients’ Rights


Separate from the Patient’s Bill of Rights, HIPAA provides for several patients’ rights:



These rights are the heart of the HIPAA Privacy Rule. They must be protected by all involved in the healthcare profession.


Right to Notice of Privacy Practices


Patients have the right to a copy of the Notice of Privacy Practices used in the physician’s office (Figure 17-1). A copy of this document also must be prominently displayed in the office. These privacy practices are developed by the individual facility and must be written in language that patients will understand. Patients should be given a copy of the Notice of Privacy Practices and should sign an acknowledgment that they received it. If a patient refuses to sign the acknowledgment, the medical assistant can note that the document was offered to the patient and the person refused to sign. This proves due diligence on the part of the office and that a good faith effort was made to provide the patient with privacy information. Most patients sign the document. Be prepared to explain the Notice of Privacy Practices to patients. It must include:



Apr 6, 2017 | Posted in MEDICAL ASSISTANT
