Objectives:
Analyze the court's role in healthcare (HC) information and litigation
Examine patient's (px) medical record requirements and common issues
Summarize the common-law basis for confidentiality
Apply privacy rules (PR) to px information
Describe OSHA's safety rules
Identify special types of health information
Recognize special rules and social-policy issues of HIV px's
Evaluate risk management's effect on quality and electronic medical records
Slide 2
Health Information and the Courts
Medical Record - document that includes a px's history, condition, diagnostic, and therapeutic treatment and the result of the treatment
as patient's history - contains medical history, report and medication, and details for overall care
as legal evidence
documentary evidence - paper or documents such as medical record
testimonial evidence - witness statements
real evidence - tangible things, e.g., scalpel
demonstrative evidence - helps illustrate a testimony, e.g., charts, x-ray, recording, or model
Admissibility of Evidence
Relevant evidence - if it tends to prove/disprove an issue significant to the case
Competent evidence - the evidence the court should accept as proof
Hearsay - secondhand evidence in w/c witnesses aren't telling what they know personally but rather what others have said to them
Exception Requirements:
there is evidence that records were made during business hours at/near the time and by a person w/knowledge of the info
record must be accurate and trustworthy -- may require additional testimony
Slide 3
Doctor-Patient Privilege - a relationship in w/c px's medical history, conditions, and related information cannot be made known without the px's permission; obligation of physicians not to testify about statements made to them by their px
Court order - used when releasing the information; w/o this order, statutes or regulations would be violated; a valid court order identifies:
court issuing the order
parties to the case
case number
limitations on disclosure
signed by judge
Subpoena - a command issued by the court
subpoena ad testificandum - witness is ordered to appear and give testimony
subpoena duces tecum - witness is ordered to produce documents or things
Precautions in answering a subpoena:
if it requires written consent from the px
if the info requested involves treatment for substance abuse, mental health, AIDS, or other special types of info having additional confidentiality requirement
refer to counsel for advice on how to respond to questionable requests
Slide 4
Health Information Manager should:
Justify the refusal to release
File a motion to quash the subpoena (an objection to disclosure of information)
Slide 5
Creating and Maintaining Medical Records
Clinical Uses:
repository used in diagnosing and treating medical problems
way to exchange info about px's
to monitor performance and quality
Nonclinical Uses:
info for 3rd parties who have financial interests in px's medical condition: insurance companies, employers deciding if px is disabled
scientific studies
potential commercial use of info (pharmaceuticals)
evidence for legal disputes
Author of the medical record = the medical provider who has created the data that appear in the record
Authentication - confirmation of the content of an entry in a medical record; performed by the person who created the data
Requirement - essential to establish the business records hearsay exception (record is created by the person w/firsthand knowledge of the record)
Slide 6
HC providers who make entries in a medical record must do so at the time that the events occur
late entries raise questions about reliability and accuracy
Incomplete records pose danger to the px
The person who made an error should also make the correction
single line through the error (must still be readable), write "error" next to it, and initials of the person making the correction (the one who inputted the error)
in electronic data, "addenda" are generally inserted
Medicare regulations require that providers retain records for a period equal to the applicable statute of limitations
5 yrs for state without relevant statute (Medicare)
should be kept indefinitely or at least for 7-10 yrs after date of last treatment
minors need to reach age of majority (when person becomes an adult)
Patients have the right to have errors corrected in their medical record
If HC worker disagrees with the correction:
px entitled to written notice of the doctor's decision
px also has the right to have included in the record a note on the px's disagreement with what appears there
HC provider's failure to comply = px can sue and recover damages, atty fees, and costs
Abstract - summary of essential points
Certificate of destruction - document that records were properly destroyed in the ordinary course of business
Freeing Storage Space:
Notify licensing authorities of intent to destroy
Compile abstract
Create dated certificate of destruction
Destroy/shred/burn
Slide 7
Confidentiality and Govt. Medical Records
Hippocratic Oath - an oath on the ethical practice of medicine, traditionally taken by physicians
Duty to maintain confidentiality - physicians may not disclose any medical information revealed by px or discovered in connection with the treatment of the px
AMA's Code of Medical Ethics - info disclosed to a physician during the course of doctor-patient relationship is confidential to the utmost degree allowing the px to feel free to make a full and frank disclosure of the info to the physician knowing that he/she will protect the confidential nature of the info disclosed
Legal basis of confidentiality = right of privacy derived from Constitution, statutes, and common law
All 50 states have some form of doctor-patient privilege
Informed Consent - process of communication b/w a doctor and a px in w/c the doctor explains the factors involved in a recommended medical process, resulting in the patient's authorization/agreement to undergo the process
Substituted Consent - an authorized person makes the decision for the person who is unable to do so
Slide 8
Freedom of Information Act (FOIA) - a fed law intended to provide access to govt. records and also creating exceptions to safeguard medical info
Open Record Statutes - create exceptions for medical info, thereby protecting the privacy of health info in the hands of state agencies
Privacy Act of 1974 - fed law prohibiting disclosure of certain medical information by govt. agencies without consent; requires govt. to keep records of disclosure of info
Slide 9
Disclosure of Health Information
Health Insurance Portability and Accountability Act (HIPAA) of 1996 - intended to streamline the processing of HC claims, increase productivity, cut administrative costs, and reduce paperwork by submitting claims electronically
Healthcare providers own medical record because they made it
HIPAA regulations apply to individuals and covered entities - orgs that handle protected health info in any capacity:
Healthcare providers
Health plans - provide or pay the cost of medical care
Healthcare Clearinghouse - processes or facilitates the processing of health information
HIPAA PR requires that px's be given a notice of use and disclosure of patient-specific information
Patient Information Privacy - info concerning a px's health, provision of care, and payment for HC is protected under privacy rule
Protected Health Information (PHI) - includes any identifiable health information
Identifiable Information - data about a specific person
De-identifiable Information - information stripped of data that may identify an individual (not covered by PR)
Limited Data Set - middle ground b/w identifiable and de-identifiable information;
Slide 10
Treatment - the provision, coordination, or management of HC and related services by one or more HC providers including the coordination or management of HC by a HC provider w/a 3rd party
Payment - activities of HC providers to obtain payment or be reimbursed for their services, and the activities of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of HC
Healthcare Operations - certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment
Privacy Rule provides special notes regarding psychotherapy notes that limit use or disclosure without consent
To meet the requirement of other laws, regulations, and court orders, including but not limited to worker's compensation laws, disclosure of PHI is permitted
The minimum necessary standard, a key protection of the HIPAA PR, is derived from confidentiality codes and practices in common use today
When there are issues with minors and a parent representative, the subject matter falls in the hands of the physician if the state is silent
Public Health Authorities - agency of the US govt.; covered entities are:
state
territory
political subdivision
Native American tribe
Entity acting under authority
Slide 11
OSHA Safety Rules
Occupational Safety and Health Administration (OSHA) - created by Congress, it is the entity responsible for enforcing safety rules in the workplace; under the Occupational Safety and Health Act of 1970
NOT COVERED: self-employed, farmer working under immediate family member, hazard in workplace covered by other federal agencies
Whistleblower - employee who informs OSHA of illegal activity (statutes may be 30, 60, 180 days)
Slide 12
Adoption
HIV
Substance abuse
Mental Health
Genetic Information
Non-identifying information - descriptive details about an adopted person and about the adopted person's relatives; provided to adoptive parents at the time of adoption
All 50 states and American Samoa have provisions that allow access to non-identifying info by an adoptive parent/guardian of adopted person who is still a minor
Nearly every state allows an adopted person to have access to non-identifying information about birth relatives, generally upon written request (must be at least 18 yo)
Mutual Consent Registry - system whereby individuals directly involved in adoptions can indicate their willingness/unwillingness to have their identifying info disclosed
Affidavit - written document in w/c the signer swears under oath before an authorized person that the statements in the document are true
Special Types of Health Information
Slide 13
Search-and-consent procedures authorize a public/private agency to assist a party in locating birth family members to determine if they consent to the release of information
Confidential Intermediary System - search-and-consent procedure wherein a person is certified by the court as a confidential intermediary, w/c allows him/her to have access to sealed adoption records to search for the birth family to obtain consent for contact
Substance abuse - refers to excessive use of alcohol/drugs
Federal Law Important for Substance Abuse Information
Drug Abuse Prevention, Treatment, and Rehabilitation Act
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970
Patients with substance abuse problems must be given notice of federal confidentiality requirements upon, or shortly after, being admitted
Treatment Program - can include general medical care facilities if it includes an identified unit of diagnosis, treatment, or referral or if it employs medical staff whose primary duty is to provide such services
Notice of prohibiting redisclosure must accompany any release of substance abuse information
There may be both official record (with legal requirements) and personal record (with therapist's notes, etc.)
Each patient must receive a psychiatric evaluation that must be completed within 60 hrs of admission
Slide 14
Genetic Information Nondiscrimination Act (GINA) 2008 - prohibits health insurance and employment discrimination based on genetic information
Exceptions when info is required for:
compliance with medical and family leave laws
monitoring biological effects of toxic substances in the workplace
genetic analysis for law enforcement
Protection does not apply to disability or life insurance
Human Immunodeficiency Virus (HIV) - suppresses individuals' immune systems, making them more vulnerable to other diseases
Centers for Disease Control and Prevention (CDC) - serves as the national focus for developing and applying disease prevention and control, environmental health, and education activities designed to improve the health of the people of the US
HIV Transmission
High-risk sexual contact
Intravenous drug use
Mother to child around the time of birth
Blood transfusion and other unknown causes
Blood tests are the most common method of testing for HIV
Enzyme Immunoassay - most common screening test used to look for HIV antibodies
Rapid HIV tests can give results in about 20 mins
Slide 15
Consumer-controlled test kits - home test kits licensed in 1997; collecting fluid samples (blood)
Generally, state or federal law may require:
written consent
pretest counseling
disclosure of the results and disclosure for additional testing, etc.
reporting of positive test results to appropriate public health authorities
CDC has recommended routine HIV testing for all Americans between the ages of 13 and 64 as a regular part of their healthcare
Statutes or court orders may order mandatory testing for certain classes of people, e.g., prisoners, individuals convicted of sex crimes
In certain defined situations mandatory HIV testing can be applied to workers, such as when it will affect the working environment of the positive individual; employers need to show a bona fide job-related reason for testing
In some states HIV and AIDS are classified as disabilities; under the Americans with Disabilities Act or similar state law, employers may be required to provide reasonable accommodations for employees with HIV/AIDS
Privacy protections do not prohibit healthcare providers from reporting positive HIV results to public health authorities
Slide 16
Risk management - identifies areas of risk to medical service providers for reducing liability exposure
Joint Commission on Accreditation of Healthcare Organizations (JCAHO) - requires hospitals to implement risk management programs
Loss Prevention - identify those activities, problems, and situations that may result in potential liability for the hospital, its employees, physicians, and even other healthcare providers
Identifying situations of potential risk before they manifest is more important because the cost of preventing a problem is usually less than the cost of damage from the problem
Loss reduction - steps taken after an event or incident occurs; effective when it attempts to minimize the impact of incidents by identifying and responding to the problem quickly
Risk Management Concerns:
Confidentiality must not be compromised
Easy access for treatment is necessary
Records secured from alteration or destruction
Records must be retained for a period no less than the statute of limitations or as otherwise required by the law
Privacy official - responsible for developing and implementing privacy policies and procedures
Risk, Quality, and E-Record Management
Slide 17
Administrative safeguards - example: specifying only certain persons may pull medical files or medical files not in use must be filed immediately
Technical Safeguards - example: use of password to access medical info stored electronically
Physical Safeguards - example: locking the room in which the medical records are stored
HIPAA also requires that healthcare facilities keep the ff. information for 6 years:
records of privacy policy practices and procedures
facility's privacy practices notices
disposition of complaint records about compliance with the final privacy rule
other similar types of info
Incident Report - a form of proper documentation that risk managers must do to document adverse incidents that occur during the treatment of a patient
Incident - anything that happens outside the norm that harms or could harm a person/property
Purpose of Incident Report:
Risk management
Quality control
Slide 18
Typically, the information that should be included is:
description of the incident (with time and location)
identification of the parties involved
observations
steps taken in response to the incident
Method to be taken as response to discovery by a plaintiff:
Attorney-Client Privilege - most likely to be protected by this privilege if it's given only to the attorney representing the healthcare provider
Work Product Doctrine - documents created for the purpose of pending litigation are protected from discovery
Policy to ensure that the Attorney-Client privilege applies may include:
specifying the content of the report
labeling the report "confidential"
addressing the report to the hospital's attorney
limiting disclosure of the report to persons other than the attorney
not including incident report as part of any medical record
Quality Management - controlled by peer review committees (HC professionals monitoring quality of HC services); auditing and reviewing
Slide 19
National Practitioner Data Bank (NPDB) - contains medical malpractice payment and adverse action reports on health care professionals
Adverse actions - suspension or removal of licensure, clinical privileges, professional society membership, and exclusion from Medicare and Medicaid
Entities that make medical malpractice payment for the benefit of the healthcare practitioner must report certain payment information to NPDB
Anyone paying medical malpractice who fails to report in accordance with the Health Care Quality Improvement Act (1986) is subject to a civil money penalty of $11,000.00
Query - a request for information submitted to the NPDB by an eligible entity or authorized agent
National Standards for Electronic Healthcare Transactions - created by HIPAA; makes electronic data interchange (EDI) the preferred alternative to paper processing
Biometric - technology that identifies people through bodily characteristics such as fingerprints, retinal patterns, voice patterns
Biometric identification - can be used to identify a patient and simply secure access to records
Business record exception - when the record was made during the ordinary course of business, at or near the time the event occurred, made by a medical record custodian or person with knowledge of the information in the record
Slide 20
Medical Records Custodian needs to know:
Hardware and software of the system
features that make data secure and reliable
method of data entry and authentication
process to verify trustworthiness of the paper version of the data
Ways to reduce security breaches:
using a good password and changing it frequently
using biometrics instead of password
creating different levels of access based on the need to know
training employees in safe practices
installing appropriate software against hacking, spyware, viruses, etc.
backing up files
storing data in accordance with HIPAA rules
Medical Licensure Issues (Electronic Medical Care)
Physicians need a license in the state where the patient lives or where the physical care is being given
physicians need to obtain a full medical license or both a telemedicine license and a teleradiology license