HIPAA privacy: what is the dilemma?We were asked to respond to the concerns raised by Drs. Herman and Peel regarding the HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, privacy rule. In their article they contend: * Elimination of the consent requirement creates an open book for all Americans' medical records * HIPAA interferes with the physician-patient relationship physician-patient relationship Medical malpractice A formal or inferred relationship between a physician and a Pt, which is established once the physician assumes or undertakes the medical care or treatment of a Pt; the establishment of a PPR is 'automatic' in and creates new ethical conflicts for physician executives and * HIPAA privacy notices are inaccurate or incomplete Recognizing the privacy rule has generated some stress and confusion for physician executives, our conclusion is that the HIPAA privacy rule actually strengthens the physician-patient relationship and offers a new set of tools and resources for physician executives tasked with managing patient privacy issues within their organizations. Elimination of the consent requirement did not create an open book for all Americans' medical records. The HIPAA privacy rule granted all Americans a core set of federal rights and protections related to their medical record information while preserving those existing state laws that provide greater rights and protections. These regulations reinforce the long-standing ethical duty of all physicians to maintain patient confidentiality patient confidentiality Medical practice A Pt's right to privacy and freedom from public dissemination of information that the Pt regards as being of a personal nature. See HIPAA, Medical privacy. . The privacy rule provides a national framework from which to meet those ethical obligations while keeping in mind a need for balance between privacy and availability of information for the provision of and payment for health care. Elimination of the burdensome consent provision is one example of how this balance is being reached. Under earlier versions of the rule, regulators proposed a requirement that mandated written patient "consent" be obtained prior to any use or disclosure of protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the (PHI phi n. Symbol  The 21st letter of the Greek alphabet.PHI, n See health information, protected. ). This included exchanges of routine information needed in order to simply make a referral to a specialist, or have a prescription filled. In the preamble A clause at the beginning of a constitution or statute explaining the reasons for its enactment and the objectives it seeks to attain. Generally a preamble is a declaration by the legislature of the reasons for the passage of the statute, and it aids in the interpretation of of the December 28th, 2000 final privacy rule, it was acknowledged that, "it would be difficult, if not impossible, for health care providers to treat their patients and run their business without being able to use or disclose protected health information for these purposes (treatment, payment and health care operations)." (65 Federal Register 82649 (Dec. 28, 2000)) After months of discussion and comment from a very broad range of constituents, including providers and patients, a reasonable determination was made that consent would not be required for exchanges for purposes of treatment, payment and health care operations (TPO (Twisted Pair Only) Refers to the use of twisted pair wire when other options are available. For example, a TPO suffix at the end of 3com Ethernet adapter model numbers indicates the card has only an RJ45 connector. ). Instead, providers would be required to make a good faith effort to obtain the patient's written acknowledgement (45 CFR CFR See: Cost and Freight [section] 164.520(c)(2)(B)(ii)) of receipt of the notice of privacy practices. The version also emphasized the providers' obligation to use and disclosure only the "minimum necessary" (45 CFR [section] 164.514(d)) information needed to effectuate ef·fec·tu·ate tr.v. ef·fec·tu·at·ed, ef·fec·tu·at·ing, ef·fec·tu·ates To bring about; effect. [Medieval Latin effectu the care, payment or health care operation associated with that exchange. This minimum necessary provision provides an added layer of scrutiny to the process of exchanging PHI. Both the "sender" and the "recipient" of PHI, have the burden of not only limiting the amount and type of information exchanged, but also the "use" of that information once exchanged. The HIPAA privacy rule places much greater constraints on the use and dissemination dissemination Medtalk The spread of a pernicious process–eg, CA, acute infection Oncology Metastasis, see there of PHI than ever existed prior to HIPAA. Furthermore, the privacy rule requires that prior to every exchange that the covered entity verifies the identity and authority of the person requesting the PHI. This validation process--another added layer of scrutiny--protects the patient from having his or her information disclosed to unintended or unauthorized recipients. Every covered entity with access to PHI, and every covered entity's business associates, are now subject to voluminous rules and procedures dictating who can receive PHI, how they can receive it, when they can receive it and why they can receive it. Prior to HIPAA, few states had any procedural protections in place, and even fewer states offered the patient any rights with regard to how their health care information was shared or maintained. No harm to physician/patient relationship The privacy rule does not interfere with the physician/patient relationship and does not create new ethical conflicts for physician executives. Physicians have long dealt with conflicts of interest. No group is more aware of this than physician executives, each of whom must balance the interests of their organization against the interests of their patients and patients' families. Physicians, indeed, have a duty to their patients first; however, this duty does not allow a physician to simply overlook other obligations to legitimate interests such as family members, hospitalization hospitalization /hos·pi·tal·iza·tion/ (hos?pi-t'l-i-za´shun) 1. the placing of a patient in a hospital for treatment. 2. the term of confinement in a hospital. utilization directors, insurance companies (who pay the bill) attorneys, etc. Physician executives now have a powerful added tool in their arsenal to protect and maintain patient privacy standards within their organization, as well as additional rules that allow for the protection and limited use of PHI for purposes of health care operations. The HIPAA regulations provide physician executives with greater authority to assert and maintain privacy standards on behalf of patients and families. Unlike the "Golden Rule," the HIPAA privacy standards impose specific duties and obligations upon all covered entities, including obligations to track the flow of PHI between entities and to provide an accounting to patients and families with respect to the sharing of PHI for any purpose other than TPO. It is clear that patients will not divulge health care information to physicians if there is no trust. A strong physician/patient relationship is vital to the successful diagnosis and treatment of the patient. HIPAA's privacy rule--a rule that codifies the obligations of each covered entity to protect and secure all patient information maintained by such organizations--enhances patient and family confidence in the integrity of the physician/patient relationship. However, the physician's obligation to the patient to provide confidentiality is an ethical obligation that is not absolute. For example, in the case Tarasoff v. Regents of the University of California Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 (Cal. 1976), was a case in which the Supreme Court of California held that mental health professionals have a duty to protect individuals who are being threatened with bodily (17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 (Cal. 1976)) the court ruled that a psychotherapist psy·cho·ther·a·pist n. An individual, such as a psychiatrist, psychologist, psychiatric nurse, or psychiatric social worker, who practices psychotherapy. has a positive duty to take reasonable steps to protect third parties from harm, stating "the protective privilege (of confidentiality) ends where the public peril begins." Physicians are required to report such things as suspected child or elder abuse Elder Abuse Definition Elder abuse is a general term used to describe harmful acts toward an elderly adult, such as physical abuse, sexual abuse, emotional or psychological abuse, financial exploitation, and neglect, including self-neglect. , gunshot wounds, STDs, or other infectious diseases infectious diseases: see communicable diseases. . SARS, for example, would be a reportable event. Privacy notices HIPAA privacy notices should not be inaccurate or incomplete. "Consumers do not what to be barraged with an excess of paperwork even if the intent is protect their privacy," wrote Rick Pollack pollack: see cod. pollack or pollock Either of two commercially important North Atlantic species of food fish in the cod family (Gadidae). of the American Hospital Association American Hospital Association (AHA), n.pr a nonprofit national organization of individuals, institutions, and organizations engaged in direct patient care. The association works to promote the improvement of health care services. in a letter to George W. Bush dated Dec. 4, 2001. The HIPAA privacy rule requires that each covered entity provide patients with a Notice of Privacy Practices intended to inform patients of the routine uses and disclosures of their health care information and provide them with contact information should they desire more specific information. Of more importance, patients now have a uniform statutory right to an accounting of those uses and disclosures as well as the right to seek specific restrictions in the use and disclosure of their protected health information. Health care consumers are overwhelmed o·ver·whelm tr.v. o·ver·whelmed, o·ver·whelm·ing, o·ver·whelms 1. To surge over and submerge; engulf: waves overwhelming the rocky shoreline. 2. a. with state and federal paperwork required to initiate even the simplest clinical encounter. Patients have limited capacity for additional detail. HIPAA recognizes this and allows patients more access to detailed information should they want or need such detail. Privacy notices should accurately inform patients as to how their PHI will be used, reflecting both state and federal requirements intended to maintain privacy and confidentiality of those records. If privacy notices do not meet those standards, they are not meeting the intent of HIPAA It is important for physicians to know their state health laws, as well as the federal privacy laws. However, no law can be written so carefully that it cannot be abused by individuals who choose to act in an inappropriate manner. Before HIPAA and after HIPAA that remains true. Therefore, it is the ethical duty of all physicians to maintain patient confidentiality and to only allow that information to be used in matters of patient care that promote the interests of the patients. IN THIS ARTICLE ... But others say the HIPAA privacy rule actually strengthens protection for patients and improves the physician/patient relationship. Richard Stubbs Richard Stubbs (born 1958 in Brighton, Victoria) is an Australian comedian. Stubbs started his career in radio in the early 1980s on 3XY as part of the XYZoo team. Early in his television career, Stubbs appeared as a performer and a writer on , MD, MBA MBA abbr. Master of Business Administration Noun 1. MBA - a master's degree in business Master in Business, Master in Business Administration , CPE (Customer Premises Equipment) Communications equipment that resides on the customer's premises. CPE - Customer Premises Equipment , FACPE FACPE Fellow of the American College of Physician Executives , is vice president of medical affairs at MultiCare Health System in Tacoma, Wash. He can be reached by phone at 253-403-1087 or by e-mail at richard.stubbs@multicare.org. [ILLUSTRATION OMITTED] Laird laird n. Scots The owner of a landed estate. [Scots, from Middle English lard, variant of lord, owner, master; see lord. A. Pisto is Associate General Counsel for MultiCare Health System. He can be reached by phone at 253-403-1186 or by e-mail at Laird.Pisto@multicare.org Cherbon VanEtten is the HIPAA Program Manager for MultiCare Health System. She can be reached by phone at 253-403-7244 or by e-mail at cherbon.vanetten@multicare.org. [ILLUSTRATION OMITTED] By Richard Stubbs, MD, MBA, CPE, FACPE, Laird Pisto, JD and Cherbon VanEtten |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion