Patient privacy involves a complex interplay between human behavior, organizational policies, laws and regulations, and the technical aspects of computer security. Human behavior is not something informatics nurse specialists can predict or control with much success, so the content here focuses on policy, law and regulation; the technical security side is covered at the link above.
Over the last decade the growing use and availability of health information technology (HIT) has made the public concerned about the confidentiality and privacy of their personal data and health records. The privacy issues surrounding electronic communication between patient and physician have become a global concern. Most patients worry about hackers violating the trust and security of their electronic medical records (EMR). The Privacy Rule sets the national standards that protect individuals’ personal health information (PHI) and gives patients increased access to their medical records. Critics of the HIPAA Privacy Rule are gravely concerned about the limits on, and the circumstances under which, an individual’s protected health information may be used or disclosed by healthcare entities. The confidentiality relationship, and “Primum non nocere,” which was Hippocrates’s (380 – 460 B.C.) mantra, have been part of the oath taken by medical students worldwide at graduation ceremonies. The Hippocratic oath was first used by the French in 1804 for their medical students (Markel, 2004). Taking the oath did not become part of American medical schools until 1906. The patient-physician relationship is based upon trust, respect and “first do no harm,” and confidentiality is the main pillar of this sacred relationship.
The American Nurses Association (ANA) has its own position on patient privacy. A formal privacy position statement published by the ANA (2006) states that advances in technology, such as EMRs, health system databases, the Internet and telehealth, have invited intentional and unintentional breaches of patient privacy and confidentiality. “Protection of privacy/confidentiality is essential to the trusting relationship between health care providers and patient” (ANA, 2006).
1. the state of being private; retirement or seclusion.
2. the state of being free from intrusion or disturbance in one's private life or affairs: the right to privacy.
The Common Framework helps health information networks share information among their members and nationwide while protecting privacy and allowing for local autonomy and innovation. It consists of a set of 17 mutually reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. It was developed by experts in information technology, health privacy law, and policy, and has been tested since mid-2005 by Connecting for Health prototype teams in three states: California, Indiana, and Massachusetts. Each of the three prototype communities has made its source code and testing interface available.
Regional Health Information Organizations (RHIOs) promote the sharing of health care data and can take many different forms. The Health Insurance Portability and Accountability Act of 1996 provides some guidelines for privacy protection. However, most states have stricter guidelines, which causes difficulty when RHIOs form across these jurisdictions.
The price tag on lawsuits against entities in the "chain of breach" could cost a firm millions in defense costs, whether or not it is found liable. Entities should seek full defense and indemnity coverage for all data breach and privacy perils regardless of the source of liability or the security framework in place. An insurer’s duty to defend and duty to indemnify are separate and distinct, and the duty to defend is broader than the duty to indemnify. The duty to defend is triggered by the third party’s allegations, whereas the duty to indemnify is based on the established facts of the case and the specific terms of the policy. Given the potential multi-million dollar cost of defense, it may be worthwhile to purchase data breach coverage solely to pay for defense costs, although most entities that purchase it intend to address catastrophic damages under the indemnity coverage part (Kalinich, 2008).
"HIPAA" is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:
More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:
Who is affected? Virtually all healthcare organizations – including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers – as well as life insurers, information systems vendors, various service organizations, and universities.
Are there penalties? HIPAA calls for severe civil and criminal penalties for non-compliance, including:
– fines up to $25K for multiple violations of the same standard in a calendar year
– fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
How are healthcare organizations affected? Broadly and deeply. Required compliance responses aren't standard, because organizations aren't. For example, an organization with a computer network will be required to implement one or more security authentication access mechanisms – "user-based," "role-based," and/or "context-based" access – depending on its network environment.
The Rules Under HIPAA
HIPAA's "Administrative Simplification" provision is composed of four parts, each of which has generated a variety of "rules" promulgated by the Department of Health and Human Services. The four parts of Administrative Simplification are:
The term "Electronic Health Transactions" includes health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions. In the past, health providers and plans have used many different electronic formats to transact medical claims and related business. Implementing a national standard is intended to result in the use of one format, thereby "simplifying" and improving transaction efficiency nationwide. Virtually all health plans must adopt these standards. Providers using non-electronic transactions are not required to adopt the standards for use with commercial healthcare payers. However, Medicare requires electronic transactions, so all Medicare providers must adopt the standards for these transactions; if they do not, they will have to contract with a clearinghouse to provide translation services. Health organizations must also adopt standard code sets for use in all health transactions. For example, the coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and the actions taken, must become uniform. All parties to any transaction will have to use and accept the same coding, which reduces errors and duplication of effort. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses and providers, which should ease the transition to them.
Privacy rules require a balance between a worker's reasonable expectation of privacy and an employer's need to maintain a safe, secure, and productive workplace. The U.S. Constitution's Fourth Amendment, which prevents unreasonable searches and seizures, covers public employers only. However, some states have included privacy protections for private employees in their state constitutions.
Among the federal laws with which private employers must comply: employers that obtain information about employees under the Americans with Disabilities Act, the Family and Medical Leave Act, and the Rehabilitation Act of 1973 must ensure that the information is kept confidential. This information should be kept in a separate file.
The Americans with Disabilities Act (ADA) allows an employer to require a physical exam only after the employer makes an offer of employment, and only if the employer requires the exam of all potential employees in the same job category.
There are four types of drug testing: random, reasonable suspicion, pre-employment, and post-accident. Random drug testing is the hardest to justify, especially for jobs that have nothing to do with public safety. Reasonable suspicion drug testing requires that managers be well trained to spot the signs of drug use, she said. She said post-accident drug testing should be limited to situations in which an employee caused significant damage to a person or to a piece of property or equipment.
Internal Investigations: Workspaces, Lockers, and Vehicles
The first step employers should take before beginning an internal investigation is to ask whether there is any law or rule that prevents the employer from gaining access to the information the employer seeks, Wilbur said. He said most rules in the privacy context involve the balance between the employee's reasonable expectation of privacy and the employer's reason for wanting the information. He noted that employers can lower workers' expectations of privacy with policies that put workers on notice. Topliff said that employers should have a policy stating that employees have no expectation of privacy when they are using company property such as computers and copiers. If an employer is monitoring employees, the employer should have a policy and communicate it to employees, she said. She said employers should also ensure that managers are good role models for employees in terms of the personal use of company property. When it comes to enforcing policies on the personal use of company property, employers should consider whether the employee is getting his or her work done, Topliff said.
Patient Protection and Rights
The new privacy regulations ensure a national floor of privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. Key provisions of these new standards include:
References:
American Nurses Association. (2006). Position statement: Privacy and confidentiality. Retrieved March 26, 2007, from www.nursingworld.org
IT & Telecom. (2008). HB 1298. Retrieved March 31, 2008, from www.fridlnet.com/product
Kalinich, K. (2008). Insurance for breaches of data privacy and information security. AON. Retrieved March 31, 2008, from www.networkworld.com