IUPUI School of Computing and Informatics
S644 / I635 Consumer Health Informatics
Week 11: The Law in Consumer Health: Ethics, Privacy, and Confidentiality

PLEASE NOTE: NEXT WEEK IS AN INDEPENDENT STUDY WEEK: NO ACTIVITIES REQUIRED. I recommend that you take this time to work on your AIP.

Contents
Week 11 Learning Goals and Objectives ... 1
Week 11 Introduction ... 1
Week 11 Readings ... 6
Week 11 Independent Learning Activities ... 6
Week 11 Forum Discussion ... 6

Week 11 Learning Goals and Objectives
- Define and discuss the ways in which legal issues, including information ethics, privacy, and confidentiality, impact information delivery, sharing and usage in consumer health informatics.
- Understand and describe reasons why health consumers may have privacy concerns.
- Describe factors of online resources that are used to assure user privacy, as well as factors that may potentially violate consumer privacy.
- Understand the basic principles and applications of relevant legislation, including HIPAA and others.
- Understand the basic principles and applications of the Patient Bill of Rights and other patient advocacy documents.

Week 11 Introduction
Week 11 focuses on an extremely important area of consumer health: ethics, privacy, and confidentiality. The mini-lecture below provides information about HIPAA, the Privacy Rule, protected health information (PHI) and other U.S. federal rules designed to protect patient privacy and confidentiality.

Guest lecturer, Dr. Anna McDaniel:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two Titles. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and addresses the security and privacy of health information.

HIPAA was first proposed with the simple objective of ensuring health insurance coverage after leaving a job. In addition to these portability provisions, however, Congress added an Administrative Simplification section, with the goal of saving money. The Administrative Simplification section was requested and supported by the healthcare industry because it standardized electronic transactions and required standard record formats, code sets, and identifiers. Following this standardization effort, Congress recognized the need to enhance the security and privacy of individually identifiable health information in all forms. In 1999, Congress directed the Department of Health and Human Services (DHHS) to develop privacy and security requirements in accordance with HIPAA's Title II.[1]

With HIPAA and other federal laws protecting patients' health information, there has been much confusion and misinformation. Below are some common myths about patient privacy:

Health information cannot be faxed – FALSE. Your information may be shared between healthcare providers by faxing the information. But the organizations that send and receive your information by fax must have security policies regarding faxing.

E-mail cannot be used to transmit health information – FALSE. E-mail can be used to transmit information, as long as organizations have a means of protecting the electronic health information, such as encryption and decryption, which protect the information from unwanted access or tampering.

Healthcare providers cannot leave messages for patients on answering machines or with someone who answers the telephone – FALSE. As long as the patient has given the okay for someone else to receive a message, and as long as the answering machine has an outgoing message that gives the person's name or number for verification, a message may be left. Your provider will determine what the message may include, but a message CAN be left.

Your name and location while in the hospital may not be given out without your consent – FALSE. You must specifically ask not to be listed in a hospital's directory if you do not want it known that you are a patient there.

Your healthcare provider must have your approval to disclose your personal health information to another healthcare provider – FALSE. Your provider can share your health information with another provider if there is a reason to believe you will receive care there.

Your doctor cannot discuss your care with your family members – FALSE. Healthcare providers are permitted to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by you regarding your care or payment for healthcare. Your provider may also share relevant information with your family or other persons if it can reasonably infer, based on professional judgment, that you do not object.[2]

The Privacy Rule is a federal regulation defining administrative steps, policies, and procedures to safeguard individuals' personal, private health information (protected health information or PHI). The Privacy Rule is designed to empower patients by guaranteeing them access to their medical records, giving them more control over how their PHI is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised. The rule is designed to protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

The following types of health care organizations are defined as 'covered entities' by the Privacy Rule:
1. All health care providers who choose to transmit certain administrative and financial health information electronically
2. All health plans
3. All health care clearinghouses

Covered entities may disclose health information to persons or organizations they hire to perform functions on their behalf (e.g. legal or accounting services). These 'business associates' would not be permitted, under contractual obligation with the covered entity, to use or disclose protected health information in ways that would not be permitted of the covered entity itself.

The rule defines 'protected health information' as health information that:
1. Identifies an individual and,
2. Is maintained or exchanged electronically or in hard copy.

If the information has any components that could be used to identify a person, it would be protected. The protection would stay with the information as long as the information is in the hands of a covered entity or a business associate. The protections apply to individually identifiable information in any form, electronic or non-electronic. The paper progeny of electronic information is covered (i.e. the information would not lose its protections simply because it is printed out of a computer), and oral communications are also covered.[3]

The Privacy Rule may or may not preempt state law: "Pursuant to the HIPAA law, this rule will preempt state laws that are in conflict with the regulatory requirements with exceptions for certain public health functions and related activities. Stronger state laws (e.g. those covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative; the final rule will set a national 'floor' of privacy standards that protect all Americans. However, certain states have more restrictive privacy provisions and these more restrictive provisions will continue to apply, providing their citizens with additional protections."[4]

Not all state laws are preempted by the Privacy Rule: "HIPAA also carves out certain areas of state authority that are not limited or invalidated by the provisions of HIPAA: these areas relate to public health and state regulation of health plans. In terms of public health, for example, Section 160.203(c) of the regulation states that State law is not preempted if, 'The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.'"[5]

Despite legislation, threats to patient confidentiality still exist. Today, a rapidly changing health care delivery system, increased computerization of medical records, expanded use of data banks, and growing concern that information may be used to withhold services or insurance coverage accentuate the need to understand the prerequisites of confidentiality. Also, as the understanding of genetics expands, one can expect the possible harmful or discriminatory actions resulting from knowledge of a person's genetic code to multiply.

Safeguards need to be enacted. Legislative proposals that address medical record confidentiality, however, are often inadequate. For example, a September 1997 proposal by the U.S. Department of Health and Human Services allowed states to adopt more protective privacy laws and also proposed harsher penalties for breaches in confidentiality. However, this same bill had loopholes that, in effect, broadened the number of agencies, including law enforcement agencies and private corporations, that could have access to medical records. Trust is basic to a successful physician-patient relationship, and a guarantee of confidentiality is at the heart of this trust. Individuals should speak with their physicians, employee benefits manager, managed care provider, and insurance carrier to assure that their confidences are safeguarded.[6]

According to the U.S. Advisory Commission on Consumer Protection and Quality in the Health Care Industry Patient Bill of Rights, patients have the right to talk in confidence with health care providers and to have their health care information protected. Health consumers also have the right to review and copy their own medical records and to request that their physicians change their record if it is not accurate, relevant, or complete.[7]

References:
1. United States Department of Health and Human Services, Centers for Disease Control and Prevention. (2003, April). HIPAA Basic Facts. Available: http://www.cdc.gov/privacyrule/privacyHIPAAfacts.htm
2. American Health Information Management Association. (2006). myPHR: Personal Health Information: A Guide to Understanding and Managing Your Personal Health Information. Common Privacy Myths. Available: http://www.myphr.com/rights/common_myths.asp
3. United States Department of Health and Human Services, Centers for Disease Control and Prevention. (2003, April). HIPAA Basic Facts. Available: http://www.cdc.gov/privacyrule/privacyHIPAAfacts.htm
4. United States Department of Health and Human Services, Centers for Disease Control and Prevention. (2006).
5. Ibid.
6. American Psychiatric Association. (2006). HealthyMinds.org: Confidentiality. Available: http://healthyminds.org/confidentiality.cfm
7. President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry. (1999). Final Report. Available: http://www.hcqualitycommission.gov/

Additional information is available at:
- Fact Sheet: Privacy and Your Health Information. http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_summary.pdf
- Fact Sheet: Your Health Information Privacy Rights. http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_rights.pdf
- HIPAA Privacy Rule and Public Health. http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm
- STORIES FROM THE ROAD: Electronic Health Records Improving Patient Care. http://eng6811.wordpress.com/2010/09/22/stories-from-the-road-electronic-health-recordsimproving-patient-care/

Week 11 Readings
- Nielsen-Bohlman, pp. 301–307
- Nelson & Ball, Chapters 1 and 2
- Lewis, Chapter 12
- Review the National Consumer Privacy Survey, 2005
- Thompson LA, Black E, Duff WP, Paradise Black N, Saliba H, Dawson K. Protected health information on social networking sites: ethical and legal considerations. Journal of Medical Internet Research. 2011;13(1):e8.
- Rains SA, Bosch LA. Privacy and health in the information age: a content analysis of health web site privacy policy statements. Health Communication. 2009 Jul;24(5):435-446.

Week 11 Independent Learning Activities
A. Please read the Patient Bill of Rights at: http://www.cancer.org/docroot/MIT/content/MIT_3_2_Patients_Bill_Of_Rights.asp
B. View this YouTube presentation, considering HIPAA from the organizational/corporate perspective: Protecting Patient Privacy (2:50) http://www.youtube.com/watch?v=B0w0QTsNqbQ

Week 11 Forum Discussion
This week's framing questions are:
- Describe and discuss the Patient Bill of Rights. How can patients' rights be guaranteed when implementing or using informatics applications? What is the responsibility of professional organizations or the federal government toward informatics issues that are impacted by HIPAA and other legislation?
- Define and discuss the ways in which legal issues and legislation, including information ethics, privacy, and confidentiality, impact information delivery, sharing and usage in consumer health informatics.
- What are some of the ongoing threats to patient confidentiality and privacy? Distinguish between REAL threats vs. IMAGINED threats.
- How do protective policies and procedures impact the producers and distributors of consumer health applications on the web, via mobile app, etc.?
- Describe factors or features of consumer health resources that are used to assure user privacy, as well as factors/features that may potentially violate consumer privacy.