©2006 all rights reserved. health information management technology — second edition — an...

©2006 All rights reserved.

Health Information Management Technology

— Second Edition —

An Applied Approach

Chapter 15Legal Issues in Health Information Technology


HIM Legal Issues

• Compilation and maintenance of health records

• Ownership and control of health records, including use and disclosure

• Use of health records and health information in judicial proceedings


U. S. Legal System

• How are laws classified?• Public law• Private law

• How are laws made?• Constitutions• Statutes• Administrative law• Judicial decisions


U.S. Legal System (continued)

• How are legal disputes handled?• U.S. court system

• District courts• Courts of appeals• Supreme Court

• State court systems• Trial courts• Appellate courts• State supreme court


U.S. Legal System: How are legal disputes handled? (Continued)

• Dispute resolution• Administrative agencies• Arbitration• Mediation


U.S. Legal Process

• Bringing a lawsuit• Plaintiff(s)• Defendant(s)

• Counterclaim• Joinder• Crossclaim

• Complaint• Summons


U.S. Legal Process (continued)

• Discovery period• Deposition• Subpoena

• Subpoena ad testificandum• Subpoena duces tecum

• Trial• Post-Trial: appeal and collection of the

judgment


Medical Malpractice

• What is professional liability?• Medical malpractice• Physician-patient relationship

• Contract• Express• Implied

• Tort• Intentional tort• Negligence


Medical Malpractice

• Types of negligence• Nonfeasance• Malfeasance• Misfeasance

• Elements of negligence• Duty• Breach• Causation• Injury/Harm


Form and Content of the Health Record

• What legal requirements affect the form and content of the health record?• Statutory laws such as state and federal

statutes• Regulatory laws such as Medicare, HIPAA,

and public health reporting requirements• Standards by accrediting bodies such as the

JCAHO

• Failure to comply results in some type of penalty


Form and Content of the Health Record (continued)

• Guidelines for complying with statutory and regulatory laws and accreditation standards:• Policies and procedures should comply with

all laws and standards• Health records should be systematically

organized• Only authorized persons should document in

the health record• Policies should specify who can receive and

transcribe verbal orders



• Guidelines for complying with statutory and regulatory laws, and accreditation standards (continued)• Health record entries should be documented at

the time service is provided• Authors of all entries should be clearly identified• Only approved abbreviations and symbols

should be used in the health record• All entries should be permanent



• Guidelines for complying with statutory and regulatory laws, and accreditation standards (continued)• Policies and procedures for error correction

should be in place• Policies and procedures for addenda to the

record should be in place• Quantitative and qualitative analyses of health

records should be conducted• All laws and other requirements should be

reviewed and understood


Retention of Health Records

• When developing retention policies, consider:• Federal, state, and local statutes and

regulations for your institution type• Statutes of limitation for malpractice and

other claims• Retention standards of pertinent

accreditation body• Use of records within the organization


AHIMA Retention Guidelines

• Ensure that patient information is available to meet patient care needs, legal requirements, research, education, and other legitimate uses

• Develop a retention schedule that meets needs of patients, physicians, researchers, and other legitimate users and complies with all regulations and laws

• Develop guidelines that specify what information should be retained, the retention period, and the storage medium

• Maintain compliance documentation and develop policies and procedures for compliance documentation


HIPAA Definition

• Health Insurance Portability and Accountability Act (HIPAA) of 1996 • Focus of Title II (1 of 5 titles)

• Medical liability reform• Health care fraud and abuse prevention• Administrative simplification

• Privacy standards• Security standards• Transactions, identifiers and code set standards


HIPAA Terminology

• Protected Health Information (PHI)• Designated Record Set (DRS)• Use• Disclosure• Requests• Minimum Necessary• Treatment, Payment, and Operations (TPO)• Preemption


Entities Covered by HIPAA

• Covered entities• Healthcare providers, such as hospitals,

pharmacies, physician office practices, long-term care facilities, and clinics

• Health plans, such as insurance plans• Healthcare clearinghouses, such as billing

companies


HIPAA Applicability

• The HIPAA privacy rule applies to covered entities who engage in transmitting or performing any electronic transaction specified in HIPAA• Health claims and encounter information• Health plan enrollment and disenrollment• Eligibility for a health plan• Healthcare payment and remittance advice• Health plan premium payments• Health claim status• Referral certification• Coordination of benefits


HIPAA Applicability (continued)

• Business Associates (BAs)• What is a business associate?

• Disclosures of PHI to BAs• Business associate agreement (BAA)• Content of BAA



• Workforce Members• Who is considered a workforce member of

a covered entity?• Are contractors working in a covered entity

considered workforce members or business associates?



• De-identified information• Does not identify the individual• Not subject to the HIPAA privacy rule• What elements must be removed to de-

identify an individual?• Reidentification


HIPAA: Individual Rights

• The HIPAA privacy rule provides individuals with rights to provide some control over their health information• Right of access• Right to request amendment• Right to accounting of disclosures• Right to request restrictions• Right to request confidential communications• Right to complain of privacy rule violations


HIPAA: Individual Rights - Access

• Right of access• Own PHI contained in a designated record

set• Exceptions to access

• Psychotherapy notes• Information compiled for civil or criminal actions

• Denial of access• Not subject to review• Subject to review


HIPAA: Individual Rights - Access (continued)

• Access request• Provide request in writing (if previously informed of

this)• Timely response is required by the covered entity

• 30 days from receipt of request• Extension of time period

• 30-day extension• Must provide individual with written statement within

original 30-day time period• Written statement must include reason for delay and date

covered entity will complete its action

• Time period for records not maintained on site


HIPAA: Individual Rights - Access (continued)

• Charges• Reasonable fee may be imposed

• Copying, including supplies and labor• Postage, when individual has requested

information to be mailed• Preparation of an explanation summary, if

agreed to by the individual in advance

• Stricter state laws apply to fees


HIPAA: Individual Rights – Request Amendment

• Right to request amendment• May require the amendment request to be in

writing• Allowed reasons for denial of amendment request• Timely response to the request by the covered

entity• Process for denial of requests for amendment


HIPAA: Individual Rights – Accounting

of Disclosures • Right to accounting of disclosures• Disclosures that do not require an accounting

• Disclosures for TPO purposes• Individuals provided their own PHI• Incidental or otherwise permitted or required• Pursuant to an authorization• Use in a facility directory• To meet national security or intelligence

requirements


HIPAA: Individual Rights – Accounting of Disclosures (continued)

• Disclosures that do not require an accounting (continued)• To correctional institutions or law enforcement

officials• Disclosures that occurred before the HIPAA

privacy compliance date


HIPAA: Individual Rights – Accounting of Disclosures (continued)

• Information included in an accounting• Date of disclosure• Name and address of entity or person who

received the information• Brief statement of the purpose of the disclosure or

copy of individual’s written authorization or request

• Timely response to request for accounting• Fees for accounting of disclosures• Required documentation


HIPAA: Individual Rights – Request Restrictions

• Right to request restrictions on uses and disclosures of PHI to carry out TPO• Covered entity must permit such a

request, but does not have to agree to the requested restriction

• Termination of requested restrictions• Covered entity’s responsibilities


HIPAA: Individual Rights – Confidential Communications

• Right to request confidential communications• Alternative routing/destination or by alternative

method• Requests may be refused if information is not

provided as to how payment will be handled


HIPAA: Individual Rights – Complain of Violations

• Right to complain of privacy rule violations• Must inform individuals of right to complain at

covered entity level and to the U.S. Department of Health and Human Services


HIPAA Privacy Rule Documents: Notice of Privacy Practices

• Notice of Privacy Practices• Purpose• Availability of the notice• Required content• Acknowledgement by individual


HIPAA Privacy Rule Documents: Consent

• Consent• To use or disclose PHI for treatment,

payment and operations (TPO)• Optional document• Required content• Revocation


HIPAA Privacy Rule Documents: Authorization

• Authorization• Definition • Purpose• Content• Situations requiring an authorization


Authorization Not Required

• Required uses and disclosures without authorization• Access or accounting of disclosures

requested by individual or personal representative

• U.S. Department of Health and Human Services investigation, review, or enforcement action


Authorization Not Required (continued)

• Permitted uses and disclosures without authorization (patient HAS opportunity to informally agree or object)

• Directory of patients• Notification of family or friends


Authorization Not Required (continued)• Permitted uses and disclosures without

authorization (patient does NOT HAVE opportunity to agree or object). These uses and disclosures are permissive only and must not violate a stricter or more protective state law.

• Treatment, payment, and operations• To the individual• Incidental disclosures• Limited data set• Twelve public interest and benefit purposes


Authorization Not Required (continued)

Twelve public interest and benefit purposes• As required by law (e.g. reporting specified wounds)• Public health activities• Victims of abuse, neglect, or domestic violence• Healthcare oversight activities• Judicial and administrative proceedings• Law enforcement purposes• Decedents • Cadaveric organ, eye or tissue donation• Research• Threat to health or safety• Specialized government functions• Workers’ Compensation


HIPAA: Marketing

• Definition• General rule: use or disclosure of PHI for

marketing requires authorization• Marketing activities that do not require an

authorization• Occurs face-to-face with the individual• Concerns products or services of nominal value


HIPAA: Marketing

• Activities not defined as marketing per HIPAA (authorization not required)• Communications by covered entity about health-related

products and services provided by or covered as a benefit by the covered entity or a third party (must meet requirements)

• Communications for treatment of individual• Communications for case management/care coordination or

alternative treatments

• Remuneration to the covered entity must be disclosed

• Opt-out instructions


HIPAA: Fundraising

• Must inform individuals in Notice of Privacy Practices that PHI may be used for fundraising

• Instructions on opting out in future are required

• Prior authorization required if fundraiser targets individuals based on diagnosis, for instance, kidney patients targeted to raise funds for new kidney dialysis center


HIPAA Privacy Standards: Administrative Requirements

• Designation of privacy officer• Workforce training• Process for establishing privacy

safeguards• Process for handling privacy complaints• Standards for policies and procedures


Medical Staff Appointments and Privileges

• Facility is responsible for establishing policies and procedures to ensure reasonable care in medical staff appointments

• Credentialing for appointment and reappointment

• National Practitioner Data Bank formed by the Health Care Quality Improvement Act of 1986

• HIT role in medical staff privileges


Labor Laws and Unionized Personnel

• Collective bargaining defined

• National Labor Relations Act and other federal labor laws• Fair Labor Standards Act• Equal Pay Act• Equal Employment Opportunity Act• Age Discrimination in Employment Act• Occupational Safety and Health Act• Rehabilitation Act


Labor Laws and Unionized Personnel (continued)

• State Labor Laws• Right-to-work laws• Workers’ Compensation• Child labor laws• Minimum wage laws


Americans With Disabilities Act

• Federal law

• Scope of the law

• “Reasonable accommodations”: When is a requested accommodation not reasonable?

• Practical application of the law

©2006 all rights reserved. health information management technology — second edition — an...

Documents

health record policies

health record entries

standards health records

control of health records

judgment slide

permanent slide

legal system

statutory laws