Whenever I Try To Find Out About A Friend In The Hospital They Won't Tell Me Like They Did Years Ago And I See This Acronym HIPAA With Health Privacy Issues. What Is All Of This?
HIPAA is the Health Information Portability and Accountability Act. Congress passed the law in 1996, but the Privacy and Security portions were not signed into law until 2003. For purposes of this answer I am going to cover the Privacy and Security laws forward. In 2009 the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to make the sharing of electronic medical records (EMR) or electronic health records (EHR) to be more efficient which includes “meaningful use”. “Meaningful Use” includes a financial initiative for doctors and hospitals to be fully in to using an EMR system. With an increase in electronic protected health information (ePHI) there is a greater concern that someone might “hack” into hospitals, health care plans and doctor’s offices. This would be disastrous on a larger scale than the Target store hack since it could involve more private information to include social security numbers.
Doctors offices are scrambling now to meet the deadlines not only to qualify for incentive payments but also to keep from losing on certain future payments. If you have been shown a computer at your doctors office to sign in on and look at your information or been given a web address to sign into a patient portal then you are experiencing at least a portion of your doctor working towards “meaningful use”. It is our natural preference to want to speak to a person about our health care because the black and white of what we may access does not answer all of our questions. Fear not, because human beings are still very necessary. When we are directed to use computers it may not necessarily be the idea of your doctor but rather a necessary direction that he or she must take based on governmental directives.
Those with certified EHR’s (beginning in 2011) are eligible for an additional $63,750.00 over six years and eligible participants must begin receiving payments once eligible by 2016. Medicare providers can start receiving a maximum of $44,000.00 over five years if eligible. Doctors who do not become eligible by 2015 will see a loss of one percent of Medicare payments increasing to three percent over three years.
The Stage I, “Meaningful Use” eligibility requires doctors to meet 19 of 24 objectives and eligible hospitals to have achieved 18 of 23 objectives to receive incentive money.
To the public it just seems that no one will tell us what we want to know about some people when we are genuinely concerned about their health and now we are being directed more towards computers than we may want. It seems like there is not much going on with the doctors or hospitals.
The truth is there is alot going on with doctors, hospitals and health plans. The groups are divided into the “Covered Entity” and the “Business Associate”. The “Covered Entity” is the doctor or hospital or health care plan. Those companies or individuals that have routine access to PHI or ePHI are “Business Associates”. Think about the folks that come in to repair the CT machine made by “ACME CT” (fictitious name) who are able to see ePHI of patients that have been given a CT examination. As an employee of “ACME CT” they are bound by the legal agreement between the covered entity and their company as Business Associate under a document called a “Business Associate Agreement”. If they were to note that a public official or celebrity had been scanned, an unscrupulous employee of “ACME CT” might share their diagnosis for a fee with some less than reputable publication. For you or me to have that same information shared may have a smaller pool of interested persons but nevertheless disastrous to us. Because the bad or negligent acts of a Business Associate also share liability with the Covered Entity, Covered Entities are especially cautious with who they hire as Business Associates and the terms of the Agreement which may include indemnification and mitigation clauses. When you think about it a “Covered Entity” could have hundreds or thousands of Business Associate Agreements needed; fortunately there are three general exceptions called the TPO exception. The “T” stands for treatment, so that includes all doctors, hospitals, pharmacies, imaging centers, etc. that need to share information in the treatment of a patient. The “P” exception is for Payment, so all of the health plans including Medicare and Medicaid are excluded so that ePHI and PHI can be shared. Finally, the “O” is operations which includes needed auditors, consultants, accountants, attorneys, quality improvement, etc. needed for “Operations”. Even within the “Covered Entity” itself the employees are guided by a “principal of minimum necessary”, where the employee ONLY looks at the information necessary to do their job and to treat patients. An employee that has access to computerized image databases has no reason to look at imaging studies not associated with a particular patient that they are assisting with the treatment of. It can even be a fireable offense if an employee is found to be looking at the medical images of others which may include their family members or even themselves.
Should a breach of PHI or ePHI occur the Covered Entity must notify within sixty days (1) the individuals whose information has been a part of the breach (2) the Secretary of Health and Human Services and if it involves more than five hundred people (3) the media. How awful this could be for the individuals and for a hospital, doctor or health plan that has worked hard for a good reputation. Many of the most recent breaches have occurred because of stolen laptops that have PHI/ ePHI on them. Penalties can run up to $1.5 million per year and can include imprisonment for wrongdoers. There have already been penalties to occur into the hundreds of thousands of dollars. Doctors, hospitals and health plans have hired Compliance Officers to work with Health Law attorneys to ensure that they are doing what is necessary to be inline with all of the laws and to be aware of the changes in the law.
“Covered Entities” are expending increasing amounts of money on Information Technology personnel and consultants, Compliance Officers and Health Law attorneys just to keep up with the laws and to continue receiving the maximum payments by health care plans. The next time you have to sign into a computer at your doctor’s office, that may not have been at the doctor’s initiative.
This article is informative only and not meant to be all inclusive. Additionally this article does not serve as legal advice to the reader and does not constitute an attorney- client relationship. The reader should seek counsel from their attorney should any questions exist.
"No representation is made that the quality of legal services performed is greater than the quality of legal services performed by other lawyers."
Ronald A. Holtsford, Esq.
Ronald A. Holtsford, LLC
7956 Vaughn Road, Box #124
Montgomery, AL 36116