Privacy of Medical Records

From Expertiza_Wiki

Study Guide

Ethical Issues

Like most privacy issues, the ethical questions posed here are controversial. These issues include:

  • What information is considered private
  • Who decides what information is private
  • What are the rights of individuals
  • What are the rights of the health care industry
  • Will employers and insurance companies use genetic profiling to discriminate

Catalyst

Most people require a certain amount of privacy. Everyone holds certain information about themselves to be personal, to be shared only with people whom they trust. This is the major cause of medical privacy issues. Because doctors’ offices and hospitals keep records on each of their clients, the issue becomes: who has a right to access these records? The widespread use of databases and other technology to maintain this data has made the medical privacy issue grow even faster. Now, not only do insurance companies and billing agencies have access to your medical records, but hackers can access them as well.

Content of Medical Records

Medical records may include your medical history, details about your lifestyle such as smoking or involvement in high-risk sports, and family medical history. In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health, and they might include information about your participation in research projects. Information you provide on applications for disability, life or accident insurance with private insurers or government programs can also become part of your medical file. So, it is easy to see why people consider information about their health to be highly sensitive.

Accessibility

Medical records are shared by people both in and out of the health care industry. These include:

  • Insurance companies
  • Government agencies
  • Medical Information Bureau (MIB)
  • Employers
  • Courts, when records are subpoenaed

Generally, access to your records is obtained when you agree to let others see them. In reality, some situations offer no choice but to agree to the sharing of your health information in exchange for care and to qualify for insurance. Other places where identity may or may not be disclosed are:

  • Health care operations, or the evaluations of hospitals or individual physicians
  • Public health agencies for health research
  • Direct marketers when you participate in informal health screenings

Electronic Medical Records/Electronic Health Records

An electronic medical record (EMR) is a medical record in digital format. In health informatics, an EMR is considered by some to be one of several types of electronic health record (EHR), but in general usage the terms EMR and EHR are synonymous.

Adoption of EMRs and other health information technology, such as computer physician order entry (CPOE), has been minimal in the United States. Less than 10% of American hospitals have adopted health information technology, while a mere 16% of primary care physicians use EHRs. The vast majority of healthcare transactions in the United States still take place on paper, a system that has remained unchanged since the 1950s. The healthcare industry spends only 2% of gross revenues on health information technology, which is meager compared to other information-intensive industries such as finance, which spend upwards of 10%. The following issues are behind the slow rate of adoption:

A major concern is the confidentiality of the individual records being managed electronically. According to the LA Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and 600,000 payers, providers and other entities that handle providers' billing data have some access.

The possibility of patient data interception increases with multiple access points over an open network like the Internet. Protected Health Information (PHI), as it's referred to, is addressed under many local laws, as well as the Health Insurance Portability and Accountability Act (HIPAA). In the European Union (EU), several Directives of the European Parliament and of the Council protect the processing and free movement of personal data, including for purposes of health care. Those managing this information are required to ensure adequate protection is provided and that access is given only to authorized parties. Since electronic data may be physically much more difficult to secure, the growth of EHR creates new issues, as flaws in data security are increasingly being reported. Information security practices have been established for computer networks, but technologies like wireless computer networks offer new challenges as well.

Limits in software, hardware and networking technologies have made EMR difficult to implement in small, budget-conscious, multi-location healthcare organizations. Until recently, most EMR systems were developed using older programming languages such as Visual Basic and C++. However, with many systems now being developed using Microsoft's .NET Framework and Java technology, EMRs can be securely implemented across multiple locations with greater performance and interoperability. Prior to the recent introduction of IEEE 802.11g and 802.11n wireless technology, access to large files such as MRI and X-ray images was slow. With these new wireless technologies, data can be securely transferred at speeds of up to 108 Mbit/s, across extended distances and in older buildings built with brick or concrete walls. Tablet PC technology has also improved significantly in recent years, with Li-Ion/polymer batteries giving battery life of up to 8 hours, biometric security, low-voltage processors and lighter-weight designs.

Medical records, such as physician orders and exam and test reports, are legal documents; they must be kept in unaltered form and authenticated by their creator.

  • Digital signatures: Most national and international standards accept electronic signatures. According to the American Bar Association, "A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer." With proper security software, electronic authentication is more difficult to falsify than a doctor's handwritten signature. However, as the recent rise in identity theft demonstrates, no security method can totally prevent fraud, so auditing information security will continue to be prudent when using EMR.
  • Preservation: Digital records such as EHRs make it difficult to ensure that content, context and structure are preserved when the records have no physical existence. As of 2006, national and state archives authorities are still developing open, non-proprietary technical standards for electronic records management (ERM).

Laws

Medical laws have been put into place for patient privacy protection. Under the Clinton Administration, the Health Insurance Portability and Accountability Act of 1996 was passed. Since then, there have been many amendments to the act, the most notable being one of Clinton’s last actions as president. On Dec. 28, 2000, the Clinton administration issued changes to the HIPAA of 1996. These changes gave patients unprecedented rights to track their medical files. They introduced new criminal and civil sanctions for improper disclosure of medical records and protect against unauthorized use of medical records for employment purposes. Although this last act gave patients unprecedented access to and control of their medical records, some are not satisfied.

Health Insurance Portability and Accountability Act (HIPAA)

Title I: Health Care Access, Portability, and Renewability

Title I of HIPAA regulates the availability and breadth of group and individual health insurance plans. It amends both the Employee Retirement Income Security Act and the Public Health Service Act.

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II of HIPAA creates several programs to control fraud and abuse within the health care system.

The Privacy Rule

The Privacy Rule took effect on April 14, 2003. It establishes regulations for the use and disclosure of Protected Health Information. Covered entities have 30 days from an individual's request to disclose that individual's PHI. They must also disclose PHI when required by law, such as reporting suspected child abuse to state child welfare agencies. When authorized by the individual, a covered entity may disclose PHI for treatment, payment, or health care operations. However, a reasonable effort must be made to disclose only the minimum necessary information. Individuals have the right to request that any inaccurate PHI be corrected. The rule also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals, and to notify individuals of uses of their PHI. Covered entities must also record disclosures of PHI and document their privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints, and train all members of their workforce in procedures regarding PHI. An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).

The Transactions and Code Sets Rule

The HIPAA/EDI provision was meant to take effect on October 16, 2003, with a one-year extension for certain "small plans"; however, due to difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of October 16, 2004, full implementation had not been achieved and CMS began an open-ended "contingency period." No penalties for non-compliance were levied; however, all parties were expected to make a "good-faith effort" to comply. CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet certain criteria.

Key EDI transactions used for HIPAA compliance are:

  • EDI Health Care Claim Transaction Set
  • EDI Retail Pharmacy Claim Transaction (NCPDP Telecommunications Standard version 5.1)
  • EDI Health Care Claim Payment/Advice Transaction Set
  • EDI Benefit Enrollment and Maintenance Set
  • EDI Payroll Deducted and other group Premium Payment for Insurance Products
  • EDI Health Care Eligibility/Benefit Inquiry
  • EDI Health Care Eligibility/Benefit Response
  • EDI Health Care Claim Status Request
  • EDI Health Care Claim Status Notification
  • EDI Health Care Service Review Information
  • EDI Functional Acknowledgement Transaction Set

The Security Rule

The Final Rule on Security Standards took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans." It is meant to complement the Privacy Rule. The Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical.

The Unique Identifiers Rule (National Provider Identifier)

Providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the NPI to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008. Effective from May 2006 (May 2007 for small health plans), all covered entities using electronic communications (e.g., physicians, hospitals, health insurance companies, and so forth) must use a single new National Provider Identifier (NPI). The NPI replaces all other identifiers used by health plans, Medicare (i.e., the UPIN), Medicaid, and other government programs. The NPI does not, however, replace a provider's DEA number, state license number or tax identification number. The NPI is 10 digits (may be alphanumeric), the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and, except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing cancer center or rehab facility.
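As an added example that is not part of the study guide: the NPI check digit is computed with the Luhn formula over the nine-digit base prefixed by the constant 80840, which contributes a fixed 24 to the Luhn sum. The validator below assumes the all-numeric form of the identifier; `1234567893` is a test value, not a real provider's identifier.

```python
import re

# Luhn contribution of the fixed "80840" prefix that CMS prepends to the
# nine-digit NPI base before computing the check digit.
PREFIX_CONSTANT = 24


def npi_check_digit(base9: str) -> int:
    """Return the Luhn check digit for a nine-digit NPI base."""
    if not re.fullmatch(r"\d{9}", base9):
        raise ValueError("NPI base must be exactly 9 digits")
    total = PREFIX_CONSTANT
    # Walk from the right; the rightmost base digit sits next to the check
    # digit, so it is the first one doubled.
    for i, ch in enumerate(reversed(base9)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True only if npi is ten digits whose last digit is the correct checksum."""
    if not re.fullmatch(r"\d{10}", npi):
        return False  # wrong length or non-digit characters
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    # Test values (constructed): a valid NPI, a wrong check digit, a
    # transposition of two adjacent digits, a short value, a non-digit.
    for sample in ["1234567893", "1234567890", "1234576893", "123456789", "12345678A3"]:
        print(sample, "valid" if is_valid_npi(sample) else "invalid")
```

Checking the digit at intake rejects typos and adjacent-digit transpositions in claims data before they reach a billing system, but it says nothing about whether the identifier is actually issued to the provider named on the claim.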

The Enforcement Rule

On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations; however, its deterrent effect seems to be negligible, with few prosecutions for violations.

Responsibility for patient records usually rests with the creator and custodian of the record, generally a health care practice or facility. The physical medical records are the property of the medical provider (or facility) that prepares them. This includes films and tracings from diagnostic imaging procedures such as X-ray, CT, PET, MRI, ultrasound, etc. The patient, however, according to HIPAA, owns the information contained within the record and has a right to view the originals and to obtain copies under law. Additionally, those responsible for the management of the EMR are responsible for ensuring that the hardware, software and media used to manage the information remain usable and do not degrade. This requires backing up the data and protecting the copies. It also requires the planned periodic migration of information to address media degradation from use.

Genetic Mapping

Genetic mapping, also called linkage mapping, can offer firm evidence that links a disease transmitted from parent to child to one or more genes. It also provides clues about which chromosome contains the gene and precisely where it lies on that chromosome.

More than 40 U.S. states have laws requiring hospitals to make available to insurance companies and researchers certain information about each visit they receive. With this information, hospital records can be obtained and all sorts of genetic testing can be done. This is extremely controversial because the laws are vague about what constitutes a research group.
