10 Times HIPAA May Not Apply

3評論

10 common emergency care situations where the Health Insurance Portability and Accountability Act of 1996 may be improperly invoked

Next year marks the 20th anniversary of the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA’s purpose is to protect the privacy and security of protected health information or “PHI.” PHI is individually identifiable information in any form relating to an individual’s healthcare, payment for healthcare, or physical or mental health condition. While serving as the protector of PHI, limiting disclosures without patient authorization, and generally ensuring that people’s private medical conditions are not broadcasted in public, HIPAA is often misunderstood and misapplied in practice. Incorrectly applied invocations of HIPAA can sometimes limit access to vital information and harm patients. A recent New York Times article detailed cases where important clinical information did not reach providers, all in the name of HIPAA.

When it comes to emergency medical care, complete information is vital to making the best clinical decision. Timely access to existing records often affects clinical actions, such as decisions to admit, order expensive imaging tests, or use narcotic pain relievers. For example, incorrectly using HIPAA as the reason for not sharing important information such as old EKGs or stress tests results for patients with chest pain or prior imaging results in patients with abdominal pain can cause providers to overuse inpatient and radiology resources. Unfortunately, pertinent information is often absent or kept protected during the emergency department (ED) visit, limiting easy access by providers.


廣告

當供應商不了解HIPAA適用to a particular situation, the kneejerk response is often to err on the side of caution. Certainly you’ve heard a colleague say, “That’s a HIPAA violation!” but have not been so sure yourself. Yet for providers, there is a real reason to be careful: HIPAA violations can carry significant penalties for individual and institutional providers (referred to under HIPAA as “covered entities”) and their “business associates” (individuals and organizations doing work on their behalf, e.g., claims processor or business manager).

談到灰色區域的情況時,重要的是要認識到,HIPAA並不旨在幹擾患者的醫療保健。在許多情況下,HIPAA允許在沒有患者授權的情況下披露PHI(見下圖1)。提供商可以自行決定使用任何適用的允許披露異常,但必須遵守相關要求。例如,“最小必要”規則要求用於非處理相關目的的PHI必須限於實現本公開預期目的所需的最小金額。換句話說,隻能公開相關信息。

HIPAAFIG1.


廣告

以下是eD的10個臨床情況,其中HIPAA通常調用以及HIPAA如何實際適用於這些情況。但是,請記住,每次對所謂的HIPAA違規的調查都是非常重要的。

情況#1:一個家庭成員要求詢問他們在ed中的親戚的狀態。
HIPAA說的是什麼:Providers may disclose “directory information” (i.e., patient’s location and general health status) if the caller identifies the patient by name. This exception permits callers to locate friends or family who may have been involved in an accident. Providers must first provide patients the opportunity to agree or object to the disclosure of “directory information.” If the patient is incapacitated, the provider must inform the patient that such disclosures were made and give the patient the opportunity to object to further disclosures as soon as practicable. This requirement protects, for example, victims of domestic abuse who may not want their whereabouts divulged to their abuser. This opportunity to object may be offered verbally or in writing, such as through the notice of privacy practices that is given to patients upon arrival in the ED.

Situation #2: A person identifying herself as a patient’s physician calls the ED provider to ask about their patient’s status.
HIPAA說的是什麼:Disclosures of PHI from one provider to another provider for treatment purposes are permissible without the patient’s authorization. The disclosing provider must use professional judgment to determine whether the requested PHI relates to the patient’s treatment by the requesting physician.

情況#3:新聞呼叫的成員詢問ED中的患者的狀態。
HIPAA說的是什麼:Location and general health status (i.e., directory information) can be disclosed if the requestor identifies the patient by name unless the patient has objected to such disclosures. This rule prevents inappropriate disclosures when, for example, a caller inquires about the status of “the gunshot victim.” A provider may disclose PHI to the media where necessary to identify, locate, or notify individuals responsible for the patient’s care, but media-initiated inquiries about a specific patient do not fall within this exception.


廣告

情況#4:患者在走廊床上,另一位患者忽視了他們的病史。
HIPAA說的是什麼:披露了“事件”一個許可證ted disclosure of PHI (such as disclosures for treatment purposes) are permissible. While HIPAA does not define exactly what “incident to” means, it requires that providers “reasonably protect” PHI with appropriate safeguards to limit incidental disclosures. This may include speaking quietly when discussing PHI or moving patients to private areas. For example, physicians discussing a specific patient’s case on a crowded elevator could be a HIPAA violation. In this situation, a reasonable safeguard – such as not disclosing PHI in a crowded, public setting – would be expected when the case could easily be discussed in a more private setting.

情況#5:提供商呼叫另一家醫院以獲得患者的記錄;該醫院要求提供者從授權披露的患者發送簽名表格。
HIPAA說的是什麼:大多數HIPAA的披露異常是允許的;意味著提供商在決定是否披露信息時可以使用專業判斷。如果記錄請求用於治療目的,則HIPAA允許披露到其他提供商,而無需患者授權,即沒有符合某些要求的授權文件。值得注意的是,HIPAA不要求在此示例中向請求提供商公開PHI。事實上,HIPAA隻需要在兩種情況下披露:對患者和美國衛生和人類服務部(HHS)進行合規目的。

情況#6:患者家屬要求醫療服務提供者不要將急診室中的嚴重診斷(即腦瘤)告知患者,該診斷是與患者家屬分享的,患者當時處於癱瘓狀態(即癲癇持續狀態),現在處於清醒和警覺狀態,因為患者家屬不認為患者無法處理該信息。
HIPAA說的是什麼:HIPAA requires providers to give a patient access to his/her PHI when the patient specifically requests it, unless the PHI or patient is subject to special protections or another law authorizes the provider to withhold the information (e.g., a state law further restricting disclosure of mental health information). Absent such a request and assuming the patient has not objected to the provider’s disclosure of PHI to family members, this situation raises ethical rather than HIPAA concerns. Providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures for such situations.

Situation #7: Emergency department staff calls a patient to provide a test result that resulted after the patient was discharged, but the patient is unavailable. The family member who answers the phone asks for the result stating that they will share it with the patient.
HIPAA說的是什麼:Disclosures to family and friends involved with a patient’s care are permissible under HIPAA. Patients must have an opportunity to agree or object to such disclosures while they are in the ED. However, providers may use their professional judgment to infer from the situation that a patient does or does not object. If, while in the ED, the patient agreed to disclosures to the family member and the provider determines that it is in the patient’s best interest, disclosure of the test results may technically be permissible. However, verifying the family member’s identity and determining whether the patient’s prior permission extends to this situation may not be possible. In these situations, providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures. For example, many facilities commonly would ask the patient to call the hospital for the results.

情況#8:警察將患者帶到創傷灣;複蘇後,警方詢問患者的地位。
HIPAA說的是什麼:在有限的情況下,未經患者授權,可向執法部門披露PHI。例如,如果一名執法官員要求對一名疑似犯罪受害者的患者進行PHI,而該患者由於喪失行為能力或其他緊急情況而無法同意披露,如果醫療機構確定披露符合患者的最佳利益,且執法官員表示:(1)需要提供PHI以確定其他人是否違法;(2) PHI不用於針對患者;(3) 即時執法活動取決於披露;(4)等待患者能夠同意披露會對活動產生重大不利影響。在規定的執法例外情況之外未經授權的披露必須限於目錄信息或通知患者家屬,除非患者反對此類披露。

情況#9:一個監督員為醫療問題帶來員工;治療後,主管要求更新員工的狀態。
HIPAA說的是什麼:In general, providers must have the employee’s authorization to disclose health-related information to an employer, unless the provider is treating the employee for a work-related illness or injury at the employer’s request. In that case, the provider may disclose pertinent findings only if the employer needs such information for reporting requirements mandated by law. Providers must alert patients to these types of disclosures, which can be done in their Notice of Privacy Practices. Providers may also disclose PHI without patient authorization to the extent authorized by laws relating to worker’s compensation programs providing benefits for work-related injury or illness.

Situation #10: The hospital CEO calls the ED to inquire for his personal concern about the status of a VIP patient.
HIPAA說的是什麼:目錄信息(例如,位置,一般的頭腦lth status) may be disclosed if the patient has not objected to such disclosures. Additional information may be disclosed if it is to be used for a “health care operations” purpose, which includes six broad categories of activities such as quality improvement and customer service. If information beyond directory-level information is sought for personal interest, such disclosures are impermissible. Depending on the policies and procedures of a particular organization, looking up a patient’s PHI without a permissible purpose may lead to disciplinary action in addition to any HIPAA related penalties.

*******

HIPAA attempts to balance individuals’ right to control access to their health information against providers’ need to exchange information for treatment, payment, and health care operations. While the previous 10 situations may sound familiar, many other situations may cause confusion. Despite common misperceptions, the HIPAA Privacy Rule vests fairly broad discretion in health care providers to exchange prudent amounts of patient information related to treatment, payment, and operations without written patient authorization. However, beyond these purposes, there are important exceptions, some of which require written patient authorization or an opportunity for the patient to object to the disclosure of information. To help, here are some practical considerations in determining how HIPAA applies to a particular ED situation. In addition, guidance on where to find additional information is in Figure 2.

HIPAAFIG2.

患者的最佳利益
HIPAA’s treatment, payment, and operations exceptions cover most routine healthcare activities. While providers may not be familiar with all the specifics of these exceptions, a basic guideline to help determine whether an exception applies is to consider whether the disclosure facilitates or improves patient care and is in the best interest of the patient. If failure to disclose would materially and adversely impact care, it is probable that the disclosure would be permissible under HIPAA.

Law v. Ethics
當允許的例外情況適用時,提供者可以使用其專業判斷來決定是否披露。然而,HIPAA並不禁止幾種可能的情況,但可能會引起倫理問題。例如,如上述情況#6所述,應患者家屬的請求,不向患者提供PHI。最終,披露信息必須符合患者的最佳利益。供應商在進行或選擇不進行許可性披露時,應遵循專業實踐標準及其組織的政策和程序。

Disclosures During v. After Treatment
當患者在ED中處理時,可能需要在沒有授權的情況下披露PHI。因此,EDS必須在抵達時提供隱私實踐通知的患者,以描述允許和所需的披露。放電後,HIPAA仍然適用。但是,在護理交付上下文之外的應用披露異常可能是複雜的和危險的。提供商應該了解具體護理環境如何如何改變披露異常,並且應考慮在治療期間征求患者的偏好,他們更喜歡如何以及向何種發出的發出的發出,例如測試結果。

特殊情況
HIPAA對未成年人和其他無能的博士致敬的國家法律。其他聯邦法律(例如,42 CFR第2部分)含有更多限製性要求,適用於PHI,如藥物濫用信息。州法律可能比HIPAA更嚴格或保護某些類型的PHI,例如艾滋病病毒相關信息。提供商應熟悉所有適用的法律及其組織的披露政策,並將其申請申請到所披露的具體類型的PHI。

Don’t Be Vague
HIPAA未規定與許可披露相關的流程。例如,沒有指定的方法來驗證提出請求的提供者的身份,也沒有詳盡的活動列表,這些活動符合治療、支付或手術的條件。供應商應就與這些情況相關的協議谘詢其組織的政策,並在進行披露時利用其最佳專業判斷。

推薦人

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.); for purposes of this article, references to “HIPAA” are to the HIPAA Privacy Rule, 45 C.F.R. 164.500 et seq.
  2. HIPAA的用途作為沉默準則經常誤解了法律。NY Times 2015年7月17日。http://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-the-law.html?_r=0

關於作者

HEALTH POLICY SECTION EDITOR Dr. Pines is a practicing emergency physician and a Professor of Emergency Medicine and Health Policy at the George Washington University.

Elizabeth Gray,法學博士,MHA是喬治華盛頓大學米爾肯研究所公共衛生學院的高級研究員。

Jane Hyatt Thorpe, JD is an Associate Professor at the Milken Institute School of Public Health and Director of the Healthcare Corporate Compliance Program at George Washington University.

3評論

  1. Gretchen Boise, MDon

    The list of 18 print out with the corresponding CFR’s should be in every physician’s file in order to give a copy to the rare patient who refuses care due to HIPPA concerns. I had a lab tech who stuck herself on an IVDA patient’s blood, leave the office after she became concerned because she’d secretly taken and shown me the index patient’s identifying information to which I said they should be tested for Hepatitis C. Unfortunately, the employer wanted her to be seen by her private physician instead of us under workman’s compensation. The private physician did not want to get involved in a workman’s compensation case. The patient did eventually go to another of our Occupational Medicine clinics, but if I’d had this print-out, showing her #17, it may have appeased her so we could have continued with her own testing right away.

  2. ivette rosadoon

    家庭死亡,醫院沒有提供有法律權利的母親讓安排否收回她的國家,任何與她的40歲的人的下落的信息有關的任何資料,他的葬禮葬禮家庭Pickef Hea。最後,它掩蓋了他的女兒,她的家人讓他知道他們並不想。他們幾次到醫院,他們都知道情景。長話短說,在Hospits工作的遙遠的家庭成員試圖翻譯N HRKP它們。由於河馬法律,她被終止了。當適當的協議時,我沒有看到河馬法律是如何破壞的,因為他沒有像他一樣存在河馬法律。他們隻是想知道誰拿了身體。瘋狂的權利..在被家人操縱的女兒那裏可怕。想到任何人......我是人力兒,我覺得終止是不正確的。

  3. 勞拉·巴特爾斯on

    I was a patient seven months ago who was accused of being an “alcoholic” by the ER doctor who attended to me. I am not, but that didn’t matter to this doctor who saw liver damage and continued an assault on me, saying I was going to die unless I had a liver transplant, but I could forget about that happening because nobody would help someone who was an alcoholic.
    By the way, I didn’t test positive for alcohol, or any drugs, but that didn’t matter. To make matters worse, right after returning to work, my home business was closed down because of a complaint containing medical information that only a doctor would know. The complaint resulted in my license being revoked and I had to close my business. I still did not have a firm diagnosis of my condition. I had to sell off my business at loss, to pay for medical bills and had to sell future inheritance to cover expenses that come from lost wages, medical bills, and raising children. When I finally got my diagnosis everything was already taken away.
    I have autoimmune hepatitis, just like my mom and other family members. I am not an alcoholic which I was originally accused of, My business and reputation were destroyed. I never used to be depressed, but I cry all the time now. I only ever wanted meaningful purposeful work, and I grieve for all the ways that this was taken from me. This was done by the medical community. I have completely lost my trust in doctors and I feel like I can’t say anything. I am not taken seriously. I had to go to a doctor with my daughter today because she was hit by a semi-truck driver. I feel like I have PTSD. I can’t shake this feeling of mistrust that I have each time I need to step into a Health Care facility. How can this be right?

Leave A Reply

Baidu
map