The multitude of existing laws and professional codes of ethics do not offer adequate privacy protection in today's healthcare environment.
Hippocrates required an oath of his students. With regard to privacy, that oath states, "all such should be kept secret." Unfortunately, that oath is no longer a sufficient bulwark. Information can now be rapidly disseminated and, as a "product," has increased economic value. Hippocrates did not have an office full of staff, computers, faxes, overnight express mail or the temptation of financial incentives. According to 1999 surveys conducted by Louis Harris and Associates, 27 percent of those polled believed they had been victims of an improper disclosure of personal health information. Sound guardianship over healthcare records is central to the success of professional-patient relationships. Hippocrates knew this.
On August 14, 2002, the Department of Health and Human Services (DHHS) issued the final modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
There was a collective sigh of relief among providers "in the know" regarding several provisions that were re-worked to address what the DHHS termed "serious unintended consequences." Despite those alterations to HIPAA, affected providers are still confronted with making significant changes to their current procedures and protocols.
Cries and complaints will likely reach a crescendo in the spring of 2003 as the April 14 Privacy Rule compliance date approaches. Some of those voices can already be heard as distress over the cost and time involved in complying becomes palpable.
Admittedly, it seems out of character for those in the healthcare professions to complain about a rule that helps ensure their continued efficacy as providers. Of course, privacy is central to the patient/provider relationship. It can be argued that your personal health information is about as "personal" as information can be! Indeed, clinicians often need to know the intimate details of a patient's life to provide maximal and appropriate care.
Consider what would happen if patients withheld information because they lacked confidence in the providers' ability to keep private information secure. Diagnosis, treatment and assessment of treatment effectiveness would become very difficult, if not impossible.
Some background is in order...
Title II of the Health Insurance Portability and Accountability Act is the Administrative Simplification Compliance Act (ASCA). The ASCA mandates rules in three areas: Privacy, Security and Electronic Data Interchange. The Security rules have not been finalized, and the Electronic Data Interchange Rule will go into effect October 16, 2003. Some provisions of the Privacy rule have been changed since its introduction in December 2000. It is now finalized; the August 2002 version is the working document.
The following offers a brief description of the key aspects of the final modified Privacy standards.
Privacy Rule Terminology
There are several terms that warrant definition:
- Personal Health Information is any information received by a provider related to the health history, treatment or payment for such treatment.
- Individually Identifiable Information is a subset of Personal Health Information. It is information that specifically identifies the patient, such as social security numbers.
- Protected Health Information (PHI) is both Personal Health Information and Individually Identifiable Information.
- Use is a term in the privacy rule that describes the sharing, application and utilization of individually identifiable information by the workforce within a provider organization.
- Disclosure is the communication of information in any form to parties outside the organization possessing the information.
- Authorization refers to the written consent that a provider entity must obtain from a patient before using or disclosing protected health information for purposes other than treatment, obtaining payment or healthcare operations.
- TPO is the acronym for the permitted uses of protected health information. It stands for treatment, payment and healthcare operations.
The Patient Notice
Providers are required to give their patients a written Patient Notice detailing their privacy rights as well as the provider's legal obligations. The notice must be written in easy-to-understand terms and must be available to anyone who requests it. Patients must be provided with the Patient Notice prior to their first treatment.
Additional requirements are:
- The Patient Notice must have a descriptive header. The recommended header is: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- The notice must describe how the provider may use and disclose protected health information. State whatever internal uses you intend to make of the information and any disclosures that may occur. These are limited to treatment, payment and healthcare operations.
- The notice must describe the patient's right to request restrictions on the use and disclosure of protected health information.
- The notice must state a patient's right to obtain copies of his or her records and how to request changes.
- The notice must describe how to file complaints concerning suspected violations and whom to contact regarding such matters.
- The notice must state the patient's right to receive an accounting of how his or her protected health information has been used and disclosed.
- The notice should state the policy's effective date.
- The notice may be provided electronically but a hard copy must be made available if requested.
- The notice must state that the provider will not use or disclose protected health information for purposes other than treatment, payment or healthcare operations without obtaining the patient's authorization.
- The notice must describe in general terms any allowed marketing materials you might send to patients and explain how to request not to receive such materials.
Authorization for Disclosure and Use
Remember that a provider must obtain prior written authorization to use or disclose a patient's PHI for any purpose beyond treatment, payment or healthcare operations. The particular components required for a legitimate authorization vary with the intended purpose of the authorization. A provider can seek three types of authorization:
- Authorization of disclosure for research.
- Authorization of the provider organization's own uses and disclosures.
- Authorizations of disclosures by a third party (other than the provider organization).
The authorization document for any of these three purposes should contain the following elements:
- Identification of the party or class of parties authorized to receive PHI;
- A description of the PHI to be used or disclosed;
- Identification of who will be authorized to make the requested use or disclosure of PHI;
- A description of each purpose of the requested use or disclosure;
- An expiration date;
- A statement of the patient's right to revoke the authorization and how to accomplish a revocation;
- A statement that information used or disclosed via this authorization may be re-disclosed by the recipient;
- Signature of the patient or the patient's authorized representative.
Regarding marketing activities, it is advisable to err on the side of caution. Certain activities are prohibited, such as selling patient lists to third parties without prior authorization from the patients. Generally speaking, if you are communicating a treatment option to a patient, you can do so without ramification. However, you cannot send patients discount offers or other incentives alone, and you cannot communicate with them solely for the purpose of selling a third-party product that does not represent a legitimate care option for that individual.
Beyond these details, the privacy rules require covered entities to develop privacy policies and procedures, educate employees about these policies and procedures and designate a privacy officer. Providers must also take steps to ensure that any business associates with whom they have business dealings protect the privacy of health information.
At the core of it all is an expectation that organizations will make a reasonable effort to control the use and disclosure of protected health information. This is where the federal government is seeking to beef up Hippocrates' efforts by requiring added protections under the law.
Clinicians and managers continue to feel frustrated by these new provisions. Many providers believe HIPAA is just the latest product of the federal government's endless desire to regulate healthcare. Some of this frustration stems from a lack of understanding about the revisions made in August 2002, and some arises from the view that the new rules are a long list of potential pitfalls. The final rule issued last summer eliminated the need for written consent to use PHI for routine uses.
Waiting Room Protocols
You can have a sign-in sheet but you cannot identify the reason for the visit on that sheet. You can call the patient's name in the waiting room.
These clarifications help, but they don't lessen the obligation providers have to protect PHI.
The list of rules is lengthy and many believe it is excessive.
I believe the regulations our system produces reflect our societal values.
We hold privacy high among our rights. HIPAA gives legal voice to our desire for respect of our personal information.
We live in an information-hungry culture. Extra care must be taken with information given in trust by patients. Emotional stories exist about people's lives being devastated by breaches of health information privacy. The final rule published in the federal register describes several horror stories resulting from improper disclosures. Those disclosures occurred despite previous state laws and professional ethical standards. The evolution of healthcare management and technology has made new rules necessary.
Successful compliance with HIPAA will ultimately hinge on changes in provider organizational culture as much as following the rules. Taking extra measures to keep patient information secure would come more easily if we embraced the role of guardian.
If you were to gather a group of healthcare professionals to define what ethical values ought to drive provider organizations, respect for patient privacy will likely be on the list. Heightening the sense of this value to the level of guardianship could enhance an organization's Privacy rule compliance performance. Before you can attempt to mold respect for privacy into a sense of guardianship, you might review what the status of that ethic is in your organization.
First, seek out the organizational ethic. Is it pervasive, or does it reside in just a segment of the organization? It is not impossible for the business management to hold a view of respect for privacy that is more liberal than the clinicians'. If there is no organizational consensus regarding what respect for privacy means, examine the issues and expectations that create and maintain the various interpretations.
What an organization is actually doing reveals its true values. If an examination of policies and procedures reveals a difference between the routine actions of the organization and what is supposed to be the organizational ethic, then change is in order. Defining and communicating the organizational ethic is of paramount importance, and the organizational ethic should underlie the decision making process.
Importantly, values that are unacceptable need to be identified and eliminated from decision-making processes.
Making the case for accepting a strong respect for privacy ethic in a healthcare organization should go easily. As mentioned previously, the continued success of the organizational mission to provide effective care is contingent on the patients' belief that personal health information will be kept confidential.
Once the value is clearly defined and communicated, it is possible to heighten the sense of it within the organization. In this case, respect for patient privacy can be enhanced to guardianship. The key to achieving this is placing respect for patient privacy squarely on top of the organization's expectation list. In healthcare organizations, this spot is traditionally reserved for expectations regarding the quality of patient care. This type of change is in keeping with the spirit of the new privacy rules.
Examining underlying values that drive organizational behavior may seem like an additional layer of work, added to an already thick coat of compliance requirements! It is, of course, possible to create a convincing privacy compliance program without ever considering values.
Education and training can reduce potential violations. In fact, education and training are the most critical elements in any compliance effort. The applicable rules are numerous and intricate. All employees will need thorough and ongoing training on the regulatory requirements.
However, a great educational program alone won't ensure that employees will make the right decisions. Nothing can ensure that with certainty. It is possible though, through the development of an organizational ethic, to increase the odds of success. Further, the opportunity for success can be enhanced if management communicates the message that patient privacy is on equal footing with patient care and that neither can be compromised.
References and Resources
Health Care Financing Administration - HIPAA
Learn about group and individual insurance coverage under the Health Insurance Portability and Accountability Act of 1996 using interactive tools.
Guide to HIPAA
National Partnership presents this easy-to-read guide to the Health Insurance Portability and Accountability Act of 1996, complete with FAQs.