AB241816 Ch01-IM - gjhgjhg PDF

Preview

Summary

gjhgjhg...

Description

Fundamentals of Law for Health Informatics and Information Management Third Edition

Instructor’s Manual Chapter 1

Copyright ©2017 by the American Health Information Management Association. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, photocopying, recording or otherwise without prior permission from the publisher.

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

Chapter 1: Introduction to the Fundamentals of Law for Health Informatics and Information Management Background Healthcare in the United States is a complex, highly regulated industry governed by federal and state laws, and professional practice and accrediting body standards. These laws and standards define how healthcare is financed and delivered. Individuals responsible for managing healthcare data and information in paper or electronic form must have a clear understanding of the laws and standards that govern the delivery of healthcare, including those related to the privacy, confidentiality, and security of health information. In addition, they must be ready to accommodate the changes to laws, standards, and/or programmatic policies and procedures that support the growing use of electronically stored health information and health records. This chapter introduces the concept of law and the complexity of

issues surrounding the growing use of health information technology. It defines health information and health records, and discusses the types of records commonly used in healthcare. The concepts of privacy, confidentiality, and security are discussed in terms of their significance in protecting health information. The concepts of custodial responsibility and stewardship of health records are introduced. The chapter concludes with a discussion of information and data governance as an overall means for enterprise information management.

Learning Objectives •

Differentiate between the concepts of law, and the privacy, confidentiality, and security of health information



Discuss why protecting the privacy and confidentiality of health information is a challenge for health information management and informatics professionals

•

Discuss the difference between a paper health record, a hybrid record, and an electronic health record

•

Discuss the concepts of ownership and control of the health record, how these concepts relate to the concepts of health record custodianship and stewardship, and the roles and responsibilities of the custodian or steward of health records

Chapter Outline (insert)

Key Terms American Recovery and Reinvestment Act of 2009 (ARRA) American Society for Testing and Materials (ASTM) Business record Confidentiality Custodian Custodianship

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

Data security Electronic health record Electronic medical record Enterprise information management Health information exchange Health information technology Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Health record Hybrid health record Information governance The Joint Commission Law Legal health record National Alliance for Health Information Technology Office of the National Coordinator for Health Information Technology Ownership Patient portal Personal health record Privileged communication Privacy Protected health information (PHI) Security Steward Stewardship System security

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

Chapter Discussion Questions 1. What is meant by law? (Bloom’s Level: 2) Law represents a set of governing rules designed to protect citizens living in a civilized society. Law establishes order, provides parameters for conduct, and defines the rights and obligations of the government and its citizens. It controls behavior that threatens public safety and sets penalties for disobedience. Law is divided into two types, public or private which collectively define, regulate, and enforce rights and duties among people and businesses. 2. What is health information and why is it important to protect? (Bloom’s Level: 3) Health information refers to the data generated and collected as a result of delivering care to a patient. Health information is often used as evidence in legal cases in which conflict arises and resolution is sought through the court system. Its primary use is for clinical care. However, secondary uses are numerous, such as public health reporting, population health studies, third-party reimbursement, and patient safety and quality improvement initiatives. The information generated on a patient’s episode of care comprises a patient’s health record or record of care. It is important to protect health information so that it is not used against an individual for any purpose. Its protection also enables an individual to be totally honest with his or her physician, thus affording the patient the best care possible. 3. How are health records maintained and what term is used to define when a record is half paper and half electronic? (Bloom’s Level: 2) Health records are maintained in either paper or electronic formats or a combination of both. The term hybrid health record refers to a record that consists of both paper and electronic records and media (for example, film, video, or imaging system) and uses both manual and electronic processes (AHIMA 2010). The record is usually composed of electronically stored information from numerous clinical information systems, such as laboratory, pharmacy, radiology, nursing, and other ancillary or administrative systems, along with paper documents. The data in the record may be handwritten, direct voice entry captured in a word-processing system, or from provider wireless devices such as handheld personal computers 4. What is the difference between an electronic health record and electronic medical record and how might they differ from paper records? (Bloom’s Level: 4) According to the definitions established by the National Alliance for Health Information Technology (NAHIT) in 2008, an electronic health record (EHR) is “an electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization,” whereas, an electronic medical record (EMR) is “an electronic record of health related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one healthcare organization.” The key difference in these definitions is that the EMR is considered an electronic record housed within an organization, whereas an EHR is thought to contain data or information from more than one organization.

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

Electronic records differ from paper records in any one or all of six key ways as discussed in figure 1.1. Students can pick any one of the areas to discuss. 5. What federal laws offer protection related to patient information? (Bloom’s Level: 4) One of the most notable federal laws addressing privacy and security for “protected health information” (PHI) is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR 160, 45 CFR 164). HIPAA rules were originally enacted to protect patient information as a result of increasing use of information technology in healthcare. Specific HIPAA privacy rules went into effect in 2002, followed by security rules in 2003. Subsequently, in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) (42 USC 17921) of the American Reinvestment and Recovery Act of 2009 (ARRA) was passed to further promote the creation of a national healthcare infrastructure through adoption and meaningful use of EHR systems among healthcare providers and the sharing of health information through health information exchanges. HITECH widens the scope of privacy and security protections under HIPAA to include companies previously untouched by HIPAA, provides for more enforcement of the rule, and increases potential legal liability for non-compliance. HIPAA called for the organizations to identify privacy and security officers to help oversee an organizations compliance with the laws. 6. Why is privacy of patient information so important? (Bloom’s Level: 4) Privacy and confidentiality have historically been key components of the patient-provider relationship. Patients are encouraged to be truthful with their care providers regarding their mental and physical conditions because the truth is essential to the successful delivery of appropriate healthcare. Such truths, however, can place the patient in an extremely vulnerable position when intimate clinical and behavioral secrets are revealed or discovered as patient treatment is provided, test results are reported, and future options for care are discussed. Because of this, when a patient provides information and it is documented, there is an inherent trust that it will be kept private and protected from unauthorized access. 7. What is the difference between privacy and confidentiality? (Bloom’s Level: 4) According to the ASTM, privacy is a right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or observation into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference. Confidentiality is the status accorded to data or information indicating that it is sensitive for some reason; therefore, it needs to be protected against theft, disclosure, and improper use, and must be disseminated only to authorized individuals or organizations with a need to know the information. 8. How is security related to privacy and confidentiality? (Bloom’s Level: 4) Security is related to privacy and confidentiality in that it pertains to the physical and electronic protection of information that preserves these concepts. 9. Who owns the patient health record and who controls the use of the information within the record? (Bloom’s Level: 4) Ownership of the health record has traditionally been granted to the healthcare provider who generates the record. However, state and federal laws have long upheld the right of the patient to control the information within the record. The HIPAA Privacy Rule (45 CFR 164.524–526) grants a

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

patient the right to access, view, copy, or amend the record. Even though healthcare providers may own the physical health record—regardless of the media in which it is contained—such ownership does not permit providers to share or sell patient-identifiable medical information. This is an important issue as healthcare organizations expand their use of EHRs and HIEs. 10. Describe the role of the custodian of health records and how it differs from the role of data or information steward. (Bloom’s Level: 2) The custodian of health records is responsible for the care, custody, control, and proper safekeeping and disclosure of health records. An official custodian is required by both federal and state rules of evidence that permit health records to be entered as business records in legal proceedings. The official custodian is authorized to certify (that is, verify that the record or information is what it purports to be), through affidavit or testimony, the normal business practices used to create and maintain the record. The custodian supervises the inspection and copying or duplication of records and can be called to testify regarding the authenticity of the record. In most organizations the HIM department director or their designee is usually identified as the custodian of record. However this designation may differ depending on who is responsible for and can explain the procedures for compiling and maintaining patient information and records. In comparison, the data or information steward’s role goes beyond the physical record to include responsibility for the overall integrity (accuracy, completeness, and timeliness) and security of electronic information and records. Stewardship is part of information governance and an organizations overall enterprise information management process. It requires leadership, responsibility, and governance to ensure the consistent application of, and compliance with policies across organization-wide distributed information systems.

Application Exercises Case Study—Assessing the Issue of Patient Privacy Beth is a recent graduate of an allied health program at the local community college. While in school, she had taken a course from a professor who she really admired and liked. In her first job out of school as a registration clerk at the hospital’s clinic, she happened to be assigned the professor to register as an outpatient for radiation therapy for a recently diagnosed cancer treatment. The two chatted as Beth input the professor’s information into the hospital’s EHR system. They talked about the course and how much Beth liked the course and the professor as a teacher. Beth thought about the professor all day and felt terrible to learn the professor was being treated for cancer. She knew many of her classmates also liked the professor, so after work she decided to contact her friends about the professor and suggest they send the professor a card. Beth shared the professor’s home address. 1.1. Assess what Beth has done in terms of the privacy, confidentiality, and security of the professor’s health information. Why shouldn’t Beth share the information with her classmates? (Bloom’s Level: 5) Response will vary by student but should relate to privacy, confidentiality, and security definitions mentioned in chapter as well as HIPAA and HITECH. Issues include how much easier it may have been for Beth to share this information because of an EHR system and the use of social media to communicate information.

2. Stewardship in Data and Information Governance

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

Outline differences between data and information governance and what role stewardship might play in the governance process. Prepare a PowerPoint presentation on the differences. (Bloom’s Level: 6) Response will vary by student.

Web-based Activities 1. Direct the students to the website of the National Alliance for Health Information Technology (NAHIT) to investigate their efforts in developing consensus-based definitions for the terms electronic health records, electronic medical records, personal health record, and other related health information technology terms. How has NAHIT defined these terms? Do you agree with the definitions? http://www.hitechanswers.net/wp-content/uploads/2013/05/NAHIT-Definitions2008.pdf

2. Direct the students to the website for the Office of the National Coordinator for Health Information Technology Health IT Privacy and Security Resources website to explore the many resources the ONC has made available. Scroll down to “Communication with Patients about Health Information Privacy and Security.” Click on “video” and view the two-minute video on “Your Rights Under HIPAA.” Given that we will discuss HIPAA and HITECH in much more detail throughout the course, what did you learn about your own right to access your health information from this video? https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources

Review Quiz Objective Questions with Answers Select the best response for each question below. 1. Privacy protection related to health information has been established in all but which one of the following ways? (Bloom’s Level: 2) a. b. c. d.

State laws Federal laws Court decisions Constitutional right

2. Jeff Hill has gone to this doctor to discuss possible treatment for lung cancer, which he does not want anyone to know he has. Jeff is reasonably assured his information will be confidential based on which of the following legal concepts? (Bloom’s Level: 4) a. b. c. d.

Closed communication Open communication Private communication Privileged communication

3. Privacy as a legal term is best described by which definition? (Bloom’s Level: 2) a.

Right of an individual to limit disclosure of personal information

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

b. c. d.

Protection of health information in a patient-provider relationship Physical and electronic protection of health information Prevents the stealing of electronically stored information

4. What is the legal term used to define the protection of health information in a patient-provider relationship? (Bloom’s Level: 2) a. b. c. d.

Access Confidentiality Privacy Security

5. The concept of confidentiality applies to which of the following? (Bloom’s Level: 4) a. b. c. d. e.

All data and information systems Automated, paper and verbal communications Clinical, financial and business records a and c All of the above

6. What is the legal term used to describe the physical and electronic protection of health information? (Bloom’s Level: 2) a. b. c. d.

Access Privacy Security Confidentiality

7. Who owns the health record? (Bloom’s Level: 2) a. b. c. d.

Patient No one Provider who generated the information Insurance company who paid for the care recorded in the record

8. The “custodian of health records” refers to the individual within an organization who is responsible for the following action(s): (Bloom’s: Level: 4) a. b. c. d. e. f. g.

Authorized to certify records Supervises inspection and copying of records Testifies to authenticity of records a and b a and c All of the above None of the above

9. What is the term used most often to describe the individual within an organization who is responsible for protecting health information in conjunction with the court system? (Bloom’s Level: 2) a. b.

Administrator of record Custodian of record

Copyright ©2017 by the American Health Information Management Association. All rights reserved.

c. d.

Director of record Supervisor of record

10. When someone is identified as an information steward, the individual is responsible for what activities? (Bloom’s Level: 4) a. b. c. d. e. f.

Integrity of electronic health record Protecting loss or destruction of electronic health record Security of electronic health record a and c b and c All of the above

Test Bank Questions Objective Questions with Answers Select the best response for each question below. 1. What term best describes the process of protecting citizens living in a civilized society that establishes order, provides parameters for conduct, and defines the rights and obligations of the government and its citizens? (Bloom’s Level: 2) a. b. c. d.

Law Rule Guideline Standard

2. When a patient record is composed of paper documents and electronically stored information from numerous clinical systems such as lab, radiology, pharmacy, and nursing, it is referred to as what type of record? (Bloom’s Level: 2) a. b. c. d.

Electronic health record Hybrid health record Electronic medical record Personal health record

3. What term best denotes health information on an individual that conforms to nationally recognized interoperability standards and that c...