
Chapter08 - Legal Aspects of Health Information Management

The document outlines the legal aspects of health information management, including definitions of legal terms, patient record maintenance, and confidentiality under HIPAA. It covers the responsibilities of healthcare providers regarding the release of protected health information (PHI) and the legal framework governing health information management. Key legislation impacting this field is also discussed, emphasizing the importance of compliance with privacy and security provisions.

Uploaded by

nurfarhanah

TOPIC 8

LEGAL ASPECTS OF HEALTH INFORMATION MANAGEMENT

OUTLINES

• Legal and Regulatory Terms
• Maintaining the Patient Record in the Normal Course of Business
• Confidentiality of Information and HIPAA Privacy and Security Provisions
• Legislation that Impacts Health Information Management
• Release of Protected Health Information (PHI)

OBJECTIVES

• Identify and define health information legal and regulatory terms

• Maintain the patient record in the normal course of business

• Maintain confidentiality of protected health information (PHI)

• Comply with HIPAA privacy and security provisions

• Interpret legislation that impacts health information management

• Appropriately release protected health information (PHI)


LEGAL AND REGULATORY TERMS

• Law: A rule of conduct passed by a legislative body that is enforced by the government and results in penalties when violated.
• Burden of proof: Responsibility for proving harm.
• Plaintiff: The individual who initiates a civil complaint and has the burden of proof.
• Defendant: The individual against whom the complaint is brought.
• Discovery: The legal process lawyers use to obtain information about all aspects of a case.
• Interrogatory: A form of discovery that includes a list of written questions that must be answered by the party served.
• Deposition: A form of discovery used to learn answers to certain questions, obtain a sworn statement from the deponent, observe a witness’s behavior and ability to testify, and discover weaknesses and strengths in each party’s case.

SOURCES OF LAW

1. Administrative Law

• Includes regulations created by professional associations and administrative agencies of government.
• Example: Tribunal, minimum wages, Malaysian Medical Association (MMA)

2. Case Law (Common Law)

• Based on judicial decisions and precedent rather than on statutes.
• Sometimes applies only to situations where the facts of a new case exactly match the facts of the case that was previously decided.
• In other cases, the court makes a decision on a general principle that may apply to many situations.
• Case Law Principles:
  - Res gestae: “things done”
  - Res ipsa loquitur: “the thing speaks for itself”
  - Res judicata: “the thing is decided”
  - Respondeat superior: “Let the master answer”
  - Stare decisis: “to stand by things decided”
  - Subpoena ad testificandum: Court order that requires an individual to appear in court to testify
  - Subpoena duces tecum: A written command or direction, signed by the clerk of the court, ordering an individual to appear in court with documents.

3. Statutory Law

• Passed by a legislative body; it can be amended, repealed or expanded by the legislative body (e.g., tax).
• Statute of Limitations: Time period after which a lawsuit cannot be filed.
• Medical Malpractice: Results when a healthcare provider acts in an improper or negligent manner and the patient suffers injury, damage or loss as a result.
• Negligence: Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
• Medical Liability (malpractice) insurance: Pays a lawsuit’s covered damages and defense costs.

MAINTAINING THE PATIENT RECORD IN THE NORMAL COURSE OF BUSINESS

• The patient record is a legal business record.
• For a medical record to be admissible as evidence, it must be:
  a) Created by a person within the business who has knowledge of the acts, conditions, diagnoses, events or opinions documented
  b) Documented in the normal course of business
  c) Generated at or near the time of patient care
  d) Maintained in the regular course of business

Comprehensive Guide to Electronic Health Records:

• (Meet the previous four principles)
• The type of computer used is accepted as standard and efficient equipment
• The method of operation used to create the e-medical record is recorded
• Method and circumstances of preparing the record
• Information documented in the EMR has not been altered in any way

• Maintaining records at an off-site backup storage system in case the on-site system is damaged or destroyed
• Using an imaging system to copy documents that contain signatures
• Ensuring that records, once in electronic form, cannot be altered
• Safeguarding the confidentiality of records and preventing access by unauthorized persons
• Allowing authentication of record entries via electronic signature keys
• Implementing procedures for systems maintenance

CONFIDENTIALITY OF INFORMATION AND HIPAA PRIVACY AND SECURITY PROVISIONS

• Any information communicated by a patient to a health care provider is considered privileged communication (private).
• Patients have the right to confidentiality (the process of keeping privileged communication secret, which means that information cannot be disclosed without the patient’s authorization).
• Breach of confidentiality occurs when patient information is disclosed to others who do not have a right to access the information.
• Privacy and security provisions

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

• Is the first federal law in the US that governs the privacy of health information nationwide
• Contains 5 titles:
  1) Title I: Health care access, portability and renewability
  2) Title II: Preventing health care fraud and abuse, administrative simplification and medical liability reform
  3) Title III: Tax-related health provisions
  4) Title IV: Application and enforcement of group health plan requirements
  5) Title V: Revenue offsets

• The HIPAA Act (1996) resulted in:
  - Reducing health care fraud and abuse
  - Reducing paperwork associated with health claims processing
  - Guaranteeing the security and privacy of health information
• Portability aspect: Protects health insurance coverage for workers and their families when they change or lose their jobs
• Accountability aspect: Protects health data integrity, availability and confidentiality, and has the greatest impact on health care organizations

• Privacy Rule:
  - Provisions that protect the security and confidentiality of health information.
  - Establishes standards to protect the confidentiality of individually identifiable health information maintained or transmitted electronically in connection with certain administrative and financial transactions.
  - Provides new rights for individuals with respect to protected health information (PHI) about them and mandates compliance by covered entities.

Patient Rights

• Patient education on privacy protections: Covered entities are required to provide patients with a clear written explanation of how the covered entity may use and disclose their health information.
• Redisclosure of PHI: The patient authorization to release PHI should include a general statement that the health information may no longer be protected by the privacy rule once it is disclosed by the covered entity.
• Patient access to their records: Patients will be allowed to obtain copies of their records and to request that amendments be made to documentation.
• Disclosure to business associates: A covered entity may disclose PHI to a business associate (third party).
• Patient care and notification: A covered entity may disclose to a family member PHI directly related to that person’s involvement with the patient’s care or payment related to care.
• Disclosures about deceased patients: A covered entity must protect the PHI of a deceased patient for two years following the patient’s death.
• Limited uses and disclosures when the patient is not available: The covered entity may exercise professional judgment to determine whether disclosure of PHI is in the best interest of the patient and disclose only that PHI directly related to the person’s involvement with the patient’s health care.
• Disclosures by whistleblowers and workforce member crime victims: A covered entity is not considered to have violated this standard if a member of its workforce or a business associate discloses PHI.
• Obtaining patient authorization before information is disclosed: Except for circumstances requiring patient authorization, providers are not required to obtain patient authorization prior to disclosing information for treatment, payment and health care operation (TPO).

• Responsibilities of covered entities towards Patient Rights:
  - Create written privacy policies and procedures
  - Train employees
  - Designate a privacy officer

• Security Rule
  - Adopts standards and safeguards to protect health information that is collected, maintained, used, or transmitted electronically.
  - Should include the following policies and procedures:
    - Define authorized users of patient information to control access
    - Implement a tracking procedure to sign out records to authorized personnel
    - Limit record storage access to authorized users
    - Lock record storage areas at all times
    - Require that the original medical record remain in the facility at all times

• HIPAA’s security rule standards include the following safeguards:
  - Administrative (Table 8-1A) page 269
  - Physical (Table 8-1B) page 270
  - Technical (Table 8-1C) page 271

LEGISLATION THAT IMPACTS HEALTH INFORMATION MANAGEMENT

• Federal Legislation that Impacts Health Information Management:
  - Conditions of Participation (CoP) and Conditions for Coverage (CfC)
  - Drug Abuse and Treatment Act
  - Emergency Medical Treatment and Labor Act (EMTALA)
  - Federal Patient Self-Determination Act
  - Freedom of Information Act of 1966
  - Health Care Quality Improvement Act of 1986
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Health Integrity and Protection Data Bank (HIPDB)
  - Occupational Safety & Health Act of 1970 (OSH Act)
  - Omnibus Budget Reconciliation Act of 1987
  - Omnibus Budget Reconciliation Act of 1990
  - Patient Access to Records
  - Privacy Act of 1974
  - Uniform Health Information Act (UHIA)
• State Legislation that Impacts Health Information Management:
  - Mental Health Records
  - Reportable Diseases
  - Reportable Events
  - Retention of Records

RELEASE OF PROTECTED HEALTH INFORMATION

• Authorization to Disclose PHI is Not Required
• Authorization to Disclose PHI is Required
• Patient Access to Records
• Prohibition on Redisclosure
• Tracking Disclosures of PHI

Medical records should not include information about:

• Information related to care provided to another patient
• Peer review, quality management documents, and correspondence or notes from attorneys
• Aberrant or deviant statements about the patient

• Authorization to Disclose PHI is NOT REQUIRED
  - Health oversight activities (audits, criminal investigation)
  - Public health activities (authorities that collect reportable disease/event)
  - Law enforcement purposes (abuse/violence)
  - Judicial and administrative proceedings (court order)
  - Identification and location purposes
  - Decedents (coroners/medical examiners/funeral directors)
  - Research purposes (approved by IRB/privacy board)
  - Food & Drug Administration (FDA) (quality/safety/effectiveness)
  - Specialized government functions (Medicare/Medicaid/correctional institutions)
  - Workers’ compensation (work-related injuries)

• Authorization to Disclose PHI is REQUIRED
  - Attorney requests (except the provider’s attorney)
  - Employers (except work-related injuries)
  - Government agencies (Dept. of social services etc.)
  - Health care providers that did not render care to the patient
  - HIV-related information
  - Internal Revenue Service (IRS) (tax collection)
  - Law enforcement (except when no authorization is required by HIPAA)
  - Marketing communications (report to news media)
  - Patient or patient representative (except when no authorization is required by HIPAA)
  - Research that includes treatment of an individual
  - Third-party payers (except in the course of TPO)
  - Workers’ Compensation carriers (SOCSO etc.)

• Patient Access to Record
  - An individual has the right to access their own PHI for the purpose of inspection and to obtain a copy, except:
    - Psychotherapy notes
    - Information compiled for use in a civil, criminal or administrative action
    - PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA)-human samples

• A covered entity can deny an individual the right to access their PHI if the:
• The covered entity may deny an individual access to PHI, provided the individual is given a right to have such denials reviewed:
  - Page 284
• The covered entity must comply with a patient access request no later than 30 days after receipt of the request:
  - Page 284

• Prohibition on Redisclosure
  - Unless:
    - The Drug Abuse and Treatment Act of 1972
    - The HIPAA Final Privacy Rule

• Tracking Disclosures of PHI:
  - Release of information log
    - Document patient information released to authorized requestors; data is entered manually or using tracking software.
    - Establish a tracking mechanism and reporting process:
      - Date of disclosure
      - Name and address
      - Description of the PHI disclosed
      - Statement of reason for disclosure

• An individual has the right to receive an accounting of all disclosures of PHI made during the six years prior to the date an accounting is requested, except for disclosures:
  - To carry out treatment, payment and health care operations
  - To individuals themselves, of their PHI
  - Entered in the facility’s directory
  - To persons involved in the individual’s care
  - For other notification purposes, such as:
  - National security or intelligence purposes
  - Correctional institutions
  - Those that occurred prior to the compliance date