As we are all aware, the Medical Records department has changed by leaps and bounds over the past 20 years. With the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health Act (ARRA/HITECH) of 2009, the face of HIT is forever changed. We as health information professionals have a plethora of individual patients’ private information at our fingertips, and it is paramount that we handle this information with the utmost care.
During this training session we are going to go over some of the most important privacy and security components to ensure that everyone knows what the rules are and how to protect not only the patients’ information, but also the HIT department and you as the HIT professional. Today we will cover the high points on:
* Privacy, Security, and Confidentiality
* Regulations that have impacted privacy and security
* The Privacy Rule
* The Security Rule
* HITECH Privacy and Security
* HIM Role in Privacy, Security, and Confidentiality
Privacy, Security, and Confidentiality
It is our job as health information management (HIM) professionals to ensure the privacy, security and confidentiality of our patients’ personal health information. This has been the fundamental principle for the health information profession throughout its eighty-year history.
Today the HIM professional must continue to face the challenges of maintaining the privacy and security of the patient information. Although this might sound like a simple task, it grows in complexity as information becomes more and more technical and is distributed through electronic systems. The challenge of this responsibility has also increased due to the constantly changing legislative and regulatory environment.
Regulations that have impacted privacy and security
The two regulatory acts that have impacted the health information department the most are:
* The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
* The American Recovery and Reinvestment Act of 2009 (ARRA)
* Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule
According to the Department of Health and Human Services (HHS), “the major goal of the HIPAA privacy rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.” (Summary, 2003)
Where HIPAA was written in an attempt to protect patients’ medical records by imposing regulations that address patient confidentiality, the HITECH Act added the necessary requirements concerning privacy and security for health information that is so frequently passed through technology in more diverse ways, through third-party administrators, businesses and individuals.
With the rapidly growing use of technology, it became necessary to write rules that would also address the information being sent to all business associates.
The Privacy Rule
The privacy rule sets the floor for the safeguards that must be implemented for protected health information (PHI) across all media. It protects individuals’ medical records and other individually identifiable health information created or received by individuals or others. It protects individuals’ health information by regulating the circumstances under which covered entities may use and disclose protected health information and by requiring that everyone have safeguards in place to protect the privacy of the information.
In addition, it states that covered entities are required to have contracts or other arrangements in place with business associates that perform functions for or provide services to the covered entity, and that require access to protected health information, to ensure that these business associates likewise protect the privacy of the health information. Lastly, it gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections.
The Security Rule
The security rule applies only to protected health information in electronic form. It requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information.
It also requires that covered entities have contracts in place with their business associates stating that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities.
HITECH Privacy and Security
The purpose of the HITECH Act was to strengthen the privacy and security protections through:
* Extending privacy and security protections to business associates of covered entities
* Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes
* Prohibiting the sale of protected health information
* Requiring the consideration of a limited data set as the minimum necessary amount of information
* Expanding individuals’ rights of access to their protected health information
* Expanding individuals’ rights to receive an accounting of disclosures of their protected health information
* Expanding individuals’ rights to obtain restrictions on certain disclosures of protected health information to health plans
HIM Role in Privacy, Security and Confidentiality
As the demands for health information become more diverse, health information management (HIM) professionals use their expertise to protect health information and ensure the right information is available to the right people at the right time.
Successful privacy, security, and confidentiality programs depend on HIM professionals, the experts on the applicable rules and regulations who are skilled in managing healthcare data. For example, HIM professionals ensure privacy and security programs meet regulatory requirements. Once a program is in place, HIM professionals use their expertise to monitor and audit the program to ensure compliance. HIM professionals hold diverse roles such as organizational and corporate privacy officers, compliance officers, and are change agents in policy development. Sample job descriptions include: Privacy Officer and Security Officer. HIM professionals advocate for strong privacy and security programs as electronic health record (EHR) systems are implemented and upgraded.
HIM professionals provide the functional requirements for electronic health information, taking into account federal and state laws, including e-discovery, to ensure appropriate access, use, and disclosure of health information. HIM professionals also impact privacy, security, and confidentiality standards, laws, and regulations outside of their organization. Volunteering on state HIT and HIE initiatives, responding to public comment periods, and looking for ways to participate on standards development groups such as HL7 and HIEs are a few ways HIM professionals may influence and effect change. Organizations count on HIM professionals’ skill sets.
The convergence of people, processes, regulations, structure, standards and system design is vital to the organization. Sound privacy, security, and confidentiality practices lead to more effective management of health information, contributing to safe, high-quality patient care. (AHIMA, 2011)
Conclusion
We as health information professionals are given the task of protecting thousands of individuals’ private health information every year. We have taken an oath to protect this information and to show the patient respect and reverence when relaying any amount of information to other individuals, be it an inside entity or a business associate. It is up to each of us to do our duty and ensure that we follow the guidelines to the letter.
We must be vigilant in our daily tasks as well as seeing that we are constantly learning new things to help us do our job better. The Code of Ethics each HIM professional must adhere to states that “The HIM professional has an obligation to demonstrate actions that reflect values, ethical principles, and ethical guidelines. The American Health Information Management Association (AHIMA) Code of Ethics sets forth these values and principles to guide conduct. The code is relevant to all regardless of their professional functions, the settings in which they work, or the populations they serve. These purposes strengthen the HIM professional’s efforts to improve overall quality of healthcare.” (American Health Information Management Association Code of Ethics, 2011)