CHAPTER 3
Health Care Information Regulations, Laws, and Standards

Chapters One and Two focused on the health care information and data that are available to, used by, and managed by health care organizations. We mentioned that there are external drivers that affect and in some cases dictate the types of health care information that health care organizations maintain and to a certain extent the ways in which those types are maintained. These external forces take the form of laws and regulations mandated at both the state and federal levels. Voluntary accreditation standards are additional external forces. In this chapter we will examine more closely the most important of these laws, regulations, and standards and the external organizations that promulgate them. We will do this under two main headings.

In the section titled “Licensure, Certification, and Accreditation,” we define these processes and examine some of the missions and general functions of two of the major accrediting organizations in the United States, the Joint Commission and the National Committee for Quality Assurance (NCQA), and introduce several other accrediting bodies. These discussions focus on how the licensure, certification, and accreditation processes affect health care information and, as a consequence, health care information systems.

Then, in the section titled “Legal Aspects of Managing Health Information,” we look at state and federal laws that address the use of the patient medical record as a legal document, and current laws and regulations that govern patient privacy and confidentiality. These legal requirements have a significant impact on how patient-specific health care information is maintained and secured in health care information systems.

LICENSURE, CERTIFICATION, AND ACCREDITATION

Health care organizations, such as hospitals, nursing homes, home health agencies, and the like, must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must also be certified, and if they wish to demonstrate excellence, they will undergo an accreditation process. What are these processes, and how are they related? If a health care organization is licensed, certified, and accredited, how will this affect the health care information that it creates, uses, and maintains? In this section we will examine each of these processes and their impact on health care organizations. We will also discuss their relationships with one another.

Licensure

Licensure is the process that gives a facility legal approval to operate. As a rule, state governments oversee the licensure of health care facilities, and each state sets its own licensure laws and regulations. All facilities must have a license to operate, and it is generally the state department of health or a similar agency that carries out the licensure function. Licensure regulations tend to emphasize areas such as physical plant standards, fire safety, space allocations, and sanitation. They may also contain minimum standards for equipment and personnel. A few states tie licensure to professional standards and quality of care. In their licensure regulations, most states set minimum standards for the content, retention, and authentication of patient medical records. Exhibit 3.1 is an excerpt from the South Carolina licensure regulations for hospitals. This excerpt governs patient medical record content (with the exception of newborn patient records, which are addressed in a separate section of the regulations). Although each state has its own set of licensure standards, these are fairly typical in scope and content.

An initial license is required before a facility opens its doors, and this license to operate must generally be renewed annually. Some states allow organizations with Joint Commission accreditation to forgo a formal licensure survey conducted by the state; others require the state survey regardless of accreditation status. As we will see in the section on accreditation, the Joint Commission standards are more detailed and generally more stringent than the state licensure regulations. Also, the Joint Commission standards are updated annually; most licensure standards are not.

Certification

Certification gives a health care organization the authority to participate in the federal Medicare and Medicaid programs. In other words, an organization must be certified to receive reimbursement from the Centers for Medicare and Medicaid Services (CMS). Legislation passed in 1972 mandated that hospitals had to be reviewed and certified in order to participate in the Medicare and Medicaid programs. At that time the Health Care Financing Administration (now the Centers for Medicare and Medicaid Services) developed a set of minimum standards known as the Conditions of Participation (CoPs). The federal government is required to inspect facilities to make sure they meet these minimum standards; however, this survey process is generally contracted out to the states to perform. In the case of hospitals, those accredited by the Joint Commission are deemed to have met the federal certification standards. One interesting historical fact is that the original CoPs were essentially the same as the then existing Joint Commission standards. The Joint Commission standards, however, have undergone tremendous change over the past forty years whereas the CoPs have not. Exhibit 3.2 displays the section of the current Medicare and Medicaid Conditions of Participation for Hospitals that governs the content of hospital medical records.

Accreditation

Accreditation is an external review process that an organization elects to undergo. The accrediting agency grants recognition to organizations that meet its predetermined performance and outcome standards. The review process and standards are devised and regulated by the accrediting agency. By far the best-known health care accrediting agency in the United States is the Joint Commission. A few other notable accrediting agencies are the National Committee for Quality Assurance (NCQA), the Commission on Accreditation of Rehabilitation Facilities (CARF), and the Accreditation Association for Ambulatory Health Care (AAAHC).

Although accreditation is voluntary, there are financial and legal incentives for health care organizations to seek accreditation. As we stated earlier, Joint Commission accreditation can lead to deemed status for CMS programs, and many states recognize accreditation in lieu of their own licensure surveys. Other benefits for an organization are that accreditation

  • Is required for reimbursement from certain payers
  • Validates the quality of care within the organization
  • May favorably influence liability insurance premiums
  • May enhance access to managed care contracts
  • Gives the organization a competitive edge over nonaccredited organizations

The Joint Commission

The Joint Commission’s stated mission is “To continuously improve health care for the public, in collaboration with other stakeholders, by evaluating health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value” (The Joint Commission, 2012a).

The Joint Commission on Accreditation of Hospitals (as the Joint Commission was first called) was formed as an independent, not-for-profit organization in 1951, as a joint effort of the American College of Surgeons, American College of Physicians, American Medical Association, and American Hospital Association. The Joint Commission has grown and evolved to set standards for and accredit more than 19,000 health care organizations and programs in the United States. Approximately 82 percent of U.S. hospitals are currently accredited by the Joint Commission. In addition to hospitals, the Joint Commission has accreditation programs for health care organizations that offer ambulatory care, behavioral health care, home care, long-term care, and office-based surgery. It also offers an accreditation program for organizations that offer laboratory services (The Joint Commission, 2011).

In order to maintain accreditation, a health care organization must undergo an on-site survey by a Joint Commission survey team every three years. Laboratories must be surveyed every two years. This survey is conducted to ensure that the organization continues to meet the established standards. The standards themselves are the result of an ongoing, dynamic process that incorporates the experience and perspectives of health care professionals and others throughout the country. New standards manuals are published annually and health care organizations are responsible for knowing and incorporating any changes as they occur.

Categories of accreditation (The Joint Commission, 2011) that an organization can achieve are the following:

  • Preliminary accreditation: for organizations that demonstrate compliance with selected standards under the “Early Survey Policy.” The Early Survey Policy allows organizations to undergo a survey prior to having the ability to demonstrate full compliance. Organizations that receive preliminary accreditation will be required to undergo a second on-site survey.
  • Accredited: for organizations that demonstrate compliance with all standards.
  • Accreditation with follow-up survey: for organizations that are not in compliance with specific standards and require a follow-up survey within thirty days to six months.
  • Contingent accreditation: for organizations that fail to address all requirements in an Accreditation with Follow-up Survey decision or for organizations that do not have the proper license or other similar issue at the time of the initial survey. A follow-up survey is generally required within thirty days.
  • Preliminary denial of accreditation: for organizations for which there is justification for denying accreditation. This decision is subject to appeal.
  • Denial of accreditation: for organizations that fail to meet standards and that have exhausted all appeals.

In addition to the survey process, the Joint Commission (2011) requires accredited organizations to

  • Complete a self-directed Periodic Performance Review (PPR) on an annual basis (except the survey years) and submit a specific Plan of Action (POA). PPR is a process “whereby an organization reviews its compliance with all applicable Joint Commission accreditation requirements.” The POA is subsequently submitted for any requirements that are not in full compliance.
  • Select and use core performance measures to meet ORYX (National Hospital Quality Measures) requirements. Currently Joint Commission–accredited hospitals are required to collect and submit data on a minimum of four core measures or a combination of core and noncore measures (up to nine noncore measures). Organizations may choose their core measure sets from among several that are currently available. Examples of currently available sets are
    1. Acute myocardial infarction (AMI)
    2. Children’s asthma care (CAC)
    3. Heart failure (HF)
    4. Surgical Care Improvement Project (SCIP)
    5. Pneumonia (PN)
    6. Hospital outpatient measures (HOP)
    7. Perinatal care (PC)
    8. Venous thromboembolism (VTE)
    9. Hospital-based inpatient psychiatric services (HBIPS)
    10. Stroke (STK)
    Data for all applicable measures must be submitted through performance measurement vendor(s) that have been evaluated and listed by the Joint Commission (The Joint Commission, 2012b).
  • Participate in the Joint Commission Quality Report process. Quality Reports can include the following information (The Joint Commission, 2012c):
    1. Accreditation and certification decision
    2. National Patient Safety Goal compliance
    3. National Quality Improvement Goals performance
    4. Patient satisfaction data
    5. Centers for Medicare and Medicaid Services mortality measures
    6. Special quality awards

As discussed in Chapter One, this information can be publicly searched and viewed on the Joint Commission’s Quality Check web site (www.qualitycheck.org).

  • Comply with currently identified National Patient Safety Goals. Effective January 1, 2012, the Joint Commission National Patient Safety Goals included (among others):
    1. Use at least two patient identifiers when providing care, treatment, and services.
    2. Eliminate transfusion errors related to patient misidentification.
    3. Report critical results of tests and diagnostic procedures on a timely basis.
    4. Label all medications, medication containers, and other solutions on and off the sterile field in perioperative and other procedural settings.
    5. Maintain and communicate accurate patient medication information.

The Joint Commission’s focus on the quality of care provided in health care facilities dates back to the early 1900s, when the American College of Surgeons began surveying hospitals and established a hospital standardization program. With the program came the question of how quality of care is measured. One of the early concerns of the standardization program was the lack of documentation in patient records. The early surveyors found that documentation was so poor that they had no way to judge the quality of care provided. The Joint Commission’s emphasis on health care information and the documentation of care has continued to the present. Not only do the Joint Commission reporting requirements rely heavily on patient information, but the current survey process also uses “tracer methodology,” through which the surveyors analyze the organization’s systems by tracing the care provided to individual patients. Patient records provide the road maps for the tracer methodology. The absence of quality health records would have a direct impact on the accreditation process. The following sections discuss Joint Commission standards that directly influence the creation, maintenance, and use of health care information. These sections further illustrate how the overall accreditation process relies on the availability of high-quality health care information.

The Joint Commission Record of Care, Treatment, and Services Standards

In 2009, the Joint Commission introduced a “new and improved” hospital accreditation manual and survey process. One significant aspect of the new manual was the creation of the Record of Care, Treatment and Services (RC) chapter of standards. This chapter defines the components of the medical record. The content of health records is greatly influenced, if not determined, by these standards. Although the RC chapter is new, the standards within it are not. The standards were found within the Information Management (IM) chapter prior to 2009. By splitting the RC standards out of the overall IM chapter and creating a stand-alone chapter, the Joint Commission clearly defined and distinguished standards governing patient record content from standards governing the management of information. The RC standards require hospitals to

  • Maintain complete and accurate medical records for each individual patient
  • Ensure medical record entries are authenticated appropriately by authorized persons
  • Ensure documentation in medical records is timely
  • Audit their medical records
  • Retain their medical records according to relevant laws and regulations
  • Ensure medical records contain specific information that “reflects the patient’s care, treatment and services”
  • Ensure medical records accurately reflect operative and high-risk procedures and use of sedation and anesthesia
  • Ensure documentation of proper use of restraints and/or seclusion
  • Ensure ambulatory care records contain a summary list
  • Ensure qualified staff receive and record verbal orders
  • Document specific discharge information for each patient

Each RC standard has specific elements that must be addressed. For more information refer to the most recent edition of the Comprehensive Accreditation Manual for Hospitals (CAMH). All Joint Commission–accredited hospitals have access to the complete manual in electronic and paper form.

In the introduction of the RC chapter, the Joint Commission explicitly states that the same standards apply whether the organization uses electronic, paper, or combination health records. A further caution is directed at hospitals transitioning from paper to electronic systems, “as the period of transition can present increased opportunity for errors in recordkeeping that can affect the delivery of safe quality care” (The Joint Commission, 2011, RC-1).

The Joint Commission Information Management Standards

The Information Management (IM) standards reflect the Joint Commission’s belief that quality information management influences quality care. In the overview of the IM standards, the Joint Commission states, “Every episode of care generates health information that must be managed systematically” (emphasis is the authors’). Information is a resource that must be managed like any other resource within the organization. Whether the information management systems employed by the organization are basic or sophisticated, the functions should include features that allow for:

  • Categorizing, filing, and maintaining all data and information used by the organization
  • Accurately capturing health information generated by delivery of care, treatment, and services
  • Accessing information by those authorized users who need the information to provide safe, quality care

The IM standards apply to both noncomputerized systems and systems employing the latest technologies. The first standard within the IM chapter focuses on information planning. The organization’s plan for information management should consider the “full spectrum of data” generated and used by the organization as well as the flow of information within and to and from external organizations. Identifying and understanding the flow of information is critical to meeting the organization’s needs for data collection and distribution, while maintaining the appropriate level of security (The Joint Commission, 2011, IM-3).

The remaining IM standards address the requirements for health care organizations to

  • Provide continuity of the information management process, including managing system interruptions and maintaining backup systems
  • Ensure the privacy, security, and integrity of health information
  • Manage data collection, including use of standardized data sets and terminology, and limiting the use of abbreviations
  • Manage health information retrieval, dissemination, and transmission
  • Provide knowledge-based information resources twenty-four hours a day, seven days a week
  • Ensure the accuracy of the health information (The Joint Commission, 2011)

National Committee for Quality Assurance

The National Committee for Quality Assurance (NCQA) was discussed in Chapter One as the developer and overseer of the Health Plan Employer Data and Information Set (HEDIS) and for its work in providing quality measures for health plans. In addition to these programs, the NCQA also serves as an accrediting body for health plans, including health maintenance organizations (HMOs), preferred provider organizations (PPOs), and point of service (POS) plans. NCQA began accrediting managed care organizations (MCOs) in 1991 “to meet increasing demand for objective, standardized plan performance information” (NCQA, 2012). Although the NCQA accreditation process is voluntary, many large employers, including American Airlines, IBM, AT&T, and Federal Express, will not do business with a health plan that is not NCQA accredited. Many states recognize NCQA accreditation, eliminating the need for accredited plans to undergo separate state review.

The full list of NCQA Health Plan Accreditation Requirements is published on the NCQA web site at www.ncqa.org. The 2011 requirements include specific criteria divided into the following sections:

  • Quality management and improvement (QI)
  • Utilization management (UM)
  • Credentialing and recredentialing (CR)
  • Members’ rights and responsibilities (RR)
  • Standards for member connections (MEM)
  • Medicaid benefits and services (MED)
  • HEDIS and Consumer Assessment of Healthcare Providers and Systems (CAHPS) performance measures

NCQA accreditation surveys are conducted by teams of physicians and other health care providers. These surveys rely heavily on health care data and information, including the HEDIS measures. The results of the surveys are evaluated by a national oversight committee that assigns one of five accreditation levels:

  • Excellent
  • Commendable
  • Accredited
  • Provisional
  • Denied

The NCQA accreditation process is viewed as rigorous. A health plan must be aggressively managing quality in order to achieve accreditation at the excellent level. NCQA provides a free, online health plan report card that shows the accreditation status of all plans that it has surveyed (NCQA, 2012).

Other Accrediting Organizations

Although the Joint Commission and NCQA are arguably the most visible and well-known accrediting bodies in the U.S. health care system, there are others. The Commission on Accreditation of Rehabilitation Facilities (CARF) accredits health and human services programs, including aging services, behavioral health, business and services management networks, child and youth services, employment and community services, and medical rehabilitation. There are currently over 47,000 CARF-accredited programs and services (CARF, 2012). The Accreditation Association for Ambulatory Health Care (AAAHC) accredits ambulatory care organizations based on a set of core and adjunct standards. There are currently over five thousand ambulatory care organizations with AAAHC accreditation (AAAHC, 2012). These accreditation processes have several features in common: they are based on preestablished standards aimed at improving the quality of health care, they require an on-site survey, they make health care information and documentation critical components of the process, and they award a level of accreditation or approval. All have standards that affect organizations’ health care information and health care information systems.

PATIENT SAFETY ORGANIZATIONS

In 2000, the landmark report “To Err Is Human: Building a Safer Health System” was published by the Institute of Medicine. This report outlined serious concerns about and the need to improve the safety and quality of health care in the United States. In spite of the ongoing efforts by voluntary accrediting bodies to ensure high-quality care, this report identified (among other things) a critical need for reporting and analyzing individual facility and aggregate data related to adverse events. To address this need to capture information to improve health care quality and prevent harm to patients, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) was passed by Congress. The goals of the Patient Safety Act are “to encourage the expansion of voluntary, provider-driven initiatives to improve the quality and safety of health care; to promote rapid learning about the underlying causes of risks and harms in the delivery of health care; and to share those findings widely, thus speeding the pace of improvement” (AHRQ, 2012).

The Patient Safety Act

To implement the act, the Department of Health and Human Services issued the Patient Safety Rule (effective January 2009), which authorizes PSOs to

PSOs are responsible for the collection and analysis of health information that is referred to in the final rule as “patient safety work product” (PSWP). The PSWP contains identifiable patient information that is covered by specific privilege and confidentiality protections. Currently there are over seventy-five PSOs listed as operating in the United States; however, this list is updated on a weekly basis at www.pso.ahrq.gov.

In the first half of this chapter, we have given a brief overview of licensure, certification, and accreditation, as well as patient safety organization reporting. Each of these processes is designed to have a positive impact on health care quality, with health care data and information as integral components. The accreditation processes and standards provide guidance to organizations for the development of information planning, retention, and retrieval and to a great extent determine the content of patient records. Health care executives must be familiar with the processes and standards that apply to their health care organizations to ensure that their information management plans and information systems will facilitate compliance, whether voluntary or mandatory.

LEGAL ASPECTS OF MANAGING HEALTH INFORMATION

Health care information, particularly patient-specific information, is governed by multiple state and federal laws and regulations in addition to those for licensure and certification. Laws and regulations governing the privacy and confidentiality of patient information and also record retention and authentication have existed for many years. When all patient records were on paper, it was fairly easy to identify what constituted a patient record and what did not. Authentication was a signature on a document, and destruction of records involved burning or shredding. As patient records are increasingly stored in electronic form and involve multiple types of media from paper to digital images, implementation of the regulations governing health care information has had to change. In some cases the laws and regulations themselves have been rewritten.

At this juncture it is worth emphasizing that laws governing patient information and medical records vary from state to state and a full discussion of them is beyond the scope of this text. The complexity of the U.S. legal system makes it very important for health care organizations to employ personnel who are knowledgeable about all state and federal laws and regulations that govern their patients’ information and to have legal counsel available who can provide specific guidance. With that caveat, in this section we will look at several legal aspects of managing health care information, including a brief discussion of some of the significant laws and regulations related to each aspect and a discussion of legal compliance in an increasingly multimedia environment. Specifically, we will address the medical record as a legal document, including the issues of retention and authentication of health care information, and selected federal regulations governing patient and health information privacy and confidentiality, including an overview of the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule.

The Health Record as a Legal Document

When the patient medical record is a file folder full of paper housed in the health information management department of the hospital, identifying the legal record is fairly straightforward. Records kept in the normal course of business (in this case, providing care to patients) represent an exception to the hearsay rule, are generally admissible in a court, and therefore can be subpoenaed—they are legal documentation of the care provided to the patients. The health care organization might struggle with which documents to file in an individual’s medical record, because of varying and changing state and federal laws and regulations, but once those decisions are made, the entire legal record for any given patient can be found on the file shelf when it is needed. Only one “official,” original copy exists.

When the patient record is a hybrid of electronic and paper documents or when it is totally computer based, how does that change the definition of the legal record? There is no simple, one-paragraph answer to this question, as state governments and the federal government are modifying laws and regulations to reflect the change from paper to digital documentation. The purpose of the legal health record (LHR) is to provide the information that is recognized as the official business record of the health care organization for evidentiary purposes. As such it represents a subset of the health care organization’s patient database. The organization, therefore, has an obligation to clearly define the elements of the patient database that make up the LHR. This is not a simple undertaking. The documents and data that could potentially be a part of the LHR may exist in several physically separate paper-based and electronic systems. An organization might have stored within its overall patient database not only the organization’s records but also outpatient test results, other care provider records, or even the patients’ own personal health records. Multiple types of media could also be stored, such as images, videos, audio files, and e-mails. Clearly, the organization’s LHR definition must include not only the sources of the data it contains, but also the storage media and location (AHIMA, 2011a).

An approach recommended by the American Health Information Management Association (AHIMA) is to develop a “health record matrix” outlining the type and name of the components of the record, primary source, system start date, location for legal purposes, and whether or not the record is part of the LHR. (For more information, see “Fundamentals of the Legal Health Record and Designated Record Set: Appendix A,” available online in the AHIMA Body of Knowledge at www.ahima.org.) The matrix helps identify and track the components of the organization’s entire patient database. From this, the organization must determine which components constitute the LHR.

In defining their LHR, organizations should also consider issues such as these (AHIMA, 2011a):

  • The available functions in the EHR system—for example, will information sent by the patient through a web-based portal be considered part of the LHR?
  • The storage capacity and cost for the required retention period of the health record—for example, what is the organization’s image storage capacity?
  • The data’s importance for long-term use—some raw data might be considered useful only until the final report is created.
  • Whether or not the EHR system is able to provide both readable electronic and paper copies of all components of the LHR.

Examples of information that will generally be found in an organization’s LHR are all components of the clinical record and patient-identifiable source clinical data such as X-rays, fetal strips, and images. Health care records from other providers may or may not be included. Administrative records such as committee reports and encounter forms will generally not be included in the LHR.

Retention of Health Records

The majority of states have specific retention requirements for health care information. These state requirements should be the basis for the health care organization’s formal retention policy. (The Joint Commission and other accrediting agencies also address retention but generally refer organizations back to their own state regulations for specifics.) When no specific retention requirement is made by the state, all patient information that is a part of the LHR should be maintained for at least as long as the state’s statute of limitations or other regulation requires. In the case of minor children the LHR should be retained until the child reaches the age of majority as defined by state law, usually eighteen or twenty-one. Health care executives should be aware that statutes of limitations may allow a patient to bring a case as long as ten years after the patient learns that his or her care caused an injury. AHIMA (2011b) currently recommends that patient health records for adults should be retained for ten years after the most recent encounter and patient health records for children should be retained until the time the person reaches the age of majority plus the time stated in the relevant statute of limitations.

Although some specific retention requirements and general guidelines exist, it is becoming increasingly popular for health care organizations to keep all LHR information indefinitely, particularly if the information is stored in an electronic format. If an organization does decide to destroy LHR information, this destruction must be carried out in accordance with all applicable laws and regulations. Some states require that health care organizations create an abstract of the patient record prior to its destruction. Others specify methods of destruction that can be used. If specific methods of destruction are not specified, the health care organization can follow general guidelines such as those in the following list (AHIMA, 2011b). These destruction guidelines apply to any patient-identifiable health care information, whether or not that information is identified as part of the LHR.

  • Destroy the records so there is no possibility of reconstruction:
      • Burn, shred, pulp, or pulverize paper.
      • Recycle or pulverize microfilm or microfiche.
      • Pulverize write-once read-many laser disks.
      • Degauss computerized data stored on internal or external magnetic media (that is, alter the magnetic alignment of the storage media, making it impossible to recover previously recorded data).
      • Shred or cut DVDs.
      • Demagnetize magnetic tapes.
  • Document the destruction:
      • Date of destruction.
      • Method of destruction.
      • Description of destroyed records.
      • Inclusive dates of destroyed records.
      • A statement that the records were destroyed in the normal course of business.
      • Signatures of individuals supervising and witnessing the destruction.
  • Maintain the destruction documentation indefinitely.

Under the HIPAA privacy rule, when destruction services are outsourced, the contract with the business associate must include the following measures to protect patient privacy (AHIMA, 2011b):

  • The method of destruction or disposal.
  • The time that will elapse between acquisition and destruction or disposal.
  • Safeguards against breaches.
  • Indemnification for the organization to provide for loss due to unauthorized disclosure.
  • Requirement that the business associate maintain liability insurance in specified amounts at all times.
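The retention and destruction rules above, worked through as an added example (not code from the chapter or from AHIMA): the AHIMA retention rule for adults and minors, the per-medium destruction methods, and the destruction record whose fields the chapter lists. The age of majority and statute-of-limitations window are parameters because they vary by state, and taking the later of the adult and minor dates when both could apply is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date

ADULT_RETENTION_YEARS = 10  # AHIMA (2011b): ten years after the most recent encounter

# Destruction methods the chapter lists for each medium (AHIMA, 2011b).
APPROVED_METHODS = {
    "paper": {"burn", "shred", "pulp", "pulverize"},
    "microfilm": {"recycle", "pulverize"},
    "worm_disk": {"pulverize"},          # write-once read-many laser disks
    "magnetic_media": {"degauss"},       # internal or external magnetic disks
    "dvd": {"shred", "cut"},
    "magnetic_tape": {"demagnetize"},
}


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(date_of_birth: date, last_encounter: date,
                  age_of_majority: int, statute_years: int) -> date:
    """Earliest date on which the LHR becomes eligible for destruction.

    Adult at the last encounter: last encounter + 10 years.
    Minor at the last encounter: age of majority + statute of limitations.
    Assumption of this example: when both rules apply, keep the later date,
    so a minor is never retained for less time than an adult would be.
    """
    adult_rule = add_years(last_encounter, ADULT_RETENTION_YEARS)
    majority = add_years(date_of_birth, age_of_majority)
    if last_encounter >= majority:
        return adult_rule
    return max(adult_rule, add_years(majority, statute_years))


@dataclass(frozen=True)
class DestructionRecord:
    """The fields the chapter says must document every destruction."""
    date_of_destruction: date
    method: str
    description: str
    records_from: date           # inclusive dates of the destroyed records
    records_to: date
    supervisor_signature: str
    witness_signature: str
    statement: str = "Records were destroyed in the normal course of business."


def check_destruction(media: str, method: str, retention_until: date,
                      record: DestructionRecord) -> list[str]:
    """Return the problems found; an empty list means destruction may proceed."""
    problems: list[str] = []
    if record.date_of_destruction < retention_until:
        problems.append(f"retention period runs until {retention_until}")
    if media not in APPROVED_METHODS:
        problems.append(f"unknown medium {media!r}")
    elif method not in APPROVED_METHODS[media]:
        problems.append(f"{method!r} is not an approved method for {media}")
    if record.method != method:
        problems.append("documented method does not match method performed")
    for name in ("description", "supervisor_signature", "witness_signature"):
        if not getattr(record, name).strip():
            problems.append(f"missing {name}")
    if record.records_from > record.records_to:
        problems.append("inclusive date range is reversed")
    return problems


class DestructionLog:
    """Append-only: the chapter says destruction documentation is kept indefinitely."""

    def __init__(self) -> None:
        self._entries: list[DestructionRecord] = []

    def add(self, record: DestructionRecord) -> None:
        self._entries.append(record)

    def entries(self) -> tuple[DestructionRecord, ...]:
        return tuple(self._entries)
```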

Authentication of Health Record Information

State and federal laws and accreditation standards require that health record entries be authenticated to ensure that the legal document identifies the person or persons responsible for the care provided. Generally, authentication of an LHR entry is accomplished when the physician or other health care professional signs it, either with a handwritten signature or an electronic signature.

Electronic signatures are created when the provider enters a unique code, biometric, or password that verifies his or her identity. The term electronic signature is used to describe a broad range of technologies and methods, ranging from an agreement button following a written statement to a digitally encrypted ID or certificate. Often electronic signatures show up on the computer screen or printout in this form: “Electronically authenticated by Jane H. Doe, M.D., on 4/1/2012 at 12:50pm” (AHIMA, 2009). Electronic signatures are now accepted by both the Joint Commission and CMS. State laws and regulations vary on the acceptability of electronic signatures, so it is important that health care organizations know what their respective state laws and regulations are before implementing such signatures. Most states do allow for electronic signatures in some fashion or are silent on the subject.

Regardless of the state laws and regulations, policies and procedures must be adopted by the health care organization to ensure that providers do not share any codes or passwords that are used to produce electronic signatures. Generally, a provider is required to sign a statement that he or she is the only person who has possession of the signature “key” and that he or she will be the only one to use it (AHIMA, 2009).

Privacy and Confidentiality

Privacy is an individual’s constitutional right to be left alone, to be free from unwarranted publicity, and to conduct his or her life without its being made public. In the health care environment, privacy is the individual’s right to limit access to his or her health care information. Confidentiality is the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust.

There are many sources for the legal and ethical requirement that health care professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence. Accrediting bodies, such as those mentioned in the previous section (the Joint Commission, NCQA, and so forth), and the CMS CoPs dictate that health care organizations follow standard practice, state, and federal laws to ensure the confidentiality of patient information. State regulations, as a component of state facility licensure or other statutes, also address confidentiality and privacy.

However, the regulations and statutes vary widely from state to state. Protections offered by the states also vary according to the holder of the information and the type of information. For example, state regulations may address the confidentiality of AIDS or sexually transmitted disease (STD) information but remain silent on all other types of health care information. Few states specifically address the redisclosure of information, and the lack of uniformity among states causes difficulty when interstate health care transactions are necessary. In today’s environment it is not uncommon for a preferred provider of a technical medical procedure to be out of state. Telemedicine also often requires interstate communication of patient information.

Federal Privacy Laws

The federal laws governing patient privacy have evolved over the past several decades. In this section we will describe the following key privacy laws, rules, and regulations that affect health care information management today:

  • The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
  • Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)
  • Health Insurance Portability and Accountability Act (HIPAA); Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164)
  • Health Information Technology for Economic and Clinical Health (HITECH) Act expansion of HIPAA Rules

The Privacy Act of 1974

In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the American public with the right to obtain information from federal agencies. The Act covers all records created by the federal government, with nine exceptions. The sixth exception is for personnel and medical information “the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” There was, however, concern that this exception to the FOIA was not strong enough to protect federally created patient records and other health information. Consequently, Congress enacted the Privacy Act of 1974. This Act was written specifically to protect patient confidentiality only in federally operated health care facilities, such as Veterans Administration hospitals, Indian Health Service facilities, and military health care organizations. Because the protection was limited to those facilities operated by the federal government, most general hospitals and other nongovernment health care organizations did not have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not only because it addressed the FOIA exception for patient information but also because it explicitly stated that patients had a right to access and amend their medical records. It also required facilities to maintain documentation of all disclosures. Neither of these things was standard practice at the time.

Confidentiality of Substance Abuse Patient Records

During the 1970s, people became increasingly aware of the extrasensitive nature of drug and alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These regulations have been amended twice, with the latest version published in 1999. They offer specific guidance to federally assisted health care organizations that provide referral, diagnosis, and treatment services to patients with alcohol or drug problems. Not surprisingly, they set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment.

HIPAA

The HIPAA Privacy Rule is an important federal regulation. It is the first comprehensive federal regulation that offers specific protection to private health information. Prior to the HIPAA Privacy Rule there was no single federal regulation governing the privacy and confidentiality of patient-specific information. To put the Privacy Rule in context, we will begin our discussion by briefly outlining the content of the entire Act that authorized this regulation. We will then discuss the specifics of the Privacy Rule and its impact on the maintenance, use, and release of health care information.

The Health Insurance Portability and Accountability Act of 1996 has two main parts:

  • Title I addresses health care access, portability, and renewability, offering protection for individuals who change jobs or health insurance policies. Although Title I is an important piece of legislation, it does not address health care information specifically and will therefore not be addressed in this chapter.
  • Title II includes a section titled Administrative Simplification. It is in a subsection to this section that the requirement to establish privacy regulations for individually identifiable health information is found. Two additional subsections under Administrative Simplification are particularly relevant to health care information: Transaction and Code Sets, standards for which were finalized in 2000, and Security, standards for which were finalized in 2002. (HIPAA security regulations are discussed at length in Chapter Ten.)

HIPAA Privacy Rule

Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the enforcement of existing state laws that are more protective of individual privacy, and states are also free to pass more stringent laws in the future. Therefore, health care organizations must still be familiar with their own state laws and regulations related to privacy and confidentiality.

The HIPAA Privacy Rule defines covered entities, that is, those individuals and organizations that must comply. This definition is broad and includes

  • Health plans, which pay or provide for the cost of medical care.
  • Health care clearinghouses, which process health information (for example, billing services).
  • Health care providers who conduct certain financial and administrative transactions electronically. (These transactions are defined broadly, so that the reality of the HIPAA Privacy Rule is that it governs nearly all health care providers who receive any type of third-party reimbursement.)

If any of these covered entities shares information with others, it must establish contracts to protect the shared information.

HIPAA-protected information is also defined broadly under the Privacy Rule. Protected health information (PHI) is information that

  • Relates to a person’s physical or mental health, the provision of health care, or the payment for health care
  • Identifies the person who is the subject of the information
  • Is created or received by a covered entity
  • Is transmitted or maintained in any form (paper, electronic, or oral)

There are five major components to the HIPAA Privacy Rule:

  1. Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
  2. Security. PHI should not be distributed without patient authorization, unless there is a clear basis for doing so, and the individuals who receive the information must safeguard it.
  3. Consumer control. Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used.
  4. Accountability. Entities that improperly handle PHI can be charged under criminal law and punished and are subject to civil recourse as well.
  5. Public responsibility. Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general.

HITECH Expansion of HIPAA Privacy Rules

A portion of the American Recovery and Reinvestment Act of 2009 known as the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to provide substantial Medicare and Medicaid incentives for hospitals and physicians to adopt electronic health records and provide grants to develop health information exchanges. (See Chapter Six for a complete discussion of these aspects of HITECH.) The HITECH Act also substantially expands the HIPAA Privacy and Security Rules (Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).

This expansion has four main components:

  • Application of the HIPAA privacy and security requirements directly to business associates. The Act also clarifies that certain entities, such as Health Information Exchange Organizations, Regional Health Information Organizations, e-prescribing gateways, or a vendor that contracts with a covered entity to allow the covered entity to offer a personal health record as a part of its EHR, are business associates if they require access to PHI on a routine basis.
  • Establishment of mandatory federal security breach reporting requirements for covered entities and business associates. (See Chapter Eleven for a complete discussion of this expansion to the HIPAA Security Rule.)
  • Establishment of new criminal and civil penalties for noncompliance and new enforcement responsibilities. The new penalties are applied using a tiered schedule that ranges from $100 for a single violation where the individual did not know he was not in compliance to $1,500,000 for multiple violations due to willful neglect. State attorneys general now have enforcement authority.
  • Creation of new privacy requirements for HIPAA-covered entities and business associates. There are several areas of expansion to the HIPAA privacy requirements. In general the rights of individuals to request and obtain their PHI are strengthened, as is the right of the individual to prevent a health care organization from disclosing PHI to a health plan if the individual paid in full out of pocket for the related services. There are also some new provisions for accounting of disclosures made through an EHR for treatment, payment, and operations.

The federal privacy laws, rules, and regulations create a tension within health care organizations between the need to protect patient information and the need to use patient information. Thinking back to Chapter One, remember the purposes for maintaining patient-specific health information. The number-one reason is patient care; however, there are other legitimate reasons for sharing or “releasing” identifiable health information.

Release of Information

Because of the various state and federal laws and regulations that exist to protect patient-specific information, health care organizations must have comprehensive release of information policies and procedures in place that ensure compliance. Exhibits 3.3 and 3.4 are samples of release of information forms used by a hospital, showing the elements that should be present on a valid release form:

  • Patient identification (name and date of birth)
  • Name of the person or entity to whom the information is being released
  • Description of the specific health information authorized for disclosure
  • Statement of the reason for or purpose of the disclosure
  • Date, event, or condition on which the authorization will expire, unless it is revoked earlier
  • Statement that the authorization is subject to revocation by the patient or the patient’s legal representative
  • Patient’s or legal representative’s signature
  • Signature date, which must be after the date of the encounter that produced the information to be released

Health care organizations need clear policies and procedures for releasing patient-identifiable information. There should be a central point of control through which all nonroutine requests for information pass, and all of these disclosures should be well documented.
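The release form elements listed above and the central point of control described in the preceding paragraph, as an added example that is not from the chapter or the sample exhibits: a validator that checks each required element (including the rule that the signature date must be after the encounter date and that the authorization has neither expired nor been revoked) and a release desk that logs every nonroutine disclosure it grants or refuses. Field names and sample values are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    """One signed release form, with the elements the chapter lists."""
    patient_name: str
    patient_dob: date
    recipient: str                  # person or entity receiving the information
    information: str                # specific health information authorized
    purpose: str
    encounter_date: date            # encounter that produced the information
    signer: str                     # patient or legal representative
    signed_on: date
    expires_on: Optional[date] = None   # expiration date ...
    expiry_event: str = ""              # ... or event/condition, if no date
    revocation_notice: bool = False     # form states it may be revoked
    revoked_on: Optional[date] = None


def validate_authorization(auth: Authorization, today: date) -> list[str]:
    """Return every defect found; an empty list means the form is usable today."""
    problems: list[str] = []
    required = {
        "patient_name": auth.patient_name, "recipient": auth.recipient,
        "information": auth.information, "purpose": auth.purpose,
        "signer": auth.signer,
    }
    for name, value in required.items():
        if not value.strip():
            problems.append(f"missing {name}")
    if auth.expires_on is None and not auth.expiry_event.strip():
        problems.append("no expiration date, event or condition")
    if not auth.revocation_notice:
        problems.append("form does not state that the authorization can be revoked")
    # The chapter's date rule: the signature must post-date the encounter.
    if auth.signed_on <= auth.encounter_date:
        problems.append("signature date is not after the encounter date")
    if auth.signed_on > today:
        problems.append("signature date is in the future")
    if auth.expires_on is not None and today > auth.expires_on:
        problems.append("authorization has expired")
    if auth.revoked_on is not None and auth.revoked_on <= today:
        problems.append("authorization was revoked")
    return problems


@dataclass(frozen=True)
class Disclosure:
    """One documented release, kept for the accounting of disclosures."""
    disclosed_on: date
    patient_name: str
    recipient: str
    information: str
    purpose: str


class ReleaseDesk:
    """Central point of control: every nonroutine request passes through here
    and is recorded, whether it was granted or refused."""

    def __init__(self) -> None:
        self.disclosures: list[Disclosure] = []
        self.refusals: list[tuple[date, str, list[str]]] = []

    def release(self, auth: Authorization, today: date) -> bool:
        problems = validate_authorization(auth, today)
        if problems:
            self.refusals.append((today, auth.patient_name, problems))
            return False
        self.disclosures.append(Disclosure(today, auth.patient_name, auth.recipient,
                                           auth.information, auth.purpose))
        return True
```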

In some instances patient-specific health care information can be released without the patient’s authorization. For example, some state laws require disclosing certain health information. It is always good practice to obtain a patient authorization prior to releasing information when feasible, but in state-mandated cases it is not required. Some examples of situations in which information might need to be disclosed to authorized recipients without the patient’s consent are the presence of a communicable disease, such as AIDS and STDs, that must be reported to the state or county department of health; suspected child abuse or adult abuse that must be reported to designated authorities; situations in which there is a legal duty to warn another person of a clear and imminent danger from a patient; bona fide medical emergencies; and the existence of a valid court order.

In addition to situations mandated by law, there are other instances in which patient information can be released without an authorization. In general, health information can be released to another health care provider who is directly involved in the care of the patient, but the regulations governing this may vary from state to state. Information can also be released to other authorized persons within a health care organization to facilitate patient care. Information can also be used by the organization for billing or reimbursement purposes once a patient signs a proper consent form for treatment. It may be released for medical research purposes provided all patient identifiers have been removed.

The HIPAA rule attempts to sort out the routine and nonroutine use of health information by distinguishing between patient consent to use PHI and patient authorization to release PHI. Health care providers and others must obtain a patient’s written consent prior to disclosure of health information for routine uses of treatment, payment, and health care operations. There are some exceptions to this in emergency situations, and the patient has a right to request restrictions on the disclosure. However, health care providers can deny treatment if they feel that limiting the disclosure would be detrimental. Health care providers and others must obtain the patient’s written authorization for nonroutine uses or disclosures of PHI.

SUMMARY

In this chapter we examined a number of external drivers that dictate not only the types of health care information that health care organizations maintain but also the way in which they are maintained. These external forces include federal and state laws and regulations and voluntary accreditation standards. Specifically, this chapter was divided into two main sections. In the first section we defined licensure, certification, and accreditation and examined some of the missions and the general functions of several major accrediting organizations, including the Joint Commission and the NCQA. Patient Safety Organizations were also discussed. In the second major section we looked at a variety of legal issues in managing health care information, including state and federal laws that address the use of the patient medical record as a legal document and current laws and regulations that govern patient privacy and confidentiality. This chapter concluded with an in-depth discussion of the HIPAA Privacy Rule, including the HITECH expansion, and release of information practices. Current examples of privacy violations were presented.

KEY TERMS

  1. Accreditation
  2. Accreditation Association for Ambulatory Health Care (AAAHC)
  3. Authentication
  4. Centers for Medicare and Medicaid Services (CMS)
  5. Certification
  6. Commission on Accreditation of Rehabilitation Facilities (CARF)
  7. Conditions of Participation
  8. Confidentiality
  9. Confidentiality of Substance Abuse Patient Records
  10. Covered entities
  11. Freedom of Information Act (FOIA)
  12. Health Insurance Portability and Accountability Act (HIPAA)
  13. HIPAA Privacy Rule
  14. Laws
  15. Legal health record (LHR)
  16. Licensure
  17. National Committee for Quality Assurance (NCQA)
  18. Patient Safety and Quality Improvement Act of 2005
  19. Patient Safety Organizations
  20. Privacy
  21. Privacy Act of 1974
  22. Protected health information (PHI)
  23. Record retention
  24. Regulations
  25. Release of information
  26. Standards
  27. U.S. Department of Health and Human Services (DHHS)

LEARNING ACTIVITIES

  1. Visit a health care organization to find out about its current licensure, accreditation, and certification status. How are these processes related to one another in your state?
  2. Visit the CMS web site at www.cms.gov. Find the Conditions of Participation for a particular type of health care facility (hospital, nursing home, or other). Review this document and comment on the standards. Are they minimal or optimal standards? Support your answer.
  3. Visit the Joint Commission web site at www.jointcommission.org. What accreditation programs other than the Hospital Accreditation Program does the Joint Commission have? List the programs and their respective missions.
  4. Visit the NCQA web site at www.ncqa.org. Look up a health care plan with which you are familiar. What does the report card tell you about this plan?
  5. Do an Internet or library search for a recent article discussing the impact of the HIPAA privacy regulations on health care practice. Write a summary of the article.
  6. Visit the patient safety organization web site at www.pso.ahrq.gov. Does your state currently have a PSO? If so, do a search to find out how long the PSO has been in operation and its number of current clients.
  7. Contact a health care facility (hospital, nursing home, physician’s office, or other organization) to talk with the person responsible for maintaining patient records. Ask about the organization’s release of information, retention, and destruction policies.

REFERENCES

Accreditation Association for Ambulatory Health Care. (2012). About AAAHC. Retrieved March 2012 from www.aaahc.org/eweb/dynamicpage.aspx?site=aaahc_site&webcode=about_aaahc

Agency for Healthcare Research and Quality. (2012). Patient safety organizations. Retrieved March 2012 from www.pso.ahrq.gov

American Health Information Management Association. (2009). Electronic signature, attestation, and authorship (updated). Journal of AHIMA, 80(11), expanded online edition. Retrieved March 2012 from library.ahima.org

American Health Information Management Association. (2011a). Fundamentals of the legal health record and designated record set. Journal of AHIMA, 82(2), expanded online version. Retrieved March 2012 from library.ahima.org

American Health Information Management Association. (2011b). Retention and destruction of health information (updated August 2011). Retrieved March 2012 from library.ahima.org

Commission on Accreditation of Rehabilitation Facilities. (2012). Who we are. Retrieved March 2012 from www.carf.org/About/WhoWeAre

Coppersmith, Gordon, Schermer, and Brokelman, PLC. (2012). HITECH act expands HIPAA privacy and security rules. Retrieved March 2012 from www.azhha.org/member_and_media_resources/documents/HITECHAct.pdf

Department of Health and Human Services (HHS). (2011a). News release. Retrieved March 2012 from www.hhs.gov/news/press/2010pres/07/20100727a.html

Department of Health and Human Services (HHS). (2011b). News release. Retrieved March 2012 from www.hhs.gov/news/press/2011pres/02/20110222a.html

Department of Health and Human Services (HHS). (2011c). Health information privacy. Retrieved March 2012 from www.hhs.gov/ocr/privacy/hipaa/news/uclahs.html

Department of Health and Human Services (HHS). (2011d). News release. Retrieved March 2012 from www.hhs.gov/news/press/2011pres/02/20110224b.html

Institute of Medicine. (2000). To err is human: Building a safer health system. Washington, DC: National Academies Press.

The Joint Commission. (2011). Comprehensive accreditation manual for hospitals (updated September 2011). Oakbrook Terrace, IL: Author.

The Joint Commission. (2012a). About the Joint Commission. Retrieved March 2012 from www.jointcommission.org/about_us/about_the_joint_commission_main.aspx

The Joint Commission. (2012b). Facts about ORYX® for hospitals (National Hospital Quality Measures). Retrieved March 2012 from www.jointcommission.org/assets/1/18/ORYX_for_Hospitals_8_22_11.pdf

The Joint Commission. (2012c). Facts about Quality Check® and Quality Reports®. Retrieved March 2012 from www.qualitycheck.org/help_qc_facts.aspx

National Committee for Quality Assurance. (2012). 2011 NCQA health plan accreditation requirements. Retrieved March 2012 from www.ncqa.org

Sink, L. (2002, May 9). Jurors decide patient privacy was invaded. Milwaukee Journal Sentinel. Retrieved March 2011 from nl.newsbank.com/nl-search/we/Archives

UC San Diego. (2009). HIPAA privacy rule violations. HealthSpan, 1(2). Retrieved March 2012 from healthspan.ucsd.edu/2009/08/Pages/mc-hipaa.aspx

Woman faces criminal charges for HIPAA privacy violations. (2011, June 14). HealthData Management. Retrieved March 2012 from www.healthdatamanagement.com/news/criminal-charges-hipaa-privacy-violations-42622-1.html