Healthcare organizations, such as hospitals, nursing homes, home health agencies, and the like, must be licensed to operate. If they wish to file Medicare or Medicaid claims they must also be certified, and if they wish to demonstrate excellence they will undergo an accreditation process. So, licensure is the process that gives a facility legal approval to operate. Certification gives a healthcare organization the authority to participate in the federal programs. Accreditation is an external review process that an organization elects to undergo.
Legal Aspects of Managing Health Information
Healthcare information, particularly patient-specific information, is governed by multiple laws and regulations in addition to those for licensure and certification. Laws and regulations governing the privacy and confidentiality of patient information and also record retention and authentication have existed for many years. As patient records are increasingly stored in electronic form and involve multiple types of media from paper to digital images, implementation of the regulations governing healthcare information has had to change. In some cases, the laws and regulations themselves have been rewritten.
Retention of Health Records
Although some specific retention requirements and general guidelines exist, it is becoming increasingly popular for healthcare organizations to keep all legal health record information indefinitely, particularly if the information is stored in an electronic format. If an organization does decide to destroy legal health record information, this destruction must be carried out in accordance with all applicable laws and regulations.
Authentication of Health Record Information
The Joint Commission Hospital Accreditation Manual defines authentication as “The validation of correctness for both the information itself and for the person who is the author or the user of the information.” Generally, authentication of a legal health record (LHR) entry is accomplished when the physician or other healthcare professional signs it, either with a handwritten signature or an electronic signature.
Privacy and Confidentiality
In the healthcare environment, privacy is the individual’s right to limit access to his or her healthcare information. Confidentiality is the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. There are many sources for the legal and ethical requirement that health care professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence.
Accrediting bodies (such as The Joint Commission, NCQA, and so forth) dictate that healthcare organizations follow standard practice and state and federal laws to ensure the confidentiality of patient information. State regulations, as a component of state facility licensure or other statutes, also address confidentiality and privacy.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is an important federal regulation. It is the first comprehensive federal regulation that offers specific protection to private health information. The HIPAA Privacy Rule governs nearly all healthcare providers who receive any type of third-party reimbursement. HIPAA-protected information is also defined broadly under the Privacy Rule. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Who is Covered by the Privacy Rule
The Privacy Rule applies to health plans (individual and group plans that provide or pay the cost of medical care), health care clearinghouses (billing services, repricing companies, community health management information systems, and value-added networks), and to any health care provider who transmits health information in electronic form in connection with certain transactions.
General Principle for Uses and Disclosure
Basic Principle
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities.
Required Disclosure
A covered entity must disclose protected health information in only two situations: (a) to individuals or their personal representatives specifically when they request access to, or an accounting of disclosure of, their protected health information; and (b) to the U.S. Department of Health and Human Services (“HHS”) when it is undertaking a compliance investigation or review or enforcement action.
Permitted Uses and Disclosure
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: