

Judson, K., & Harrison, C. (2016). Law and ethics for the health professions (7th ed.). New York: McGraw-Hill.



Key Terms


Privacy, Security, and Fraud

LEARNING OUTCOMES After studying this chapter, you should be able to:

LO 8.1 Discuss U.S. constitutional amendments and privacy laws that pertain to health care.

LO 8.2 Explain HIPAA's special requirements for disclosing protected health information.

LO 8.3 Discuss laws implemented to protect the security of health care information as health records are converted from paper to electronic form.

LO 8.4 Discuss the federal laws that cover fraud and abuse within the health care business environment and the role of the Office of the Inspector General in finding billing fraud.

LO 8.5 Discuss patient rights as defined by HIPAA, the Patient Protection and Affordable Care Act, and other health care entities.


ANN, AN R.N. IN A TEXAS HOSPITAL FOR NEARLY 25 YEARS, remembers when patients' names were posted on the doors to their rooms. She and her colleagues once freely informed telephone callers and visitors how patients were progressing. Now, Ann remarks, because of federal legislation to protect the privacy and security of health care information, times have changed. "We have to be so careful about releasing any information that when my father's dear friend was admitted to my floor in the hospital where I work, I couldn't tell him that his friend had been admitted."

From Ann's perspective, because she cares about her patients, she would like to be able to talk more freely with family members or friends who also care about her patients. But she is duty-bound to follow the law, and she knows the benefits to patients for laws that guard their privacy.

From the perspective of friends and family members who call for information about a patient, the law is harsh and hard to understand. They are often angry when they cannot learn the status of a friend or loved one.

From the perspective of some patients, the law sometimes feels overprotective and unnecessarily intrusive, but for others, such as the patient who has tried to commit suicide and failed and doesn't want anyone to know he is in the hospital, or the battered spouse who doesn't want her abusive husband to find her, it's a safety net they can depend on.

The United States Constitution and Federal Privacy Laws

Contrary to popular belief, the term privacy (freedom from unauthorized intrusion) does not appear in the U.S. Constitution or the Bill of Rights. However, the United States Supreme Court has derived the right to privacy from the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the Constitution.

LO 8.1 Discuss U.S. constitutional amendments and privacy laws that pertain to health care.

privacy Freedom from unauthorized intrusion.

LANDMARK COURT CASE The Constitution Protects the Right to Privacy

In November 1961, the executive director and the medical director of a Planned Parenthood clinic in Connecticut were charged with violating a state statute prohibiting the dispensing of contraceptive devices to a married couple. The defendants were convicted and fined $100 each. The U.S. Supreme Court heard the case in March 1965 and issued a written opinion on June 7, 1965. William O. Douglas, writing the majority opinion for the Court, held that the Connecticut statute was an unconstitutional violation of the right of privacy. Douglas noted that many rights are not expressly mentioned in the Constitution, but the Court has nevertheless found that persons possess such a right. In reviewing the many rights that Americans possess, Douglas noted the existence of "penumbras" or "zone(s) of privacy created by several fundamental constitutional guarantees."

As a result of the Supreme Court's decision in Griswold v. Connecticut, patients possess certain rights that affect the delivery of medical services and health care. For example, persons have the right to refuse medical treatment, and courts now recognize a person's right to die.

Griswold v. Connecticut, 381 U.S. 479, 85 S. Ct. 1978, 14 L. Ed.2d 510 (1965).

Chapter 8 | Privacy, Security, and Fraud 205


First Amendment: Congress cannot prohibit or abridge free speech. In addition, the Establishment and Freedom of Religion clauses of this amendment prohibit the government from funding, showing preference for, or discriminating against any religion.

Third Amendment: Soldiers cannot be quartered in private homes without the consent of the owner.

Fourth Amendment: People have the right to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.

Fifth Amendment: No person must testify against himself, be tried twice for the same offense, or be deprived of life, liberty, or property without due process of law. The Miranda warning ("You have the right to remain silent ...") as read during criminal arrests, derives from this amendment.

Ninth Amendment: If certain rights are not explicitly mentioned in the Constitution, that does not mean they do not exist.

Fourteenth Amendment: All states must provide rights for citizens that are at least equal to those in the U.S. Constitution, and under the philosophy called federalism states may grant citizens additional rights not specifically granted in the U.S. Constitution.

Fourth Amendment Rights in Question

The Student Activities Drug Testing Policy adopted by the Tecumseh, Oklahoma, School District requires all middle and high school students to consent to urinalysis testing for drugs to participate in any extracurricular activity. Two Tecumseh High School students and their parents brought suit, alleging that the policy violates the Fourth Amendment, which states in part: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The district court granted the school district summary judgment. In reversing, the court of appeals held that the policy violated the Fourth Amendment. The appellate court concluded that before imposing a suspicionless drug-testing program a school must demonstrate some identifiable drug abuse problem among a sufficient number of those tested, such that testing that group will actually redress its drug problem, which the school district had failed to demonstrate.

The question before the court was: Is the Student Activities Drug Testing Policy, which requires all students who participate in competitive extracurricular activities to submit to drug testing, consistent with the Fourth Amendment?

The U.S. Supreme Court concluded that the answer to the question was yes. In a 5-4 opinion delivered by Justice Clarence Thomas, the Court held that, because the policy reasonably serves the school district's important interest in detecting and preventing drug use among its students, it is constitutional. The Court reasoned that the board of education's general regulation of extracurricular activities diminished the expectation of privacy among students and that the board's method of obtaining urine samples and maintaining test results was minimally intrusive on the students' limited privacy interest. "Within the limits of the Fourth Amendment, local school boards must assess the desirability of drug testing schoolchildren. In upholding the constitutionality of the Policy, we express no opinion as to its wisdom. Rather, we hold only that Tecumseh's Policy is a reasonable means of furthering the School District's important interest in preventing and deterring drug use among its schoolchildren," wrote Justice Thomas.

Board of Education v. Earls, 536 U.S. 822 (2002).

206 Part Two | Legal Issues for Working Health Care Practitioners

COURT CASE Fourteenth Amendment at Issue

William Baird spoke at Boston University on the subject of birth control and overpopulation. At the end of his talk, Baird gave away Emko Vaginal Foam to a woman who approached him. Massachusetts charged Baird with a felony, distributing contraceptives to unmarried men or women. Under state law, only married couples could obtain contraceptives; only registered doctors or pharmacists could provide them. Baird was not an authorized distributor of contraceptives.

At issue was: Did the Massachusetts law violate the right to privacy acknowledged in Griswold v. Connecticut, and did it violate protection from state intrusion granted by the Fourteenth Amendment?

The case reached the U.S. Supreme Court, where justices struck down the Massachusetts law, but not on privacy grounds. The Court held that the law's distinction between single and married individuals failed to satisfy the "rational basis test" of the Fourteenth Amendment's Equal Protection clause. Married couples were entitled to contraception under the Court's Griswold decision. Withholding that right to single individuals without a rational basis proved the fatal flaw. Thus, the Court did not have to rely on Griswold to invalidate the Massachusetts statute. "If the right of privacy means anything," wrote Justice William J. Brennan, Jr., for the majority, "it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision to whether to bear or beget a child."

Eisenstadt v. Baird, 405 U.S. 438 (1972).


Concern about privacy has led to the enactment of federal and state laws governing the collection, storage, transmission, and disclosure of personal data. Privacy laws are generally based on the following considerations:

1. Information collected and stored about individuals should be limited to what is necessary to carry out the functions of the business or government agency collecting the information.

2. Once it is collected, access to personal information should be limited to those employees who must use the information in performing their jobs.

3. Personal information cannot be released outside the organization collecting it unless authorization is obtained from the subject.

4. When information is collected about a person, that person should know that the information is being collected and should have the opportunity to check the information for accuracy.

A number of federal laws concern privacy, but until the Health Insurance Portability and Accountability Act (HIPAA) of 1996, federal privacy laws have dealt with financial and credit information or the theft or illegal disclosure of electronic information. HIPAA of 1996 was the first federal law to deal explicitly with the privacy of medical records, and to ensure compliance, HIPAA provides for civil and criminal sanctions for violators of the law.

All states have laws governing the confidentiality of medical records, but laws vary greatly from state to state. Through state preemption, if a state's privacy laws are stricter than HIPAA privacy standards and/or guarantee more patients' rights, the state laws take precedence.

Table 8-1 below lists eight major federal privacy laws passed since 1985.

state preemption If a state's privacy laws are stricter than HIPAA privacy standards, the state laws take precedence.


COURT CASE HIPAA Preempts State Law in Certain Instances

In July 2013, the U.S. Court of Appeals for the Eleventh Circuit ruled that HIPAA preempts state law in certain instances. The case centered on a Florida statute that allowed nursing homes to release medical records of a current or former resident to "spouse, guardian, surrogate, proxy or attorney in fact" of the individual. However, many Florida nursing homes refused to disclose records to surviving spouses who had not been designated as the personal representative by the probate courts. The Florida Agency for Health Care Administration (AHCA) ordered the various nursing homes to release the information, stating the surviving spouses were equal to personal representatives. OPIS Management Resources, an owner of several nursing homes in Florida, filed suit against AHCA, claiming that HIPAA standards were higher and thus the state law conflicted. The Court of Appeals held the state statute was fatally flawed and "authorizes sweeping disclosures, making a deceased (nursing home) resident's protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident's stead."

OPIS Management Resources LLC v. Secretary Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. Apr. 9, 2013).

Table 8-1 Major Federal Privacy Laws

Electronic Communications Privacy Act (ECPA): Provides privacy protection for new forms of electronic communications, such as voice mail, e-mail, and cellular telephone.

Computer Abuse Amendments Act: Amends the 1984 act to forbid transmission of harmful computer code such as viruses.

Health Insurance Portability and Accountability Act (HIPAA): Guarantees that workers who change jobs can obtain health insurance. Increases efficiency and effectiveness of the U.S. health care system by electronic exchange of administrative and financial data. Improves security and privacy of patient-identifying information. Decreases U.S. health care system transaction costs.

Gramm-Leach-Bliley Act: Requires all financial institutions and insurance companies to clearly disclose their privacy policies regarding the sharing of nonpublic personal information with affiliates and third parties.

Patient Safety and Quality Improvement Act (PSQIA): Helps assess and resolve patient safety and health care quality issues, encourages reporting and analysis of medical errors, and authorizes HHS to impose civil money penalties for violations of patient safety confidentiality.

American Recovery and Reinvestment Act (ARRA), commonly called the Stimulus Bill: Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act, makes substantive changes to HIPAA, including privacy and security regulations, changes in HIPAA enforcement, provisions about health information held by entities not covered by HIPAA, and other miscellaneous changes.

Patient Protection and Affordable Care Act (PPACA), commonly called the Affordable Care Act or ACA: Deals mostly with the availability of health insurance coverage for all Americans, but also reinforces privacy regarding protected health information.

Health Care and Education Reconciliation Act (HCERA): A federal law that adds to regulations imposed on the insurance industry by PPACA.


Check Your Progress

1. Does the Constitution provide specifically for the protection of privacy? Explain your answer.

2. What was the first federal law to deal explicitly with the privacy of medical records?

3.-6. Name four considerations for protecting privacy when federal and/or state legislation is written.

Since HIPAA is the federal legal standard for privacy and security of electronic health information throughout the health care industry, health care employees must follow the law's provisions, which are contained within four standards:

Standard 1. Transactions and Code Sets. A transaction refers to the transmission of information between two parties to carry out financial or administrative activities. A code set is any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

Required code sets for use under Standard 1 include Current Procedural Terminology (CPT); International Classification System of Diseases, Clinical Modifications, 10th Edition (ICD-10-CM); and International Classification System of Diseases, Procedure Coding System, 10th Edition (ICD-10-PCS). (Since the publication of ICD-10 has been delayed to 2015, some coders may still be using ICD-9.)

Standard 2. Privacy Rule. Policies and procedures health care providers and their business associates put in place to ensure confidentiality of written, electronic, and oral protected health information.

Standard 3. Security Rule. Security refers to those policies and procedures health care providers and their business associates use to protect electronically transmitted and stored PHI from unauthorized access.

Standard 4. National Identifier Standards. Provide unique identifiers (addresses) for electronic transmissions.

By now all four sets of HIPAA standards have been implemented, and most health care practitioners are familiar with the language and rules that make up the requirements for compliance. Anyone needing a refresher course can visit for specific information.

Of special concern in this chapter are Standard 2, the Privacy Rule, and Standard 3, the Security Rule.

HIPAA's Requirements for Disclosing Protected Health Information

HIPAA's Standard 2, the Privacy Rule, says that protected health information (PHI) must be protected against unauthorized disclosure, whether it is written, spoken, or in electronic form. PHI refers to information that contains one or more patient identifiers and can, therefore, be used to identify an individual. Information that includes one or more of the following makes a patient's health care information identifiable:

• Name.

• Zip code or other geographic identifier, such as address, city, or county.

• Date of birth, dates of treatment, or any other dates relevant to the individual.

• Telephone numbers.

• Fax numbers.

• E-mail addresses.

• Social Security number.

• Medical record numbers.

• Health plan beneficiary numbers.

• Birth certificate and driver's license.

• Vehicle identification number and license plate number.

• Web site address.

• Fingerprints and voiceprints.

• Photos.

• Any other unique identifying number, characteristic, or code.

It is possible to de-identify health information by removing the patient identifiers listed above.

LO 8.2 Explain HIPAA's special requirements for disclosing protected health information.

protected health information (PHI) Information that contains one or more patient identifiers.

de-identify To remove from health care transactions all information that identifies patients.

permission A reason under HIPAA for disclosing patient information.

covered entities Health care providers and clearinghouses that transmit HIPAA transactions electronically, and must comply with HIPAA standards and rules.
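The following Python script is an added example (not from the textbook) that applies the chapter's identifier categories to a record: direct identifier fields are dropped, dates are dropped for full de-identification but kept for a limited data set, free-text notes are scrubbed with patterns, and an audit function reports anything that slipped through. The record schema, field names, and the sample record are assumptions constructed for the demonstration.

```python
"""Scrub a health record using the Privacy Rule identifier categories listed
in the chapter. Added example; not code from the textbook. Field names and
the sample record are assumptions constructed for this demonstration."""
import re
from typing import Any

# Assumed field names that hold direct identifiers from the chapter's list
# (name, geographic data, contact numbers, SSN, MRN, plan ID, licence and
# vehicle numbers, web address, biometrics, photos).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "drivers_license", "vin", "license_plate",
    "website", "biometric", "photo",
}
# Dates relating to the individual are identifiers too (full de-identification).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# A limited data set strips direct identifiers of the patient and relatives
# but may keep dates and city/county/zip (assumption about which fields stay;
# the recipient must sign a data use agreement for such a set).
LIMITED_DATA_SET_KEEP = {"city", "county", "zip"} | DATE_FIELDS

# Identifiers also leak into free text, so notes are scrubbed with patterns.
# Order matters: SSNs and dates are replaced before the 5-digit ZIP pattern.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with category tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def de_identify(record: Any, limited_data_set: bool = False) -> Any:
    """Return a copy of record with identifier fields dropped and free-text
    values scrubbed. Nested dicts/lists (e.g. relatives) are processed too,
    because relatives' identifiers must also be removed."""
    if isinstance(record, list):
        return [de_identify(item, limited_data_set) for item in record]
    if not isinstance(record, dict):
        return record
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            if limited_data_set and key in LIMITED_DATA_SET_KEEP:
                cleaned[key] = value  # kept verbatim in a limited data set
            continue  # otherwise the identifier field is removed entirely
        if isinstance(value, str):
            cleaned[key] = scrub_text(value)
        else:
            cleaned[key] = de_identify(value, limited_data_set)
    return cleaned


def find_residual_identifiers(record: Any, path: str = "") -> list:
    """Audit check: list (path, token) pairs for identifier patterns that
    still appear in any string value of the record."""
    hits = []
    if isinstance(record, dict):
        for key, value in record.items():
            hits.extend(find_residual_identifiers(value, f"{path}/{key}"))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            hits.extend(find_residual_identifiers(item, f"{path}[{i}]"))
    elif isinstance(record, str):
        for pattern, token in FREE_TEXT_PATTERNS:
            if pattern.search(record):
                hits.append((path, token))
    return hits


# Constructed, fictitious record for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0048213",
    "date_of_birth": "1970-04-12",
    "admission_date": "2013-07-01",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "diagnosis_code": "E11.9",
    "notes": "Daughter (555-867-5309, jd@example.org) to be called; follow-up 2013-07-15.",
    "relatives": [{"name": "John Example", "relationship": "spouse", "phone": "555-555-0100"}],
}

if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD))
    print(de_identify(SAMPLE_RECORD, limited_data_set=True))
```

Note that pattern scrubbing is a safety net for free text, not a substitute for removing the structured identifier fields, and the audit list should be empty before any record leaves the covered entity.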

Health care providers and plans can use and disclose patient information (PHI), but to do so legally they must identify a permission, that is, a legal reason for each use and disclosure. To use PHI means that you use patients' protected health information within the facility where you work in the normal course of conducting health care business. To disclose PHI means that patients' protected health information is sent outside of a health care facility for legitimate business or health care reasons.

Permissions: Using and disclosing PHI must fall within the following six HIPAA-defined permissions:

1. Disclosures to patients. HIPAA requires that PHI be disclosed to any patient who asks to see his or her own medical records (unless the health care provider believes that access will do harm to the patient). This includes talking to the patient about his or her diagnosis, treatment, and medical condition, as well as allowing the patient to review his or her entire medical record. Some records, however, such as psychotherapy notes, may be withheld.

2. Use or disclosure for treatment, payment, or health care operations. Health care practitioners need to use PHI within the medical office, hospital, or other health care facility for coordinating care, consulting with another practitioner about the patient's condition, prescribing medications, ordering lab tests, scheduling surgery, or for other reasons necessary to conduct health care treatment or business, such as insurance claims and billing. PHI disclosures for these purposes do not require written authorization.

If other covered entities contact you or your employer for access to PHI, such as insurance plans, attorneys, medical survey representatives, and pharmaceutical companies, you must have the patient's written authorization to release PHI. (Covered entities are health care providers and clearinghouses that transmit HIPAA transactions electronically, and must comply with HIPAA standards and rules.)

3. Uses and Disclosures with Opportunity to Agree or Object. According to the HHS Web site understanding/summary/index.html, informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, comply silently or without objection, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in their professional judgment, the use or disclosure is determined to be in the best interest of the individual.

4. Incidental uses and disclosures of PHI are permitted without authorization from patients as follows:

• Nursing care center staff members can talk about patients' care if they take reasonable precautions to prevent unauthorized individuals, such as visitors in the area, from overhearing.

• Health care practitioners can talk to patients on the phone or discuss patients' medical treatments with other providers on the phone if they are reasonably sure that others cannot overhear.

• Health care practitioners can discuss lab results with patients and among themselves in a joint treatment area if they take reasonable precautions to ensure that others cannot overhear.

• Health care practitioners can leave messages on answering machines or with family members, but information should be limited to the amount necessary for the purpose of the call. (For detailed messages, simply ask the patient to return the call.)

• You can ask patients to sign in, call patients by name in waiting rooms, or use a public address system to ask patients to come to a certain area. A patient sign-in sheet, however, must not ask for the reason for the visit.

• You can use an X-ray light board at a nursing station if it is not visible to unauthorized individuals in the area.

• You can place patient charts outside exam rooms if you use reasonable precautions to protect patient identity: face the chart toward the wall or place the chart inside a cover while it is in place.

5. Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes, as listed on the HHS Web site at ocr/privacy/hipaa/understanding/summary/index.html:

• If required by law.

• As part of public health activities.

• For victims of abuse, neglect, or domestic violence.

• In health oversight activities.

• For judicial and administrative proceedings.

• For law enforcement purposes.

• For decedents when cause of death is released to funeral home, coroners, or medical examiners.

• For cadaveric organ, eye, or tissue donation.

• For research

• In the event of serious threat to health or safety.

• For essential government functions.

• In claims for Workers' Compensation.

6. Limited data set. A limited data set is protected health information from which certain specified, direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into an agreement promising specified safeguards for the PHI within the limited data set.

limited data set Protected health information from which certain patient identifiers have been removed.

The HIPAA Privacy Rule does not give patients the express right to sue. Instead, the person must file a written complaint with the secretary of Health and Human Services through the Office for Civil Rights. The HHS secretary then decides whether or not to investigate the complaint. Patients may have other legal standing to sue under state privacy laws. (See Court Case, "EMT Liable for Violating Patient's Privacy.") See Table 8-3 on page 222 for a list of patients' rights under the HIPAA Privacy Rule.

COURT CASE EMT Liable for Violating Patient's Privacy

An EMT employed by a volunteer fire department provided emergency treatment to a female patient for a possible drug overdose. The unresponsive patient was transported to a hospital. The EMT returned home and later spoke to a friend, telling her that she had assisted in taking a specific patient to the hospital emergency room for treatment for a possible drug overdose.

Prior to the emergency, the EMT had never met the patient. However, about two weeks prior to the incident, the EMT had heard about the patient and her medical problems at a social event. The woman who spoke about the patient was apparently a friend, and it was this person whom the EMT telephoned, after the patient's overdose.

The patient sued the EMT and her insurance company, alleging that she had defamed her and violated her privacy by publicizing information concerning her medical condition and making untrue statements indicating that she had attempted suicide. The patient claimed that she had been and was continuing to undergo medical care due to illness, and that the apparent overdose she suffered was a "reaction to medication."

The insurance company claimed the EMT's actions were within the scope of her employment. The EMT argued that she had not acted recklessly or unreasonably in contacting the patient's friend regarding her care.

The EMT offered to settle for $5,000, but the plaintiff refused and the matter went to a jury trial. The jury found that the EMT had violated the plaintiff's right of privacy, as alleged. The jury also awarded the plaintiff/patient $37,909.86 in compensatory damages and attorney fees. The EMT and her insurance company appealed. An appeals court upheld the judgment of the lower court.

Pachowitz v. Ledoux, 2003 WL 21221823 (Wis. App., May 28, 2003).

Check Your Progress

7. Define protected health information.

8. Define de-identify.

9. Which law usually prevails, federal or state, if a state law provides greater privacy protection than a federal law? Explain your answer.

10. What is the process illustrated in question 9 called?

11. One can only legally release PHI under six HIPAA-defined __.



Laws Implemented to Protect the Security of Health Care Information

As listed in Table 8-1, the American Recovery and Reinvestment Act (ARRA), commonly called the Stimulus Bill, made substantive changes to HIPAA, including privacy and security regulations, changes in HIPAA enforcement, provisions about health information held by entities not expressly covered by HIPAA, and other miscellaneous changes. The ARRA also mandated a deadline of January 1, 2014, for all public and private health care providers and other eligible professionals across the country to have adopted and demonstrated "meaningful use" of electronic medical records (EMR) in order to keep their existing Medicare and Medicaid reimbursement levels. ("Meaningful use" is explained below.)

First, note the difference between electronic medical records (EMR) and electronic health records (EHR), because, according to, an online source of information about information technology in the health industry, the two terms are not interchangeable. The electronic medical record (EMR) is the electronic form of a patient's medical history from just one practice. It lets health care providers in one facility:

• Track data over time.

• Identify with a glance which patients are due for screenings or check-ups.

• Check patients' progress within certain …