Back in 2003, the healthcare industry experienced another change. Patient privacy moved to the forefront, and business as usual became not so usual: the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was in full force.
HIPAA is a federal law that was originally enacted so that employees could keep (carry) their health insurance coverage when they changed employers. Today, HIPAA covers much more; it grants patients many more rights within the healthcare system. These include the right to request an amendment to their own medical records, an accounting of disclosures of those records, and confidential (alternative) means of communication.
In response to past abuse of PHI, new policies and procedures also had to be implemented and enforced to increase protection of patient privacy. The Privacy Rule is the source of policies and procedures that specifically address how PHI may be used and transmitted, the criteria for releasing PHI, and the accounting of disclosures: apart from disclosures made for Treatment, Payment, or healthcare Operations (TPO), and a few other exceptions such as disclosures to the patient or made under the patient's written authorization, every disclosure must be logged so that it can be accounted for on request.
Under the Privacy Rule, individually identifiable health information, referred to as Protected Health Information (PHI), is health, treatment, or payment information that identifies a patient or could reasonably be used to do so. Identifiers that make health information PHI include a telephone number, insurance plan number, name, and postal or email address, to name a few; the Privacy Rule lists eighteen such identifiers.
Other terms that have become commonly used, and are necessary for maintaining patient privacy while performing day-to-day duties, include:
CMS: Centers for Medicare & Medicaid Services;
HHS: U.S. Department of Health and Human Services;
Covered Entity: healthcare providers, health plans, and healthcare clearinghouses;
Clearinghouse: an entity that processes, or facilitates the processing of, nonstandard health information into standard data elements (or vice versa);
Code Sets: any set of codes used for encoding data elements, e.g. ICD diagnostic and procedure codes;
Authorization: written consent, signed by the patient, that gives permission to disclose PHI for a stated purpose; and
Disclosure: the release, transfer, or provision of access to PHI to anyone outside the entity that holds it.
In outpatient pharmacy settings, opportunities for privacy breaches are countless. For example, staff should take extra care to keep patient names and medication labels out of plain view as customers and patients approach the pharmacy counter. Likewise, pharmacists and pharmacy technicians should remain conscious of patient privacy as the various steps of the drug utilization review process are performed, exercising caution in how patient information is communicated. Phone calls to other covered entities or to patients about refills, drug-drug interactions, or what to do after a missed dose can easily be overheard by unauthorized individuals; when a patient does not answer, a voice mail may be left, but diagnosis details and medical record numbers should never be mentioned in it. Conversations of this kind should take place in a more private setting rather than at the pharmacy counter, where other customers and patients are present. On-site patient counseling should also occur in a private space whenever possible; patients with communicable conditions such as herpes simplex type 2 or HIV/AIDS may be extremely sensitive to privacy and are likely to decline counseling unless privacy is assured.
Patients are more informed than in the past and tend to know the common indications for many high-volume drugs, so an overheard drug name alone can reveal a diagnosis. This makes the "minimum necessary" standard all the more important: employees should have access to PHI only to the extent their job functions require, and should share it only on a need-to-know basis. This lets staff focus on their individual roles and reduces the opportunities to disclose PHI in error. Staff should also be aware that certain outside organizations, namely workers' compensation carriers, law enforcement agencies, child protective services, and municipal offices, may be entitled to PHI without patient authorization under specific conditions; such requests should still be verified and handled according to the facility's policies and procedures rather than answered on the spot.
When patients identify a breach of their privacy, they now have points of contact to whom they may express their concerns. Every Covered Entity is required to designate a privacy official, commonly called a Facility Privacy Officer (FPO). Patients can report privacy breaches in writing to the appropriate FPO or directly to the HHS Office for Civil Rights (OCR); each Covered Entity is required to provide this contact information in the Notice of Privacy Practices it gives to all patients. Penalties for HIPAA Privacy violations and non-compliance range from civil fines that start in the hundreds of dollars per violation and reach $1.5 million per year for repeated violations of the same provision, to separate criminal penalties of up to 10 years' imprisonment for the most serious offenses, such as obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.
Ultimately, whose business is your medical record? It is the business of healthcare providers, health plans, and clearinghouses, but only on a need-to-know basis.
Contact information for the Office for Civil Rights: