Lesson

Course Directions

1. When you are finished reading the course & are ready to take the quiz, go to the bottom of this page & click the link underneath the Quizzes Section to begin the quiz.

2. After you complete the quiz with a passing score of 70% or higher, your certificate will be available to view & save for your records.

3. You have unlimited attempts to obtain a passing score on the quiz.

Helpful Tip 

In case you need to double check an answer while taking the quiz, you can keep this reading material page OPEN by taking your mouse, and right clicking the “Quiz” link. Then, select the option to open to “Open Link in New Tab”.

This will open the quiz in a new tabbed window next to the reading material page.  

From past to present, confidentiality has come a long way and some would even say that we are even more at risk now for breach of confidentiality than we were in the past. Now lets think about this. Several years ago, your medical record were one of hundreds, if not thousands of files, most of them going untouched in a doctor’s office until you come in for an annual check up, or if you happen to randomly be sick. Your record is only available to one person at a time, and when your doctor is finished viewing, back on the shelf it goes with all the others.

Of course, this is not all encompassing for every circumstance. There is always risk for breach of confidentiality, especially in larger, more urgent-care related facilities. Of course this system may have it’s cons in the respect that one could make the argument that this is, in fact, less secure because tons of private health information is merely secured by locks and doors. If an unauthorized individual were to dig around in your medical records, no one would know, and no “alarms” or “notifications” would go off to alert you or other personnel who would protect your information and take legal action against this person. Nor was there any sign out protocol.

But now lets take a look at the set up we have now, which is much more integrated as they say. Our medical records are now becoming electronic and easily accessible between health care providers allowing for a more integrated health care experience. For example, if you get blood work done in one office, that information on your medical record is now accessible to your primary care physician’s nurse, medical assistant, or physician assistant in another office. Because of integrated care, more and more people lay eyes on pertinent and private medical information. The same goes for an acupuncture clinic with receptionist, billers, and other personnel having access to medical health information.

Once way to protect yourself as a provider is to have the colleagues you work with to sign an ethical code of conduct stating the repercussions of breaching confidentiality and sharing someone’s personal health information (PHI) for reasons unrelated to patient care. Personal Health Information (PHI) constitutes information that identifies the patient, diagnoses, treatment, medications, clinical notes from physician-patient visits, and any blood work or lab results conducted. In addition, many health care institutions provider user-specific based access to individuals who need to access patient care. For example, user names and passwords are provided for specific access based on what the employee needs to look at in the patient file, to do his or her job. To improve security, biomarker logins may be used such as with a finger-print or face scan.

The electronic health record (EHR) is much more active today than it ever was. Although patient medical records are mostly online based as of now, it is important to note that there must be proper disposal of any printed patient medical records through a paper shredder. Hard copies of medical records should not be left out in the open for unauthorized personnel or other patients to see. This means that paper records with personal health information on them should not be thrown in the trash.

The reason being is because anyone can have easy access to see what is in the trash, which may contain a glimpse of information that is sensitive to your patient. Protect your patients by shredding all papers and records that are not in use. Should your practice need printed copies of health records, please be sensitive to this information and either shred hard copies that are going un-used, or keep them in a secure environment. The same thing applies to computer based medical record systems where files can be opened and closed. Usually medical record system software has a time-out and logs the user out after several minutes of no activity. Although the software itself has good preventive measures to keep records confidential, it is important to check our selves and log out of any un-used files, and close the screen.

The main reasons for medical record keeping is for the purpose of patient care, research, and also for insurance companies. For every patient there are many viewers of the medical record for insurance and care purposes. While the health care company, hospital, or clinic may own the medical record and can be held liable for keeping in confidential from purposes other than patient care, it is the patient who owns the information in the document. Patient information can only be released by written consent of the patients themselves.

For other medical uses such as administration, diagnosis, insurance coverage/payment medical records can issued without the patients consent because this process is directly related to patient care. The medical record essentially represents the person. Regarding electronic health records, there are three components that are vital to understand when running a health care operation and those are confidentiality of patient records, keeping them secure, and the data availability.

Case Study

In the court case Emily Bryne v. Avery Center for Obstetrics and Gynecology, P.C. argued March 12, 2013, the State Supreme Court ruled that patients will now be able to sue for negligence if a medical office violates regulation that dictate how medical offices must maintain patient confidentiality. In the appeal to the State Supreme Court, the ultimate goal was to determine if HIPAA lacks a private right of action and preempts state law claims for negligence and negligent infliction of emotional distress against a health care provider who has breach confidentiality of a patients medical record.

The story of this case goes as follows… Emily Bryne went for a visit to Avery Center for Obstetrics and Gynecology, where upon her first appointment she received gynecological care and signed a privacy policy, from the health care provider, stating that her personal health information would not be disclosed without her authorization. Within the months to follow, Bryne developed a romantic relationship with a man named Andro Mendoza, which lasted 5 months.

Upon conclusion of the relationship, she instructed the Avery Center to not release her medical records to Mendoza. Shortly thereafter, Mendoza filed paternity actions against Bryne and the Avery Center was given a subpoena (an order for a person to attend court) to provide Bryne’s medical records at the New Haven Regional Children’s Probate Court. The main issue arises in this case because the Avery Center did not alert or notify the plantiff (Bryne) of the subpoena to provide her medical record to the court. Instead, the Avery Center simply mailed a copy of her medical records to the court. Shortly thereafter, Mendoza informed Bryne through phone that he reviewed her medical record in the court file, and Bryne claims that she received extortion threats and was harassed since he viewed the record.

Bryne ended up taking the Avery Center to court on the claims that they breached their contract with her on the privacy agreement by disclosing her protected medical records without her authorization, and also acted negligently by “failing to use proper and reasonable care in protecting her medical file, INCLUDING disclosing it without authorization in violation of General Statues and the Department’s regulations implanting HIPAA.”

Additional claims she made against the Avery Center include negligent infliction of emotional distress and that the Avery Center was negligent in abiding her requests that her medical file be protected in accordance with law; in other words, that her records would not be shown to Mendoza.

Ultimately, the State Supreme Court has ruled that patients can sue for negligence if a medical office violates regulations that dictate how medical offices must maintain patient confidentiality. This case is the first time the state’s highest court has ruled regarding this particular HIPAA issue. According to lawyer Bruce Elstein, “Before this ruling, individuals could not file a lawsuit claiming violation of their privacy under the (Health Insurance Portability and Accountability Act of 1996) regulations. It was for that reason that we filed a negligence claim, claiming the medical office was negligent when it released confidential medical records contrary to the requirements set forth in the regulations.” (Tepfer, 2014).

The main take away of this court case is to comply with HIPAA forms and policies you implement within your practice. For example, if you have your patient sign a privacy agreement that states you will not disclose their medical records without their authorization for reasons other than pertinent medical care, then you must inform them. In this case, a court of law wanted Bryne’s medical records. What should have happened- The Avery Center should have informed Bryne of the subpoena (per the privacy policy she signed, letting her authorize/or not authorize the distribution of her medical records), so she could file a motion to protect her records and take appropriate legal action against Mendoza.

Here are some ways providers can hold staff accountable to patient confidentiality laws and regulations.

• Have all staff read and sign an ethics code of conduct with a specific section on Confidentiality Laws & Rules
• Have strict office protocol for how PHI is to be handled. Ex: no papers with PHI are to be left facing up on office desks during business hours, if not being used for any purpose patient files should be paper shredded and disposed of.

Purpose of HIPAA

In 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). This new law was enacted as part of a broad congressional attempt at incremental healthcare reform.

HIPAA stands for the Health Insurance Portability and Accountability act and has two primary purposes. One is to provide continuous insurance coverage for workers who change jobs, and the other is to “reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper.

It is important to hold regular meetings with staff to discuss the importance of confidentiality, so your clinic stays up to date on laws, rules and regulations regarding this subject and so your staff continues to be mindful of their practice and to safeguard information. A code of ethics in your practice is a great way to remind patients and colleagues of your standards of care and how you respect patient rights.

Benefits of having code of ethics in plain view of patient:

• provides a sense of trust
• plays into informed consent
• it is required by the NCCAOM
• so that staff knows the standards to which they are held

Confidentiality is usually useful in handling the discussions that doctors have with their patients. This conception is generally referred to as patient-physician privilege. There are regulations that mandate doctors not to reveal their discussions with patients, even when they are under oath in court.

Confidentiality is authorized in the American HIPAA laws, particularly the Privacy Rule, and many other state laws. Some of them are more stringent than the HIPAA. Nevertheless, there are a number of exceptions that have been structured down the years. For instance, majorities of states need doctors to report wounds caused by gunshot to the police. They are also required to report drivers who are impaired to the Department of Motor Vehicles.

Confidentiality is also challenged in situations that involve the diagnosis of a sexually transmitted disease in a patient who fails to inform the spouse, and in an underage girl who visits the hospital to terminate the pregnancy without informing the parents. There are various state laws in the US that are related to how parents of under-aged girls who want to get abortion must be notified.

Privacy, Confidentiality & Medical Records

When medical professionals respect patients’ privacy and confidentiality, it helps to build trust, promote selfless decision making and increases care. Protecting data collected in connection to the patient care is a central value in health care.

Confidentiality

Patients must be able to trust that doctors will protect data collected from them and about them in confidence.

Privacy

Patient privacy includes some aspects like personal space or physical privacy, personal data or informational privacy, personal preferences like cultural and religious association or decisional privacy, and personal relationships with family members and other intimates or associational privacy.

Medical Records

Medical records provide significant data that assures the continuity of care of the patient and are very essential both for present treatment and for the treatment of the patient in future cases. It is also significant for insurance, job and other uses.

Health care practitioners are obliged to take reasonable steps to protect medical information and keep them confidential according to the wish of the patient. For instance, a discussion between the doctor and the patient regarding the care of the patient must be done in private. The preference of a patient may be that the doctor contact their mobile phone instead of the home phone. The data of a patient is not supposed to be revealed to even well-meaning members of the patient’s family.

Every patient’s right to confidentiality must be maintained, except the individual permits the disclosure of such information or in a situation where they can no longer state their preference like when they are seriously confused or comatose. The federal Health Insurance Portability and Accountability Act HIPAA act is applicable to the majority of health care practitioners and its law, referred to as the Privacy Rule, stipulate in detail regulations that must be followed with regards to privacy, access, and disclosure of patient’s data.

Some of the regulations that must be followed in handling patient’s information, as stipulated in the HIPAA acts, include the following:

• Patients have the right to see and acquire copies of their medical records. They can also request for corrections to be made if they discover any oversight.
• Individuals who are legally approved to make health care decisions for an individual who lack the capacity also have equivalent right like the sick individual to access medical records of such individuals.
• Health care practitioners must regularly reveal their practices about privacy of private medical data.
• Health care providers may share a patient’s medical data but only among colleagues in so far as it is necessary to care for the individual.
• Personal medical data must not be disclosed for the sake of business promotion or marketing efforts.
• Health care providers must take realistic precautions to make sure that their conversations with the patient are confidential.
• Patients may file complaints regarding privacy breaches by health care practitioners straight to the health care practitioner or to the Office for Civil Rights in the US Department of Health and Human Services.

The HIPAA Privacy Rule does not imply barriers to the standard communications between medical providers and members of the patient’s family or their friends. The rules allow doctors or other health care providers to reveal data that is immediately required for the participation of a spouse, family members, friends, or other individuals allowed by the patient. If the patient is able to make health care decisions, the doctor may talk about this data with the family or others present if the patient gives the consent or when it is necessarily required by law.

Even in the absence of the patient, or when it is not logical to ask the patient’s permission due to emergency or incapacitation, a doctor may share a patient’s data with the family members or friends if the doctor thinks that such would be to the interest of the patients while exercising professional judgment.

Health care providers are occasionally required by law to reveal specific data, normally due to the fact that the condition may be dangerous to others. For instance, the health providers must report specific infectious diseases like human immunodeficiency virus (HIV) infection, syphilis, and tuberculosis to state or local public health agencies. Health care practitioners who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect normally must report such information to protective services. Conditions that might seriously impair a person’s ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles in some states.

Confidentiality

Confidentiality is imperative in handling the discussions that doctors have with their patients. This conception is generally referred to as a patient-physician privilege. There are regulations that mandate doctors not to reveal their discussions with patients, even when they are under oath in court.

Difference between confidentiality, privacy, and security of health data

There are three different essential and similar concepts that are frequently mistakenly used as one concept while investigating protection of health data in the U.S. healthcare system. However, they have different basic meaning or exclusive role.

Whenever the issues regarding the privacy of health information are being discussed, the first law that comes to mind is the “HIPAA. This part of the guide discusses these three concepts vary from each other.

****

Confidentiality

Confidentiality is the mandate of health professionals who have access to patients’ health records or discussion to keep the acquired information confidential. The professional obligation of health professionals to hold this data in confidence is implied in professional association codes of ethics, as represented in the American Health Information Management Association Code of Ethics.

Confidentiality is legally identified as advantaged contact between two parties in a professional relationship like the patient-physician, a nurse or other healthcare professional. Patients anticipate that the healthcare professionals must keep that information about them confidential. However, during legal lawsuits, the cases are judged on a case by case basis given the evidence on the ground and factoring the public good or need for the same information with support for the privileged discussion.

When handling sensitive health data that requires particular layers of confidentiality, like those involved in mental health treatment, the state laws offer assistance for health data management expert. In Illinois, for instance, the Mental Health and Developmental Disabilities Confidentiality Act provide thorough requirements for right of entry, utilization, and disclosure of confidential patient information which includes legal proceedings.

Confidentiality ethical issues

Professional persons in health care delivery fields (including those working in the public schools) have legal and ethical responsibilities to safeguard the confidentiality of information regarding the clients in their care. Scholars and those involved in human research have legal and ethical obligations to protect the privacy of persons who agree to participate in clinical studies and other research projects. Children and adults who are legally incompetent have the same right to privacy enjoyed by adults who are competent, though their rights will be mediated by a designated family member or a legal guardian.

There are federal statutes binding on all ASHA members who treat clients or patients, whether they work in healthcare facilities (where the HIPAA privacy and security rules apply), schools (which operate under the Family Education Rights and Privacy Act, as well as HIPAA), or private practice. There are also stringent federal statutes governing the treatment of human subjects in medical and other forms of scientific research. Individual states also have statutes governing the confidentiality of patient and client information, the protection of data gathered in research, and the privacy of students.

If there is variation among the different sources of rules on privacy, the professional should follow the most restrictive rule; for example, if the law seems to allow an action that the Code of Ethics seems to prohibit, follow the Code of Ethics. If there is a conflict between sources, do what the law requires; for example, if workplace policies conflict on some point with legal requirements for confidential handling of records, the law takes precedence.

Confidentiality Issues in Research

Attention to the protection of privacy begins with the planning of a research project, is crucial to the way research on human subjects is conducted, and extends through the review of research results (on both human and animal subjects) for publication and the sharing of data sets. Everyone involved—researchers, human subjects, support personnel, editors, reviewers, and data managers—should be aware of the ethical and legal requirements regarding privacy and should not compromise confidentiality for any reason.

Institutional review boards must be consulted about any research involving human subjects, and informed consent forms must be obtained and honored. Human subjects have a right to expect that their personal information will not be divulged when the results of a study are published or when data sets from a research project are shared with other investigators. Protecting the privacy of research subjects is an obligation for all those who are involved in the research.

Privacy

Privacy, different from confidentiality, is the right of the patient to be allowed to make decisions regarding the way personal data is shared. Although the U.S. Constitution does not state a “right to privacy”, privacy as regards to a person’s healthcare decisions and health data are specified in court decisions, in federal and state statutes, licensing organization guidelines and professional codes of ethics.

The greatest among them is the federal HIPAA Privacy Rule that set up the national standards for privacy of health data and defining “protected health data. The purpose of the HIPAA Privacy Rule is to identify and mark the frontier of the scenarios where a person’s protected health data may be utilized or disclosed.

The privacy rule as established in the broader Health Insurance Portability and Accountability Act of 1996 (HIPAA) as expressed in the U.S. Department of Health and Human Services (HHS), strike a balance that allows significant utilization information even as it protects the privacy of individuals who search for medical care and healing.

Peoples are offered some elements of control like the right to access their own health data in a number of instances and the right to ask that any erroneous health info should be amended. Nevertheless while trying to maintain a balance; the Rule makes provision for a number of exceptions regarding the utilization and disclosure of protected health data without patient authorization. Some of these exceptions include treatment, compensation, health care providers’ operations and for specific public health activities.

Even as there continues to be a debate about if the HIPAA Privacy Rule has significantly boosted people’s privacy rights, it has surely enhanced understanding of the topic of privacy of health data, issues that concern its protection and what the patient’s duty is in the process. The duty of the health information management professionals has clearly been significantly impacted by tasks for HIPAA Privacy Rule compliance.

HIPAA has developed during the last ten years and was significantly strengthened by the 2009 HITECH Act and the HIPAA amendment regulations published in January 2013. Whatever is your view about HIPAA, it is difficult to argue that it has had a huge impact on patients, the healthcare industry, and many other industries and would control the operations of healthcare and HIM professionals for many years to come.

Security

Security means protection directly, and particularly to the method that is employed to keep the privacy of health information intact and support experts to hold such information in confidence.   The concept of security has over the years been applied to health records in manuscript form like locked file cabinets. While the utilization of electronic health record systems broadened and when the issue of transferring health information to support billing started, there arose the need to come up with regulatory guidelines that relate to the electronic health information.

The HIPAA Security Rule offered the first national standards for the safeguard of health information. In handling technical and administrative safeguards, the HIPAA Security Rule’s specified that the objective is to keep independently identifiable electronic health data safe-a part of information covered by the Privacy Rule while giving healthcare providers suitable access to information and flexibility to adopt technology as enshrined in the HHS, 2003b. Once more, that concept of balance exists in the law: necessary access by healthcare providers vs. protection of individuals’ health information.

Medical professionals who breach confidentiality presently face more stringent penalties due to the adjustments made to the HIPAA Privacy and Security Rules during the publication of final ruling of the HITECH Act.   The publication of these alterations is referred collectively as Omnibus Rule and was meant to make a great impact on health care and protect patient privacy. It would as well keep patients healthy data safe especially escalating innovations in technology.

Direction on how to comply with The Confidentiality Act

Data and the private data of patients who take part in research studies must be kept confidential. There must be watchful supervision of employees to make sure that they keep to the best and recommended practices required to ensure the confidentialities of all individuals involved are kept safe.

Some practical precautions to safeguard and maintain the confidentiality of participant include the following:

• Transferring research findings without revealing private data that could easily be recognized
• Ensuring the safety of saved research records and minimizing access to authorized personnel alone;
• Taking away, camouflaging, or coding individual information that could be easily identified;
• Getting printed well-versed consent from the research participant and if the participant is a child the consent of the parent or the guardian must be sought before transferring results that include photographs, videos or audio voice recordings that may make it easy for the individual to be identified.

Due to the fact that the legal requirements in this regard are very strict and given that health institutions monitor research on human subjects very cautiously, professionals must get additional guidance straight from the correct personnel in their home institutions.

In a research that involves the peer review of tendered manuscripts, all result, information, and images in the manuscripts ought to be handled as highly confidential, and reviewers and editors are obliged to protect findings from any form of untimely disclosure. In a blind-review process, the personal data of the researchers must be protected. In a double-blind review procedure, the vagueness of authors and reviewers similarly must be thoroughly maintained. Editors and reviewers must not publish any information they gathered from the manuscripts.

How to manage Verbal Communication  

If a patient is a competent adult, he or she is the only person with the authority to grant access to his or her medical information. If the case has to do with a child, only the parent or the guardian can grant such right of access. However, there are instances like in instances of custody disputes or under custody agreements where both the biological and adoptive parent doesn’t have right of access to the patient information or the right to give permission for such information to be disclosed.

If a patient is an incompetent adult, the right of access to the medical data of the patient is only granted to the designated family member(s) or legal guardian of the patient.

The standard good practice includes the following:

• In every form of treatment situations, a written form that stipulates disclosure of information must be provided to and signed by, the patient or the patient’s representative before the commencement of the treatment of the individual.
• Every patient record must be made up of a clear, precise, up-to-date, and easily situated statement of the person who is authorized to have access to the patients data and the person who has the right to give the right of access to a third party who has the right of access to client information and who may authorize the release of such information to other parties.

For any disclosure of information apart from the one that is contained in the first round of privacy agreement or as the law requires, the doctor need to get a release of information agreement from patients or their assigned representatives. This involves getting permission to share information with a second healthcare professional. It is sensible to get this permission in writing instead of depending on verbal assent.

How to manage written records of patient’s data

Printed records of a patient’s data have a durability and reproducibility that differs from spoken information. There are thus extra concerns regarding the protection and management of paper files or automated records. These fears and challenges continue to get more complex and intense due to the electronic media. Breaches of confidentiality can happen due to how the records are produced, stored, or transmitted.

Typically, professionals should not produce, update, or save patients records on their personal electronic devices like computers and flash drives or personal online accounts. If the workplace permits such off-site management of health records, there must be the implementation of privacy safety measures like password protection and anonymized client data representations. Staffs must not open or read patients records on portable devices should when they are in public places like coffee shops or on a public transport system.

All therapists who practice autonomously and all healthcare organization must have clearly written policies that talk about client records.

Workplace policies about records management must basically take care of the following:

• record precision and content;
• electronic and paper record storage, system
• ownership of records;
• record access to prevent access by workers who may want to read and influence the record and with regard to the right of access by clients;
• record review and maintenance and associated statutes of restriction;
• transfer of data which includes transfer by electronic means;
• procedures for managing requests for data by an individual other than the client or the client’s spokesperson;
• the utilization of patients records for research;
• Obliteration of material removed from records.

These policies should experiment without inconsistency. Failure to comply with the requirements planed to defend patients’ records not only puts patient welfare at risk but as well makes the practitioner susceptible to ethics complaints and legal action.

It is especially significant for professional that look after patients in institutions and facilities to be made to know whom the record belongs to. Normally, in a healthcare setting, the medical facility is the owner of the record. However, in a private practice, the individual who is legally accountable for the practice is the owner of the records. In a school setting, the data belongs to the school district.

Suitable steps must be taken to make sure that the confidentiality and protection of electronic and automated client records and data. All data must be password protected, and only authorized individuals should be given access to the records and information. Automated records must be backed up regularly, and there must be plans for protecting computer systems in the event of emergencies.

Medical ethics and electronic health records

An electronic health record (EHR) is a record that contains a patient’s healthcare information which includes history, physical examination, investigations, and treatment in digital format. Doctors and hospitals are currently making use of electronic health record because they have many advantages over paper records. They boost access to health care, enhance the quality of care and reduce costs.

The office of the National Coordinator for Health Information Technology (IT) sees the patient’s health record as not merely a range of data that you are protecting the individual’s life. The information that is in the patient health record is owned by the patient. The doctor and the organization own the physical medical record. Nevertheless, ethical issues that consign the EHRs are challenges to the health personnel. When patient’s health data are transferred from place to place or from individual to individual or connected to without the knowledge of the patient, it puts the individual’s autonomy at risk.

The patient may cover up and conceal some information because of fear regarding the degree of security of the electronic system on which the data is stored. This could significantly affect their treatment due to the compromise regarding the incomplete disclosure of information. There is the risk that healthcare data of thousands of patients’ can be misplaced in error or be stolen. Leaders, health personnel, and policymakers must be aware of the ethical implications of using EHRs and set up strategies to ensure that the healthcare data of patients in electronic forms are properly safeguarded.

The advantages of electronic health records over the traditional paper records

In the past, the health record of patients was documented on paper for the purpose of research, medical, administrative and financial uses. Its major disadvantage was in the difficulty of accessing the information. Again, it can also be accessible to one individual at any given time. It takes about one month to six months to complete such data or even more time because the update of paper documentation of health records is required one once every year.

The aim of documenting health data through the electronic media is still equivalent to that of the standard paper storage. However, the electronic health record is more beneficial than the paper records.

Some of these advantages include the following:

• EHRs are more legible and this eliminates issues of wrong prescriptions, doses, and processes.
• Furthermore, unpleasant drug reactions can be minimized greatly when the EHRs are linked to drug banks and pharmacies. This can be achieved by not allowing prescription and order for drugs which has a recognized adverse reaction for a specific patient.
• It allows easy access from anywhere at any given time.
• Electronic records require less storage space and can be stored forever. They lessen the number of lost records, assist in research activities, assist in the production of a whole set of backup records at low cost, speed data transfer and are money-spinning.
• EHRs boosts patient compliance, aids quality assurance and minimize medical errors.

Four key ethical priorities for electronic health records (EHRS):

• Privacy and confidentiality
• Security Breaches
• System implementation,
• Data errors

Privacy and confidentiality

The health care data of a patient ought to be provided to others only when it is allowed by the patient or the law. When a patient can no longer give such consent as a result of age or mental inability, the decisions about sharing their healthcare information can be made by the legal representative or legal protector of the patient. Healthcare data shared due to clinical interaction is taken as confidential and need to be protected. Data from which the uniqueness of the patient cannot be discovered, for instance, the number of patients with breast carcinoma in a government hospital, is not covered by this category.

Healthcare organizations, insurance companies, and others will need access to the data if EHRs are functioning as planned. The major reason for protecting confidentiality is to permit just authorized individuals to access the data. This starts with authorizing users. The user’s access must be based on pre-established role-based privileges. The manager of the electronic health data discovers the user, decides the level of information shared and designates usernames and passwords.

The user must be informed that they would be made accountable for the use and misuse of the healthcare data revealed to them. Their access to the information is limited to merely what they require to fulfill their obligations. Therefore, transmission of user privileges is a key aspect of the security of medical record security.

Despite the fact that it is significant to control access to health information, it is not enough to protect the confidentiality. There must be additional security steps in a place like a robust privacy and security policies to ensure that patients’ health care data are adequately protected.

Security Breaches

Security breaches are committed against patient privacy when confidential health data is provided to others without the consent or approval of the person. Two incidents of security breaches that occurred at Howard University Hospital, Washington demonstrated that insufficient data security can affect a large number of people.

On May 14, 2013, one of the hospital’s medical technicians, Laurie Napper, was charged with violating the Health Insurance Portability and Accountability Act (HIPAA). The technician for a 17-month period used her role in the hospital to access the names of patients, their addresses and Medicare numbers for trading purposes. The hearing of the case conducted on the 12th of June 2013 found the technician guilty and she was imprisoned for months in a half-way house with an additional fine of 2,100 dollars.

Before that incident, the same hospital notified more than thirty-four patients in their database that their medical data had been compromised. A contractor working with the hospital downloaded the patients’ data to a personal laptop that got stolen from his car. The data were password protected but was not encrypted. This implies that anyone who guessed the password correct could have access to the patients’ data without an arbitrarily generated key.

The information contained in the patients’ file that was compromised included the names, addresses, and Social Security numbers and in some instances, diagnosis-related data.

Another hospital chain by name the Prime Healthcare Services Inc. has accepted to pay two hundred and seventy-five thousand dollars to settle a federal investigation that alleged violation of patient privacy. The security breaches are constantly becoming a major challenge faced by doctors, public health officials and federal regulators.

Cloud storage, password protection, and encryption are all procedures health care providers can take to keep their portable EHRs additionally secure. A survey carried out discovered that roughly seventy-three percent of doctors send a work-related text to colleagues.

Mobile devices are meant for personal use. They are not structured to be managed by the central IT Department. Mobile devices can readily be misplaced, spoilt, or stolen. There must be a great emphasis on encrypting mobile devices that are utilized in the transmission of confidential information. Portable EHRs can be made more secure with the use of cloud storage, password protection, and encryption.

The use of two-factor validation system with security tokens and password are essential in securing EHRs. Security means like firewalls, antivirus software, and intrusion detection software have to be included to protect data integrity.

Specific policies and measures must be set to maintain patient privacy and confidentiality. For instance, staffs must not share their ID with anyone and they must constantly log off when leaving a terminal and make use of their assigned ID to access patient electronic records.

A security officer must be chosen by the healthcare provider to work with a team of health IT experts.

Regular random audits ought to be carried out on a constant basis to ensure that the staffs comply with the hospital policy. The whole system activity can be tracked by audit trails. This is detailed listings of content, length of use and the user; generating date and time for entries and logs of all s to EHRs.

When there is improper access to a medical record, the system should be structured to provide the name of the individual gaining access; the time, date, the screens from which the access is gained and the duration of the review. This data is essential to determine if the access is the result of an error or just an intentional, unauthorized view.

The HIPAA Security Rule needs organizations to carry out audit trails. This requires that they document information systems activity and have the hardware, software, and measures to record and scrutinize activity in technological systems where health information is stored.

Outside contractors constitute specific privacy issues. There should be the implementation of employee-only access to the EHR. This implies any external contractor should only gain access to the healthcare information under the approval and supervision of a staff of the organization.

System implementation

Healthcare providers face a lot of challenges while making use of the EHRs. These challenges result in a waste of resources, frustrated providers, breach of confidence of patients and patient safety issues. To set up, carry out, and maintain the EHRs needs adequate funds and the participation of a number of individuals which includes physicians, other healthcare professionals, information technologists, educators, and consultants.

Hospitals and healthcare providers are improving greatly without so much engagement by the clinicians. Most EHR execution projects do not succeed due to the fact that the health organizations undervalue the significance of getting one or more clinician to act as opinion leaders for providers in the healthcare institution. Therefore, the clinician must develop strategies to let their colleagues understand what roles they have in the implementation of the EHR. They must enlist their participation in duties like as EHR choice, workflow design, and quality improvement.

Data error

Maintenance of integrity helps to keep the data accurate and non-manipulated. EHRs help to boost the patient’s safety by minimizing healthcare errors, minimize health disparities and boost the health of the public. Nevertheless, concerns have been raised about the correctness and consistency of data keyed into the electronic record.

Erroneous representation of the patient’s present condition and treatment takes place as a result of improper utilization of options like “cut and paste”. This practice is offensive due to the fact that it boosts the risk for patients and liability for clinicians and organizations.

Another thing that can result in an issue in the data integrity is the drop-down menu and disposition of relevant information in the trash. Such menus minimize the choices accessible to the clinician who may hurriedly select a wrong data which may result in a great error. Doctors and contractors have been working to find a solution to software issues to make EHRs both user-friendly and correct.

Loss or destruction of data happens during data transfer. This raises concerns regarding the accuracy of the database since patient care decisions are based on those data. An increasing issue is of medical identity theft. This results in the incorporation of incorrect data into the record of the victim. The individuals’ insurance company would be billed for medical services that were not received by the actual policyholder and the patient’s future treatment is structured on that wrong information from thief’s health record without the immediate knowledge of the patient or the healthcare provider.

Confidentiality standards and adolescents

In most states, teenagers may seek treatment without the consent of their parents for specific conditions, like treatment for pregnancy, sexually transmitted infections, mental health concerns, and substance abuse. It is better to get familiar with what the rule of the state, the local laws, and the institutional policies are with regards to adolescents and healthcare.

Conclusion

Management of electronic health data comes with a lot of regulatory compliance challenge, for ethical consideration and eventually for the quality of care. While the need for electronic health record system continues to increase, and additional data are gathered from mobile health devices, for instance, it comes with additional challenges for healthcare providers.

All employees in healthcare organization including professionals that manages health informatics and health information, clinicians, researchers, business managers and the rest people that work in a medical setting are all obliged to keep the collected health information private. Patients’ privacy rights with regard to their health information and confidentiality must be maintained and protected.

The public interest of citizens in health information, however, subsists in issues that relate to public health or crime. It is essential to balance the entire interests in health data. Maintenance of the confidentiality, privacy, and security of healthcare data present constant and significant challenges in the U.S. healthcare and legal systems and at the same time, it presents a prospective career choice for health IT management professionals.

Different healthcare professionals need the help of the computer to carry out their work effectively. Producing a practical EHR system will need the expertise of doctors, technology professionals, ethicists, managerial personnel, and patients. Despite the fact that electronic health records are more beneficial than the paper records, the future of healthcare requires that the healthcare professionals recognize that there are risks inherent and must properly manage the system to surmount the obstacles it poses to the health and safety of individuals under medical care.

There are a lot of strategies that can be implemented to minimize the risk of overcoming the barriers inherent in the execution of digital health records. Leadership, teamwork, suppleness, and flexibility are the main ways to arrive at some solutions. EMRs capacities ought to be maximized to be able to boost the quality, safety, efficiency, and efficiency of health care and health care service systems.

References

Overview of Legal and Ethical Issues in Health Care.  Merck Manuals

Confidentiality, privacy, and security of health information: Balancing Interests.  Health Informatics.

NCBI Articles

AMA-ASSN.  Delivering Care – Code of Medical Ethics, privacy, confidentiality, medical records.

Confidentiality and HIPAA.  Legal and Ethical Issues, Merck Manuals.

Jessica De Bord, DDS MSD MA, Wylie Burke, MD PhD, & Denise M. Dudzinski, PhD MTS (2013).  Confidentiality – Ethics in Medicine.  University of Washington School of Medicine.

Course Directions

1. When you are finished reading the course & are ready to take the quiz, go to the bottom of this page & click the link underneath the Quizzes Section to begin the quiz.

2. After you complete the quiz with a passing score of 70% or higher, your certificate will be available to view & save for your records.

3. You  have unlimited attempts to obtain a passing score on the quiz.

Helpful Tip 

In case you need to double check an answer while taking the quiz, you can keep this reading material page OPEN by taking your mouse, and right clicking the “Quiz” link.  Then, select the option to open to “Open Link In New Tab”.

This will open the quiz in a new tabbed window next to the reading material page.