One of the tenets of working in the healthcare industry is to maintain the privacy and confidentiality of a patient’s health information. This is an ethical and legal obligation that every healthcare provider and staff member should uphold.
With the advent of computers and other electronic technology, we are now able to maintain electronic files which allow us more flexibility in communicating information between offices, hospitals, and clinics, as well as cutting down on the space requirements for storage. In addition, we are better able to track and analyze data that helps us to be more effective in providing care as well as in controlling costs.
It is a given that numerous professionals can access a patient’s information once the patient is admitted to the hospital, from nursing staff to x-ray technicians to billing clerks. They all have access to a patient’s medical records during the course of a typical hospitalization. There are, however, concerns that the increase in electronic information results in a loss of privacy and confidentiality.
Because so many people potentially have access to patient medical information now, we need to do more to ensure that the only people who do access the medical information are those who need to have access in order to provide care.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) has been ingrained into the consciousness of virtually every healthcare worker in the United States. It has become a synonym for “privacy and security.” HIPAA was passed in an era of economic boom (just before the “dot com bust”) when unemployment was low and many people found themselves in “job lock,” unable to take advantage of better jobs because a medical condition would exclude them from their new employer’s coverage for one year or more. Those with pre-existing medical conditions could not afford to move up in their careers by moving to a position with a new employer because employers’ health plans typically excluded those with pre-existing conditions for one year or more. The cost of healthcare served as a disincentive to employees who, while awaiting coverage with the new employer, would pay more in private payment for medical care and drugs than the increase in income they might enjoy in the new job — they were in job lock.
HIPAA became effective on August 21, 1996. It sets forth minimum standards that facilities must follow to protect patients’ health information.
Under its Title I, HIPAA provided for non-discrimination in employee eligibility or continued eligibility to enroll for benefits under the terms of an employer group health plan without regard to health factors. If the employee was covered by the previous employer and maintained that coverage for 18 months, the new employer is required to offer the same healthcare benefits as are offered to other employees within the organization.
Under Title II, the law provided for Administrative Simplification, the provision that has had significant impact on providers who use electronic data transfer. They must provide for the security of that data and the protection of patient privacy.
What is PHI?
The key term associated with the privacy rules is Protected Health Information or PHI.
PHI is generally defined as:
Any information that can be used to identify a patient, whether living or deceased, and which relates to the patient’s past, present, or future physical or mental health or condition, including healthcare services provided and the payment for those services.
PHI covers information that can be found in:
- Information used within the facility
- Verbal or written information
- Information stored in computer files
- Information stored in paper patient files
- Information shared with other health care providers, payers or third parties
What is HITECH?
In February 2009, HIPAA was expanded and strengthened when the American Recovery and Reinvestment Act was passed. This law is referred to as the HITECH Act (Health Information Technology for Economic and Clinical Health).
This act represents the first significant commitment of federal resources to support the widespread adoption of electronic health records, or EHRs.
How Does the HITECH Act Specifically Affect Nurses?
The security of personal health records has always been critical within the healthcare industry. As healthcare professionals, the protection of personal health information (PHI) is just as important as the patient care delivered. Since nurses are often involved in the transmission of PHI, they need a basic understanding of the new security rules as they pertain to the HITECH Act. All PHI must be encrypted prior to transmission. Encryption is a technique for transforming information in such a way that it becomes unreadable. This means that even if a hacker is able to gain access to a computer that contains PHI, he or she will not be able to read or interpret that information. The patient’s privacy will still be protected.
Therefore, whenever requests are made for a patient’s electronic health records, nurses should always be able to answer these questions before handing over patient information:
- Does the EHR have the capability to comply with requests for electronic access?
- How will patients receive an electronic copy of the data?
- What security protections will be employed to secure the electronic access (e.g., encryption, passwords)?
- Will it be documented and time-stamped when EHRs are issued to the patient?
- Will the organization instruct patients on protecting this electronic information?
Our main concern is always to protect the patient’s right to privacy and confidentiality. By being aware of these laws, we are able to uphold nursing standards and deliver personalized care to our patients.