Chapter 4
Managing the Electronic Health Record
© Paradigm Education Solutions
1
Learning Objectives
4.1 Differentiate between the two main healthcare setting categories and identify four types of healthcare settings.
4.2 Identify key elements of the patient entry process.
4.3 Identify the purpose, goals, and elements of the master patient index.
4.4 Explain the registration process for a patient requiring acute care.
4.5 Explain the registration process for a patient requiring ambulatory care.
4.6 Differentiate between a new and an established patient.
4.7 Identify the importance of insurance information in the administrative management process.
4.8 Describe document imaging and its importance in the electronic health record (EHR).
Introduction
• Healthcare providers create and maintain an individual health record for every patient.
• Registrar: the initial contact for a patient
• The patient provides demographic information to the registrar, such as:
– Name
– Date of birth
– Home address
– Other identifying information
Introduction, Continued
• Patient information may be new or may require updating.
• Accurate data collection and entry is:
– A critical job requirement for the registrar
– Crucial to ensuring patient safety and preventing communication problems among providers
4.1 Different Types of Healthcare Settings
• Two main setting categories of patient care: acute care and ambulatory care
• Acute care
– For patients who have short-term illnesses or issues and require overnight hospitalization
– Round-the-clock diagnostic, surgical, and therapeutic care
• Ambulatory care
– For patients who do not require an overnight stay
– Centers have grown over the past 30 years.
4.1 Different Types of Healthcare Settings, Continued
Patient Care in an Acute Care Setting
• Patients are admitted through the emergency department or sent from an outpatient clinic or physician’s office.
• Minimum stay of 24 hours; maximum stay of 30 days
• Patient receives room, board, and care
• Admission date: day and time a patient is admitted to an acute care facility
• Discharge date: day and time a patient leaves the facility
• A physician must admit and discharge patients.
4.1 Different Types of Healthcare Settings, Continued
Patient Care in an Ambulatory Care Setting
• Includes services that do not require hospitalization or institutionalization
• Patient is discharged in less than 24 hours
• Ambulatory care settings include:
– Birthing centers
– Cancer treatment centers
– Clinics
– Correctional facilities
– Dentist offices
– Dialysis clinics
– Emergency departments
– Home care
– Physician offices
– Surgery centers
– Therapeutic services
– Urgent care centers
4.1 Different Types of Healthcare Settings, Continued
Other Healthcare Settings
• Long-term care facility: patients typically reside for more than 30 days
• Behavioral health setting: provides care to patients with psychiatric diagnoses
• Rehabilitation facility: serves patients recovering from accidents, injuries, or surgeries
• Hospice care: short-term, palliative care provided to terminally ill patients
4.2 Patient Entry into the Healthcare System
• All patients must be admitted or registered in the EHR.
Admission and Registration
• Begins when the patient makes an appointment or schedules an admission
• Demographic and payer information collected
– Self-service kiosk, electronic or paper forms
Check-In Process
• Verification of patient identity and insurance
• Consents
• Copayment
4.3 Master Patient Index
• Master patient index (MPI): database created by a healthcare organization to assign a unique medical record number to each patient
• Patient identification number: unique patient or medical record number generated by the EHR
4.3 Master Patient Index, Continued
• Goals of the MPI:
– Match patients with their MPI record
– Minimize duplication
– Retain lifelong health records
• The MPI includes data fields that uniquely identify patients.
4.3 Master Patient Index, Continued
• The American Health Information Management Association (AHIMA) recommends that MPIs include core data elements:
– Medical record number
– Name
– Date of birth
– Sex
– Race
– Ethnicity
– Address
– Previous name
– Social Security number
– Facility identifier
– Account number
– Admission date
– Discharge date
– Service type
4.3 Master Patient Index, Continued
• AHIMA’s optional data elements for the MPI:
– Marital status
– Telephone number
– Mother’s maiden name
– Place of birth
– Advance directive decision making
– Organ donor status
– Emergency contact
– Allergies
– Problem list
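The MPI goals listed in this section (match a returning patient to their existing record, minimize duplication, retain lifelong records) and the lookup criteria the chapter gives for an established patient (full or partial name, medical record number, date of birth) can be exercised in a small model. The code below is an added example, not code from the textbook or from any EHR product; its MRN format, its matching rule (date of birth plus a normalized current or previous name), the legacy-import method and the sample patients are assumptions made for the example.

```python
"""Minimal master patient index (MPI) with duplicate detection.

Added example, not code from the textbook or from any EHR product. It
models the MPI described in the slides: the organization assigns one
medical record number (MRN) per patient and keeps identifying fields so
that a returning patient is matched to the existing record instead of
receiving a second one. The matching rule, MRN format and sample
patients are constructed for the example.
"""
import itertools
import unicodedata
from dataclasses import dataclass, field


@dataclass
class MpiRecord:
    mrn: str
    name: str
    date_of_birth: str      # ISO date string, e.g. "1984-03-09"
    sex: str
    address: str
    previous_names: list = field(default_factory=list)   # AHIMA "previous name"


def normalize_name(text):
    """Case-, accent- and whitespace-insensitive form of a name for matching."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(ascii_text.lower().replace(",", " ").split())


class MasterPatientIndex:
    def __init__(self):
        self._records = {}                   # mrn -> MpiRecord
        self._seq = itertools.count(100001)  # assumption: sequential MRNs

    def find_match(self, name, date_of_birth):
        """Return the existing record for this person, or None."""
        key = normalize_name(name)
        for rec in self._records.values():
            names = [rec.name] + rec.previous_names
            if rec.date_of_birth == date_of_birth and any(
                normalize_name(n) == key for n in names
            ):
                return rec
        return None

    def register(self, name, date_of_birth, sex, address):
        """Return (record, created). An established patient keeps their MRN;
        the registrar then verifies and updates the stored demographics."""
        existing = self.find_match(name, date_of_birth)
        if existing is not None:
            existing.address = address
            return existing, False
        rec = MpiRecord(f"MRN{next(self._seq)}", name, date_of_birth, sex, address)
        self._records[rec.mrn] = rec
        return rec, True

    def rename(self, mrn, new_name):
        """Keep the previous name so later matches on it still succeed."""
        rec = self._records[mrn]
        rec.previous_names.append(rec.name)
        rec.name = new_name

    def load(self, rec):
        """Import a record as-is (e.g. from a legacy system) without matching."""
        self._records[rec.mrn] = rec

    def search(self, partial_name=None, mrn=None, date_of_birth=None):
        """Lookup by the criteria the chapter lists: name fragment, MRN or DOB."""
        hits = []
        for rec in self._records.values():
            if mrn and rec.mrn != mrn:
                continue
            if date_of_birth and rec.date_of_birth != date_of_birth:
                continue
            if partial_name and normalize_name(partial_name) not in normalize_name(rec.name):
                continue
            hits.append(rec)
        return hits

    def potential_duplicates(self):
        """Pairs of MRNs that share DOB and normalized name: merge candidates
        that violate the 'one patient, one record' goal."""
        seen, pairs = {}, []
        for rec in self._records.values():
            key = (normalize_name(rec.name), rec.date_of_birth)
            if key in seen:
                pairs.append((seen[key], rec.mrn))
            else:
                seen[key] = rec.mrn
        return pairs


if __name__ == "__main__":
    mpi = MasterPatientIndex()
    first, created = mpi.register("Ana Pérez", "1984-03-09", "F", "12 Elm St")
    again, created_again = mpi.register("ana perez", "1984-03-09", "F", "40 Oak Ave")
    print(first.mrn, created, again.mrn, created_again)   # same MRN, created_again is False
```

The duplicate check is deliberately separate from registration: a legacy import bypasses matching, so a periodic `potential_duplicates()` sweep is what surfaces the records an HIM reviewer would consider merging.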
4.4 Enterprise Master Patient Index
• There is a need to maintain patient identifier information across an EHR system for all healthcare settings.
• This systemwide database is called the enterprise master patient index (EMPI).
• Two key data elements differentiate the MPI from the EMPI:
– Enterprise identification number (EIN): identifies the patient across healthcare settings
– Facility identifier: indicates the healthcare setting where the patient is seeking care
4.4 Enterprise Master Patient Index, Continued
• Recommended EMPI data elements:
– EIN
– Facility identifier
– Internal patient identification
– Patient name
– Date of birth
– Sex
– Race
– Ethnicity
– Address
– Social Security number
– Telephone number
4.5 Collecting Patient Data
Acute Care Registration
• Registrar:
– Collects demographic and administrative information
– Verifies accuracy of and updates patient information already in the EHR system
• Personnel must follow the Uniform Hospital Discharge Data Set (UHDDS) for inpatient care.
– A set of patient-specific data elements
– Adopted by federal health programs in 1986
4.5 Collecting Patient Data, Continued
• The UHDDS core data elements:
– Patient identifier
– Date of birth
– Sex
– Ethnicity
– Address
– Healthcare setting identification
– Admission date
– Type of admission
– Discharge date
– Attending physician identification
– Surgeon identification
– Principal diagnosis
– Other diagnoses
– Qualifier for other diagnoses
– External cause of injury code
– Birth weight of neonate
– Significant procedures and dates
– Disposition of patient
– Expected source of payment
– Total charges
4.5 Collecting Patient Data, Continued
Ambulatory Care Registration
• Front office staff handles registration.
• Information gathered should follow the Uniform Ambulatory Care Data Set (UACDS) for outpatient services.
– Ensures data consistency across healthcare settings
– Is not required but highly recommended
4.5 Collecting Patient Data, Continued
• The recommended UACDS data elements include:
– Patient identification
– Address
– Date of birth
– Sex
– Ethnicity
– Provider identification
– Provider address
– Provider specialty
– Place of encounter
– Reason for encounter
– Diagnostic services
– Problem, diagnosis, and assessment
– Therapeutic services
– Preventive services
– Disposition
– Source of payment
– Total charges
4.6 New versus Established Patients
• New patient: has not received any services from a provider or another provider in the group in the same specialty and subspecialty within the past three years
• Administrative information collected to register patient:
– First, middle, and last names
– Medical record number
– Address
– Telephone numbers
– Sex
– Date of birth
– Place of birth
– Marital status
– Ethnicity
– Social Security number
– Emergency contact
– Date of service
– Physician
– Dentist
4.6 New versus Established Patients, Continued
• Established patient: has received professional services from a healthcare provider or another provider in the same group in the same specialty and subspecialty within the past three years
• To find an established patient’s record in the EHR Navigator, search for their:
– Full or partial name
– Medical record or patient number
– Date of birth
• Existing information in the EHR must be confirmed with the patient.
Consider This
When a patient arrives at an emergency department (ED), he or she is neither a new patient nor an established patient. The patient may have a record in the EHR system, but patients in the ED are not identified as being new or established. The terms new and established are primarily used for patients in an ambulatory care setting. Patients may have been to the ED for previous visits, but they would not be classified as established.
How would you handle a situation in which a patient states that they have been to Shoreview Emergency Department before and, consequently, should not have to provide their information again?
4.7 Insurance Information
• Insurance information includes details about the patient’s insurance coverage.
• Patient insurance cards are scanned into the EHR system.
4.7 Insurance Information, Continued
• When entering the patient’s insurance and financial information into the EHR, you must identify:
– The subscriber: the person whose insurance coverage is used for acute or ambulatory care
– The guarantor: the person or financial entity that guarantees payment on any unpaid balances on the account
4.7 Insurance Information, Continued
• The EHR must be updated if a patient’s health insurance information is missing or does not match.
• This can be done in the Insurance tab of the patient’s record.
4.7 Insurance Information, Continued
• How insurance covers costs is based on:
– The primary reason for the visit
– Insurance rules
• Birthday rule: if two insurance plans cover a child, the insurance of the parent whose birthday falls first in a calendar year will be the primary insurance
• For patients insured by more than one provider, the primary coverage is determined by industry rules adopted by state insurance commissioners.
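The birthday rule stated above is easy to code incorrectly, because it compares the parents' birthdays within a calendar year and ignores which parent is older. The function below is an added example, not from the textbook; it ranks the two plans by the subscriber's month and day only, and returns None on an exact tie because the slide gives no tie-breaker (that is an assumption of the example, not a stated rule).

```python
"""Primary coverage for a dependent child under the birthday rule.

Added example, not from the textbook. Month and day of the subscriber's
birthday decide; the birth year is deliberately ignored. An exact tie
returns None because the slide does not state a tie-breaker.
"""
from datetime import date


def primary_plan_by_birthday_rule(plans):
    """plans: list of two (plan_name, subscriber_birth_date 'YYYY-MM-DD') pairs.

    Returns the plan whose subscriber's birthday falls first in the calendar
    year, or None when both birthdays fall on the same day.
    """
    if len(plans) != 2:
        raise ValueError("the birthday rule applies when two plans cover the child")
    ranked = sorted(
        ((date.fromisoformat(born), name) for name, born in plans),
        key=lambda item: (item[0].month, item[0].day),   # year intentionally excluded
    )
    (first_date, first_plan), (second_date, _) = ranked
    if (first_date.month, first_date.day) == (second_date.month, second_date.day):
        return None
    return first_plan


if __name__ == "__main__":
    # Constructed sample: the younger parent still wins on an earlier birthday.
    print(primary_plan_by_birthday_rule([("Plan A", "1990-01-20"), ("Plan B", "1970-01-21")]))
```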
4.8 Document Imaging
• Document imaging: a paper copy of medical information is converted to a digital format to attach to a patient’s EHR
• Documents that may be scanned and added to a patient health record include:
– Privacy notices
– Financial agreements
– Consent forms
– Advance directives
4.8 Document Imaging, Continued
Privacy Notices
• The Notice of Privacy Practices
– Must be reviewed and approved by the patient
– Informs patients of their rights and responsibilities
4.8 Document Imaging, Continued
Financial Agreements
• Assignment of Benefits form: an authorization by the patient to allow their health insurance or third-party provider to reimburse the healthcare provider or facility directly
4.8 Document Imaging, Continued
Consent Forms
• General consent for treatment form
– Used in acute care
– When signed, gives the healthcare provider the right to treat the patient
4.8 Document Imaging, Continued
Advance Directives
• Advance directive: provides information about how the patient would like to be treated if they are no longer able to make their own medical decisions
Consider This
The Documents feature of an EHR system offers many benefits for healthcare personnel. For providers, this feature allows them to scan or upload documents, such as test results or handwritten notes, and attach them to a patient’s chart. This feature also allows providers to sign the notes. For all healthcare staff members, the Documents feature allows them access to view the documents and helps prevent misplaced or misfiled paperwork. In short, the ability to attach documents in an EHR system increases efficiency, productivity, and quality of patient care. With all these benefits, do you think there are still opportunities for documentation errors? What types of errors may occur?
Chapter 5
Scheduling and Patient Management
Learning Objectives
5.1 Explain the importance of using the scheduling feature in an electronic health record (EHR).
5.2 Customize a healthcare facility’s schedule.
5.3 Describe the five types of scheduling methods.
5.4 Describe the benefits of allowing patients to schedule appointments using a patient portal.
5.5 List the information required to schedule an appointment.
5.6 Schedule, cancel, and reschedule an appointment in the EHR.
5.7 Generate a provider schedule from the EHR.
5.8 Transfer a patient in the EHR.
5.9 Check out or discharge a patient in the EHR.
5.10 Explain how the patient tracker can improve workflow.
Introduction
• EHR systems include a scheduling feature.
• The facility must first set up a template showing its overall schedule of operations.
5.1 Healthcare Facility Schedule
• A healthcare facility should create a matrix that shows available and unavailable appointment times.
• The schedule may be viewed:
– As daily, weekly, or monthly calendars
– By provider or facility
• When setting up the EHR system, the facility enters the parameters for scheduling patients, such as:
– Available providers
– Available scheduling days and hours
– Types of visits
• A provider’s schedule can be printed via the EHR.
5.1 Healthcare Facility Schedule, Continued
• Unavailable hours should be blocked off as soon as possible via the Schedules or Hours feature.
5.1 Healthcare Facility Schedule, Continued
• Most facilities use a fixed schedule; others take walk-in appointments.
• Visit length depends on appointment type.
– Can also be customized
• Each appointment type is set up in the EHR scheduling parameters.
5.1 Healthcare Facility Schedule, Continued
• Healthcare facility scheduling methods:
– Open hours: patients are seen throughout certain time frames or on a first-come, first-served basis
– Time specified: patients are given a specific date and time to arrive
– Wave: patients are scheduled to arrive at the beginning of the hour
5.1 Healthcare Facility Schedule, Continued
• Healthcare facility scheduling methods (continued):
– Modified wave: patients arrive at planned intervals in the first half hour
– Cluster: similar appointments are scheduled together at specific times of the day
5.2 Patient Appointment Scheduling
• When initiating an appointment or admission, specific information must be collected from new patients:
– Full name
– Telephone number
– Date of birth
– Chief complaint or reason for appointment
– Type of insurance
– Insurance identification number
– Referring physician
– Social Security number
– Sex
– Address
– Emergency contact
– Responsible party information
– Employer information
5.2 Patient Appointment Scheduling, Continued
• Facilities use the master patient index (MPI) to populate the admission or appointment for an established patient.
• Information collected:
– Full name
– Date of birth
– Telephone number
– Chief complaint or reason for appointment
• Existing information in the EHR must be verified and updated.
5.2 Patient Appointment Scheduling, Continued
Using the Patient Portal to Schedule an Appointment
• Patient portal: a secure communication tool between patients and healthcare providers
5.2 Patient Appointment Scheduling, Continued
• Allows established patients to:
– Schedule an appointment
– Send a message
– Update information
– View laboratory appointments
– Request prescription refills
– View their health record
5.2 Patient Appointment Scheduling, Continued
• To schedule an appointment in the patient portal, the patient would select Schedule an Appointment.
• A confirmation message is sent after scheduling.
5.2 Patient Appointment Scheduling, Continued
• Patient portal benefits:
– Makes scheduling convenient for patient and facility
– Increases patient access
– Enhances patient–provider relationships
– Improves quality of care
– Secures information
• The patient portal was a goal of Stage 2 Meaningful Use,
Patient Electronic Access.
– Meets four meaningful use criteria
5.2 Patient Appointment Scheduling, Continued
Initiating an Appointment in the EHR System
• Two options in the EHR Navigator:
– Select Schedules.
– Select Appointment List, then Add Appointment.
5.2 Patient Appointment Scheduling, Continued
Scheduling Telehealth Appointments
• EHR scheduling systems have been adapted to meet the demands of telehealth.
• Telehealth appointments: health visits conducted remotely with the assistance of technology
– Expand access to patients
– Require scheduling like onsite appointments
• Before the visit, the patient:
– Receives link to attend
– Updates profile and insurance information
– Pays copay
5.2 Patient Appointment Scheduling, Continued
Canceling and Rescheduling Appointments
• Many facilities struggle with patients who cancel appointments or do not show (no-shows).
– Should be documented in the EHR
– May result in rescheduling
• Confirming appointments decreases the incidence of no-shows.
Consider This
No-shows affect a healthcare organization through lost revenue, jumbled employee work schedules, and increased expenses. A missed appointment, on average, costs the healthcare organization $120 per no-show. Due to the cost, many healthcare organizations charge patients for missed appointments. For a healthcare facility that has an average of 160 appointments per day with a 5% no-show rate, the cost for no-shows is $11,520. Healthcare organizations are using different technologies to reach patients to remind them of their appointments. In the past, healthcare organizations sent postcards that often went into the trash, made telephone calls that went unanswered, and sent emails that went to a patient’s spam folder. However, 90% of all text messages are viewed within three minutes, making them an effective mode of communication. Text messages can create more engagement between patients and healthcare facilities, and they also save staff time.
5.3 Patient Transfers in the EHR System
• During hospitalization, a patient may need to be transferred from one unit or room to another.
• Reasons include:
– Change in patient condition
– Change in isolation status: the precautions that must be taken by healthcare staff and visitors to prevent the spread of bacterial or viral infections
– Patient preference
• Transfers must be documented within the EHR system.
– In the EHR Navigator, this function is in the Admission/Discharge tab.
Consider This
In February 2017, the US Department of Defense (DoD) launched an inpatient and outpatient EHR called MHS Genesis. The EHR connects medical and dental information. MHS Genesis supports 9.4 million DoD beneficiaries and approximately 205,000 military personnel globally. The DoD plans to have MHS Genesis implemented by 2024. Why do you think it is taking the DoD approximately seven years to fully implement MHS Genesis?
5.4 Checkout and Discharge Procedures
• The procedure for a patient leaving a medical facility depends on whether the patient is:
– Checking out at an outpatient facility
– Being discharged from an inpatient facility
5.4 Checkout and Discharge Procedures, Continued
• The outpatient checkout procedure includes:
– Ordering tests
– Making referrals
– Scheduling a future appointment
– Verifying prescriptions and completed forms
5.4 Checkout and Discharge Procedures, Continued
• Inpatient discharge
– Entered into the EHR Navigator via Admission/Discharge
– Discharge disposition: the patient’s destination following a stay in the hospital
• Home
• Skilled nursing facility
• Rehabilitation hospital
• Long-term acute care
• Expired
– Discharge documents
• Instructions
• Follow-up information
• Medication list
5.5 Electronic Patient Tracker
• An EHR system has an electronic patient tracking (EPT) function to track a patient’s location from:
– Admission to discharge (inpatients)
– Check-in to checkout (outpatients)
• Benefits:
– Know location and status of all patients at all times
– Monitor wait times and bottlenecks
– Obtain room and provider utilization statistics
– Identify improvement opportunities
5.5 Electronic Patient Tracker, Continued
• EPT functionality can be simple or complex.
• Simple:
– Outpatient checks in for an appointment.
– Staff enters patient arrival and exam room location in EPT system.
– Staff enters patient’s departure at checkout.
• Complex:
– Patient checks in via a kiosk.
– Kiosk prints a wristband that contains a computer chip that tracks the patient via wireless internet.
– Patient location is accessed via computers and mobile devices.
5.5 Electronic Patient Tracker, Continued
• Patient Tracker feature in the EHR Navigator
Chapter 6
Privacy, Security, and Legal Aspects of the EHR
Learning Objectives
6.1 Define Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative Simplification provisions and the date enacted.
6.2 Identify who is and who is not considered to be a covered entity under HIPAA.
6.3 Identify the basic principles of the Privacy Rule and differentiate between when disclosure of protected health information is permitted and when it is not permitted.
6.4 Demonstrate release of information (ROI) functions carried out by health information management (HIM) staff in the electronic health record (EHR) environment.
6.5 Demonstrate how to produce an accounting of disclosures log.
6.6 Discuss the concept of “minimum necessary” as it relates to the release of health information.
Learning Objectives, Continued
6.7 Explain the enforcement and penalty process for violations of HIPAA privacy and security regulations.
6.8 Discuss the HIPAA Breach Notification Rule.
6.9 State the two primary purposes for the development of the security standards of HIPAA.
6.10 List the major sections of the standards of the HIPAA Security Rule and provide safeguard examples that apply to each section.
6.11 Discuss the difference between required and addressable implementation specifications.
6.12 Explain why the 21st Century Cures Act is one of the most significant acts regarding EHR use and exchange.
6.13 Discuss the purpose of the United States Core Data for Interoperability (USCDI) and give examples of the data classes and data elements.
6.14 Define information blocking and give examples of what is and is not considered information blocking.
Introduction
• EHR users must understand and follow laws and regulations regarding the privacy, safety, and security of health information.
• Federal legislation provides guidance about the release and security of:
– Protected health information (PHI) in paper health records
– Identifiable EHR patient information, known as electronic protected health information (ePHI)
6.1 Health Insurance Portability and Accountability Act of 1996
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes provisions that affect all healthcare facilities.
– Allows for health insurance to be “portable”
– Addresses the confidentiality of medical records
– Sets standards for:
• Health information privacy and security
• Efficiency and effectiveness of healthcare systems (Sections 261–264, the Administrative Simplification Provisions)
6.2 HIPAA Privacy Rule
• 2000: US Department of Health and Human Services (HHS) published the Privacy Rule
– Intended to define:
• Protected health information
• The entities and circumstances in which it may be used or disclosed by covered entities
• 2013: HHS modified the HIPAA Privacy, Security, and Enforcement Rules to align with the Health Information Technology for Economic and Clinical Health (HITECH) Act
• 2020: Office for Civil Rights and HHS proposed changes to the Privacy Rule
6.2 HIPAA Privacy Rule, Continued
• The Privacy and Security Rules apply to covered entities: healthcare providers, health plans, and healthcare clearinghouses transmitting health information in an electronic format.
6.2 HIPAA Privacy Rule, Continued
• Noncovered entities do not have to comply with the Privacy and Security Rules.
– Workers’ compensation carriers
– Employers
– Marketing firms
– Life insurance companies
– Pharmaceutical manufacturers
– Casualty insurance carriers
– Pharmacy benefit management companies
– Crime victim compensation programs
6.2 HIPAA Privacy Rule, Continued
• Types of health information classified under the Privacy Rule:
– PHI
– Individually identifiable health information
– Deidentified health information
6.2 HIPAA Privacy Rule, Continued
• PHI: information, including demographic data, that:
– Identifies the individual, or for which there is a reasonable basis to believe that the information can be used to identify the individual
– Relates to at least one of the following:
• The individual’s past, present, or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the individual
6.2 HIPAA Privacy Rule, Continued
• Types of PHI
– Name
– Address
– Any dates (except years that are directly related to the individual, such as birth date)
– Telephone number
– Fax number
– Social Security number
– Medical record number
– Health plan beneficiary number
– Account number
– Certificate/license number
– Vehicle identifiers
– Device identifiers or serial numbers
– Email address
– Digital identifiers
– IP addresses
– Biometric elements
– Full face photographic images
– Other identifying numbers or codes
6.2 HIPAA Privacy Rule, Continued
• Deidentified health information: neither identifies an individual nor provides a reasonable basis to identify an individual
– Use not restricted by the Privacy Rule
– Primarily used for summary purposes, e.g.:
• Number of patients from a ZIP code
• Number of patients who recently had a cavity
• Number of physical therapy home care visits
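The two slides above list the identifier types that make health information PHI and the summary uses (counts per ZIP code, per condition) for which deidentified data is used. The code below is an added example, not from the textbook: it drops the record keys that hold the listed identifier types, keeps only the year of any date, refuses to emit a record whose free-text fields still carry an identifier, and then produces the summary counts. The record key names, the sample records, the leak patterns, and the choice to keep the ZIP code as a summary dimension are assumptions of the example; it is an engineering check, not a legal test of the Privacy Rule's deidentification standards.

```python
"""Strip the listed PHI identifier types and produce summary counts.

Added example, not from the textbook. Key names, sample records, the
year-only date handling and keeping ZIP as a summary dimension are
assumptions made for the example.
"""
import re
from collections import Counter

# Record keys that hold the identifier types listed on the slide (constructed names).
IDENTIFIER_KEYS = {
    "name", "address", "telephone", "fax", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "email", "digital_id", "ip_address", "biometric", "photo", "other_id",
}
# Dates are identifiers except the year, so these keep only YYYY.
DATE_KEYS = {"date_of_birth", "admission_date", "discharge_date"}

# Patterns that reveal an identifier hiding inside free text such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample encounters (not real patients).
SAMPLE_RECORDS = [
    {"mrn": "MRN100001", "name": "Ana Perez", "date_of_birth": "1984-03-09",
     "address": "12 Elm St", "zip": "02139", "telephone": "617-555-0101",
     "service_type": "dental", "diagnosis": "caries",
     "notes": "Follow-up in 6 months."},
    {"mrn": "MRN100002", "name": "Li Wei", "date_of_birth": "1975-11-30",
     "address": "9 Oak Ave", "zip": "02139", "email": "li@example.org",
     "service_type": "physical therapy", "diagnosis": "sprain",
     "notes": "Home visit scheduled; reach patient at li@example.org."},
    {"mrn": "MRN100003", "name": "Sam Ortiz", "date_of_birth": "2001-06-14",
     "address": "3 Pine Rd", "zip": "02140", "ssn": "123-45-6789",
     "service_type": "dental", "diagnosis": "caries", "notes": ""},
]


def free_text_leaks(record):
    """Identifier types found inside values that would otherwise be kept."""
    found = set()
    for key, value in record.items():
        if key in IDENTIFIER_KEYS or not isinstance(value, str):
            continue
        for label, pattern in LEAK_PATTERNS.items():
            if pattern.search(value):
                found.add(label)
    return found


def deidentify(record):
    """Drop identifier keys, reduce dates to the year, and fail closed when
    free text still carries an identifier."""
    leaks = free_text_leaks(record)
    if leaks:
        raise ValueError(f"identifier in free text: {sorted(leaks)}")
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_KEYS:
            continue
        if key in DATE_KEYS:
            out[key + "_year"] = value[:4]
        else:
            out[key] = value
    return out


def deidentify_all(records):
    """Deidentify a batch; records failing the leak check are held back and
    reported by MRN for manual review instead of being released."""
    clean, rejected = [], []
    for rec in records:
        try:
            clean.append(deidentify(rec))
        except ValueError:
            rejected.append(rec["mrn"])
    return clean, rejected


def summarize(clean_records):
    """The summary uses named on the slide: patients per ZIP and per diagnosis."""
    return {
        "patients_per_zip": dict(Counter(r["zip"] for r in clean_records)),
        "patients_per_diagnosis": dict(Counter(r["diagnosis"] for r in clean_records)),
    }


if __name__ == "__main__":
    clean, rejected = deidentify_all(SAMPLE_RECORDS)
    print(summarize(clean), "held back:", rejected)
```

Dropping known identifier keys is the easy part; the leak scan over the remaining free text is what catches the realistic failure, an email or phone number typed into a notes field, and the batch function keeps such records out of the summary rather than silently releasing them.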
6.2 HIPAA Privacy Rule, Continued
Basic Principles of the Privacy Rule
• A covered entity may not use or disclose PHI except either:
1. As the Privacy Rule permits or requires, or
2. As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing
6.2 HIPAA Privacy Rule, Continued
Required Disclosures
• A covered entity must disclose PHI to:
1. An individual (or their personal representative), specifically when he or she requests access to, or an accounting of disclosures of, their PHI
2. HHS, specifically during a compliance investigation, review, or enforcement action
6.2 HIPAA Privacy Rule, Continued
Permitted Disclosures
• Health information can be used and/or disclosed without prior patient authorization:
– To the individual patient
– For treatment purposes*
– For payment purposes*
– For healthcare operations*
*These three disclosures are known collectively as treatment, payment, healthcare operations (TPO).
(Continued)
6.2 HIPAA Privacy Rule, Continued
• Health information can be used and/or disclosed without prior patient authorization:
– Incidental to an otherwise permitted use or disclosure
– For public interest and benefit activities
– As a limited data set for purposes of research, public health, or healthcare operations
• PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed
Consider This
A teenage patient brought to the emergency department (ED) of a hospital drifts in and out of consciousness. The ED physician suspects an adverse event from a medication the patient is taking or a possible drug overdose. The ED physician learns that the patient takes medications that have been prescribed by the patient’s primary care physician. Because the patient’s EHR is interoperable with the hospital’s EHR, the ED physician is able to access the medications prescribed for the patient. How does permitted disclosure of health information in the Privacy Rule allow the patient to receive the necessary care? What could happen if the patient needs to wait while the hospital seeks authorization to release her information?
6.2 HIPAA Privacy Rule, Continued
Release of Information (ROI)
• Rules and regulations related to the release of PHI are the same for a paper record and an EHR.
• The ROI process is more streamlined in an EHR environment.
– Physical records do not need to be located.
– Records can be printed, saved to digital storage, or emailed directly from the EHR.
– Records can be released faster.
6.2 HIPAA Privacy Rule, Continued
Accounting of Disclosures
• Per the Privacy Rule, a patient has the right to receive an accounting of disclosures of their PHI made by the covered entity.
• ROI software, as part of the EHR system, produces these documents.
6.2 HIPAA Privacy Rule, Continued
Privacy Rule and State Laws
• State laws that contradict the Privacy Rule are overruled by the federal requirements unless an exception applies.
Minimum Necessary Concept
• Minimum necessary: covered entities must make reasonable efforts to limit the use of, disclosure of, and requests for the minimum amount of PHI necessary to accomplish the intended purpose
• Required by the Privacy Rule
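The minimum necessary limit and the accounting of disclosures above are policy statements, but in an EHR they become access-control and logging code. The following is an added example (not code from the textbook or from any EHR product) of a disclosure service that applies a purpose-based field list, exempts treatment requests from a provider, refuses purposes that need a signed authorization, and records every non-TPO release for the accounting a patient can request. The patient record, the purposes, the requester roles, and the field lists are constructed assumptions.

```python
"""Minimum-necessary disclosure with an accounting-of-disclosures log.

Added example; not code from the textbook or from any EHR product. The patient
record, the purposes, the field lists and the requester roles are constructed
for illustration. A real system would keep the policy table in configuration
and the accounting log in tamper-evident storage.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed patient record (hypothetical data).
PATIENT = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "dob": "1985-04-12",
    "address": "12 Example St, Boston, MA 02115",
    "phone": "617-555-0100",
    "insurance_id": "XYZ123456",
    "diagnoses": ["E11.9"],
    "medications": ["metformin 500 mg"],
    "procedure_codes": ["99213"],
}

# Purpose -> the fields a routine request for that purpose may receive.
# Treatment requests from a provider are exempt from minimum necessary and
# receive the whole record, so they are handled in code rather than listed.
# Marketing is deliberately absent: it needs the patient's written authorization.
MINIMUM_NECESSARY: Dict[str, set] = {
    "payment": {"mrn", "name", "dob", "insurance_id", "diagnoses", "procedure_codes"},
    "operations": {"mrn", "diagnoses", "procedure_codes"},
    "public_health": {"mrn", "dob", "diagnoses"},
}

# Treatment, payment and operations (TPO) disclosures are excluded from the
# accounting a patient may request; everything else must be recorded.
TPO = {"treatment", "payment", "operations"}


@dataclass
class Disclosure:
    when: datetime
    recipient: str
    purpose: str
    fields: Tuple[str, ...]


@dataclass
class DisclosureService:
    accounting: List[Disclosure] = field(default_factory=list)

    def disclose(self, record: Dict, purpose: str, requester_role: str,
                 recipient: str) -> Dict:
        """Return the fields the requester may receive, or refuse."""
        if purpose == "treatment" and requester_role == "provider":
            released = dict(record)  # exemption: full record for treatment
        elif purpose in MINIMUM_NECESSARY:
            allowed = MINIMUM_NECESSARY[purpose]
            released = {k: v for k, v in record.items() if k in allowed}
        else:
            # Unknown purpose, or "treatment" claimed by a non-provider:
            # nothing leaves without a signed authorization.
            raise PermissionError(
                f"purpose {purpose!r} by role {requester_role!r} needs a signed authorization")
        if purpose not in TPO:
            self.accounting.append(Disclosure(
                datetime.now(timezone.utc), recipient, purpose, tuple(sorted(released))))
        return released

    def accounting_of_disclosures(self) -> List[Disclosure]:
        """What ROI staff hand the patient on request (TPO releases omitted)."""
        return list(self.accounting)


if __name__ == "__main__":
    svc = DisclosureService()
    print(svc.disclose(PATIENT, "payment", "billing_clerk", "Example Health Plan"))
    print(svc.disclose(PATIENT, "public_health", "epidemiologist", "State DPH"))
    print(svc.accounting_of_disclosures())
```

The two decisions worth noticing are that the exemption for treatment is keyed on the requester's role as well as the stated purpose, so a billing clerk cannot obtain the whole chart by typing "treatment", and that the accounting entry records which fields were released, which is what the patient is entitled to see.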
6.3 Privacy Rule Enforcement
• The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules: it investigates complaints, conducts compliance reviews, and receives breach reports.
6.3 Privacy Rule Enforcement, Continued
• Two categories of Privacy Rule violations:
– Civil
• Monetary penalties of $100 to $50,000 per violation, tiered by the entity's level of culpability (from "did not know" up to uncorrected willful neglect), with an annual cap per provision violated; the dollar figures are adjusted for inflation each year.
– Criminal
• Fines up to $250,000 and up to 10 years in prison; the top tier applies when PHI is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm. Criminal cases are referred to the Department of Justice.
• The major difference between civil and criminal violations involves the intent behind the violation.
– Mistaken (or negligent) vs. knowing
6.3 Privacy Rule Enforcement, Continued
• Resolution agreement: a contract signed by the federal
government and a covered entity in which that entity
agrees to:
– Perform certain obligations (e.g., staff training regarding
privacy and confidentiality)
– Send reports to the federal government for a certain time
period (typically three years)
6.4 Breach Notification Rule
• Breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
– Under the original 2009 interim rule, a breach had to pose a significant risk of financial, reputational, or other harm to the individual; the 2013 Omnibus Final Rule replaced that harm standard with a presumption that any impermissible use or disclosure is a breach unless the covered entity can show, through a documented risk assessment, a low probability that the PHI was compromised.
– The risk assessment weighs the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated.
– Three exceptions: unintentional good-faith access by a workforce member within their authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and disclosure to someone who could not reasonably have retained the information. Encrypted ePHI that is lost or stolen without its key is "secured," not "unsecured," and does not trigger the notification duties.
• Following a breach of unsecured PHI, covered entities and their business associates must notify:
– Affected individuals
– HHS
– The media (in certain circumstances)
6.4 Breach Notification Rule, Continued
Notice to Individuals Requirement
• Written notifications must be provided without unreasonable delay, and no later than 60 calendar days after the discovery of a breach (a breach is "discovered" on the first day it is known, or reasonably should have been known, to the entity), and include:
1. A description of the breach
2. A description of the types of information involved in the breach
3. The steps affected individuals should take to protect themselves from potential harm
4. A brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
5. Contact information for the covered entity
6.4 Breach Notification Rule, Continued
Notice to the Media Requirement
• Covered entities must provide notice to the media of a breach affecting more than 500 residents of a state or jurisdiction.
– Press release to prominent media outlets serving the affected area, within the same 60-day limit
– Must include the same information required for the individual notice
• Notice to HHS follows the same threshold: a breach affecting 500 or more individuals is reported to HHS at the same time as the individuals are notified; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
6.4 Breach Notification Rule, Continued
• The most often investigated HIPAA compliance issues:
1. Impermissible uses and disclosures of PHI
2. Lack of safeguards of PHI
3. Lack of patient access to their PHI
4. Lack of administrative safeguards of ePHI
5. Uses or disclosures of more than the minimum necessary
PHI
6.4 Breach Notification Rule, Continued
• The most common types of covered entities required to
take corrective action:
1. Private practices
2. General hospitals
3. Outpatient facilities
4. Pharmacies
5. Health plans (group health plans and health insurance
issuers)
6.4 Breach Notification Rule, Continued
Cases of Protected Health Information Breaches
• 2018: Anthem, Inc.
– OCR settlement ($16 million, the largest to that date) for a breach discovered in 2015 in which hackers accessed a database holding the records of 78.8 million individuals
• 2017: Lifespan Health System
– Unencrypted laptop containing ePHI of more than 20,000 patients stolen from an employee's car
• 2016: Athens Orthopedic Clinic
– PHI database of over 200,000 patients stolen by a hacker using a vendor's credentials
• 2015: Premera Blue Cross
– Hacker accessed information of more than 10 million individuals (the intrusion began in 2014 and was discovered in 2015)
• In each of these cases OCR's findings included the absence of an adequate enterprise-wide risk analysis, the first administrative safeguard the Security Rule requires.
6.5 HIPAA Security Rule
• The Security Standards for the Protection of Electronic
Protected Health Information were developed to address
the security provisions of HIPAA.
– Known as the Security Rule
– Pertain exclusively to electronic health information
• As the United States moves toward its goal of a
Nationwide Health Information Network and a greater
use of EHRs, protecting the confidentiality, integrity, and
availability of ePHI becomes even more critical.
6.5 HIPAA Security Rule, Continued
Objectives of the Security Rule
• Each covered entity must:
1. Ensure the confidentiality, integrity, and availability of ePHI
that it creates, receives, maintains, or transmits
2. Protect against any reasonably anticipated threats and
hazards to the security or integrity of ePHI
3. Protect against reasonably anticipated uses or disclosures of
such information that are not permitted by the Privacy Rule
4. Ensure compliance by the workforce
6.5 HIPAA Security Rule, Continued
Major Differences between the Privacy and Security Rules
• The rules are closely aligned, but there are two areas of
distinction:
– The Privacy Rule applies to all PHI in any form (paper, oral, electronic); the Security Rule covers only ePHI.
– The Privacy Rule requires only general, reasonable safeguards for PHI; the Security Rule sets out detailed administrative, physical, and technical requirements for protecting ePHI.
6.5 HIPAA Security Rule, Continued
Sections of the Security Rule
• General Rules
– States general covered entity requirements
• Administrative Safeguards
– Includes the assignment or delegation of security
responsibility to an individual and the need for security
training for employees and users
• Physical Safeguards
– Includes mechanisms necessary to protect electronic systems
from threats, environmental hazards, and unauthorized
intrusion
6.5 HIPAA Security Rule, Continued
• Technical Safeguards
– Covers automated processes used to protect and control access to data: access control, audit controls, integrity, person or entity authentication, and transmission security
• Organizational Requirements
– Includes standards for business associate contracts and requirements for group health plans
• Policies and Procedures and Documentation Requirements
– Addresses implementation of reasonable and appropriate policies and procedures to comply with the Security Rule standards, and retention of that documentation for six years from its creation or last effective date
6.5 HIPAA Security Rule, Continued
• The Security Standards Matrix lists every Security Rule standard with its implementation specifications and assists covered entities in assessing their compliance with the Security Rule.
[Figure: HIPAA Security Standards Matrix; source: HHS.gov]
– A required specification (R) must be implemented.
– An addressable specification (A) must be implemented if it is a reasonable and appropriate safeguard in the entity's environment; if it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. "Addressable" therefore never means "optional," and a decision not to implement one must be written down and defended at audit.
6.5 HIPAA Security Rule, Continued
EHR System Security
• EHR systems track and record user activity: every view, entry, print, and export of a record is written to an audit log with the user, the patient, the action, and the time, and the Security Rule's audit-controls and information-system-activity-review standards require the entity to keep and review those logs.
• Once clinical documentation has been entered and authenticated (signed), the entry is locked: corrections are made as dated, attributed addenda that point back to the original, never by overwriting it.
• Because the log is append-only and every entry is attributed, an attempt to alter or back-date a health record can be identified by an administrator; the log itself must be protected from modification, or it proves nothing.
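What "cannot be modified" and "can easily be identified" mean in practice is an append-only, tamper-evident log. The following is an added example, not code from the textbook or from any EHR vendor, of a hash-chained audit trail: each entry's hash covers the previous entry's hash, corrections are appended as addenda pointing at the original entry, and verify() reports the first entry that was altered, reordered, or deleted. The users, patients, and actions are constructed.

```python
"""Tamper-evident EHR audit trail (added example; not the textbook's code nor
any vendor's). Each entry's hash covers the entry and the previous entry's hash,
so altering, reordering or deleting an earlier entry breaks the chain.
Corrections are appended as addenda that reference the original entry; the
original is never rewritten. Users, patients and actions are constructed.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(body: dict, prev_hash: str) -> str:
        payload = json.dumps({**body, "prev_hash": prev_hash}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, user: str, action: str, patient: str, detail: str,
               amends: Optional[int] = None) -> int:
        """Record an action (view, document, print, export, amend); return its seq."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "user": user, "action": action,
                "patient": patient, "detail": detail, "amends": amends}
        self.entries.append({**body, "hash": self._hash(body, prev)})
        return body["seq"]

    def amend(self, user: str, patient: str, seq: int, detail: str) -> int:
        """Correct an authenticated entry by addendum, never by editing it."""
        if not 0 <= seq < len(self.entries):
            raise ValueError("no such entry to amend")
        return self.append(user, "amend", patient, detail, amends=seq)

    def head(self) -> str:
        """Hash of the latest entry; store it where the log's admins cannot write."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the seq of the first bad entry, len(entries) if the tail was
        truncated relative to expected_head, or None if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or self._hash(body, prev) != entry["hash"]:
                return i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def history(self, patient: str) -> List[dict]:
        """Everything that happened to one chart, in order, for an administrator."""
        return [e for e in self.entries if e["patient"] == patient]
```

The chain alone cannot detect removal of the most recent entries, which is why head() exists: the latest hash has to be copied somewhere the log's own administrators cannot write (a signed timestamp, a separate SIEM, write-once storage) and verify() compared against that copy.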
6.5 HIPAA Security Rule, Continued
HIPAA Security Rule Enforcement
• Same process as Privacy Rule enforcement
• Organizations have bolstered their efforts by:
– Reducing risk through network or enterprise data storage: a centralized system that businesses use for managing and protecting data, so that ePHI is not scattered across laptops, USB drives, and personal devices
– Encrypting ePHI at rest and in transit; under HHS guidance, lost or stolen ePHI that was encrypted to the referenced NIST standards is not "unsecured" and does not trigger breach notification
– Maintaining administrative and physical safeguards on the devices and media that handle ePHI
– Raising employee awareness of security and good data stewardship: the authority and responsibility associated with collecting, using, and disclosing health information
Consider This
An employee of the State Department of Health and Social Services left a portable electronic storage device (USB drive) in a car that was later stolen. The USB drive contained ePHI, so the State Department of Health and Social Services submitted a report to the OCR, as all covered entities are required to do when a breach of health information security has occurred. When the OCR investigated, it found evidence that the department did not have adequate policies and procedures in place to safeguard ePHI. In addition, the department had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed encryption, as required by the HIPAA Security Rule. Does the State Department of Health and Social Services have to follow the HIPAA Security Rule? Why? Is there a possibility that the department would be fined in this scenario? What do you think the findings of the OCR should be?
6.6 21st Century Cures Act and Final Rule
• 21st Century Cures Act (2016): one of the most significant acts to address patient access to electronic medical records and the exchange and use of health information
• ONC Cures Act Final Rule (2020): sets the standards for interoperability to promote patient access to and control of their electronic health information, including the requirement that certified health IT expose standardized APIs
• The United States Core Data for Interoperability (USCDI): a required, standardized set of health data classes and data elements for nationwide, interoperable health information exchange
– Version 1: May 2020
– Version 2: July 2021
[Figure; source: HealthIT.gov]
6.6 21st Century Cures Act and Final Rule, Continued
• The 21st Century Cures Act defines and disallows information blocking:
– A practice by a health IT developer of certified health IT, health information network, health information exchange, or healthcare provider that, except as required by law or specified by the Secretary of HHS as a reasonable and necessary activity (the Final Rule's eight exceptions, such as preventing harm, privacy, and security), is likely to interfere with access, exchange, or use of electronic health information (EHI)
• This part of the Cures Act prevents restricting access to or abusing electronic health information. The security exception covers only practices tailored to a specific, identified security risk, so a blanket refusal to exchange data "for security reasons" is itself information blocking.
Exploring Electronic Health Records (Paradigm Education Solutions, a division of Kendall Hunt)

Chapter 6 Privacy, Security, and Legal Aspects of the EHR
Field Notes
"I worked in a busy physical therapy clinic treating 24 patients per day. When a physician wrote an order that was illegible, we would have to take time away from treating patients to place a call for clarification, many times waiting until the provider had a chance in their schedule to speak with us. With an EHR, we have accurate information. We have access to diagnostic results with a mouse click. The EHR saves time, as we do not have to place a call and wait for information to be faxed. The EHR also allows for the use of prompts built into the system, which allow us to document and bill more effectively, maximizing reimbursement. We also have the ability to customize useful keyboard shortcuts that can be shared among clinicians. In big clinics, a patient may see more than one therapist and our notes help us to achieve continuity of care."
– Kim Shearer, Physical Therapy Assistant
Learning Objectives
6.1 Define Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative Simplification provisions and the date enacted.
6.2 Identify who is and who is not considered to be a covered entity under HIPAA.
6.3 Identify the basic principles of the Privacy Rule and differentiate between when disclosure of protected health information is permitted and when it is not permitted.
6.4 Demonstrate release of information (ROI) functions carried out by health information management (HIM) staff in the electronic health record (EHR) environment.
6.5 Demonstrate how to produce an accounting of disclosures log.
6.6 Discuss the concept of "minimum necessary" as it relates to the release of health information.
6.7 Explain the enforcement and penalty process for violations of HIPAA privacy and security regulations.
6.8 Discuss the HIPAA Breach Notification Rule.
6.9 State the two primary purposes for the development of the security standards of HIPAA.
6.10 List the major sections of the standards of the HIPAA Security Rule and provide safeguard examples that apply to each section.
6.11 Discuss the difference between required and addressable implementation specifications.
6.12 Explain why the 21st Century Cures Act is one of the most significant acts regarding EHR use and exchange.
6.13 Discuss the purpose of the United States Core Data for Interoperability (USCDI) and give examples of the data classes and data elements.
6.14 Define information blocking and give examples of what is and is not considered information blocking.
As you have already learned, privacy and confidentiality of health information is a major focus when implementing an electronic health record (EHR) system. As a user of an EHR system, you must understand and follow the laws and regulations regarding privacy, safety, and security of health information. Federal legislation that revolutionized the release and security of health information includes the HIPAA Privacy Rule (published in 2000) and Security Rule (published in 2003), which were subsequently modified (proposed changes in 2010, finalized in the 2013 Omnibus Final Rule). These rules provide guidance about the release and security of protected health information (PHI) as documented in paper health records as well as the release and security of identifiable EHR patient information, known as electronic protected health information (ePHI). In addition, there are procedures for safeguarding health information that are not mandated by law but should be considered when implementing and using EHRs.
6.1 Health Insurance Portability and Accountability Act of 1996

Locate a website sponsored by the US government, such as https://EHR3.ParadigmEducation.com/HIPAAindex, that provides information and resources regarding HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. HIPAA includes many provisions that affect all healthcare facilities. For example, HIPAA allows for health insurance to be "portable"; in other words, the insurance can be moved from one employer to another without denial or restrictions. HIPAA mainly addresses the confidentiality of patients' medical records, including the safeguards that need to be implemented by a healthcare facility to protect the privacy and security of patient information. In addition to setting standards for health information privacy and security, HIPAA also addresses standards to improve the efficiency and effectiveness of healthcare systems. For example, Sections 261-264, known as the Administrative Simplification Provisions, required the US Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. To gain a broad picture of the tenets of HIPAA, see Figure 6.1. This chapter will specifically focus on the HIPAA provisions for the electronic exchange, privacy, and security of health information.
Figure 6.1 HIPAA Administrative Simplification Provisions
[Diagram: the Health Insurance Portability and Accountability Act of 1996 branches into healthcare access, portability, and renewability; preventing healthcare fraud and abuse; medical liability reform; and electronic exchange.]
6.2 HIPAA Privacy Rule
In response to HIPAA legislation, the HHS secretary published the Privacy Rule in December 2000, with the intent to define protected health information and the entities and circumstances in which it may be used or disclosed by covered entities, which are defined in the next section. HHS modified the HIPAA Privacy, Security, and Enforcement Rules in January 2013, to align with the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, particularly with regard to EHRs. Healthcare providers, health plans, and healthcare clearinghouses were required to be in complete compliance with HIPAA, including these modifications, by September 2013.
In December 2020, the Office for Civil Rights (OCR) and HHS proposed changes to the HIPAA Privacy Rule to support individuals' engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. Although these proposed changes to the HIPAA Privacy Rule had not been finalized at the time of publication, they are discussed in this chapter. See Figure 6.2 for a timeline of modifications to and expansions of HIPAA.
Covered Entities
The Privacy and Security Rules apply to healthcare providers, health plans, and healthcare clearinghouses transmitting health information in an electronic format. These entities are called covered entities (see Table 6.1). Individuals, organizations, and agencies meeting the definition of a covered entity under HIPAA must comply with the rules' requirements to protect the privacy and security of health information, and they must provide individuals with certain access rights with respect to their health information.
Table 6.1 Covered Entities

Healthcare Provider
The term healthcare provider refers to a provider who transmits health information in an electronic format and includes the following professionals and organizations:
• Physicians
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing homes
• Pharmacies
• Hospitals

Health Plan
The term health plan refers to the following entities:
• Health insurance companies
• Health maintenance organizations
• Company health plans (some self-administered company health plans with fewer than 50 participants are not covered)
• Government programs that pay for health care, such as Medicare, Medicaid, and military and veterans' healthcare programs

Healthcare Clearinghouse
The term healthcare clearinghouse refers to public or private entities, including billing services, repricing companies, community health management information systems, community health information systems, or value-added networks and switches, that do either of the following functions:
• Process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction
• Receive a standard transaction from another entity and process or facilitate the processing of health information into nonstandard format or nonstandard data content for the receiving entity
Expand Your Learning: The Final HIPAA Privacy Rule published on December 28, 2000, can be viewed at the following website: https://EHR3.ParadigmEducation.com/PrivacyRule. Modifications made to HIPAA on January 25, 2013, can be viewed at the following website: http://EHR3.ParadigmEducation.com/HIPAAModifications. And the proposed changes to the HIPAA Privacy Rule published on December 10, 2020, can be viewed at the following website: https://EHR3.ParadigmEducation.com/HIPAAProposedChanges.
Figure 6.2 HIPAA Timeline
• August 1996: HIPAA signed into law. The US Department of Health & Human Services (HHS) becomes responsible for developing privacy standards.
• November 1999: HHS proposes privacy standards and receives more than 50,000 comments on the proposed standards.
• December 2000: HHS publishes the Final Rule for Standards for Privacy of Individually Identifiable Health Information, or the Final HIPAA Privacy Rule.
• April 2003: Enforcement deadline begins for covered entities to comply with the Privacy Rule.
• April 2005: Enforcement deadline begins for covered entities to comply with the Security Rule.
• January 2013: HHS publishes modifications to the HIPAA Privacy, Security, and Enforcement Rules to comply with the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is known as the HIPAA Omnibus Final Rule.
• September 2013: HIPAA Omnibus Final Rule compliance is mandatory for covered entities, business associates, and subcontractors.
• October 2015: HIPAA Code Set Rule: effective this date, the use of ICD-10 (International Classification of Diseases) codes is mandatory.
• December 2020: The Office for Civil Rights (OCR) and HHS propose changes to the HIPAA Privacy Rule to support individuals' engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.
Business associates of a covered entity must also follow the Privacy and Security Rules if they perform services for the covered entity involving the use or disclosure of individually identifiable health information. Since the 2013 Omnibus Final Rule, business associates and their subcontractors are directly liable for complying with the Security Rule and with the terms of their business associate agreements, not merely bound by contract.
Noncovered Entities
If an entity is not considered a covered entity, it does not have to comply with the HIPAA Privacy and Security Rules. Some examples of noncovered entities include workers' compensation carriers, employers, marketing firms, life insurance companies, pharmaceutical manufacturers, casualty insurance carriers, pharmacy benefit management companies, and crime victim compensation programs.
Health Information and the Privacy Rule
Certain types of health information are classified under the HIPAA Privacy Rule.
These types include protected health information, individually identifiable health
information, and deidentified health information.
Protected Health Information
The Privacy Rule defines protected health information (PHI) as all individually
identifiable health information held or transmitted by a covered entity or its business
associate, in any form or medium, whether electronic, paper, or oral.
PHI is information, including demographic data, that identifies the individual, or
for which there is a reasonable basis to believe that the information can be used to
identify the individual, and that relates to at least one of the following:
• The individual’s past, present, or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the
individual
There are 18 types of identifiers whose presence makes health information identifiable under the Privacy Rule's Safe Harbor de-identification standard, according to guidance from the HHS Office for Civil Rights:
1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code; the first three digits of a ZIP code may be kept if that area holds more than 20,000 people)
3. All elements of dates (except year) directly related to the individual, such as birth date, admission date, discharge date, or date of death, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Social Security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle identifiers and serial numbers, including license plate numbers
12. Device identifiers or serial numbers
13. Email addresses
14. Web Universal Resource Locators (URLs)
15. IP addresses
16. Biometric identifiers, including finger, retinal, and voice prints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
Deidentified Health Information
The term deidentified health information was first used and defined in the Privacy Rule and is health information that neither identifies an individual nor provides a reasonable basis to identify an individual. Therefore, the Privacy Rule does not restrict the use of deidentified health information. The Rule recognizes two ways to reach that state: the Safe Harbor method, which removes the 18 identifiers listed above and requires that the covered entity have no actual knowledge that the remainder could identify the individual, and Expert Determination, in which a qualified expert documents that the risk of re-identification is very small. Healthcare staff primarily use deidentified health information for summary purposes, as illustrated by the following scenarios:
• The marketing department of a healthcare provider wants to know how many patients are from each ZIP code.
• A dentist's office wants to know the number of patients who recently had a cavity filled to determine if the office's use of dental supplies is appropriate.
• A home care agency wants to know the number of physical therapy home care visits
made last year to determine whether additional physical therapists should be hired.
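The 18 identifiers listed above and the summary scenarios can be put together as a Safe Harbor de-identification routine. The following is an added example, not the textbook's code, that strips those identifier fields, keeps only the year of dates, aggregates ages over 89, truncates ZIP codes to three digits (zeroing the prefixes whose area holds 20,000 people or fewer, as the Rule requires; the set of such prefixes is passed in by the caller, and the value used below is a constructed placeholder), redacts SSN, phone, and email patterns from free-text notes, and then answers the marketing department's patients-per-ZIP question from the de-identified records. The sample records and field names are constructed.

```python
"""Safe Harbor de-identification (added example; not the textbook's code).

Strips the 18 identifier categories, keeps only the year of dates, aggregates
ages over 89 into "90+", truncates ZIP codes to three digits and zeroes the
prefixes whose area holds 20,000 people or fewer (the set is supplied by the
caller; the value below is a constructed placeholder), and redacts SSN, phone
and email patterns from free text. The sample records are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Record fields that fall under the 18 Safe Harbor identifiers.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "email", "url",
    "ip", "biometric", "photo", "other_id",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_text(text: str) -> str:
    """Free-text notes carry identifiers too; redact the machine-recognizable ones."""
    for pattern, tag in ((SSN_RE, "[SSN]"), (PHONE_RE, "[PHONE]"), (EMAIL_RE, "[EMAIL]")):
        text = pattern.sub(tag, text)
    return text


def deidentify(rec: Dict, low_population_zip3: Set[str] = frozenset()) -> Dict:
    """Return a Safe Harbor de-identified copy of one structured record."""
    over_89 = rec.get("age", 0) > 89
    out: Dict = {}
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # drop outright
        if key in DATE_FIELDS:
            if over_89 and key == "dob":
                continue                              # birth year would reveal age > 89
            out[key + "_year"] = str(value)[:4]       # keep year only
        elif key == "age":
            out["age"] = "90+" if over_89 else value
        elif key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in low_population_zip3 else zip3
        elif key == "notes":
            out["notes"] = redact_text(value)
        else:
            out[key] = value                          # clinical data passes through
    return out


def count_by_zip3(records: Iterable[Dict],
                  low_population_zip3: Set[str] = frozenset()) -> Counter:
    """The marketing scenario: patients per ZIP area, from de-identified records only."""
    return Counter(deidentify(r, low_population_zip3)["zip3"] for r in records)


# Constructed sample records (hypothetical people and numbers).
SAMPLE = [
    {"mrn": "MRN-1", "name": "Jane Q. Sample", "ssn": "123-45-6789", "dob": "1985-04-12",
     "age": 39, "zip": "02115", "email": "jane@example.com", "diagnoses": ["E11.9"],
     "notes": "Call patient at 617-555-0100 about lab results."},
    {"mrn": "MRN-2", "name": "Sam Example", "dob": "1931-01-02", "age": 93, "zip": "03601",
     "diagnoses": ["I10"], "notes": "Daughter (contact: daughter@example.org) present."},
    {"mrn": "MRN-3", "name": "Pat Placeholder", "dob": "1970-09-30", "age": 54, "zip": "02116",
     "diagnoses": ["J45.909"], "notes": "No acute distress."},
]
LOW_POPULATION_ZIP3 = {"036"}  # constructed placeholder for the Rule's restricted prefixes
```

Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual. A routine like this handles structured fields and the obvious patterns in free text, but a rare diagnosis inside a small ZIP area can still single a person out, which is the kind of residual risk the Expert Determination method exists to assess.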
Basic Principles of the Privacy Rule
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's PHI may be used or disclosed by covered entities. A covered entity may not use or disclose PHI except either (1) as the Privacy Rule permits or requires or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
Required Disclosures
A covered entity must disclose PHI in only two situations:
1. To an individual (or their personal representative), specifically when they request access to, or an accounting of disclosures of, their PHI
2. To HHS, specifically during a compliance investigation, review, or enforcement action
Permitted Disclosures
HIPAA regulations permit health information to be used and/or disclosed in the following scenarios without a prior authorization signed by the patient:
• To the individual patient
• For treatment purposes
• For payment purposes
• For healthcare operations
• Incidental to an otherwise permitted use or disclosure
• For public interest and benefit activities
• As a limited data set for purposes of research, public health, or healthcare operations
To learn more about these specific provisions for the disclosure of health information, refer to the following sections.
[Photo caption: A patient is often asked to sign a HIPAA disclosure asking if it is acceptable to release their health information in certain situations.]
Individual Patient  A patient has the right to view and receive a copy of their health information. The covered entity must release the health information in the format requested by the patient (e.g., paper, electronic storage device) if it is readily producible in that format. As a result of the HIPAA Omnibus Final Rule, patients also now have the right to download and transmit their health information electronically.
TPO Clause  Three types of permitted disclosures are commonly known in the healthcare industry collectively as treatment, payment, healthcare operations (TPO). When health information managers, compliance officers, or administrators are asked questions related to the appropriate release of healthcare information and reply with, "Yes, you can release the health information under the TPO clause," they are referring to these permitted disclosures.
The treatment provision of the TPO clause applies to the application, coordination, or management of health care and related services for an individual by one or more healthcare providers, including consultation among providers regarding a patient and referral of a patient by one provider to another.
HIPAA has made it easier and faster for providers to release information for patient care purposes because written patient authorization is not necessary. This HIPAA provision is particularly important for EHRs, allowing healthcare practitioners to obtain health information within minutes or seconds. In comparison, a written authorization could take hours or days.
Consider This
A teenage patient brought to the emergency department (ED) of a hospital drifts in and out of consciousness. The ED physician suspects an adverse event from a medication the patient is taking or a possible drug overdose. The ED physician learns that the patient takes medications that have been prescribed by the patient's primary care physician. Because the patient's EHR is interoperable with the hospital's EHR, the ED physician is able to access the medications prescribed for the patient. How does permitted disclosure of health information in the Privacy Rule allow the patient to receive the necessary care? What could happen if the patient needs to wait while the hospital seeks authorization to release her information?