Question


Discuss the legislation that ensures the privacy, confidentiality, and security needed to protect a patient's health information. Describe the HIPAA security safeguards and how these protect the healthcare organization or provider from penalties. Provide substantive responses to two of your classmates.

Solutions

Expert Solution

Three important and related concepts are often used interchangeably in discussing protection of health information within the U.S. healthcare system: confidentiality, privacy, and security. Yet, each of these concepts has a different fundamental meaning and unique role.

Most frequently “HIPAA” comes to mind when health information privacy is discussed; however, the concept of patient confidentiality has been around for much longer. This article will briefly explore differences in meaning of privacy, security, and confidentiality of health information. Selected examples of sources of law and guidelines will be offered with respect to these concepts. Challenges in balancing interests of individuals, healthcare providers and the public will be noted, as will the role of health information management professionals.

CONFIDENTIALITY

Confidentiality in health care refers to the obligation of professionals who have access to patient records or communication to hold that information in confidence. Rooted in confidentiality of the patient-provider relationship that can be traced back to the fourth century BC and the Oath of Hippocrates, this concept is foundational to medical professionals’ guidelines for confidentiality. This professional obligation to keep health information confidential is supported by professional association codes of ethics, as can be seen in principle I of the American Health Information Management Association Code of Ethics, “Advocate, uphold, and defend the individual’s right to privacy and the doctrine of confidentiality in the use and disclosure of information”. Confidentiality is recognized by law as privileged communication between two parties in a professional relationship, such as with a patient and a physician, a nurse or other clinical professional.

PRIVACY

Privacy, as distinct from confidentiality, is viewed as the right of the individual client or patient to be let alone and to make decisions about how personal information is shared. Even though the U.S. Constitution does not specify a “right to privacy”, privacy rights with respect to individual healthcare decisions and health information have been outlined in court decisions, in federal and state statutes, accrediting organization guidelines and professional codes of ethics.

The top-of-mind example is the federal HIPAA Privacy Rule, establishing national standards for health information privacy protection and defining “protected health information”. A stated purpose of the HIPAA Privacy Rule “…is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed.”

Established pursuant to the broader Health Insurance Portability and Accountability Act of 1996 (HIPAA), as described by the U.S. Department of Health and Human Services (HHS), the Privacy Rule, “…strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing”. Individuals are provided some elements of control, such as the right to access their own health information in most cases and the right to request amendment of inaccurate health information. However, in that attempt to strike a balance, the Rule provides numerous exceptions to use and disclosure of protected health information without patient authorization, including for treatment, payment, health organization operations and for certain public health activities.

SECURITY

Security refers directly to protection, and specifically to the means used to protect the privacy of health information and support professionals in holding that information in confidence. The concept of security has long applied to health records in paper form; locked file cabinets are a simple example. As the use of electronic health record systems grew, and transmission of health data to support billing became the norm, the need for regulatory guidelines specific to electronic health information became more apparent. The HIPAA Security Rule provided the first national standards for the protection of health information. Addressing technical and administrative safeguards, the HIPAA Security Rule’s stated goal is to protect individually identifiable information in electronic form—a subset of information covered by the Privacy Rule—while allowing healthcare providers appropriate access to information and flexibility in the adoption of technology. Again, that notion of balance appears in the law: necessary access by healthcare providers vs. protection of individuals’ health information.

Breaches of confidentiality now face more serious penalties given modifications to both the HIPAA Privacy and Security Rules following the publication of final rule provisions of the HITECH Act. In announcing the publication of these changes, known collectively as the Omnibus Rule, then HHS Secretary Kathleen Sebelius acknowledged change impacting health care since initial enactment of HIPAA: “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age”.

CONCLUSION

The sources of law and guidelines noted here are only samples of many considerations in health information confidentiality, privacy, and security. Managing electronic health information presents unique challenges for regulatory compliance, for ethical considerations and ultimately for the quality of care. As electronic health record system “meaningful use” expands, and more data are collected, such as from mobile health devices, that challenge for healthcare organizations expands.

A response to the challenge is information governance, described as the strategic management of enterprise-wide information including policies and procedures related to health information confidentiality, privacy, and security; this includes the role of stewardship. Health information managers are uniquely qualified to serve as health information stewards, with an appreciation of the various interests in that information, and knowledge of the laws and guidelines speaking to confidentiality, privacy, and security. The role of the steward encompasses not only ensuring the accuracy and completeness of the record, but also protecting its privacy and security.

All who work with health information—health informatics and health information management professionals, clinicians, researchers, business administrators and others—have a responsibility to respect that information. And as patients, we have privacy rights with regard to our own health information and an expectation that our information is held in confidence and protected. As citizens, our public interest in health information may prevail, such as in situations involving public health or crime. Balancing the various interests in health information and upholding its confidentiality, privacy and security present ongoing and important challenges within the U.S. healthcare and legal systems, and career opportunities for health information management professionals.

