The law gives patients exclusive rights to their data unless litigation necessitates that such records be disclosed, which will only be limited in scope. However, a few exceptions apply. Medical records can legally be disclosed during or for treatment purposes, payment processing, and operations exclusion.
Doctor-patient privilege protects confidential communications between a doctor and a patient. The patient can fully disclose confidential information without the fear of recording or disclosure. Patients also enjoy immunity from litigation arising from record release (U.S. Department of Health and Human Services, 2017). They will not be held accountable.
Medical records generally have a slim chance in court. The Rules of Evidence, specifically the rule against hearsay, restrict medical record admissibility to a narrow range. For instance, the record must originate from formal “business” dealings, be current concerning the case, and be sworn to by an expert (e.g., a physician).
Medical records are protected under HIPAA. However, if the subpoena meets the Privacy Rule, it does not violate HIPAA. For instance, the record owner must have been notified about the request and given a chance to object.
I will initially ensure the cell number or the email belongs to the record owner and that they currently have access and are not unauthorized parties. I will exchange information only through an encrypted network. I will also communicate or share only necessary information.
Bridging the HIPAA-business gap is done by adhering to the Privacy Rule. The patient must consent, and the business must respond by safeguarding the patient (i.e., beneficence) and their records (e.g., anonymization). Emailing or texting does not violate HIPAA so long as it adheres to the Privacy Rule within 45 C.F.R. Part 164, Subpart C.
For policy, I would enforce the “minimum rule,” where only necessary information is collected from the record owner. The organization must reduce liability by only handling information relevant to the business. Concerning procedure, I would enforce the “beneficence principle,” where every process puts the patient’s well-being at the forefront. Every procedure handling patient data must preconceive the patient’s interests, not necessarily the organization’s.
A medical record retention policy prescribes what records should be [legally] held by the organization and for how long. Record destruction policies prescribe when medical records can be disposed of securely without liability. A litigation hold is a duty to preserve medical records as they follow the start of an investigation.
The litigation temporarily suspends other policies to ensure data fidelity. For example, it adds another layer to the medical record retention policy to the extent that litigation continues. It, however, invalidates record destruction policies until the litigation expires. In other words, the litigation hold precedes the organization’s typical data handling practice for the time necessary to clear the court case.
Compliance is keeping the law and ensuring that business or organizational practices and policies reflect minimum HIPAA requirements. The mentioned policies are tough on different areas of administrative operations. Tweaking each policy to align with HIPAA would collectively facilitate compliance.
A more HIPAA-conscious approach to medical records would have influenced top-level decision-making at Heartland to reconsider system design, relationship with third parties, and employee roles in the new projected environment, which could have avoided the scenario. AHIMA codes come in handy. For instance, Principle #2 would prevent the leaders, particularly the C.I.O., from seeking self-glorification (The American Health Information Management Association, 2019). Principle #11 would have encouraged the C.I.O. to evaluate his fitness before undertaking the project.
The American Health Information Management Association. (2019). AHIMA code of ethics. https://bok.ahima.org/doc?oid=105098
U.S. Department of Health and Human Services. (2017). HIPAA FAQs for professionals.
1. Medical records can be released when an authorization of release is signed. In cases where there is a legal stipulation, such as a subpoena or court order, the records are to be turned over to court officials for examination.
· There are two types of privileges: patient-physician privilege and peer review privilege. The patient-physician privilege protects the communication between a patient and the physician related to seeking medical treatment. The peer review privilege protects information that is collected during the peer process.
· Medical records can be used as evidence in various ways. An example of this would be retrieving previous lab tests from a patient that could link them to a crime where they are the lead suspect with an illness that only the suspect in the case would have. Any information that is relevant to the case and can be used to prove the attorney’s case is admissible in court. “A valid court order directing that health records be made available to a third party must be honored, and the patient’s consent is not required. Generally, the legal process for obtaining health record information is through a subpoena duces tecum – request that a witness bring specified documents to a court or other tribunal that has jurisdiction over pending litigation.” (Showalter, 2020)
· A medical record release in response to a medical record request or subpoena does not violate HIPAA. This is because the information that is accessible is limited to the scope of the request and the patient is not protesting the release; anything other than that is a violation.
2. In order to balance the need to communicate via e-mail or text messaging with the HIPAA duty, steps will have to be implemented, such as using secure messaging systems that involve two-step verification for each conversation. Another way is to avoid using any identifiable information of the patients in emails and texts.
· In order to balance HIPAA requirements with business necessities, one has to be compliant with HIPAA requirements such as those for PHI, while also adhering to the business necessities. The only way emailing or texting could violate HIPAA is if the messages contain personally identifiable information, or if the emails or texts are not protected from unauthorized access.
· A policy that can be implemented is one that requires all messages to be sent through an encrypted messaging system to ensure the security of all information being discussed. Another policy could prohibit the use of any identifying information being communicated through emails or text messages. In addition to this policy, a clause could be added to secure any information communicated through the system.
3. A litigation hold suspends any medical record retention and record destruction policies. This means that any records that would usually be destroyed are not; instead, they are kept for discovery.
· The litigation hold is able to suspend policies such as medical record retention and record destruction policies. This allows records to be kept instead of being destroyed, as they would be in typical practice.
· Medical records, medical record retention and destruction, and medical record release policies can all be used as compliance tools to ensure the proper information is being released and records that are no longer needed are destroyed.
4. The situation described in the book The Tracks We Leave breaks various codes of ethics. The AHIMA Code of Ethics states, “The ethical obligations of the health information management (HIM) professional include the safeguarding of privacy and security of health information; appropriate disclosure of health information; development, use, and maintenance of health information systems and health information; and ensuring the accessibility and integrity of health information.” (AHIMA, 2019) In the chapter, one of Alan’s contractors reported that his laptop was stolen from his hotel room, which required Heartland to file a data breach notification. This scenario displays that the staff members were not safeguarding patient health information or ensuring appropriate disclosure of health information. The compliance tools that can be implemented to control the risk are medical record retention and destruction policies; this will ensure that only necessary information is being disseminated to authorized personnel. Another compliance tool would be to implement a system that encrypts all incoming and outgoing messages, while also prohibiting the use of any identifying information in emails and text messages to eliminate the risk of violating patient rights and privacy.
AHIMA. (2019). Code of Ethics (1957, 1977, 1988, 1998, 2004, 2011, 2019); Standards of Ethical Coding (2016). Available in the AHIMA Body of Knowledge.
Showalter, S. (2020). The law of healthcare administration (9th ed.). Health Administration Press.