Privacy, Confidentiality, and HIPAA: What Clinicians Need to Know

Convenient care clinics (CCCs) provide a health care option that complements traditional medical service providers. CCCs deliver affordable, accessible, episodic care to consumers who may otherwise have to wait for appointments or who seek urgent or emergency care. These clinics make it easier and more convenient for patients to get the right level of care from qualified health care professionals, in the right place and at the right time.

To ensure continuity of care, clinics build relationships with traditional health care systems and share patient information appropriately. Protecting the privacy and security of health information while supporting continuity of care can be challenging, however. The rapid growth of intranet applications to transmit and share patient information, advancements in the computerization of patient medical records, and public concerns about privacy led to passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996.¹HIPAA was introduced to improve coverage for workers changing employment and to raise standards of electronic health care transactions. The act has been instrumental in ensuring patient privacy is protected (Figure).

Protected Health Information

The privacy rules within HIPAA limit who can receive patient information. Individually identifiable health information includes many common identifiers (eg, name, address, birthdate, social security number). The rules apply to all forms of protected health information (PHI)—electronic, written, and oral. PHI includes the following:

• Information physicians, nurses, and other health care providers include in the medical record
• Conversations by the care delivery team related to care or treatment
• Information in the health insurance computer system
• Clinic billing information

Patient Rights Under the HIPAA Privacy Rule

Patients have the right to:

• See and obtain a copy of their medical record and request an electronic copy of their health information held in an electronic health record (EHR)
• Request that information in their record be amended
• Know with whom their information has been shared
• Decide how their information is used or shared by signing an authorization. However, there are circumstances (treatment, payment, and health care operations) for which HIPAA allows information to be disclosed without an authorization.

In terms of information use or sharing:

• Patients can request that their information be shared with friends and family
• A health care provider may share information with friends and family if, using professional judgment, the provider decides it is in the best interest of the patient
• Patients may opt to restrict disclosure of their PHI to health plans if they pay out of pocket for goods or services
• Patients may direct how they wish to be contacted, such as through a particular phone number or address and whether messages may be left
• Practices must issue a notice of privacy practices to all patients on their first visit
• HIPAA prohibits the sale of PHI without the patient’s authorization
• Practices can communicate with patients about their services, send refill reminders, and send letters about health-related goods and services as long as the practice does not receive payment for doing so
• Health care providers may share immunization records directly with schools with either written or oral consent from a parent, guardian, or the individual if the individual is an adult or emancipated minor.³

Strategies for Building and Maintaining a HIPAA Compliance Culture

To address the challenges of protecting the privacy and security of health information while facilitating appropriate disclosure, clinics should do the following⁴:

• Appoint a staff member to be responsible for privacy in the organization
• Adopt privacy and security policies and procedures, including access to electronic health information
• Conduct staff training and education, and document who, what, and when
• Implement technical security: use computer passwords and encrypt transmitted data
• Consider physical security: lock file cabinets and use privacy screens
• Prepare patient authorization forms for disclosure of PHI
• Identify transactions sent/received electronically
• Identify trading partners and vendors that communicate electronically
• Execute business associate agreements for vendors with access to PHI, and adopt a process to respond to violations of agreements
• Prepare “notices of privacy practices” and establish procedures for obtaining patient acknowledgement
• Develop a security incident response team and plan
• Implement audit systems to ensure policies are followed.

Convenient Care Collaborates and Complements

Convenient care is a patient-centric model of health care committed to high-quality, easy-access, and affordable health care, and acts as an important and integrated partner in the health care system. To support this care model, CCCs should do the following⁵:

• Build collegial relationships with health care systems and clinical registries to ensure continuity of care
• Share visit information as appropriate and feasible, including vaccines administered, prescriptions, tests, and postcare instructions
• Provide access to the visit record, written discharge instructions, and educational materials to patients leaving the clinic to ensure they understand their diagnosis and recommended treatment and care plans
• Encourage patients to establish an ongoing relationship with a primary care provider and provide appropriate and careful referrals for follow-up care and/or for conditions outside the clinic’s scope of services
• Use EHRs to facilitate data exchange and ensure high-quality, efficient care.

Appropriate data exchange between convenient care and primary care is essential to becoming a trusted partner in the patient’s care. All clinics should ensure compliance with HIPAA disclosure requirements to ensure secure, confidential exchange of information.

Impact of Electronic Health Records on Privacy

Electronic documentation tools offer many features designed to increase the quality and use of clinical documentation, thereby enhancing communication among all health care providers. With continued advancement of EHRs comes increasing concern that a potential loss of documentation integrity could compromise patient care, care coordination, and quality reporting, and lead to fraud and abuse.

Interoperability facilitates data exchange while creating challenges if the information passed between organizations and consumers is not accurate or complete. Documentation integrity is at risk when the wrong information is documented on the wrong patient health record, such as when a lab result is imported into the wrong record. Errors in patient identification can affect clinical decision making and patient safety, impact a patient’s privacy and security, and result in duplicate testing and increased costs to patients, providers, and payers.⁶A clearly defined process for merging patient records or duplicates must be established to prevent consolidating clinical information from multiple patients into one patient’s EHR.

Patient Portals

The advancement of technology has changed the practice of medicine. The provider—patient relationship has evolved from a face-to-face interaction to real-time online encounters and from e-mails to virtual appointments. Health care organizations can provide easy-to-use, self-service patient tools that enhance patient communication and engagement through patient portals and the implementation of appropriate policies and procedures.

Patient portals represent a technological advancement that is breaking down barriers in patient—provider communication by providing online access to health care information. Privacy incidents and HIPAA violations may occur, however, if incorrect data populate the patient portal. An increase in patient-reported incidents or amendments may increase as patients identify errors that might otherwise go undetected. An increased awareness and need for appropriate management of PHI flowing in and out of patient portals are critical to the confidentiality, privacy, and security of that information.⁷

Conclusion

To ensure continuity of care, clinics should build relationships with traditional health care systems and share patient information appropriately. Protecting the privacy and security of health information while supporting continuity of care can be challenging. Therefore, ongoing training and annual review of HIPAA requirements should be standard practices. The Health Information Technology for Economic and Clinical Health Act’s modifications to the privacy and security rules was the first major change since HIPAA’s privacy rule went into effect in 2003. The act strengthens privacy and security requirements, broadens patients’ rights to access their PHI, and restricts the uses and disclosures of that information. Establishing policies and procedures to protect patient privacy and ensure accurate disclosure of PHI is paramount.⁸The continued advancement of EHRs and patient portals has greatly improved communication between providers and patients. Through implementation of appropriate policies and procedures, care coordination can be enhanced without compromising patient privacy.

Susan Gentilli, RHIA, MBA, is the manager of healthcare quality and safety at Target Corp in Minneapolis, Minnesota. In her current role, she is responsible for monitoring the effectiveness of Target’s health care quality programs, as well as implementing improvement strategies to reduce errors, mitigate risk, and improve the health care experience for pharmacy and clinic guests. Prior to joining Target, Susan was the director of quality measurement and improvement at HealthPartners health plan in Bloomington, Minnesota.

References

1. U.S. Department of Health & Human Services. Health information privacy. hhs.gov/ocr/privacy/index. html. Accessed November 20, 2015.
2. Timeline of important events in the history of HIPAA.HIPAA Journalwebsite. hipaajournal.com/timeline- of-important-events-history-of-hipaa. Published January 26, 2015. Accessed November 20, 2015.
3. Rodriguez L, Johnson MD. Patient privacy: a guide for providers. Medscape website. medscape.org/viewarticle/ 781892. Published April 26, 2013. Accessed November 20, 2015.
4. Rodriguez L, Pritts J. HIPAA and you: building a culture of compliance. Medscape website. medscape. org/viewarticle/762170. Published June 29, 2012. Accessed November 20, 2015.
5. Convenient Care Association. Quality and Safety Standards. ccaclinics.org/about-us/quality-of-care. Accessed November 20, 2015.
6. Arrowood D, Choate E, Curtis E, et al. Integrity of the healthcare record. Best practices for EHR documentation.J AHIMA. 2013;84(8):58-62.
7. The American Health Information Management Association. The implementation and management of patient portals.J AHIMA. 2015;86(4):50-55.
8. Release of information toolkit: a practical guide for the access, use and disclosure of protected health information. The American Health Information Management Association website. ahimastore.org/Product- DetailBooks.aspx?ProductID=16469. Published 2013. Accessed November 20, 2015.