HIPAA
Confidentiality in the healthcare field entails of obligation of the medical professionals with access to patient information and keep it private. The concept of confidentiality is applicable in other fields. Every patient expects the information about his or her health condition to be kept in confidence (Williams, Spencer, Whitley, Kaye, & Dixon, 2015). Another equally important concept in healthcare is privacy, which refers to the right of every patient to be allowed to choose how his or her personal information will be shared. Although the U.S constitution does not give specifications about “right-to-privacy”, various court decisions have outlined various privacy rules concerning decisions on individual healthcare and information on health. A great example of such rules is the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA act was established in 1996. The Act provides a standard on how patient information is handled and distributed within the healthcare sector. Patients information is supposed to be kept confidential enough to protect the patient’s medical records; but also ensure that the patient receives the right treatment and quality healthcare services. The act applies to health plans, healthcare providers that transfer patient’s information electronically and healthcare clearinghouses. Health plans can be individual or group plans that accrue the cost of medical covers. Healthcare providers that transmit data electronically can be in the form of claims, requests for authorizing a referral, inquiries on benefits eligibility or claims. Use of emails does not mean that a healthcare provider is covered under the privacy act (McNett, 2020). The act covers any institution or individuals who offer medical services and get paid for their services. They can be hospitals or individuals such as a dentist or physician. The transmission has to fall under a standard stipulated by the act. Clearinghouses to convert nonstandard patient information to a standard and vice versa. The clearinghouses receive data that identifies a patient when providing the processing service. For example, a clearing warehouse may receive raw data on patients in a community that is considered nonstandard for transmission as stipulated in the act. The warehouse transforms the data into a standard the act allows. The standardized data can then be passed on to a business associate or transferred electronically. The data transformation ensures that the privacy of the patient is preserved and the entity that transfers data refrains from getting into unnecessary legal disputes.
A business associate in the context of health care is an entity that offers services to a covered entity by the act. The associate is only limited to the data they can collect from the entity. They can perform analysis, billing, process claims or utilization reviews, and that’s as far as they can go. Business associates can operate via contracts as well. Contracts are binding and need to be followed to avoid breaches (Cohen, & Mello, 2018). The business associate can require identifiable health information from a covered entity or the covered entity can authorize the use of disclosed information. If the covered entity permits the contractor to use information, the Act does not consider that a breach. However, most organizations or business associates that use contracts ensure that all measures are taken to protect the privacy of the covered entity. For example, most government contracts ensure the act is maintained in many different ways. So what exact information is referred to as ‘individually identifiable health information”.
Protected information can be in the form of the covered identity’s past, present or future records of their physical or mental health records. The records are protected if they show health care provision to the covered entity or individual and any past, present or future payment transactions the individual carries out to cover their healthcare. These are the three broad areas of coverage of the act. Primarily any information that can be used to single out an individual. However, de-identified information does not fall under the act, as it does not reasonably identify an individual. De-identification can be done in two ways; use of statistical methods or removing personal details such as relative’s identifications, employer or house numbers.
The privacy rules found within the HIPAA can limit the one who can receive the patient information. The rules apply to health plans, healthcare clearinghouses or healthcare providers who transmit health information in an electronic form. Confidentiality is important in healthcare since it helps build trust between the patient and the physician.
Even though everyone’s information is different, there are some common violations of the HIPAA law. A physician who tells his relatives or friends about the medical information of the patient would be violating HIPAA privacy rules. Another example would be discussing personal health information in the public areas of a hospital such as the lobby of a hospital, an elevator or a cafeteria. Again, computer or laptop screens should point away from the public.
Information through which subjects may be identified include names, student identification numbers, hospital ID numbers, social security numbers, driver’s license numbers, home addresses, photographs, videotapes, and the like. Upon request, the covered entities should disclose PHI to an individual within 30 days.
The HIPAA privacy rule should not be interpreted as a means of obfuscating communication with a patient’s family and friends. The act permits doctors and other healthcare practitioners to share information that directly concerns the involvement of a family member, a love on such as spouse or any other person identified by the covered individual. If the patient is in a position to make healthcare related choices, the physician may opt to discuss the matter with family or any other person the patient approves such as a friend. In scenarios where the patient is incapacitated to make a tough decision either due to an emergency or inability to comprehend the decision to be made, the doctor has to contact someone else to make the call. In cases where no one is present, the doctor makes the most logical decision given the circumstances. Scenarios that prove to endanger other people or the individual automatically permit the practitioner to reveal private information. For instance, various infectious illnesses like human immunodeficiency virus (HIV) infection, tuberculosis, and syphilis must be reported to local or state public health agencies in some states. In the event the healthcare practitioners, notices medical signs of a child, adult or the mistreatment of an elderly person, they are required by law to report to the protective services. Some conditions, which may impair the person’s ability to drive like loss of memory and frequently occurring seizures, ought to be reported to the department of motor vehicles in some states.
The move to more computing power has enabled scientists to come up with algorithms that can decode data. Machine-learning techniques were used on two separate datasets provided by the National Health and Nutrition Examination Survey (NHANES) for the period 2003-2004 and 2005-2006. The dataset contained data from recordings from physical activity monitors. The model built gave impressive results. One algorithm identified close to 95% of adults and approximately 70% of children in the NHANES 2003-2004 dataset. A different algorithm was used on the 2005-2006 dataset and gave 85% and 67% for adults and children respectively.
These should be cause for alarm on the current methods being employed to preserve data privacy. Should such accuracy levels go up, fitness companies and insurance companies can use the patient data to perform target advertising. The government ought to revisit the Act to ensure that all loopholes found by modern technologies are closed. Unfortunately, policies take long before they are implemented or amended. The current pace of technology advancements so high and the relevant authorities will need to pick up their pace. Other avenues that have seen the exploitation of data is research (Niimi & Ota, 2017). Research enables the growth of a sector but some research companies use the privilege of research to extort data from patients. The data is used to refine specimens in labs. The consumerism economy has led to all sorts of ways for people to gather data. Data is the new king. This has however stifled genuine research in areas where patient data is needed as more people are avoiding being used as guinea pigs .
Professionals with less education or level of understanding can violate the rules during the normal course of work. Whereas a very small percentage of criminal violations entail nosy behavior or personal gain, most of such violations are momentary lapses that can result in very costly mistakes. HIPAA education and training are very important. Awareness campaigns should be prioritized since the vast majority of people are not aware of their rights. It is also important to design and maintain systems, which minimize human mistakes.
References
Cohen, I. G., & Mello, M. M. (2018). HIPAA and Protecting Health Information In The 21st Century. Jama, 320(3), 231-232.
Mcnett, M. (2020). Protecting the Data: Security and Privacy. In Data For Nurses (Pp. 87-99). Academic Press.
Niimi, Y., & Ota, K. (2017). Examination Of An Electronic Patient Record Display Method To Protect Patient Information Privacy. CIN: Computers, Informatics, Nursing, 35(2), 100-108.
Williams, H., Spencer, K., Sanders, C., Lund, D., Whitley, E. A., Kaye, J., & Dixon, W. G. (2015). Dynamic Consent: A Possible Solution To Improve Patient Confidence And Trust In How Electronic Patient Records Are Used In Medical Research. JMIR Medical Informatics, 3(1), E3.