Chapter 1 Introduction to the Fundamentals of LawFundamentals

Chapter 1: Introduction to the Fundamentals of Law
Fundamentals of Law for Health Informatics and Information
Management, Third Edition
© 2017 American Health Information Management Association
Defining Law
Law
Represents a set of governing rules designed to protect citizens
living in a civilized society
Establishes order, provides parameters for conduct, and defines
rights and obligations of government and its citizens
Controls behavior that threatens public safety and sets penalties
for disobedience
Two Types of Law
Public law
Involves federal, state, and local governments
Defines, regulates, and enforces rights and duties among
individuals and businesses as related to government.
Private law
Involves rules and principles that defines rights and duties
among individuals and private businesses
Law and Healthcare
US healthcare is a trillion-dollar business regulated by federal
and state laws, accrediting bodies, practice standards, and codes
of ethics

Serves to protect consumers and providers by requiring
accountability for services and privacy, confidentiality, and
security of health information
Law and Health Information
Health information
Data generated and collected as a result of delivering care to a
patient
Uses of health information
Primary use—clinical care
Secondary uses—public health reporting, population health
management, third-party reimbursement, quality improvement,
and patient safety
Used as evidence in legal cases in which conflict arises and
resolutions is sought through the court system
Health Information
Protected under federal law—HIPAA,
defines health information as:
“It is any information, whether oral or recorded in any form or
medium, that: (1) is created or received by a health car e
provider, health plan, public health authority, employer, life
insurer, school or university, or health care clearinghouse; and
(2) relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health c are
to an individual; or the past, present, or future payment for the
provision of health care to an individual” (45 CFR 160.103).

Health Information Technology
Push to decrease healthcare costs and improve quality and
safety of healthcare through use of health information
technology (HIT)
Movement from paper to electronic health records (EHRs) and
health information exchanges (HIE) that enable the sharing of
information with multiple parties and across multiple
boundaries
Law and HIT
Public and private collaborations are working together to
eliminate legal barriers for sharing electronically stored health
information
Example: National Governors Association— roadmap to help
states improve health information flow
Health Records
Health information comprises a health record which is defined
as:
“Individually identifiable data, in any medium, that are
collected, processed, stored, displayed, and used by healthcare
professionals” (AHIMA 2010)
Types of Health Records
Hybrid health record
Electronic health record
Electronic medical record
Personal health record

Hybrid Health Record
Record that consists of both paper and electronic records and
media (for example, film, video, or imaging system) and uses
both manual and electronic processes
Data in the record may be handwritten, direct voice entry
captured in a word-processing system, or from provider wireless
devices such as handheld personal computers
Electronic Health Record
“An electronic record of health-related information on an
individual that conforms to nationally recognized
interoperability standards and that can be created, managed, and
consulted by authorized clinicians and staff across more than
one healthcare organization.” The National Alliance for Health
Information Technology (NAHIT) definition
Electronic Medical Record
individual that can be created, gathered, managed, and
consulted by authorized clinicians and staff within one
healthcare organization” The National Alliance for Health
Information Technology definition

Personal Health Record
individual that conforms to nationally recognized
interoperability standards and that can be drawn from multiple
sources while being managed, shared, and controlled by the
individual” The National Alliance for Health Information
Technology definition
Protection of Health Information and Health Records
Health Insurance Portability and Accountability Act of 1996
(HIPAA)
Privacy Rule in effect 2002
Security Rule in effect 2003
Health Information Technology for Economic and Clinical
Health Act (HITECH) of the American Reinvestment and
Recovery Act of 2009 (ARRA)
Privacy and Confidentiality of Health Information
Historically key components of the patient-provider
relationship.
Inherent trust that patient information will be kept private and
protected from unauthorized access.
It is important to understand differences between privacy,
confidentiality, and security and how the concepts relate to law

Privacy
Privacy is an important social value; it means “a right to be left
alone.”
Definitions
“Privacy is a right of individuals to be let [sic] alone and to be
protected against physical or psychological invasion or the
misuse of their property. It includes freedom from intrusion or
observation into one's private affairs, the right to maintain
control over certain personal information, and the freedom to
act without outside interference” (ASTM 2010)
“Right to limit the disclosure of personal information” (Joint
Commission 2016)
17
Confidentiality
Results from sharing private thoughts with someone else in
confidence
Definitions
“Status accorded to data or information indicating that it is
sensitive for some reason, and therefore it needs to be protected
against theft, disclosure, or improper use, or both, and must be
disseminated only to authorized individuals or organizations
with a need to know” (ASTM 2010)
“Protection of data or information from being made available or
disclosed to an unauthorized person(s) or process(es)” (The
Joint Commission 2016)

Confidentiality (continued)
Privileged communication
Confidentiality, as recognized by law, stems from a relationship
where information is shared between two parties such as
attorney and client, clergy and parishioner, husband and wife,
or physician and patient. The information or communication
shared in these relationships is considered “privileged.”
Confidentiality obligates healthcare providers (individuals and
organizations) to protect patient information
Security
Relates to privacy and confidentiality
Pertains to the physical and electronic protection of information
that preserves these concepts
Definition
“Prevent unauthorized access, use, disclosure, modification, or
destruction of information or interference with system
operations in an information system” (Joint Commission 2016)
Security (continued)
ASTM E 31 offers two perspectives
Data security
Systems security
ASTM E 31—Data Security
Data security is defined as

“The result of effective data protection measures; the sum of
measures that safeguard data and computer programs from
undesired occurrences and exposure to accidental or intentional
access or disclosure to unauthorized persons, or a combination
thereof; accidental or malicious alteration; unauthorized
copying; or loss by theft or destruction by hardware failures,
software deficiencies, operating mistakes; physical damage by
fire, water, smoke, excessive temperature, electrical failure or
sabotage; or a combination thereof. Data security exists when
data are protected from accidental or intentional disclosure to
unauthorized persons and from unauthorized or accidental
alteration” (ASTM 2010).
ASTM E 31—System Security
System security is defined as
The totality of safeguards including hardware, software,
personnel policies, information practice policies, disaster
preparedness, and oversight of these components. Security
protects both the system and the information contained within
from unauthorized access from without and from misuse from
within. Security enables the entity or system to protect the
confidential information it stores from unauthorized access,
disclosure, or misuse, thereby protecting the privacy of the
individuals who are the subjects of the stored information”
(ASTM 2010).
US Code on Information Security
Protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification,
or destruction in order to provide
Integrity, which means guarding against improper information

modifications or destruction, and includes ensuring information
non-repudiation and authenticity
Confidentiality, which means preserving authorized restrictions
on access and disclosure, including means for protecting
personal privacy and propriety information
Availability, which means ensuring timely and reliable access to
and use of information
Ownership of Health Record
Ownership of the health record
Traditionally granted to healthcare provider who generates the
record. However, state and federal laws have long upheld the
right of the patient to control the information within the record
The HIPAA Privacy Rule (45 CFR 164.524–526) grants a
patient the right to access, view, copy, or amend the record.
Ownership does not permit providers to share or sell patient-
identifiable medical information as they wish.
Custodian of Health Records
“Individual who has been designated as having responsibility
for the care, custody, control, and proper safekeeping and
disclosure of health records for such persons or institutions that
prepare and maintain records of healthcare” (AHIMA 2010)
Role of custodian = gatekeeper
Stewardship

Similar to role of custodianship
Goes beyond physical record to include
“Responsibilities for ensuring integrity (accuracy,
completeness, timeliness) and security (protection of privacy as
well as from tampering, loss or destruction) within the context
of electronic information and records management” (Davidson
2010)
Information Governance
Stewardship as a component of information governance which is
the “strategic management of enterprise electronic information
including the standards, policies, and procedures for access,
use, and control of that information” (Johns 2015)
Stewardship and Governance
Role of steward requires leadership, responsibility and
governance to ensure consistent application of, and compliance
with policies across organization-wide distributed information
systems.
Reflective Journal
Name:
Date:
1. Summarize and reflect on this week’s, readings and
learning activities.

2. How will these concepts impact your own professional
practice now or in the future?

Informatics
24 November 2015 • Nursing Management
www.nursingmanagement.com
Safety solutions
Patient safety and IT trends
s care coordinators, nurses have a primary
responsibility to be aware of the potential risks
that may accompany the increasing use of
technology in the healthcare environment.
Being able to capture and document patient
data at the point of care in an electronic format
brings with it many benefits. But there are also
inherent risks that come
with the use of health
information technology
(IT) that may impact
patient safety and data
integrity.

Consider these examples:
• A medication is pre-
scribed to be given as an
I.M. injection. It’s actually
intended to be given I.V.;
however, the physician
selects the wrong delivery
route from the drop-down
menu when prescribing
the drug in the electronic
health record (EHR)
system.
• A pharmacist processes a
medication prescription for
acetaminophen for the
wrong patient because he
has two patient records
open at the same time and
becomes distracted during

the prescribing process.
There are also many examples of how well-designed
EHRs and strong clinical processes can improve safety
through their ability to provide historical data, offer
clinical decision support, and facilitate communication
among care providers.1 In order to realize these benefits,
it’s important to identify and analyze the factors that
can lead to health IT-related errors.
How do we minimize risks?
The Joint Commission has issued a Sentinel Event
Alert on the safe use of health IT.2 This report ana-
lyzes factors contributing to 120 health IT-related
sentinel events. The analy-
sis focused on eight general
categories:
• human-computer interface
(33%)—ergonomics and
usability issues resulting in
data-related errors

• workflow and communi-
cation (24%)—issues relating
to health IT support of com-
munication and teamwork
• clinical content (23%)—
design or data issues relat-
ing to clinical content or
decision support
• internal organizational
policies, procedures, and
culture (6%)
• people (6%)—training and
failure to follow established
processes
• hardware and software (6%)
• external factors
(1%)— vendor and other
external issues
• system measurement and monitoring (1%).
Recommended actions to reduce these risk factors
include creating an organization-wide culture of safety

and implementing effective change management pro-
tocols. These actions involve systematically analyzing
each adverse event to determine if health IT played a
By Joyce Sensmeier, MS, RN-BC, CPHIMS, FHIMSS, FAAN
A
Copyright © 2015 Wolters Kluwer Health, Inc. All rights
reserved.
www.nursingmanagement.com Nursing Manage ment •
November 2015 25
role and what can be done to pre-
vent a similar event from happen-
ing in the future.
A proactive approach to process
improvement should be imple-
mented to continually assess for
health IT-related patient safety risks.
This approach includes comprehen-
sive testing of health IT hardware

and software to ensure that it’s free
from malfunctions; configuring the
system to allow clinicians to clearly
identify patients and maximize use
of the EHR to prescribe medica-
tions, tests, and procedures; and
providing patients with access to
their electronic records via portals
to enable them to review those
records for accuracy. For example,
organizations participating in the
OpenNotes project are seeing
improvements in quality and
safety over the 5 years of the study,
including enhanced error reporting,
more effective catching of medica-
tion errors, and improved care
coordination.3

Additional actions suggested by
The Joint Commission to reduce
risks emphasize the importance of
leadership and oversight of health
IT planning, implementation, and
evaluation. This oversight involves
examining workflow processes for
inefficiencies, choosing and opti-
mizing systems that align with the
work of clinicians, continually
improving system interoperability,
and monitoring system effectiveness
according to established metrics.
But the ultimate responsibility for
minimizing the potential negative
impact of health IT lies with the end
users who should be aware of
potential risks to patients in any

clinical situation.
Another resource that offers a
plan for protecting patient safety
and improving care quality is the
recently published Office of the
National Coordinator for Health
Information Technology’s Health IT
Safety Center Roadmap.4 Central to
the proposal is creating a health IT
safety center or “collaboratory” that
welcomes stakeholders from across
the healthcare spectrum and govern-
ment into a trusted space for collab-
orating on solutions. This center will
provide a forum for the exchange of
ideas and information focused on
promoting health IT as an integral
part of patient safety and carry out

the following activities:
• collaborate on solutions to address
health IT-related safety events and
hazards
• improve identification and sharing
of information on health IT-related
safety issues
• report evidence on health
IT-related safety solutions
• promote health IT-related safety
education and competency.
The center will also play an
important role in gathering and
analyzing evidence for preventing
low-frequency, high-severity events,
such as wrong-site surgery, in which
the stakes are high but the causes
are poorly understood.
Several healthcare technologies
used daily by nurses are identified as

potential areas of risk by two reports
published by the ECRI Institute.5 The
top two hazards in each of these
reports were 1) alarm hazards due to
inadequate alarm configuration poli-
cies and practices and 2) data integ-
rity failure due to incorrect or miss-
ing data in EHRs and other health IT
systems. Examples of data integrity
failures as listed in the ECRI Top 10
Health Technology Hazards for 2015
report include the following:
• appearance of one patient’s data
in another patient’s record
• missing data or delayed data
delivery
• clock synchronization errors
between medical devices and IT
systems
• default values being used by

mistake or fields being prepopu-
lated with erroneous data
• inconsistencies in patient informa-
tion when both paper and electronic
records are used
• outdated information being cop-
ied and pasted into a new report.6
To address these problems, organi-
zations should assess their health
IT systems and identify data integ-
rity failures, correcting them to pre-
vent similar problems from recur-
ring. Organizations should also
empower users to report all types of
health IT-related incidents, including
those that don’t cause any harm and
near-misses, because staff members
don’t always recognize health IT’s
contribution to an event. Nurses

should be especially mindful of the
risks of copying and pasting infor-
mation from one episode of care to
another. When errors in documenta-
tion are made, incomplete, inaccurate,
The ultimate responsibility for minimizing the potential
negative impact of health IT lies with the end users who should
be aware of potential risks to patients in any clinical situation.
reserved.
26 November 2015 • Nursing Management
www.nursingmanagement.com
Safety solutions Informatics
or out-of-date information can end up
in a patient’s record, potentially lead-
ing to incorrect treatment decisions or
ultimately causing patient harm.
Where will technology take us?
It has been projected that by 2020 the
average household will contain sev-

eral hundred smart objects, including
LED light bulbs, domestic appli-
ances, sports equipment, and medi-
cal devices. These smart objects are a
part of the “Internet of Things” and
most of them will be able to commu-
nicate with an app on a smartphone
or tablet. Although it’s appealing to
anticipate having dinner prepared
by our smart appliances, we can also
imagine the impact these innova-
tions will have on healthcare.
Monitoring data from a patient’s
wearable technology or maintaining
an accurate up-to-date inventory of
the right supplies and equipment
will allow healthcare organizations to
stay ahead of the curve. Implement-

ing innovative solutions that capture
and analyze data in real time can
improve healthcare quality by find-
ing common patterns and anticipating
outcomes. With smart technologies
rapidly maturing, the healthcare
industry stands to benefit from this
enhanced intelligence to improve
performance through innovation.
Another emerging technology is
remote patient monitoring, which
merges wireless technology and
healthcare to focus on chronic condi-
tions such as heart disease and dia-
betes. Some healthcare providers are
installing devices in patients’ homes
to collect continuous data on weight,
BP, blood glucose, and blood oxygen

levels. These integrated systems
can allow providers to detect and
address issues before they have
serious health consequences. The use
of technologies, such as wearables,
telehealth, text messaging, and smart
devices, can potentially help reduce
rehospitalizations and promote pre-
vention, allowing for earlier diagno-
sis and intervention.7 The challenge
for nurses is to ensure that we main-
tain a meaningful provider-patient
relationship while leveraging the
power of high-tech monitoring and
treatment approaches.
Although these emerging and
innovative technologies may
improve health and healthcare, they

can also introduce new security vul-
nerabilities.8 During a recent hearing,
lawmakers heard testimony from
industry leaders about both the ben-
efits and risks to consumers of con-
nected health devices that may hold
large amounts of personal health
information.9 Individuals looking to
exploit this valuable health data can
hack into these systems, cutting to
the very core of personal privacy.
Cybersecurity protections are rap-
idly becoming essential safeguards
for EHRs that are connected with
mobile devices.6 Acknowledging that
mobile devices are increasingly
being used to store, process, and
transmit patient information, the

National Cybersecurity Center of
Excellence has developed resources
to help organizations implement
advanced technologies to ensure the
security of patient information trans-
mitted on such devices.10 Organiza-
tions can use these resources to
implement relevant standards and
best practices to minimize vulnera-
bility to attack. These guidelines
should be used as part of a continu-
ous risk management process that
will increase the security of EHRs.
Safe and secure
The role of today’s nurse in safe-
guarding patient care is increasingly
complex. Understanding the poten-
tial risks of health IT and mobile

technologies, as well as adopting
essential safeguards, will ensure
that care isn’t compromised and
errors are mitigated. Resources are
available to equip nurses to navi-
gate this evolving frontier, ensuring
patient safety and high-quality,
coordinated care. NM
REFERENCES
1. Agency for Healthcare Research and Qual-
ity. Chartbook on care coordination. www.
ahrq.gov/research/findings/nhqrdr/2014
chartbooks/carecoordination/index.html.
2. The Joint Commission. Sentinel event alert,
issue 54. www.jointcommission.org/assets/
1/18/SEA_54.pdf.
3. Miliard M. OpenNotes showing benefits at
BIDMC. www.healthcareitnews.com/print/
95681.
4. Office of the National Coordinator for
Health Information Technology. Health
IT safety center roadmap. www.healthit
safety.org.

5. ECRI Institute. Top 10 patient safety
concerns for 2015. www.ecri.org/Patient
SafetyTop10.
6. ECRI Institute. Top 10 health technology
hazards for 2015. www.ecri.org/2015
hazards.
7. Blumenthal S, Somashekar G. Advancing
health with information technology in the
21st century. www.huffingtonpost.com/
susan-blumenthal/advancing-health-with-
inf_b_7968190.html.
8. Slabodkin G. Connected health devices
generate innovation and consternation.
www.healthdatamanagement.com/news/
Connected-Health-Devices-Generate-Inno-
vation-and-Consternation-51024-1.html.
9. U.S. House of Representatives Judiciary
Committee. Hearing: internet of things.
http://judiciary.house.gov/index.cfm/
2015/7/hearing-internet-of-things.
10. National Cybersecurity Center of Excel-
lence. Securing electronic health records
on mobile devices. https://nccoe.nist.gov/
sites/default/files/nccoe/NIST_SP1800-
1b_Draft_HIT_Mobile_Approach-Arch-
Security.pdf.
Joyce Sensmeier is the vice president of
Informatics at the Healthcare Information and
Management Systems Society in Chicago, Ill.

The author has disclosed that she has no
financial relationships related to this article.
DOI-10.1097/01.NUMA.0000472765.03731.28
reserved.
Reflective Journal Rubric
20 pts
Exemplary
Developing
Needs Improvement
Discussion Criteria
10 Points
7 Points
4 Points
Faculty Comments
Application of Course Knowledge
Journal contributes reflections and unique perspectives or
insights gleaned from weekly objectives or examples from the
healthcare field.
Journal entry has limited application of course knowledge and
demonstration of perspectives.
Journal does not reflect application of course knowledge and
personal insights or examples from healthcare.
Grammar, Syntax, APA Format
APA format, grammar, spelling, and/or punctuation are
accurate, or with zero to three errors.

Four to six errors in APA format, grammar, spelling, and syntax
noted.
Journal entry contains greater than six errors in APA format,
grammar, spelling, and/or punctuation or repeatedly makes the
same errors after faculty feedback.

Chapter 1 Introduction to the Fundamentals of LawFundamentals

Recommended

Recommended

More Related Content

More from MaximaSheffield592

More from MaximaSheffield592 (20)

Chapter 1 Introduction to the Fundamentals of LawFundamentals