Judson, K., & Harrison, C. (20 16). Law and ethics for the
health professions. (7th ed. ). New York: McGraw-
Hill.
Law&Et cs
FOR HEALTH PROFESSIONS
KAREN JUDSON
CARLENE HARRISON
Key Terms
204
Privacy, Security,
and Fraud
LEARNING OUTCOMES
After studying this chapter, you should be able to:
LO 8. I Discuss U.S. constitutional amendments and privacy
laws that pertain to health care.
LO 8.2 Explain HIPAA's special requirements for disclosing
protected health information.
LO 8.3 Discuss laws implemented to protect the security
of health care information as health records are
converted from paper to electronic form.
LO 8.4 Discuss the federal laws that cover fraud and abuse
within the health care business environment and the
role of the Office of the Inspector General in finding
billing fraud.
LO 8.5 Discuss patient rights as defined by HIPAA, the Patient
Protection and Affordable Care Act, and other health
care entities.
FROM THE PERSPECTIVE OF . ..
ANN, AN R.N. IN A TEXAS HOSPITAL FOR NEARLY 25 YEARS,
remembers when patients' names were posted on the doors to their
rooms. She and her colleagues once freely informed telephone call-
ers and visitors how patients were progressing. Now, Ann remarks,
because of federal legislation to protect the privacy and security of
health care information, times have changed. "We have to be so care-
ful about releasing any information that when my father's dear friend
was admitted to my floor in the hospital where I work, I couldn't tell
him that his friend had been admitted."
From Ann's perspective, because she cares about her patients, she
would like to be able to talk more freely with family members or friends
who also care about her patients. But she is duty-bound to follow the law,
and she knows the benefits to patients for laws that guard their privacy.
From the perspective of friends and family members who call for infor-
mation about a patient, the law is harsh and hard to understand. They are
often angry when they cannot learn the status of a friend or loved one.
From the perspective of some patients, the law sometimes feels over-
protective and unnecessarily intrusive, but for others-such as the patient
who has tried to commit suicide and failed, who doesn't want anyone to
know he is in the hospital, or the battered spouse who doesn't want her
abusive husband to find her-it's a safety net they can depend on.
The United States Constitution
and Federal Privacy Laws
Contrary to popular belief, the term privacy (freedom from unauthor-
ized intrusion) does not appear in the U.S. Constitution or the Bill
of Rights. However, the United States Supreme Court has derived
the right to privacy from the First, Third, Fourth, Fifth, Ninth, and
Fourteenth Amendments to the Constitution.
LO 8.1
Discuss U.S. constitutional
amendments and privacy laws
that pertain to health care.
privacy
Freedom from unaut horized int rusion.
LANDMA ...
Judson, K., & Harrison, C. (20 16). Law and ethics for the h.docx
1. Judson, K., & Harrison, C. (20 16). Law and ethics for the
health professions. (7th ed. ). New York: McGraw-
Hill.
Law&Et cs
FOR HEALTH PROFESSIONS
KAREN JUDSON
CARLENE HARRISON
Key Terms
204
Privacy, Security,
and Fraud
LEARNING OUTCOMES
After studying this chapter, you should be able to:
LO 8. I Discuss U.S. constitutional amendments and privacy
laws that pertain to health care.
LO 8.2 Explain HIPAA's special requirements for disclosing
protected health information.
2. LO 8.3 Discuss laws implemented to protect the security
of health care information as health records are
converted from paper to electronic form.
LO 8.4 Discuss the federal laws that cover fraud and abuse
within the health care business environment and the
role of the Office of the Inspector General in finding
billing fraud.
LO 8.5 Discuss patient rights as defined by HIPAA, the Patient
Protection and Affordable Care Act, and other health
care entities.
FROM THE PERSPECTIVE OF . ..
ANN, AN R.N. IN A TEXAS HOSPITAL FOR NEARLY 25
YEARS,
remembers when patients' names were posted on the doors to
their
rooms. She and her colleagues once freely informed telephone
call-
ers and visitors how patients were progressing. Now, Ann
remarks,
because of federal legislation to protect the privacy and security
of
health care information, times have changed. "We have to be so
care-
ful about releasing any information that when my father's dear
3. friend
was admitted to my floor in the hospital where I work, I
couldn't tell
him that his friend had been admitted."
From Ann's perspective, because she cares about her patients,
she
would like to be able to talk more freely with family members
or friends
who also care about her patients. But she is duty-bound to
follow the law,
and she knows the benefits to patients for laws that guard their
privacy.
From the perspective of friends and family members who call
for infor-
mation about a patient, the law is harsh and hard to understand.
They are
often angry when they cannot learn the status of a friend or
loved one.
From the perspective of some patients, the law sometimes feels
over-
protective and unnecessarily intrusive, but for others-such as
the patient
who has tried to commit suicide and failed, who doesn't want
anyone to
know he is in the hospital, or the battered spouse who doesn't
want her
abusive husband to find her-it's a safety net they can depend on.
The United States Constitution
and Federal Privacy Laws
Contrary to popular belief, the term privacy (freedom from
unauthor-
ized intrusion) does not appear in the U.S. Constitution or the
4. Bill
of Rights. However, the United States Supreme Court has
derived
the right to privacy from the First, Third, Fourth, Fifth, Ninth,
and
Fourteenth Amendments to the Constitution.
LO 8.1
Discuss U.S. constitutional
amendments and privacy laws
that pertain to health care.
privacy
Freedom from unaut horized int rusion.
LANDMARK COURT CASE The Constitution Protects the
Right
to Privacy
In November 1961, the executive director and the medical
director of a Planned Parenthood clinic in Connecticut were
charged with violating a state statute prohibiting the dis-
pensing of contraceptive devices to a married couple. The
defendants were convicted and fined $1 00 each. The U.S.
Supreme Court heard the case in March 1965 and issued a
written opinion on June 7, 1965. William 0. Douglas, writ-
ing the majority opinion for the Court, held that the Con-
necticut statute was an unconstitutional violation of the
5. right of privacy. Douglas noted that many rights are not
expressly mentioned in the Constitution, but the Court
has nevertheless found that persons possess such a right. In
reviewing the many rights that Americans possess, Douglas
noted the existence of "penumbras" or "zone(s) of privacy
created by several fundamental constitutional guarantees."
As a result of the Supreme Court's decision in Griswold v.
Connecticut, patients possess certain rights that affect the
delivery of med ical services and health care. For example,
persons have t he right to refuse medical treatment, and
courts now recognize a person 's right to die.
Griswold v. Connecticut, 381 U.S. 479, 85 S. Ct. 1978, 14 L.
Ed.2d 510
(1965).
C-c9:er 8! Privacy, Security, and Fraud 205
COURT CASE
First Amendment: Congress cannot prohibit or abridge
free speech. In addition, the Establishment and Freedom of
Religion clauses of this amendment prohibit the government
from funding, showing preference for, or discriminating against
any religion.
6. Third Amendment: Soldiers cannot be quartered in private
homes without the consent of the owner.
Fourth Amendment: People have the right to be secure in
their persons, houses, papers, and effects against unreasonable
searches and seizures.
Fifth Amendment: No person must testify against himself, be
tried twice for the same offense, or be deprived of life, liberty,
or property without due process of law. The Miranda warning
("You have the right to remain silent ... ")as read during
criminal arrests, derives from this amendment.
Ninth Amendment: If certain rights are not explicitly
mentioned in the Constitution, that does not mean they
do not exist.
Fourteenth Amendment: All states must provide rights for
citizens that are at least equal to those in the U.S. Constitution,
and under the philosophy called federalism states may grant
citizens additional rights not specifically granted in the
U.S. Constitution.
Fourth Amendment Rights in Question
The Student Activities Drug Testing Policy adopted by
the Tecumseh, Oklahoma, School District requires all
middle and high school students to consent to urinaly-
sis testing for drugs to participate in any extracurricular
activity. Two Tecumseh High School students and their
parents brought suit, alleging that the policy violates the
7. Fourth Amendment, which states in part: "The right
of the people to be secure in their persons , houses,
papers, and effects, against unreasonable searches
and seizures , shall not be violated." The district court
granted the school district summary judgment. In
reversing, the court of appeals held that the policy vio-
lated the Fourth Amendment. The appellate court con-
cluded that before imposing a suspicionless drug-testing
program a school must demonstrate some identifiable
drug abuse problem among a sufficient number of those
tested, such that testing that group will actuall y redress
its drug problem , which the school district had failed
to demonstrate.
to submit to drug testing, consistent with the Fourth
Amendment?
The U.S. Supreme Court concluded that the answer to
the question was yes. In a 5-4 opinion delivered by Justice
Clarence Thomas, the Court held that, because the policy
8. reasonably serves the school district's important interest
in detecting and preventing drug use among its students,
it is constitutional. The Court reasoned that the board of
education's general regulation of extracurricular activities
diminished the expectation of privacy among students
and that the board 's method of obtaining urine samples
and maintaining test results was minimally intrusive on the
students' limited privacy interest. "Within the limits of the
Fourth Amendment, local school boards must assess the
desirability of drug testing schoolchildren. In upholding
the constitutionality of the Policy, we express no opinion
as to its wisdom. Rather, we hold only that Tecumseh's
Policy is a reasonable means of furthering the School Dis-
trict's important interest in preventing and deterring drug
use among its schoolchildren," wrote Justice Thomas. The
question before the court was: Is the Student
Activities Drug Testing Policy, which requires all students
who participate in competitive extracurricular activities
9. 206 Part Two I Legal Issues for Working Health Care
Practitioners
Board of Education v. Earls, 536 U.S. 822 (2002).
COURT CASE Fourteenth Amendment at Issue
William Baird spoke at Boston University on the sub-
ject of birth control and overpopulation. At the end of
his talk, Baird gave away Emko Vaginal Foam to a woman
who approached him. Massachusetts charged Baird with
a felony, distributing contraceptives to unmarried men
or women. Under state law, only married couples could
obtain contraceptives; only registered doctors or phar-
macists could provide them. Baird was not an authorized
distributor of contraceptives.
At issue was: Did the Massachusetts law violate the
right to privacy acknowledged in Griswold v. Connecticut,
and did it violate protection from state intrusion granted
by the Fourteenth Amendment?
grounds. The Court held that the law's distinction between
single and married individuals failed to satisfy the "rational
10. basis test" of the Fourteenth Amendment's Equal Protec-
tion clause. Married couples were entitled to contraception
under the Court's Griswold decision. Withholding that right
to single individuals without a rational basis proved the fatal
flaw. Thus, the Court did not have to rely on Griswold to
invalidate the Massachusetts statute. "If the right of privacy
means anything," wrote Justice William J. Brennan, Jr., for
the majority, "it is the right of the individual, married or
single, to be free from unwarranted governmental intru-
sion into matters so fundamentally affecting a person as the
decision to whether to bear or beget a child."
The case reached the U.S. Supreme Court, where jus-
tices struck down the Massachusetts law, but not on privacy
Eisenstadt v. Baird, 405 U.S. 438 ( 1972).
FEDERAL PRIVACY LAWS
Concern about privacy has led to the enactment of federal and
state
laws governing the collection, storage, transmission, and
disclosure
of personal data. Privacy laws are generally based on the
following
considerations:
11. 1. Information collected and stored about individuals should be
limited to what is necessary to carry out the functions of the
busi-
ness or government agency collecting the information.
2. Once it is collected, access to personal information should be
limited to those employees who must use the information in per-
forming their jobs.
3. Personal information cannot be released outside the
organization
collecting it unless authorization is obtained from the subject.
4. When information is collected about a person, that person
should
know that the information is being collected and should have
the
opportunity to check the information for accuracy.
A number of federal laws concern privacy, but until the Health
Insurance Portability and Accountability Act (HIPAA) of 1996,
fed-
eral privacy laws have dealt with financial and credit
information or
the theft or illegal disclosure of electronic information. HIPAA
of 1996
was the first federal law to deal explicitly with the privacy of
medi-
cal records, and to ensure compliance, HIPAA provides for civil
and
criminal sanctions for violators of the law.
All states have laws governing the confidentiality of medical
records,
but laws vary greatly from state to state. Through state
preemption, if a
12. state's privacy laws are stricter than HIPAA privacy standards
and/or
guarantee more patients' rights, the state laws take precedence.
Table 8-1 below lists eight major federal privacy laws passed
since
1985.
state preemption
If a state's privacy laws are stricter than
HIPAA privacy standards, the state laws
take precedence.
Chapter 8 1 Privacy, Security, and Fraud 207
COURT CASE HIPAA Preempts State Law in Certain Instances
In July 2013, the U.S. Court of Appeals for the Eleventh
Circuit ruled that HIPAA preempts state law in certain
instances. The case centered on a Florida statute that
allowed nursing homes to release medical records of a
current or former resident to "spouse , guardian , surro-
gate, proxy or attorney in fact" of the individual. How-
ever, many Florida nursing homes refused to disclose
records to surviving spouses who had not been des-
ignated as the personal representative by the probate
13. courts. The Florida Agency for Health Care Adminis-
tration (AHCA) ordered the various nursing homes to
release the information stating the surviving spouses were
equal to personal representatives. OPIS Management
Resources, an owner of several nursing homes in Florida
filed suit against AHCA, claiming that HIPAA standards
were higher and thus the state law conflicted. The Court
of Appeals held the state statute was fatally flawed and
"authorizes sweeping disclosures, making a deceased
(nursing home) resident's protected health information
available to a spouse or other enumerated party upon
request, without any need for authorization, for any con-
ceivable reason, and without regard to the authority of
the individual making the request to act in a deceased
resident's stead."
OPtS Management Resources LLC v. Secretary Florida Agency
for Health
Care Administration, No. 12- 12593 (II th Cir. Apr. 9, 20 13).
Table 8-1 Major Federal Privacy Laws
15. Reinvestment Act (ARRA),
commonly called the
Stimulus Bill
Patient Protection and Affordable
Care Act (PPACA) common ly
called the Affordable Care Act
orACA
Health Care and Education
Reconciliation Act (HCERA)
Purpose
Provides privacy protection for new forms of electronic commu-
nications, such as voice mail, e-mail, and cellular telephone
Amends the 1984 act to forbid transmission of harmfu l com-
puter code such as viruses
Guarantees that workers who change jobs can obtain hea lth
insurance. Increases efficiency and effectiveness of t he U.S.
health care system by electronic exchange of administrative
and financial data. Improves security and privacy of patient-
identifying information. Decreases U.S. health care system
transaction costs
Requires all financial institutions and insurance companies
to clearly disclose their privacy policies regarding the shar-
ing of nonpublic personal information with affiliates and third
parties
Helps assess and resol ve patient safety and health care quality
issues, encourages reporting and analysis of medical errors,
authorizes HHS to impose civil money penalties for violations
of
16. patient safety confidentiality
Title XIII, the Health Information Technology for Economic
and
Clinical Heal th (HITECH) Act, makes substantive changes to
HIPAA, including privacy and security regulations, changes in
HIPAA enforcement , provisions about hea lth information held
by entities not covered by HIPAA, and other miscellaneous
changes
Dea ls mostly with the availability of health insurance coverage
for all Americans, but also reinforces privacy regarding pro-
tected hea lth information
A federal law that adds to regu lations imposed on the insur-
ance industry by PPACA
208 Port Two I Legal Issues for Working Health Care
Practitioners
Check Your Progress
I. Does the Constitution provide specifically for the protection
of privacy? Explain your answer.
2. W hat was the f irst federal law to deal explicitly w ith the
pri vacy of medical records?
3.-6. Name four considerations for protecting privacy when
federal and/or state legislation is written.
Since HIPAA is the federal legal standard for privacy and
security
of electronic health information throughout the health care
17. industry,
health care employees must follow the law's provisions, which
are
contained within four standards:
Standard 1. Transactions and Code Sets. A transaction refers
to the transmission of information between two parties to carry
out
financial or administrative activities. A code set is any set of
codes
used to encode data elements, such as tables of terms, medical
con-
cepts, medical diagnostic codes, or medical procedure codes.
Required code sets for use under Standard 1 include Current
Procedural Terminology (CPT) and International Classification
System
of Diseases; Clinical Modifications lOth Edition (ICD-10-CM);
and
International Classification System of Diseases-Procedure
Coding
System lOth Edition (ICD-10-PCS) (Since the publication of
ICD-10
has been delayed to 2015, some coders may still be using ICD-
9.).
Standard 2. Privacy Rule. Policies and procedures health care
providers and their business associates put in place to ensure
confi-
dentiality of written, electronic, and oral protected health
information.
Standard 3. Security Rule. Security refers to those policies and
pro-
cedures health care providers and their business associates use
to protect
18. electronically transmitted and stored PHI from unauthorized
access.
Standard 4. National Identifier Standards. Provide unique
identifiers (addresses) for electronic transmissions.
By now all four sets of HIPAA standards have been
implemented,
and most health care practitioners are familiar with the language
and
rules that make up the requirements for compliance. Anyone
needing
a refresher course can visit www.hipaa.com for specific
information.
Of special concern in this chapter are Standard 2, the Privacy
Rule
and Standard 3, the Security Rule.
HIPAA's Requirements for Disclosing
Protected Health Information
HIPAA's Standard 2, the Privacy Rule says that protected health
information (PHI) must be protected against unauthorized
disclosure,
whether it is written, spoken, or in electronic form. PHI refers
to infor-
mation that contains one or more patient identifiers and can,
therefore,
be used to identify an individual. Information that includes one
or more
of the following makes a patient's health care information
identifiable:
• Name
• Zip code or other geographic identifier, such as address, city,
19. or
county.
LO 8.2
Explain HIPAA's special
requirements for disclosing
protected health information.
protected health information
(PHI)
Information t hat contains one or more
patient identifiers.
Chapter 8 I Privacy, Security, and Fraud 209
,
de-identify
To remove from health care transactions
all information that identifies patients.
permission
A reason under HlPAA for disclosing
patient information.
covered entities
Health care providers and
clearinghouses that transmit HlPAA
transactions electronically, and must
comply with HlPAA st andards and rules.
• Date of birth, dates of treatment, or any other dates relevant to
the
individual.
20. • Telephone numbers
• Fax numbers
• E-mail addresses
• Social Security number.
• Medical record numbers.
• Health plan beneficiary numbers.
• Birth certificate and driver's license.
• Vehicle identification number and license plate number.
• Web site address.
• Fingerprints and voiceprints.
• Photos
• Any other unique identifying number, characteristic, or code.
It is possible to de-identify health information, by removing the
patient identifiers listed above.
Health care providers and plans can use and disclose patient
infor-
mation (PHl), but to do so legally they must identify a
permission-a
legal reason for each use and disclosure. To use PHl means that
you use
patients' protected health information within the facility where
you
21. work in the normal course of conducting health care business.
To disclose
PHI means that patients' protected health information is sent
outside of
a health care facility for legitimate business or health care
reasons.
Permissions: Using and disclosing PHI must fall within the
follow-
ing six HIPAA-defined permissions:
1. Disclosures to patients. HIPAA requires that PHI be
disclosed
to any patient who asks to see his or her own medical records
(unless the health care provider believes that access will do
harm
to the patient). This includes talking to the patient about his or
her diagnosis, treatment, and medical condition, as well as
allow-
ing the patient to review his or her entire medical record. Some
records, however, such as psychotherapy notes, may be
withheld.
2. Use or disclosure for treatment, payment, or health care
operations:
Health care practitioners need to use PHI within the medical
office,
hospital, or other health care facility for coordinating care,
consult-
ing with another practitioner about the patient's condition, pre-
scribing medications, ordering lab tests, scheduling surgery, or
for
other reasons necessary to conduct health care treatment or
busi-
ness, such as insurance claims and billing. PHI disclosures for
these
22. purposes do not require written authorization.
If other covered entities contact you or your employer for
access
to PHl, such as insurance plans, attorneys, medical survey
represen-
tatives, and pharmaceutical companies, you must have the
patient's
written authorization to release PHI. (Covered entities are
health
care providers and clearinghouses that transmit HIPAA
transactions
electronically, and must comply with HIPAA standards and
rules.)
3. Uses and Disclosures with Opportunity to Agree or Object.
Accord-
ing to the HHS Web site http://www.hhs.gov/ocr/privacy/hipaa/
understanding/summary/index.html, informal permission may be
210 Part Two I Legal issues for Working Health Care
Practitioners
:
I
I
I
I
,,
23. :
obtained by asking the indi idual outright, or by circumstances
that clearly give the individual the opportunity to agree, comply
silently or without objection, or object. Where the individual is
incapacitated, in an emergency situation, or not available,
covered
entities generally may make such uses and disclosures, if in
their
professional judgment, the use or disclosure is determined to be
in
the best interest of the individuaL
4. Incidental uses and disclosures of PHI are permitted without
authorization from patients as follow s:
• Nursing care center staff members can talk about patients' care
if they take reasonable precautions to prevent unauthorized
individuals, such as visitors in the area, from overhearing.
• Health care practitioners can talk to patients on the phone or
discuss patients' medical treatments with other providers on the
phone if they are reasonably sure that others cannot overhear.
• Health care practitioners can discuss lab results with patients
and among themselves in a joint treatment area if they take
reasonable precautions to ensure that others cannot overhear.
• Health care practitioners can leave messages on answering
machines or with family members, but information should be
limited to the amount necessary for the purpose of the calL (For
detailed messages, simply ask the patient to return the call.)
• You can ask patients to sign in, call patients by name in
waiting
rooms, or use a public address system to ask patients to come
24. to a certain area. A patient sign-in sheet, however, must not ask
for the reason for the visit.
• You can use an X-ray light board at a nursing station if it is
not
visible to unauthorized individuals in the area.
• You can place patient charts outside exam rooms if you use
reasonable precautions to protect patient identity: face the
chart toward the wall or place the chart inside a cover while it
is in place.
5. Public Interest and Benefit Activities. The Privacy Rule
permits
use and disclosure of protected health information, without an
individual's authorization or permission, for 12 national priority
purposes, as listed on the HHS Web site at http://www.hhs.gov/
ocr/privacy/hipaa/understanding/summary/index.html:
• If required by law.
• As part of public health activities.
• For victims of abuse, neglect, or domestic violence.
• In health oversight activities.
• For judicial and administrative proceedings.
• For law enforcement purposes.
• For decedents when cause of death is released to funeral
home,
coroners, or medical examiners.
• For cadaveric organ, eye, or tissue donation.
25. • For research
• In the event of serious threat to health or safety.
Chapter 81 Privacy, Security, and Fraud 211
,,
,,
.I
limited data set
Protected hea lth inform atio n from
which ce rta in pat ient identifiers have
been removed.
• For essential government functions.
• In claims for Workers' Compensation.
6. Limited data set. A limited data set is protected health
informa-
tion from which certain specified, direct identifiers of
individuals
and their relatives, household members, and employers have
been
removed . A limited data set may be used and disclosed for
research, health care operations, and public health purposes,
pro-
vided the recipient enters into an agreement promising specified
safeguards for the PHI within the limited data set.
26. The HIPAA Privacy Rule does not give patients the express
right to
sue. Instead, the person must file a written complaint with the
secre-
tary of Health and Human Services through the Office for Civil
Rights.
The HHS secretary then decides whether or not to investigate
the
complaint. Patients may have other legal standings to sue under
state
privacy laws. (See Court Case, "EMT Liable for Violating
Patient's
Privacy.") See Table 8-3 on page 222 for a list of patients'
rights under
the HIPAA Privacy Rule.
COURT CASE EMT Liable for Violating Patient's Privacy
An EMT employed by a volunteer fire department pro-
vided emergency treatment to a female patient for a
possible drug overdose. The unresponsive patient was
transported to a hospital. The EMT returned home and
later spoke to a friend, telling her that she had assisted in
taking a specific patient to the hospital emergency room
for treatment for a possible drug overdose.
Prior to the emergency, the EMT had never met the
patient. However, about two weeks prior to the incident,
27. the EMT had heard about the patient and her medical
problems at a social event. The woman who spoke about
the patient was apparently a friend, and it was th is person
whom the EMT telephoned, after the patient 's overdose.
The patient sued the EMT and her insurance company,
alleging that she had defamed her and violated her privacy
by publicizing information concerning her medical condi-
tion and making untrue statements indicating that she had
7. Define protected health information.
8. Define de-identify.
attempted suicide. The patient claimed that she had been
and was continuing to undergo medical care due to illness,
and that the apparent overdose she suffered was a "reac-
tion to medication."
The insurance company claimed the EMT's actions
were with in the scope of her employment. The EMT
argued that she had not acted recklessly or unreasonably
in contacting the patient 's friend regarding her care.
28. The EMT offered to settle for $5,000, but the plaintiff
refused and the matter went to a jury trial. The jury found
that the EMT had vio lated the plaintiff's right of privacy,
as alleged . The jury also awarded the plaintiff/patient
$37,909.86 in compensatory damages and attorney fees.
The EMT and her insurance company appealed. An
appeals court upheld the judgment of the lower court.
Pachowitz v. Ledoux, 2003 WL 21221823 ('Nis. App., May 28,
2003).
9. Which law usually prevails, federal or state, if a state law
provides greater privacy protection than a
federal law? Explain your answer.
I 0. What is the process illustrated in question 9 called?
II. One can only legally release PHI under six HIPAA-defined
__ .
212 Part Two J Legal issues for Working Health Care Prac titi o
ners
li
Laws Implemented to Protect the
Security of Health Care Information
29. As listed in Table 8-1, the American Recovery and
Reinvestment
Act (ARRA), commonly called the Stimulus Bill, made
substantive
changes to HIPAA, including privacy and security regulations,
changes
in HIPAA enforcement, provisions about health information
held by enti-
ties not expressly covered by HIPAA, and other miscellaneous
changes.
The ARRA also mandated a deadline-January 1, 2014-for all
public
and private health care providers and other eligible
professionals across
the country to have adopted and demonstrated "meaningful use"
of elec-
tronic medical records (EMR) in order to keep their existing
Medicare and
Medicaid reimbursement levels. ("Meaningful use" is explained
below.)
First, note the difference between electronic medical records
(EMR) and electronic health records (EHR), because, according
to
www.healthit.gov, an online source of information about
information
technology in the health industry, the two terms are not
interchange-
able. The electronic medical record (EMR) is the electronic
form of a
patient's medical history from just one practice. It lets health
care pro-
viders in one facility:
• Track data over time.
30. • Identify with a glance which patients are due for screenings or
check-ups.
• Check patients' progress within certain parameters, such as
blood
pressure, cholesterol and blood sugar readings, and
vaccinations.
• Monitor and improve overall patient care within the practice.
By contrast, the electronic health record (EHR) is a more
compre-
hensive electronic patient history, focusing on the total health
of the
patient and including a broader view of a patient's care. This
more
detailed record allows for:
• A record that travels with the patient so that emergency
depart-
ment clinicians who see a patient in his home city or traveling
across the country will know about any life-threatening
allergies,
or clinicians treating people injured in a disaster will know
which
medications the patient is taking.
• The opportunity for the patient to log on to her own record
and
see trends in lab results over time, which can help her plan for
staying healthy.
• Specialists to see what tests, X-rays, and other procedures
have
already been done on a patient, thus avoiding unnecessary
dupli-
31. cation when possible.
• Notes from any hospital stays that can help inform discharge
instructions and follow-up care for the patient and can let
patients
! move smoothly from one care setting to another.
"Meaningful use" of electronic health records, as defined by
HealthiT
.gov, consists of using digital medical and health records to
achieve
the following:
• Improve quality, safety, and efficiency of health care, and
reduce
health disparities.
LO 8.3
Discuss laws implemented to
protect the security of health care
information as health records are
converted from paper to electronic
form.
electronic medical record (EMR)
Contains all patient medical records for
one practice.
electronic health record (EHR)
A more comprehensive record than the
EMR, focusing on the total health of the
patient and t raveling with the patient.
Chapter 8 1 Privacy, Security, and Fraud 213
32. breach
Any unauthorized acquisition, access,
use, or disclosure of personal health
information which compromises the
security or privacy of such information.
firewalls
Hardware, software, or both designed
to prevent unauthorized persons from
accessing electron ic information.
FIGURE 8-1
How Breaches Happen
• Engage patients and family in comprehensive health care
plans.
• Improve care coordination and the health of populations and
also
improve public health practices.
• Maintain the privacy and security of patient health
information.
HIPAA'S SECURITY RULE
HIPAA's Standard 2, the Privacy Rule, details procedures for
maintain-
ing the privacy of protected health information. The act's
Standard 3,
the Security Rule, explains the requirements for maintaining the
security of electronic health records, both in transmission and
storage.
Lack of compliance with HIPAA security measures can lead to
33. substan-
tial fines and in extreme cases even loss of medical licenses.
According
to www.hipaa.com, medical practices can follow 5 steps to
ensure
compliance to HIPAA standards and to avoid data breaches. (A
breach
is any unauthorized acquisition, access, use, or disclosure of
personal
health information which compromises the security or privacy
of
such information.)
1. Run a complete risk assessment of the medical practice.
There
are many electronic health recording systems, but practices need
to use a system that meets HIPAA guidelines and standards.
A risk assessment against HIPAA guidelines can reveal those
areas where changes are needed, and should include evaluating
how well each person protects passwords. Passwords should
not be posted for anyone to see, should not be unnecessarily
divulged to others, and should be changed regularly, and
firewalls should be in place to protect against outside intrusion
(see Figure 8-1) . Are security measures reasonable and
appropri-
ate for the health care practice and are they periodically
reviewed? Have security breaches occurred in the past? If so,
what caused the breaches and have causes been remedied? Are
internal sanctions in place for security breaches, and have staff
members been informed of such sanctions?
2. Be prepared for a disaster. One of the best ways to ensure
against
loss or corruption of medical data is to back up all data
regularly.
Data is most safely backed up in offsite locations, so that fires,
34. water leaks, and other incidents at the practice site do not
threaten
HOW BREACHES HAPPEN
Employees report the following
as common causes of data breaches:
31%
roi
(}
:::;
::l
() "
~
<g
()
:::;
33%
Source: Data from ProPublica: http://www.propublica.org/
42%
oom
::J 3
8:.-o
c:~
(1)
2.
s-
~
:2:
35. a.
~
:::1.
'<
46%
214 Part Two I Legal issues fo r Wor ki ng Health Care
Practitioners
data. Antivirus programs should also be installed on all
computers
and regularly updated so that computer viruses and hackers are
not a threat to data.
3. Train all employees in proper computer use. Access controls
such
as passwords and PIN numbers, are HIPAA Security Rule
require-
ments, and encryption systems provide an additional level of
security. Encrypting stored information means that PHI cannot
be
read or understood except by someone who can decrypt it using
a
special decryption key provided only to authorized individuals.
A medical practice can have a secure encryption system, but if
employees don't use their passwords to securely access records
and files, the encryption system is useless, and records are open
to
unauthorized intrusion. Training should be ongoing, so that new
employees are informed and long-term employees are reminded
of proper use.
4. Buy products with security compliance and compatibility in
36. mind. When purchasing any new medical computer software or
other medical products, check to be sure the new purchase
meets
HIPAA security rules and will be compatible with other
products
already in use.
5. Collaborate with all compliance-affected parties. All depart-
ments within a practice are affected when compliance changes
are
made, and employees should be informed and consulted.
ProPublica data reveals that new technology trends threaten
patient
data in that 91 percent of hospitals surveyed are using cloud
technology
(Internet, off-medical-facility-site storage capability) to store
data, yet 47
percent of these hospitals were not confident they could keep
the data
secure in the cloud. In addition, 81 percent of organizations let
employ-
ees use their own mobile devices (BYOD), yet 46 percent of
these orga-
nizations don't ensure that employee devices are secure (see
Figure 8-2).
ProPublica estimates that data breaches have cost the health
care
industry $7 billion to date, both in fraudulent schemes and in
identity
theft, where criminals use health care data to assume a person's
iden-
tity and make unauthorized purchases in that person's name.
NEW TECHNOLOGY TRENDS THREATEN PATIENT DATA
37. Source: Data from ProPublica: http://www.propublica.org/
encryption
The scrambling or encoding of
information before sending it
electronical ly.
FIGURE 8-2
New Technology Trends
Threaten Patient Data
Chapter 81 Privacy, Security, and Fraud 215
Health Information Technology
for Economic and Clinical Health
Act (HITECH)
A section of the American Recovery
and Reinvestment Act (ARRA) that
strengthened certain HIPAA privacy
and security provisions.
American Recovery and
Reinvestment Act (ARRA)
A 2009 act that made substantive
change to HIPAA's privacy and
security regulations.
HITECH RULE
The Health Information Technology for Economic and Clinical
Health (HITECH) Act, part of the American Recovery and
Reinvest-
ment Act (ARRA) of 2009, strengthened the privacy and
38. security pro-
tections for health information established under HIPAA.
Provisions
under HITECH carried a September 23, 2013 enforcement date.
The HITECH Rule strengthens privacy and security by:
• Extending compliance with HIPAA privacy and security rules
to
business associates and their subcontractors.
• Prohibiting the sale of protected health information without
appropriate authorization.
• Expanding individual rights to electronically access one's pro-
tected health information (PHI).
• Prohibiting the use of genetic information for insurance under-
writing purposes.
• Finalizing breach notification requirements.
• Expanding individuals' rights to obtain restrictions on certain
dis-
closures of protected health information to health plans if
services
are paid for out of pocket.
• Establishing new limitations on the use and disclosure of
protected health information for marketing and fund-raising
purposes.
• Providing easier access to immunization records by a school.
• Removing HIPAA Privacy Rule protections for PHI of an
individ-
39. ual deceased for more than 50 years.
A provision of the law states that breaches must be reported, not
just to the Office of Civil Rights (OCR), which has federal
enforce-
ment authority, but also to the media. A quick search of the
Internet
will reveal that breaches occur frequently. Since October 2009
through
November 2013, there have been 768 complaints alleging a
violation of
the Security Rule. The HHS/OCR closed 579 complaints after
investi-
gation and appropriate corrective action and as of November 30,
2013
had 254 open complaints and compliance reviews.
While maintaining privacy and security of PHI are vital
consider-
ations in today' s health care environment, fraud is claiming a
huge
portion of the health care dollar, and has necessitated federal
interven-
tion in the form of legislation and anti-fraud measures.
12.-13. Briefly distinguish between the electronic medical
record (EMR) and the electronic health
record (EHR).
14. What is a breach of PHI?
15.-17. If you use computers in the course of your daily work,
what are three important rules for you to
remember, in order to protect the security of electronic medical
records?
40. 18. Briefly explain the purpose of HITECH.
216 Port Two I Legal Issues for Working Health Care
Practitione rs
Controlling Health Care Fraud
and Abuse
According to the following figures, as published by The
Sentinel, for
fiscal year 2011 (the latest FY for which statistics were
available) esti-
mates for dollar losses, including fraud, abuse, and waste in all
health
care arenas included:
• $1.2 trillion a year, based on a 2008 report by
Pricewaterhouse-
Coopers' Health Research Institute.
• $600 to $850 billion a year, according to a Thomson Reuters
report
that broadly defined "waste" as "healthcare spending that can be
eliminated without reducing the quality of care."
• $64.8 billion in improper payments by Medicare and Medicaid
for
FY 2011, according to the Government Accounting Office
(GAO).
("Improper" meaning the care was not necessary or the bill was
wrong. Improper payments may include fraudulent claims, but
not all improper payments are fraudulent. Improper payments
may be due to honest mistakes.)
• $28.8 billion in improper payments were made to Medicare
41. fee-
for-service (Original Medicare) providers in 2011, according to
GAO.
• $21.9 billion in improper Medicaid payments in 2011,
according
to GAO.
• $2.4 billion in health care fraud judgments and settlements
were
won or negotiated in 2011, according to the 2011 Health Care
Fraud
and Abuse Control Program report by the Department of Health
and Human Services (HHS) and Department of Justice (DOJ).
• $1.2 billion in Medicare and Medicaid audit disallowances
(findings
of unallowable costs), according to the HHS Office of Inspector
General (OIG).
Source: Aldrich, Nancy & Benson, Bill,
The_Sentinel_May2012_HBABCs_Fraud_
Estimates. pdf
Medicare fraud is not easy to estimate, because:
1. Fraudulent spending is not always separated from total health
care dollars spent when records are kept.
2. Dollar amounts spent in a single incident of fraud are
increasing,
so statistics from prior years are not always reliable, thus
effecting
more current estimates.
3. Fraud is often undetected, and therefore difficult to count.
42. Clearly the health care dollar is far from well spent. The health
care
system no doubt loses enough money each year to pay for
insurance
for the uninsured, keep premiums from rising, and improve the
health
of every American-all on the taxpayers' dime.
While much of the deliberate health care fraud and abuse is
committed
by legitimate health care providers, because of the huge profits
possible,
organized crime has also become involved. "Organized crime
has figured
out that it is much safer to defraud the government in a variety
of health
care scams then to sell illegal drugs," said an investigator in the
Office of
Inspector General in June 2012 who wishes to remain
anonymous.
LO 8.4
Discuss the federal laws that cover
fraud and abuse w ithin the health
care business environment and the
role of the Office of the Inspector
General in finding billing fraud .
Chapter 8 I Pr ivacy, Security, and Fraud 217
Federal False Claims Act
A law that allows for ind ividuals t o
bring civil actions on behalf of t he
43. U.S. govern ment for false claims made
t o t he federa l government, under a
p rovision of the law called qui tam
(from Lat in meaning " t o bring an act ion
for the ki ng and for oneself") .
In 2013, ProPublica, an independent, nonprofit newsroom that
pro-
duces investigati,·e journalism in the public interest, released a
series
of critical articles about fraud in Medicare Part D, the
prescription drug
plan. For their investigation the ProPublica staff used the
Freedom of
Information Act to obtain data on the drugs prescribed by every
provider
in the Part D program for 5 years. No patient information was
released,
just prescribing patterns of physicians. The investigation, which
was
ongoing into 2014, revealed that physicians sometimes did not
know that
prescriptions w ere being filled for patients they did not even
see, due
to unscrupulous business managers and accountants. As a result,
both
Congress and the Obama administration have indicated that
targeting
organized crime for health care fraud and abuse will be a
priority.
THE FRAUD PATROL
Since its 1976 establishment, the Office of Inspector General
(OIG) of the
U.S. Department of Health & Human Services (HHS) has been
44. charged
with fighting waste, fraud, and abuse in Medicare, Medicaid and
more
than 300 other HHS programs. The OIG has many offices across
the
country, which create a nationwide network of auditors,
investiga-
tors and evaluators. The OIG oversees enforcement of all
federal laws
related to health care fraud and abuse, including the following
major
federal statutes outlined in Table 8-2 and discussed further
after.
THE FEDERAL FALSE CLAIMS ACT
The Federal False Claims Act allows for individuals to bring
civil
actions on behalf of the U.S. government for false claims made
to the
federal government, under a provision of the law called qui tam
(from
Latin meaning "to bring an action for the king and for oneself").
These
individuals, commonly known as whistle-blowers, are referred
to as
qui tam relators and can share in any court-awarded damages.
Suits brought under the False Claims Act are most often related
to
the health care and defense industries. The act prohibits:
• Making a false record or statement to get a false claim paid by
the
government.
45. • Conspiring to have a false claim paid by the government.
Table 8-2 Major Federal Health Care Fraud and Abuse Laws
Date Enacted
1863-significantly amended in
1986 and several times since.
1972
1989-Expanded in 1995.
Unknown-Part of the U.S.
Code, 18, Section 1347
Law
False Claims Act
Anti-Kickback Statute
Stark Law, or Physician
Self-Referral Law
Criminal Health Care
Fraud Statute
218 Part Two I Legal Issues for Working Health Care
Practitioners
Purpose
Provides for civil penalties for persons knowingly making
false claims to the federal government for payment.
46. Criminal law that prohibits giving, soliciting, accepting or
arranging items of value as a reward for referrals of services
paid for by the government health care system.
Physicians or members of their immediate families cannot
refer patients to health care facilit ies they own if the govern-
ment is to pay for the care.
Makes it a criminal offense to knowingly defraud a health
care benefit program.
• Withholding government property with the intent to defraud or
willfully conceal it from the government.
• Making or delivering a receipt for government property that is
false.
• Buying government property from someone who is not autho-
rized to sell it.
• Making a false statement to avoid or deceive an obligation to
pay
money or property to the government.
• Causing someone else to submit a false claim by giving false
information.
The opportunity for fraud and abuse under the Federal False
Claims
Act is great. The Justice Department secured $3.8 billion in
settlements
and judgments from civil cases involving fraud during fiscal
year
2013. From January 2009 through the end of the 2013 fiscal
47. year, the
Justice Department used the False Claims Act to recover $12.1
billion
in federal health care dollars. Most of these recoveries relate to
fraud
against Medicare and Medicaid.
THE FEDERAL ANTI-KICKBACK LAW
In effect since 1972 and amended many times since then, the
Federal
Anti-Kickback Law states that anyone who knowingly and
willfully
receives or pays anything of value to influence the referral of
federal
health care program business, including Medicare and Medicaid,
can be held accountable for a felony. Violations of the law,
which
excludes from prosecution some designated "safe harbor"
arrange-
ments, are punishable by up to 5 years in prison, fines from
$25,000
to $50,000, and exclusion from participation in federal health
care
programs.
Federal Anti-Kickback Law
Prohibits knowingly and wi llfully
receiving or paying anything of value to
influence the referral of federal health
care program business.
COURT CASE University Overbilled Medicare and Medicaid
for Patients Enrolled in Clinical Trial Research
Major universities often do clinical trials and treat Medi-
48. care and Medicaid patients during those trials. The clini -
cal trial sponsor pays for the medical care and services. In
this case, Emory University was also billing Medicare and
Medicaid for the same services.
A lawsuit was filed by Elizabeth Elliot under the
qui tam, or whistle-blower, provisions of the False Claims
Act, which allow private citizens to bring civil actions on
behalf of the United States and share in any recovery
obtained. The Office of Inspector General of Health and
Human Services investigated and the FBI investigated the
claims and found that Emory had billed, and in some cases
received payment from Medicare or Medicaid , for ser-
vices the clinical trial sponsor had already paid.
The United States Attorney's Office for the Northern
District of Georgia announced a settlement in August
20 13 with Emory University. Emory agreed to pay
$1 .5 million to settle claims that it violated the False
Claims Act by billing Medicare and Medicaid for clinical
49. trial services that were not permitted by the Medicare and
Medicaid rules.
Ms. Elliot received a share of the settlement payment
that resolves the qui tam suit that she filed . However, the
claims settled in the civil settlement are allegations only,
and there has been no determination of liability.
United States of America and Stnte of Georgia ex rei. Elizabeth
Elliott v. Emory
University, eta/., Civ. No. I :09-cv-3569-AT (N.D. Ga. Dec. 18,
2009).
Cnao:e' 81 Privacy, Security, and Fraud 219
J
Stark Law
Prohibits physicians or their family
members who own health care facilities
from referring patients to those entities
if the federal government, under
Medicare or Medicaid, will pay for
treatment.
Criminal Health Care Fraud
Statute
A section of the United States Code
that prohibits fraud against any health
50. care benefit program.
STARK LAW
Since physicians or their family members often own health care
facili-
ties, Congress has passed legislation against self-referral called
the
Stark Law. Under this law, first enacted in 1989 and
significantly
expanded in 1995, physicians or members of their immediate
fami-
lies who have financial relationships with health care entities
may not
refer patients to those entities if the federal government, under
Medi-
care or Medicaid, is responsible for payment.
Generally, three questions determine whether or not a request
for
reimbursement is prohibited by the Stark Law: (1) Has a
physician or
a member of the physician's family referred a Medicare or
Medicaid
patient to an entity? (2) Is the referral for a "designated health
service"?
(3) Is there a financial relationship between the referring
physician or
family member and the entity providing service? If "yes" is
answered
to any of these three questions, the referral violates the Stark
Law.
For years since the Stark Law was implemented, the ban on
physi-
cian conflicts of interest were applied to Medicare claims, but
51. not to
Medicaid. Then recently, whistle-blowers bringing suit against
alleged
violators called for clarification of the law, and the U.S. Justice
Depart-
ment agreed that the law is applicable to Medicaid, as well as
Medi-
care claims. As a result, in 2012, the Justice Department
reported an
all-time high of $3 billion forfeited by drug companies and
health care
providers via whistle-blower Stark Law lawsuits.
A common misconception is that the Federal Anti-Kickback
Law
and the Stark Law are the same. Table 8-3 illustrates the
differences
between the two laws.
CRIMINAL HEALTH CARE FRAUD STATUTE
The Criminal Health Care Fraud Statute (18 United States Code
Section 1347) prohibits knowingly and willfully executing, or
attempt-
ing to execute, a scheme intending to:
• Defraud any health care benefit program,
• Obtain (by means of false pretenses, representations, or
promises)
any of the money or property owned by, or under the custody or
control ot any health care benefit program.
Proof of actual knowledge or specific intent to violate the law is
not
required. Penalties for violating the Criminal Health Care Fraud
52. Stat-
ute may include fines, imprisonment, or both.
Under 42 U.S.C. Section 1320a-7, the Department of Health and
Human Services (HHS) Office of Inspector General (OIG) is
required
to impose exclusions from participation in all Federal health
care
programs on health care providers and suppliers who have been
convicted of:
Medicare fraud;
Patient abuse or neglect;
Felony convictions for other health care related fraud, theft or
other financial misconduct; or
Felony convictions for unlawful manufacture, distribution,
prescription, or dispensing of controlled substances.
220 Part Two I Legal Issues fo r Working Health Care
Practitioners
t
'
Table 8-3 Comparison of the Anti-Kickback Law and the Stark
Law
Prohibition
Referrals
53. Items/Services
Intent
Penalties
Exceptions
Federal Health
Care Programs
The Anti-Kickback Statute
(42 USC § 1320a-7b(b))
Prohibits offering, paying , soliciting or
receiving anything of value to induce
or rewa rd referrals or generate Federal
health care program business
Referrals from anyone
Any items or services
Intent must be proven (knowing
and willful)
Criminal:
• Fines up to $25,000 per violation
• Up to a 5-year prison term per violation
Civil/Administrative:
• False Claims Act liability
54. • Civil monetary penalties and
program exclusion
• Potential $50,000 CMP per vio lation
• Civil assessment of up to three times
amount of kickback
Voluntary safe harbors
All
The Stark Law
(42 USC § 1395nn)
• Prohibits a physician from referring Medicare patients
for designated health services to an entity with wh ich
the physician (or immed iate family member) has a
financial relationship, unless an exception applies
• Prohibits the designated health services entity from
submitting claims to Medicare for those services
resulting from a prohibited referral
Referrals from a physician
Designated health services
• No intent standard for overpayment (strict liability)
• Intent required for civil monetary penalties for
knowing violations
Civil:
55. • Overpayment/refund obligation
• False Claims Act liability
• Civil monetary penalties and program exclusion
for knowing violations
• Potential $15,000 CMP for each service
• Civil assessment of up to three times the amount
claimed
Mandatory exceptions
Medicare/ Medicaid
*This chart is for illustrative purposes only and is not a
substitute for consulting the statutes and their regulations.
http: /
/www.ncqa.org/Programs/Recognition/PatientCenteredMedicalH
omePC .. . 9 I 6/2013
In summary, violations of laws against health care fraud and
abuse
can result in imprisonment and fines, loss of professional
license, loss
of health care facility staff privileges, and exclusion from
participation
in federal and/ or state health care programs.
19. The False Claims Act contains which distinguishing
provision?
20. Are . the Federal Anti-Kickback Law and the Stark Law
exactly the same? Explain your answer.
56. 21. What does the Criminal Health Care Fraud Statute prohibit?
22. What federal office is responsib le for enforcement of the
four laws mentioned above?
23.-26. What types of legal convictions are most likely to
exclude heal~h care providers from participation
in a federal health care program?
Chapter 8 I Privacy, Security, and Fraud 221
LO 8.5
Discuss patient rights as defined by
HIPAA, the Patient Protection and
Affordable Care Act, and other
health care entities.
Patients' Bill of Rights
Legislation designed to protect the health care industry and its
con-
sumers is official in its capacity to prevent harm. Other
unofficial but
effective methods of protecting patients exist in the form of a
Patients'
Bill of Rights.
As illustrated in Table 8-4, HIPAAhas issued a list of patients'
rights
under its provisions.
The Patient Protection and Affordable Care Act of 2010 also
lists
features at http://www.hhs.gov/healthcare/rights that are
57. intended to
give health care consumers more rights, but they apply only to
health
insurance. Insurance companies must:
• Phase out annual and lifetime limits to coverage.
• No longer limit or deny coverage to patients under 19 with a
pre-
existing condition.
• Cover children up to age 26 on their parents' health insurance
policy.
Table 8-4 Patients' Ri9hts Under the HIPAA Privacy Rule
Patient Right
Access to medical
records and the
right to copy them
Request for
amendment
to designated
record set
Request for an
accounting of
disclosures of PHI
Request to be
contacted at an
alternate location
Requests for
58. further restrictions
on who has access
to PHI
Right to file a
complaint
Comments
Access to records is guaranteed
under HIPAA, but there are some
limitations, as mentioned.
A patient has the right to request
amendments to his or her PHI or
other personal information. Unless
a provider has grounds to deny
the request, amendments must
be made.
You are required to account for certain
disclosures during the past 3 years.
Check with your privacy officer for a
list. You have up to 60 days to provide
the disclosure list.
Patients can request to have you
contact them at places other than
work or home. You can deny the
request if you cannot reasonably
comply.
A patient can request that certain
persons or entities do not have
access to his or her medical record.
You may deny the request if you can-
59. not reasonably comply.
Enforcement of the Privacy Rule is
complaint-driven. Patients should
be encouraged to work first with the
provider. Retaliation is prohibited.
Documentation Required
No
Yes
Yes. Always keep a record of the
appropriate disclosures, and make a
copy of the disclosure report for the
patient's file.
Yes. Obtain a request from the
patient in writing. Note in the
patient's electronic medical record
and in a paper communication for
staff members who do not have
access to the patient's electronic
medical record. Document reasons
for denying the request if it is
denied.
Yes. Ask the patient to complete
an opt-out form that is then filed
with electronic and paper records.
Document reasons for denying the
request if it is denied.
Yes. Refer the complaint to the
privacy officer. Document the com-
60. plaint in a privacy complaint log.
Evaluate the complaint and deter-
mine how best to solve it.
Documentation
Recommended
Yes
222 Part Two I Legal Issues for Working Health Care
Practitioners
' Phase out aLvitrary withdra wals of insurance coverage.
• End lifetime limits on benefits.
• Cover preventable care at no cost.
• Justify any raise in rates.
• Remove insurance company barriers to emergency service.
• Allow clients to file a complaint.
Concerns about the quality of medical care patients receive
under
managed care plans prompted Congress to first consider a
Patients'
Bill of Rights Act in 1999. The act contained provisions
applicable
to managed care plans for access to care, quality assurance,
patient
information and securing privacy, grievances and appeals proce-
dures, protecting the doctor-patient relationship, and promoting
61. good medical practice. Congress failed to act on the bill in
1999, and
it was revived in 2001 as H.R. 2563, the Bipartisan Patient
Protec-
tion Act of 2001. The bill died in Congress, but was revived in
2004,
where it again failed to pass. The American Hospital
Association
(AHA) adopted a patient bill of rights to be used by its member
hos-
pitals, which is available from the organization for a fee, and
may
be read online for free. Table 8-5 shows how many state statues
and
hospitals reference the American Hospital Associations' Patients
Bill of Rights.
Currently, no official government statute exists that tells health
care consumers exactly what they can expect. Some hospitals
and
other health care facilities have compiled lists for "rights" they
con-
fer on their patients, but no one universal Patients' Bill of
Rights
exists.
Table 8-5 Frequency of American Hospital Association Patients'
Bill of Rights Themes in State
Statutes and Hospital Documents
Theme
The patient has the right to:
1. Considerate and respectful care
62. 2. Obtain current and understandable information
3. Refuse recommended treatment
4. Have an advance directive
5. Privacy
6. Confidential communications and records
7. Review records
8. The indicated medical care including transfer to another
facility
9. Be informed of business relationships that influence care
10. Refuse participation in research
11. Reasonable continuity of care
12. Be informed of charges as well as policies for patient
responsibilities
and resolution of conflicts
State Statutes (=23). %
78
87
87
35
87
64. 58
87
57
Source: Gen Intern Med. 2009 April; 24(4): 489-494. Published
online 2009 February 3. doi: 10.1007 /sll606-009-0914-z.
Chapter 8 I Privacy, Security, and Fraud 223
The follo·wing Web sites offer additional information about
patients'
rights in various circumstances:
,,}~:,heck • vo'lit,~ progress
American Hospital Association www.aha.org
Offers a brochure for sale that discusses what hospital
patients can expect, and you can read their "Bill of Rights"
online for free, in any one of seven languages, at: www.aha.
orgl aha/issues/Communicating-With-Patients/pt-care
-partnership.html
Medicare Rights Center (for patients with Medicare)
www.medicarerights.org
This service can help Medicare patients understand their
rights and benefits, work through the Medicare system,
and get quality care.
National Library of Medicine www.nlm.nih.gov/medlineplus/
patientrights.html
65. This site has information on patient rights along with many
links to other sources of related information.
(There are no correct answers to the following exercise. It's
intended solely to stimulate thought and
discussion.)
27. Do you see the necessity for a Patients' Bill of Rights for
health care consumers? Explain your answer.
28. Would you add to or subtract from the patients' rights listed
in Table 8-4? If so, how?
29. Should a Patients' Bill of Rights contain the right of the
patient to sue if care is demonstrably
unsatisfactory? Explain your answer.
30. How can you determine if your state has a statute for a
Patients' Bill of Rights?
Based on your own experience as a health care consumer and
the
experiences of your friends and family members, what rights
would
you list in a Patients' Bill of Rights?
224 Part Two I Legal issues for Working Health Care Practit io
ners
Chapter Summary
66. Learning Outcome Summary
LO 8.1 Discuss U.S. constitutional
amendments and privacy laws that
pertain to health care.
LO 8.2 Explain HIPAA's special require-
ments for disclosing protected health
information.
LO 8.3 Discuss laws implemented to
protect the security of health care infor-
mation as health records are converted
from paper to electronic form.
Which U.S. constitutional amendments and privacy laws pertain
to health care?
First, Third , Fourth, Fifth, Ninth, and Fourteenth U.S.
Constitutional
Amendments.
Health Insurance Portability and Accountability Act (HIPAA) of
1996.
• American Recovery and Reinvestment Act (ARRA) of 2009.
Health Information Technology for Economic and Clinical
Health Act (HITECH).
Patient Protection and Affordable Care Act (PPACA) of 2010.
Health Care and Education Reconci liation Act (HCERA) of
2010.
What considerations do federal and state privacy laws share?
67. • Information collected and stored about individuals should be
limited to what is
necessary t o carry out the functions of the business or
government agency col-
lecting the information.
• Once collected, access to personal information should be
limited to those
employees who must use the information in performing their
jobs.
• Personal information cannot be released outside the
organization collecting it
unless authorization is obtained from the subject.
• When info rmation is collected about a person, that person
should know that
t he information is being co llected and should have the
opportunity to check it
for accuracy.
What are HI PAA's four standards and rules?
• Transactions and Code Sets.
Privacy Rule
Security Rule
National Identifier Standards.
Which of HIPAA's four standards are discussed in detail in
Chapter 8?
• Standard 2, the Privacy Rule, and Standard 3, the Security
68. Rule
What are HIPAA's special requirements for disclosing protected
health
information?
Protected health information can be de-identified by removing
certain patient
identifiers.
Permissions are requi red for releasing PHI , under six
categories.
Disclosures to patients.
Disclosures for treatment, payment, or health care operations.
Disclosures with opportunity to agree or object.
• Some incidental uses and disclosures are permitted without
authorization.
• Disclosures for public interest and benefit act ivities.
• Limited data set d isclosures.
Which laws have been implemented to protect t he security of
health care
information as hea lth records are converted from paper to
electronic form?
• American Recovery and Reinvestment Act (ARRA).
Electron ic medical record (EMR).
Electronic health record (EHR).
69. How ca n med ical practices comply with the HIPAA Security
Rule?
Run a complete risk assessment of the medical practice.
Be p repared for a disaster.
• Train all employees in proper computer use.
Buy p roducts with security compliance and compatibility in
mind.
• Collaborate with all com p liance-affected parties.
Chapter 8 I Privacy, Security, and Fraud 225
Learning Outcome Summary
LO 8.4 Discuss the federal laws that
cover fraud and abuse within the health
care business environment and the role
of the Office of the Inspector General in
finding billing fraud.
LO 8.5 Discuss patient rights as defined
by HIPAA, the Patient Protection and
Affordable Care Act, and other health
care entities.
What is the HITECH Ru le?
Part of the ARRA.
70. Strengthens p rivacy and security by:
Extending compliance with HIPAA privacy and security rules to
business
associates and their subcontractors.
Proh ibiting t he sale of protected health information without
authorization.
• Expanding individua l rights to electronically access PHI.
• Prohibits use of genetic information for insurance
underwriting.
Finalizes b reach notification requirements.
Expands individuals' rights to obtain restrictions on certain
disclosures of PHI.
Establ ishes new limitations of the use and disclosure of PHI for
marketing
and fund-raising.
Provides easier access to immunization records by schools.
• Removes HIPAA Privacy Rule protections for persons
deceased for more
than 50 years.
What federal laws cover fraud and abuse w ithin the health care
business
environment?
• False Claims Act.
• Provides for civil penalties for persons knowingly making
71. false claims to the
federal government for payment.
• Whistle-blowers who report false claims can share in awards
under qui tam.
Federal Anti-Kickback Law.
Criminal law that prohibits arranging items of value as a reward
for referrals
of services paid for by the government health care system.
Stark Law
Physicians or members of their immediate families cannot refer
patients to
health care facil ities they own if t he government pays for care.
• Criminal Health Care Fraud Statute.
• A section of the U.S. Code that makes it a criminal offense to
knowingly
defraud a health care benefit program.
How are patients' rights defined under HIPAA, t he Patient
Protection and
Affordable Care Act, and other healt h care entities?
• HIPAA: Patients have the right to:
• Access and copy medical records.
• Request amendments/corrections to medical record.
• Request a list of disclosures.
72. Request to be contacted at certain locations.
• Put further restrictions on those who have access to PHI.
File a complaint.
Patient Protection and Affordable Care Act (PPACA). Insurance
companies must:
Phase out annual and lifetime limits to coverage.
No longer limit or deny coverage to patients under 19 with a
preexisting
condition.
Cover children up to age 26 on their parents' health insurance
policy.
Phase out arbitrary withdrawals of insurance coverage.
End lifetime limits on benefits.
Cover preventable care at no cost.
• Justify any raise in rates.
Remove insurance company barriers to emergency service.
• Allow clients to file a complaint.
Other health care entities.
Patient Bill of Rights is usually specific to the hospita l, long-
term care
facility, medical office, or other health care facility.
73. 226 Part Two I Legal Issues for Working Health Care
Practitioners
Ethics Issues Privacy, security, and Fraud
Ethics ISSUE 1:
HIPAA has made it illegat under threat of penalty, for health
care practitioners to disclose confidential health
information about patients to unauthorized sources.
Discussion Questions
1. Sharon, a second-year nursing student, is completing a
surgical rotation in a community hospital. At the
breakfast tabk Sharon's husband asks her to find out what is
wrong with one of his employees, who
has been hospitalized for several days. He is interested in
knowing when the man may be able to return
to work. Is it ethical for Sharon to give her husband this
information? Explain your answer.
2. What should health care practitioners do when family
members or friends ask them for information
about others that they have discovered in the course of their
employment?
Ethics ISSUE 2:
Some sources distinguish between privacy in health care and
confidentiality. According to the experts, privacy
refers to the right of an individual to be let alone and to the fact
that patients must authorize release of infor-
mation. Confidentiality refers to limiting disclosure to
authorized persons and ensuring protection of records
documenting communication between providers and patients.
74. Discussion Questions
1. Why are privacy and confidentiality so important to patients
and to health care practitioners?
2. The health care practitioners listed below have followed the
letter of HIPAA law. Have they also acted
ethically? Explain why or why not.
A patient asks for a list of disclosures his physician has made of
his health information within the past
6 years, and he is politely asked to submit his request in
writing.
The person responsible for faxing a patient's protected health
information from one physician's office to
another sends the information to the wrong fax number.
Ethics ISSUE 3:
The Criminal Health Care Fraud Statute (18 United States Code
Section 1347) prohibits knowingly and will-
fully executing, or attempting to execute, a scheme intending to:
Defraud any health care benefit program or
obtain (by means of false pretenses, representations, or
promises) any of the money or property owned by, or
under the custody or control at any health care benefit program.
Discussion Questions
1. Of the following practices, which constitutes fraud?
• Billing for services not provided.
• Billing for services not covered under a patient's health
insurance.
75. Chop<e' 8 Privacy, Security, and Fraud 227
• Unbundling: That is, billing separately for each stage of a
procedure.
• A licensed health care practitioner allows an unlicensed
person to bill an insurer under his name.
• A medical facility waives deductibles and copayments.
2. Are all of these practices illegal? Are all of these practices
unethical?
Chapter 8 Review
Enhance your learning by completing these exercises and more
at
http://connect.mheducation.com!
Applying Knowledge
LO 8.1
1. Which U.S. Constitutional Amendments deal with the issue of
privacy?
2.-5. List the four HIPAA Standards and briefly describe their
purpose.
LO 8 .2
6.- 11. List the six HIPAA-defined permissions.
76. [II connect®
12.- 13. Briefly define limited data set and list one example of
when it might be used.
14.-16. List three public interest and benefit activities for which
the disclosure of protected health
information is allowed without authorization.
17. Check each activity listed below that is permitted by HIPAA
without authorization. What is the
understood provision in each permitted case? _________ _____
____ _
A nurse discusses a patient's medical tests with her over the
telephone.
Two medical assistants in a medical office discuss the medical
care of a patient they both know.
A medical office receptionist discusses a friend's medical
treatment with her family at the dinner table.
Two physicians debate the possible treatment of a patient's
difficult disease.
A health insurance salesman telephones a medical office to
speak with a medical assistant "off the
record."
18. You are a medical records supervisor in a clinic. A
pharmaceutical firm asks for data on patients with
a certain diagnosis for a study of the numbers of people with the
disease. Can you give them the
information they ask for? If so, how will you provide the
information?
77. LO 8.3
19. Would you most likely send a patient's electronic medical
record or his electronic health record to a
specialist collaborating on the patient's treatment with your
physician employer?
20. How might a health care provider demonstrate "meaningful
use" of electronic records as required
by law?
228 Part Two I Legal issues for Working Health Care Prac t
itioners
Circle the correct answer to each of the following questions:
21. One of the best ways to ensure against loss or corruption of
medical data is to
a. Refuse to send any medical data electronically
b. Back up all data regularly
c. Send only paper records to recipients of medical data
d. Never store medical data on a computer
22. Training employees in proper computer use involves which
of the following?
a. Quizzing employees to be sure they have memorized
passwords
78. b. Using only proper names as passwords
c. Never posting passwords where others can see them
d. Never requiring the use of passwords to access electronic
information
23. Which of the following is not a helpful HIPAA security
compliance measure?
a. Run a complete security assessment of the medical practice
b. Buy only products for the medical practice with security
compliance and compatibility in mind
c. Never use cloud technology for data storage
d. Be prepared for a disaster
24. Which of the following constitutes a data breach?
a. A medical office computer is sold without erasing the hard
drive.
b . A hacker penetrates a hospital's list of patient's with HIV.
c. A business-use laptop is stolen from a health insurance
company executive while she is
traveling.
d. All of these
25. What is the primary purpose of the HITECH Rule?
a. To eliminate duplication of health care data
79. b. To strengthen privacy and security for electronic health
information
c. To categorize treatments that Medicare will reimburse
d. None of these
LO 8 .4
26. Which is not one of the reasons Medicare fraud is not easy
to estimate?
a. Fraud is often undetected, and therefore difficult to count.
b. Dollar amounts spent in a single incident of fraud are
increasing.
c. Fraudulent spending is not always separated from total health
care dollars spent.
d . Records are destroyed yearly.
27. Which of the following government agencies is charged with
fighting and prosecuting waste, fraud, and
abuse in Medicare and Medicaid?
a. Office of Civil Rights c. Office of the Attorney General
b. Office of the Inspector General d. Office of the HHS
Secretary
Chaprer 81 Privacy, Security, and Fraud 229
,.
80. ~
28. The False Claims Act provides for:
a. Paying any legitimate Medicare or Medicaid bill
b. Making it a criminal offense to defraud any health care
benefit program
c. People bringing claims to share in any court-awarded
damages
d. Jail sentences for all violators
29. A physician pays a long-term care administrator to refer all
new Medicare and Medicaid
patients to his medical practice. He is most likely to be accused
of violating which
federal law?
a. HIPAA
b. The Gramm-Rudman Law
c. The Federal Anti-Kickback Law
d . None of these
30. An entity may have violated the Stark Law if "yes" is
answered to which of the following
questions?
a. Has a physician or a member of her family referred a
Medicare or Medicaid patient
to an entity?
81. b. Is the referral for a "designated health service"?
c. Is there a financial relationship between the referring
physician or family member and the entity
providing service?
d. All of these
31. Which of the following statements is true?
a. The False Claims Act covers only hospitals.
b. The Federal Anti-Kickback Law and the Stark Law are the
same.
c. The Criminal Health Care Fraud Statute has been repealed.
d. The Federal Anti-Kickback Law and the Stark Law are not
the same.
32. Which of the following might a health care practitioner
suffer if convicted of the False Claims Act,
the Federal Anti-Kickback Law, the Stark Law, or the Criminal
Health Care Fraud Statute?
a. Afine
b. A prison sentence
c. Loss of medical license
d. All of these
LO 8.5
82. 33.- 37. Check all statements below that are true of a Patients'
Bill of Rights:
Congress passed a general Patients' Bill of Rights in 2010 and it
is now law.
Under HIPAA's Patients' Bill of Rights, patients may sue.
The Patients' Bill of Rights for the Patient Protection and
Affordable Care Act applies to insurance
companies.
Some health care providers publish their own Patients' Bill of
Rights.
A Patients' Bill of Rights is enforceable under the Criminal
Health Care Fraud Statute.
230 Part Two I Legal issu es for Working Health Care
Practitioners
Case Studies
Use your critical thinking skills to answer the questions that
follow each case study.
LO 8.1
38. John works as an LVN at a Hollywood, California, hospital.
While distributing meds to the patients on
his floor he noticed that the recently admitted patient in Room
402, named Jason Wilson, was really a
well-known actor from a popular television series. John called
his wife to tell her about the celebrity
83. patient on his floor. Was John's statement to his wife a HIPAA
violation?
Can the actor sue for punitive damages?
LO 8.4
39. Patients with Alzheimer's disease twice every week sat
unsupervised inside a small room of a memory
care facility watching the movie "Forrest Gump." Each time the
patients sat in front of the tube watching
the movie, the facility submitted insurance claims for providing
"group therapy."
Is this practice legal and appropriate, or is it an example of
health care fraud?
40. A physician assistant convinced her patients that
hypnotherapy could make them more receptive to
medical treatment. Fortunately, she told them, she could
conduct the hypnosis sessions in the office she
used for consultations. The predominant insurance company for
many of the PA's patients did not pay
for "hypnotherapy," nor was the physician assistant qualified to
provide it, so she billed the sessions as
office visits, at $100 to $125 per visit.
Was the physician assistant committing health care fraud?
Explain your answer.
Internet Activities LO 8.1 and LO 8.4
Complete the activities and answer the questions that follow.
41. Visit http://www.proprofs.com/quiz-
school/story.php?title=hipaa-compliance-quiz and take the
84. privacy
quiz. Answers are provided immediately after the questions, but
which, if any, of the answers most
surprised you and why?
42. Visit https://www.blueshieldca.com/bsca/about-blue-
shield/fraud-prevention/quiz.sp and take the
health care fraud quiz. Record your score below. Read the
correct answer for any questions you missed.
Cha!J!e' 81 Privacy, Security, and Fraud 231
43. Visit http://oig.hhs.gov/fraud/medicaid-fraud-control-units-
mfcu/index.asp. What are the
duties of the Medicaid Fraud Control Units? How would a
health care practitioner report Medicaid
fraud?
Resources
American Hospital Association: www.aha.org
Cost of Fraud:
The_Sentinel_May2012_HBABCs_Fraud_Estimates.pdf
Health Care Portability and Accountability Act: www.hipaa.com
Health Care Fraud and Abuse:
Healthcare Rights: http://www.hhs.gov/healthcare/rights
HHS:
http://www.hhs.gov/ocr/privacy/hipaa/understandinglsummary/i
ndex.html
85. HIT: www.healthit.gov
http://oig.hhs.gov/reports-and-publications/hcfac/index.asp
Medicare Rights Center (for patients with Medicare):
www.medicarerights.org
National Library of Medicine:
www.nlm.nih.gov/medlineplus/patientrights.html
Patient Rights: http://www.hhs.gov/healthcare/rights
232 Port Two I Legal Issues for Working Health Care
Practitioners
· Final Case Analysis (27% of the final grade)
Assignments
Updated
I'm Done
Top of Form
Due October 16 at 11:59 PM
Bottom of Form
Final Case Analysis Project (27% of the final grade)
For the final project, you will provide a case study.
What is a Case Study?
For our purposes, a case study is a real-life health care
administrative situation involving a decision to be made or a
problem or issue to be resolved.
Case studies in general are detailed accounts of an organization,
company, industry, person or group of people, or project. The
case study may include information about company objectives,
strategies, challenges, results, recommendations, or more. The
case study may be a real-life situation described in its entirety
86. or so that portions of it are disguised for reasons of
confidentiality. It may also be fictional.
Most case studies are written in such a way that the reader takes
the place of the manager whose responsibility it is to make
decisions to help resolve the problem or issue. In almost all
case studies, a decision must be made, although this decision
may be to leave the situation as it is. For this assignment, case
studies can be brief or extensive and can range from several
pages to 30 pages or more.
Where Can I Find Sample Case Studies?
The Internet is a great source of sample case studies to examine
before you create your own. To find case study examples,
conduct a search using the words sample case studies. For
formatting help, click the link to see the Microsoft case study
template.
Parts of the Project
This project consists of two parts:
· Part 1 (2% of your final grade): Submit a summary of your
case study situation and challenge/concern to be addressed.
Upload your submission to the Assignment titled "Case Study
and Challenge Section" in week 5.
· Part 2 (25% of your final grade): Submit a case study with the
following:
1. opening paragraph—introduction to the situation
1. background organizational information—history, mission,
values, competition, financial information, and additional
information of significant value
1. area of interest—strategic planning, leadership, marketing,
finance, health care operations, human resources
1. definition of the challenge/concern—specific problem or
decision(s) to be made; this is your problem statement
1. alternative situations/solutions—list of options for meeting
the challenge or concern
1. conclusion—summary of the situation, any constraints or
limitations, and the urgency of the situation, with the best
alternative presented and defended
87. Most but not all case studies will follow this format. The
purpose here is for you to thoroughly understand the situation
and the decisions/discussions that need to be made. Take your
time and stay focused on your objectives.
Here, we'll pay a bit more attention to the fourth and fifth
components:
Defining the Challenge/Concern
The problem statement should be a clear and concise statement
of exactly what issue or concern needs to be addressed. This is
not challenging to write!
To pinpoint the challenge to be addressed, ask yourself the
following questions:
. What appears to be the issue/problem?
. How do I know that this is a problem? Note that, in answering
this question, you will differentiate the indicators of the
problem from the problem itself.
. What needs to be addressed immediately? Answering this will
help you to differentiate between problems that can be resolved
within the context of the case and larger issues that need to be
addressed at a later time.
. What is important and what is urgent? Some problems appear
to be urgent, but upon closer examination, are revealed to be
relatively unimportant, while others may be far more important
than they are pressing.
The problem statement can be framed as a question (e.g., What
should Sue do? or How can Mr. Smith improve? It typically has
to be rewritten several times during the analysis of a case, as
you peel back the layers of symptoms or causation.
Coming Up With Alternative Situations/
Solution
88. s
You'll want to answer the following questions to come up with
viable alternatives:
. Why or how did the challenge/concern arise? You are trying to
determine cause and effect for the problems identified. You
cannot solve a problem of which you cannot determine the
cause! It may be helpful to think of the organization in question
as consisting of the following components:
. people who transform. . .
. resources, such as materials, equipment, or supplies, using. . .
. processes, which create something of greater value
. Who is affected the most by the challenge/concern? You are
trying to identify the relevant stakeholders to the situation, and
who will be affected by the decisions to be made.
. What are the constraints and opportunities in this situation?
This paper should be about 7 - 10 pages of text.
****** SEE Below for topic already selected with summary!!!!!
******
Topic of the case study
The topic of the case study is, “Chronic diseases case study.” It
focuses on ailments such as HIV/AIDS and cancer that have
affected people in a rural area of South Africa. Also, how its
cost affected families in the communities in the area, especially
from the poverty stricken backgrounds.
89. Summary
The setting of the case study is in a rural area in South Africa
known as Hoedspruit that is also a home for the MRC/Wits
Rural Public Health and Health Transitions Research Unit. They
help in conducting the research as they were very conversant
with the locals’ problems and their spoken language. It involved
the research in discovering and exploring the challenges that
family members undergo if one of them has been affected by
any chronic disease. The research involved the inclusion of
different families who had a member of the family affected by
the chronic illness. However, even it some the locals were
entangled and lived in deplorable conditions, it was seen that
they had mechanisms that helped them cope with the situation
despite the hardship. As a result, the data revealed that most of
the families opted not to seek medical attention because of the
expensive treatment. The longitudinal data shown in the study
has validated the importance of the three access barriers:
affordability, availability, and acceptability that form the
integral part of the discussion.
Reference
BMC health services research. (2009). Affordability,
availability and acceptability barriers to health care for the
chronically ill: Longitudinal case studies from South Africa.
Retrieved from:
http://download.springer.com/static/pdf/612/art%253A10.1186%
91. CARLENE HARRISON
Key Terms
120
Professional Liability
and Medical
Malpractice
LEARNING OUTCOMES
After studying this chapter, you should be able to:
LO 5. 1 Identify three areas of general liability for which a
physician / employer is responsible.
LO 5.2 Describe the reasonable person standard, standard of
care, and duty of care.
LO 5.3 Briefly outline the responsibilities of health care
92. practitioners concerning privacy, confidentiality, and
privileged communication.
LO 5.4 Explain the four elements necessary to prove
negligence (the four Ds).
LO 5.5 Outline the phases of a lawsuit.
LO 5.6 Name two advantages to alternative dispute
resolution .
FROM THE PERSPECTIVE OF.
TINA, A MEDICAL RECORDS SUPERVISOR in a small-town
medical clinic, always spends a lot of time with new employees
review-
ing the importance of confidentiality. One of her real-life
lessons is
about the new employee, Samantha, who accidentally and
innocently
93. violated confidentiality, causing the clinic where she worked to
be sued.
Samantha saw one of her high school friends in the hallway of
the
clinic. The friend told Samantha that she was pregnant. A week
later,
Samantha saw her friend's mother in the local grocery store and
con-
QTatulated her on becoming a grandmother. What Samantha did
not
know was that her friend was not planning to continue the
pregnancy
· and had told no one that she was pregnant. The clinic was sued
for
i olating confidentiality. Tina's strong advice to all employees
has
since become: "What you learn in this clinic stays in this
clinic."
From Tina's perspective, even remarks that seem innocent and
harmless, if spoken outside the health care workplace, can
violate pri-
,·acy and create liability for employers and employees.
94. From the perspective of new employees, Samantha's experience
is a
~esson well-learned.
From the perspective of Samantha, who did not think twice
before
she spoke, what she thought were innocent remarks created a
distress-
ing and damaging situation. Samantha's career in health care
was over
:.. efore it had begun.
iability
_-ill competent adults are liable, or legally responsible, for their
own
:1: , both on the job and in their private lives. As homeowners
and
• erators of automobiles, we carry liability insurance in case
someone
- injured in our homes or we are involved in a car accident. In
the work-
: lace, employers carry liability insurance to cover situations in
which
95. :::::nployees, or anyone else on the premises, may be injured or
harmed.
As employers, physicians have general liability for:
The Practice's Building and Grounds. Adequate upkeep will
help ensure that employees and patients are not injured on the
premises. Employers must provide protection against theft, fire,
and burglary in the building and must take all precautions to
ensure that patients' records are protected. Theft, fire, and
liability insurance to cover the workplace is a must for the
physician/employer.
Automobiles. If employees must use their own or the
physician's
automobile in the performance of their daily work (for example,
to drop off or pick up mail or supplies), the employer must be
adequately insured for liability in the event of an accident.
Employee Safety. Employers must provide a reasonably
comfortable and safe work environment for employees. State
(and, in some instances, federal) regulations apply, but they
vary
from state to state. Employers should check with the state
agency
96. governing safety in the workplace, with workers' compensation
LO 5.1
Identify three areas of general
liabi lity for which a physician/
employer is responsible .
liable
Legal ly responsible or obligated .
COURT CASE Nurse Sues Employer After Fall at Work
A registered nurse working as a supervisor in a dialysis
clinic slipped in a puddle of water on the floor at work
and injured her neck and lower back. She had surgical
fusions of the cervical and lumbar spine, and she contin-
ued to have serious symptoms, including debilitating pain
97. and urinary incontinence, for which she received numer-
ous medications. The neurosurgeon who treated the
injured nurse said that he did not think she would be able
to return to gainful employment as a registered nurse,
even in a sedentary position. The nurse had been earning
$1 00,000 per year, and her employer had not offered
her any other position. The trial court found the defen-
dant to be "I 00 percent disabled," which entitled her to
commensurate Worker's Compensation payments. Since
Workers Compensation benefits are paid for, in one way
or another, for a state's employers, the injured nurse's
employer appealed this decision. The appeals court
upheld the trial court's decision.
98. MOUSSEAU v. DAVIT A, INC., No. W20 I 0-02612-SC-WCM-
WC
(Tenn. Aug. 22, 20 I I).
LO 5.2
Describe the reasonable person
standard, standard of care, and duty
of care.
standard of care
The level of performance expected of a
health care practitioner in carrying out
his or her professional duties.
duty of care
The legal obligation of health care
workers to patients and, sometimes,
non patients.
reasonable person standard
That standard of behavior that judges
a person's actions in a situation
according to what a reasonable person
would or would not do under simil ar
99. circumstances.
laws, and with state medical societies to determine safety rules,
rights, and responsibilities. A general safety procedure book for
medical office workers should include guidelines for the
handling
of hazardous laboratory wastes and materials.
Standard of Care and Duty of Care
Standard of care refers to the level of performance expected of a
health
care practitioner in carrying out his or her professional duties.
Duty of
care is the obligation of health care workers to patients and, in
some
case, nonpatients. Physicians have a duty of care to patients
with
whom they have established a doctor-patient relationship, but
they
may also be held to a duty of care toward people who are not
patients,
such as the patient's family members, former patients, and even
office
personnel. Generally, if actions or omissions within the scope of
a
100. health care practitioner's job could cause harm to someone, that
per-
son is owed a duty of care.
For example, medical facility custodians are nonpatients to
whom
a duty of care is owed. Various drugs, equipment, and supplies
are
used and discarded daily in a medical facility. Procedures for
the
proper disposal of drugs and potentially hazardous materials
should
be detailed in a facility's safety manual, so that employees who
handle
these materials do not accidentally prick themselves with used
nee-
dles or otherwise injure themselves.
In some instances, depending on the situation and state law,
physi-
cians may have a duty under standard of care to warn
nonpatients of
danger, as in the case of a psychiatric patient who threatens
harm to
others or in the case of a patient with a communicable disease.
101. Two court cases, "Therapists Found Guilty of Failure to Warn"
(p. 123)
and "Sharing a Prescription Drug Proves Costly" (p. 124), show
that
courts vary widely in establishing a duty of care, according to
the laws
in the states where lawsuits are adjudicated. In "Sharing a
Prescription
Drug Proves Costly," wrongful death was also charged, which is
dis-
cussed in further detail as you progress through this chapter.
As mentioned in Chapter 4, we are responsible for our actions
(or our
failure to act) under the reasonable person standard. That is, we
may be
charged with negligence if someone is injured because we failed
to
122 Part Two I Legalis sues for W orking Health Care
Prad:ioners
102. perform an act that a reasonable person, in similar
circumstances, would
perform or if we committed an act that a reasonable person
would not
commit. Professionals-individuals who are specially trained to
perform
specific tasks-are held to a higher standard of care than
nonprofession-
als (laypersons). If a patient is injured because a health care
professional
failed to exercise the care and expertise that under the
circumstances
could reasonably be expected of a professional with similar
experience
and training, then that professional may be liable for
negligence.
PHYSICIANS
A physician in general practice is expected to conform to the
stan-
dards of other general practitioners in his or her own or a
comparable
community. A specialist is held to a higher standard of care
than that
103. expected of a general practitioner. The standard of care for a
specialist
is generally the same as that for like specialists, wherever they
prac-
tice. Similarly, any health care practitioner-nurse, phlebotomist
Therapists Found Guilty of Failure
to Warn
In October 1969, Prosenjit Poddar, a foreign student
'om Bengal, India, killed Tatiana Tarasoff. Two months
:>efo re, Poddar had confided his intention to kill Tarasoff
:o Dr. Lawrence Moore, a psychologist employed by the
Cowe ll Memorial Hospital at the University of California
zt Berkeley. Poddar told Moore he would kill Tarasoff
"' er she returned from spending the summer in Brazil.
Acting on this information, Moore notified the cam-
104. :: s police, who briefly detained Poddar, but determined
at Poddar was rational and released him. Upon Pod dar's
-elease, Moore's superior, Dr. Harvey Powelson, directed
::. at all of the letters and notes Moore had written while
: unseling Poddar be destroyed and no further action be
-- e n to detain Poddar in the future.
Soon thereafter, Poddar convinced Tarasoff's brother
- share an apartment with him near Tarasoff's residence.
-'he n she returned from Brazil, Poddar went to Tarsoff's
- me and killed her. Tarasoff had not been warned of the
: ssi ble danger Poddar posed.
Tarasoff's parents sued, arguing that the psychologist had
- :::uty to warn them of Poddar's danger to their daughter,
105. :.- that the campus police negligently released Poddar with-
--~ notifying them of their daughter's grave danger. They
- - argued that the police failed to confine Poddar, under
:-.:: Lanterman-Petris-Short Act, a California law designed to
: -ect mentally ill and mentally disabled persons from cer-
- abuses, and to guarantee and protect the public interest.
-:ne defendants argued that there was no duty of care
"Md T atiana T arasoff, and that, as employees of the state,
they had governmental immunity. The trial court granted
the defendants' motion to dismiss. On the plaintiffs' appeal,
the court affirmed dismissals against defendant police on
all claims, stating there was no duty to plaintiffs. Dismissals
106. against the defendant therapists were also upheld , holding
they were protected by governmental immunity. Plaintiffs
appealed to the Supreme Court of California.
The Supreme Court allowed the plaintiffs to amend their
appeal to state that the therapists failed to warn Tatiana
(rather than her parents, as in the original complaint).
The Supreme Court of California heard the case based
on the question "Did defendant therapists have a duty to
warn Tatiana Tarasoff?"
Yes, the court determined. It was found that the defen-
dant therapists should have determined that Poddar pre-
sented a serious danger to Tarasoff, and they failed to exercise
reasonable care to protect her from that danger (i.e., when a
107. therapist determines that a patient poses a danger to another
individual, he or she is obligated to use reasonable care to pro-
tect that individual). Therefore, defendant therapists breached
their duty of care to Tatiana Tarasoff and were negligent
by not warning her of the possible danger posed by Poddar.
Tarasoff v. Regents of University of California, 17 Cal. 3d 4 25,
13 I Cal.
Rptr. 14, 551 P.2d 334 ( 1976).
Prosenjit Pod dar was later convicted of second-degree
murder, but the conviction was ap pealed and overturned,
based on the decision that the jury was inadequately
informed. No second trial was held, and Poddar was
released on the condition that he return to India.