* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download notes #7
Race and health wikipedia , lookup
Maternal health wikipedia , lookup
Patient safety wikipedia , lookup
Health system wikipedia , lookup
Reproductive health wikipedia , lookup
Health equity wikipedia , lookup
Electronic prescribing wikipedia , lookup
Privacy and Health Law 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 1 Learning Objectives • Explain why health information management professionals must be knowledgeable about medico legal issues. • Distinguish between confidential and non confidential information within a health information system. • Describe general legal principles governing access to confidential health information in a variety of circumstances. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 2 Learning Objectives • Distinguish proper or valid requests for access to health information from improper or invalid requests. • Describe the four components of negligence. • Distinguish between properly executed consents and authorizations and incomplete or improper consents and authorizations. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 3 Why are Legal Issues So Important to Health Information Management Professionals? • Health care providers are required by law to maintain health records. • Some requests for health information are legitimate while others are not. • HIM professionals must make decisions about what information can and cannot be disclosed. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 4 Why are Legal Issues So Important to Health Information Management Professionals? Fundamentals of the Legal System • Laws govern: – Private relationships • Relationships between private parties – Public relationships • Relationships between private parties and the government 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 5 Why are Legal Issues So Important to Health Information Management Professionals? Fundamentals of the Legal System • Private Law consists of: – Tort actions • Is allegation that one party’s wrongful conduct has caused another party harm • Wronged party seeks damages. – Contract actions • Is allegation that a contract exists between two parties and that one party has breached that contract in some manner. • Wronged party seeks compensation or a court order to enforce the contract. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 6 Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law • Health Care Law comes from four main sources: – Federal and state constitutions – Federal and state statutes – Rules and regulations of administrative agencies – Court decisions 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 7 Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law – Constitutional Law • Constitution is the highest law in the United States. • If there is a conflict between the Constitution and other laws, the Constitution overrides the other law. • When a law is found to be “unconstitutional” it means that it conflicts with the Constitution, making that law invalid. 9/18/2012 ISC471/HCI 571 Isabelle 8 Bichindaritz Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law – Constitutional Law • U.S. Constitution also limits the powers of the federal and state governments. – Bill of Rights protects specific rights of the citizens. • Example: The people are protected from deprivation of property without due process. • In a public health facility, a physician’s appointment to the staff is considered a property right. • The physician cannot be terminated without due process, such as a full hearing. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 9 Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law – Constitutional Law • The right of privacy: – Very important in health care – Not an express right in the Constitution – Basic definition is the right to: • Be left alone • Make decisions about one’s own body • Control one’s own information 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 10 Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law – Federal and State Statutes • Examples of Laws that affect health care facilities are: – Americans with Disabilities Act – Safe Medical Devices Act – American Recovery and Reinvestment Act of 2009 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 11 Why are Legal Issues So Important to Health Information Management Professionals? Sources of Law – Federal and State Statutes • If there is a conflict between federal and state law, federal law controls. • If there is conflict between state and local law, state law controls. • Therefore the hierarchy of laws is: Constitution federal law state law local law 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 12 The Legal System The Court System Federal Courts • Three levels of courts: – Trial courts – Intermediate courts of appeal – Supreme court • Federal trial courts: U.S. district courts • Appeals from U.S. district courts go to a U.S. court of appeals. – There are 12 circuits, each has its own court of appeals. 9/18/2012 ISC471/HCI 571 Isabelle 13 Bichindaritz The Legal System The Court System State and Territory Courts • States typically have three levels of courts just like the federal government: – The names of the courts vary by state, but they still generally include: • Trial courts • Intermediate courts of appeal • A high court • Some state trial courts are further divided into specialty courts such as: – Traffic court – Probate court – Family court 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 14 The Legal System Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence • Negligence: – Conduct that society considers unreasonably dangerous because: • The party knew or should have known that the conduct (or absence of conduct) would subject others to an appreciable risk of harm. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 15 The Legal System Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence • Two theories to hold the hospital responsible for the conduct of its employees: – Respondeat superior: • Literally means let the master answer. • Legal system holds the health care organization responsible for the negligent actions of the organization’s employees or agents when their actions are performed within the scope of their employment. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 16 The Legal System Cases that Involve Health Care Facilities and Providers – Malpractice and Negligence – Corporate negligence: • Corporate negligence is when courts hold health care organizations liable for their own acts of negligence. • Organizations responsible for monitoring the activities of all the people who function within their facilities. • Includes employees and independent contractors (such as physicians). • Organizations also responsible for complying with appropriate industry standards. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 17 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Claims against health care facilities may include: – – – – – – – 9/18/2012 Assault Battery False imprisonment Defamation of character Invasion of privacy Fraud or misrepresentation Intentional infliction of emotional distress ISC471/HCI 571 Isabelle Bichindaritz 18 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Assault: – Is a deliberate threat + the apparent ability to do harm to another person without that person’s consent. – Does not require any actual physical contact. – Victim must be aware of the threat. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 19 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Battery – Battery is touching another person in a socially impermissible manner without consent. – Victim does not have to be aware of the touching. – Consent may be implied – when an unconscious person is treated in a facility for life-saving treatment. – This is primary reason that written consent is required for all procedures. – Does not matter if the treatment would help the patient. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 20 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • False imprisonment: – – – – Unlawful restrain of a person’s personal liberty Unlawful restraining or confining of a person No requirement of physical force Does require the reasonable fear that force will be used to detain or intimidate the victim into following orders – Examples in this context: • Refusing to let a patient leave until the bill is paid • Use of physical restraints only because of understaffing to monitor patients 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 21 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Defamation of character: – Two types: • Slander – oral • Libel – written – Is a communication that tends to damage the defamed person’s reputation in the eyes of the community. – Must show communication to a third party. – A defense to defamation is truth of the statements. – If the statement occurs during a privileged communication (example, confidential communications between spouses, discussion with a priest) there is no defamation unless there was a malicious intent. – Is rare in a health care context. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 22 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Invasion of privacy: – Very important in a health care context – Negligent disregard for a patient’s privacy can result in: • A tort claim • Regulatory penalties • Criminal penalties – Invasion of privacy includes: • Divulging confidential information from a patient’s record to an improper recipient without the patient’s consent 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 23 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Fraud: – Willful and intentional misrepresentation that could cause harm or loss to a person or the person’s property – May include: • Improper billing for procedures not performed • Deliberately coding incorrectly to gain a higher payment • Promising a certain surgical result when not certain 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 24 The Legal System Cases that Involve Health Care Facilities and Providers – Intentional Torts • Intentional infliction of emotional distress – Must be intentional – Must actually cause significant emotional distress 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 25 The Legal System Cases that Involve Health Care Facilities and Providers – Crimes and Corporate Compliance • Health Information Portability and Accountability Act of 1996 (HIPAA), the Balanced Budget Act, and the Federal False Claims Act all impose penalties for health care providers who engage in fraudulent practices. – May include criminal sanctions. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 26 The Legal System Cases that Involve Health Care Facilities and Providers – Noncompliance with Statutes, Rules, and Regulations • Failure to comply with government imposed statutes, rules, and regulations can lead to: – – – – 9/18/2012 Monetary penalties Criminal penalties Removal from participation in Medicare Loss of licensure ISC471/HCI 571 Isabelle Bichindaritz 27 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duties to Patients in General • Patients have certain rights in connection with their health care. • These rights are established by laws, rules, regulations, ethical codes, or the Constitution. • These laws alert the patients to their rights and provide remedies for the patient if health care providers fail to respect their rights. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 28 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Health Information • HIPAA outlines what documents must be maintained for patient access and use as part of a designated record set (DRS). • Patients must be able to access the information in the designated record set for at least 6 years. • Designated Record Set for a covered entity include: – The medical records and billing records about individuals maintained by or for a covered health provider – The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan – Use, in whole or in part, by or for the covered entity to make decisions about individuals 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 29 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Health Information • Implied duty to maintain health information can be found within: – Vital statistics laws – Mandatory reporting does not require patient consent, in fact may be done over express request by the patient not to report. – Natural tension between reporting requirements and confidentiality 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 30 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Health Information • Laws requiring the reporting of certain diseases and medical events: – – – – – – – – 9/18/2012 Gunshot wounds Suspected child abuse Elder abuse Industrial accidents Certain poisonings Abortions Cancer cases Communicable diseases ISC471/HCI 571 Isabelle Bichindaritz 31 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure • Administrative Simplification section of HIPAA is in part designed to stimulate the development of standards to facilitate electronic maintenance and transmission of health information. – In response DHHS adopted standards for electronically maintained health information and for electronic signatures. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 32 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure • HIM professionals must: – protect health care information from loss or destruction – prevent the corruption of electronically stored data from power losses and surges – protect the integrity of the information itself • protect from inappropriate alteration • control access to records • make special precautions for records involved in litigation 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 33 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Addenda • When new information is being added to a record • Patients may ask for an amendment to their record. – Generally will be granted unless it falls under a specific exception that allows for denial. – If granted, should be treated as an addendum to the record without change to the original entry. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 34 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Authentication and Authorship Issues • Authentication: – Identification of the author of a document or entry – Indication that the author has reviewed the entry for accuracy and attests to it – Paper: original signature or stamp – Electronic: use of a unique identification code and password 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 35 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Validity of Health Information as Evidence • Important reason to protect health records is for their potential use as evidence in court. • Hearsay Rule prohibits the admission into evidence of out-of-court statements (including written statements) unless they fall under one of the specific exceptions to the rule. • Health records are often considered an exception to the “hearsay rule.” • Exceptions are generally circumstances where there is a presumption of reliability. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 36 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Retain Health Information and Other Key Documents and to Keep Them Secure – Validity of Health Information as Evidence • Judge makes a determination as to whether or not the medical records will be admitted as evidence as an exception to the hearsay rule. • The HIM professional is often responsible for testifying in court that the health record is kept in the normal course of business. • Best evidence rule: If the original record exists, it must be provided; if not, a copy may be deemed acceptable if it can be authenticated properly. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 37 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality • Communications between patients and their health care providers are confidential. • Health care workers are bound to maintain the confidentiality of private health information. • A primary goal of HIPAA is to protect the confidentiality of protected health information. • Organizations required to provide patients with a notice of their privacy practices. • Not all information in the health record is protected so it is important that health care workers understand what is and is not confidential • If the state has more restrictive rules on confidentiality, they will govern, HIPAA would not override 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 38 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality • HIPAA definition of protected health information: – Individually identifiable health information that is transmitted by electronic media, maintained in any medium described as electronic media, or transmitted or maintained in any other form or medium 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 39 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality • Definition of individually identifiable health information: – Information that is a subset of health information, including: • Demographic information • Information created or received by a health care provider, health plan, employer, or health care clearinghouse • Relates to the past, present, or future physical or mental health or condition of an individual • Relates to the provision of health care to an individual • Relates to the past, present or future payment for the provision of health care to an individual • That which identifies the individual. • Information that could reasonably be believed to identify the individual 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 40 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality • HIPAA privacy rule used to only apply to covered entities, it has recently been expanded to include the covered entities business associates. – Covered entity: • Health care provider that conducts certain transactions in electronic form • A health care clearinghouse • A health plan • Business associate agreement: used when a health care organization contracts out to a third party to handle or process personal health information (including billing). 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 41 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality – Privacy Act of 1947 • Designed to give citizens some control over the information that the federal government and its agencies collect • Grants people the right to: – – – – Find out what information about them has been collected See and have a copy of that information. Correct or amend the information. Exercise limited control of the disclosure of that information to other parties. • Applies to: – Health care organizations operated by the federal government – Record systems operated pursuant to a contract with a federal government agency 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 42 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality – Freedom of Information Act • Requires that records pertaining to the executive branch of the government be available to the public. • Exception is matters that fall within nine explicitly exempted areas. • One of these areas sometimes includes medical records: – Personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” – Unwarranted invasion of personal privacy: • Information is contained in a personnel, medical, or similar file. • Disclosure constitutes an invasion of personal privacy. • Severity of the invasion outweighs the public interest in disclosure. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 43 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Maintain Confidentiality – Regulations on Confidentiality of Alcohol and Drug Abuse Patient Records • Restrict disclosures of patient health information without patient authorization • Specifically apply to facilities that provide alcohol or drug abuse diagnosis, treatment, or referral for treatment • Facility must offer either: – An identified unit that provides alcohol or drug abuse diagnosis, treatment or referral for treatment – Medical personnel or other staff whose primary function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 44 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Internal Uses and External Disclosures of Health Information • Internal uses may not need patient authorization. • Health care workers who are involved in the treatment of a patient have access, but this does not extend to employees of the organization who are not involved in the patient’s care. • Minimum necessary is only the minimum necessary amount of information to fulfill 9/18/2012 ISC471/HCI 571 Isabelle 45 the request should be shared. Bichindaritz Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Internal Uses and External Disclosures of Health Information • Under HIPAA internal uses include: – Treatment – Payment – Health care operations • External disclosures often do not need patient authorization either. – Disclosure to a lawyer who represents someone other than the hospital would require authorization. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 46 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Health Information Ownership • Generally – the health facility owns the record but the patient has an ownership interest in the information within the record. • Patient maintains a right to control the flow of his or her private health information. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 47 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Resources on Releasing Patient Information • Organizations must set policies and have written procedures to guide staff in responding to requests for information. • Should use the most up-to-date resources available because laws change frequently. • Sources to help write the policies: – State HIM association legal manuals – Peers in other local facilities – AHIMA guidelines and practice standards 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 48 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Authorizations for Disclosure of Patient Information • Standards for what must be present in an authorization are included in: – HIPAA Privacy Rule – Regulations on Confidentiality of Alcohol and Drug Abuse Patient Records – Many state laws • HIM professionals have the responsibility to ensure that authorizations meet all applicable standards. • Violations of the standards set forth in the HIPAA Privacy Rule can result in penalties. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 49 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Direct Patient Care • Reasonable assumption that when a patient comes in for care, he or she authorizes the care providers to have information about his or her conditions and treatments. • HIPAA privacy rule allows internal uses of protected health information for treatment without patient authorization. – Does not include access for anyone in the facility who may be curious. • Internal use should still be restricted to those who need to know in order to treat the patient. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 50 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Direct Patient Care • In cases where the patient is being treated externally (by a new doctor, in a nursing facility) some or all the information from the record may need to be disclosed. – In these cases HIPAA Privacy Rule permits disclosure for treatment without authorization. – There may be other regulations (state-based) that do require authorization. • Conservative view – get authorization any time that there is an external disclosure except when an emergency prevents authorization. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 51 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Performance Management and Patient Safety • Health information sometimes is used to evaluate that quality of care and services provided to patients. • In these cases, it is not important who the patient is, just the procedures for treatment. – Records would be referred to by number so no names would be used. • HIPAA does not require authorization for use of health information in this context. • Important to verify that the requester in fact wants the information for quality management purposes. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 52 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Research • Also involves impersonal use of the records • It does not matter who the patient is, just the symptoms, treatment, and results. • Facility should still have a policy as to when records can be released for research without patient authorization. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 53 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Research • Researchers often have to have projects reviewed by an institutional review board. – Researcher may need to specify data security provisions. – HIM professional may need to review the data collection forms to ensure that patient-identifiable data are not to be included. – Special problems arise if the researchers want to contact patients directly. – Verifying the names and addresses of patients is possibly a breach of confidentiality. – The facility may agree to contact the patient on behalf of the researcher to determine the patient’s willingness to participate. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 54 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure for Payment Purposes • This is one of the most frequent disclosures of health information. • HIPAA does not require authorization for this purpose but some states do. • New regulations allow an option for patients to shield some information from their insurer. – Must be a circumstance where the patient is paying for the service in full out of pocket. • Complicated issue because the person whose information is going to the insurance company may not be the person who applied for coverage (generally a family member) – One solution is making the authorization for disclosure to the insurance company a part of the general consent to treatment. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 55 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Disclosure to Attorneys • Requires one of: – Written authorization from the patient or the patient’s legal representative – Valid subpoena that meets HIPAA’s special requirements • No authorization is required if the attorney represents the health care provider that owns the record. – Attorney for the hospital does not require authorization. – Attorney for an individual employee of the hospital does. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 56 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access • Internal systems must protect health information from: – – – – – 9/18/2012 Loss Theft Destruction Alteration Unauthorized access ISC471/HCI 571 Isabelle Bichindaritz 57 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access • Important job of HIM professionals is to keep confidential information out of the hands of unauthorized users through: – – – – – 9/18/2012 Appropriate policies and procedures Facility and space planning Information systems design and selection Staff education Security management ISC471/HCI 571 Isabelle Bichindaritz 58 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers General Principles Regarding Access and Disclosure Policies – Health Information Management Department Security Measures to Prevent Unauthorized Access • Policies and procedures should be specific as to who has access to what. • HIPAA rules require that access control decisions be based on need. – HIM professionals should never hesitate to verify the validity of a request. – Verification of employee identification is always important. 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 59 Legal Obligations and Risks of Health Care Facilities and Individual Health Care Providers Duty to Obtain Informed Consent to Treatment • It often means getting a patient to sign a form. • Informed consent is only valid though if it means that the patient and the health professional have had: – sufficient communication that the patient has information about the anticipated treatments and – the communication has met certain basic requirements • Duty to obtain informed consent is split into two basic parts: – Duty to obtain a general consent for treatment – Physician’s or surgeon’s duty to obtain a separate informed consent before the performance of surgery or other invasive procedure 9/18/2012 ISC471/HCI 571 Isabelle Bichindaritz 60