POTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS

Jeanne M. Born, RN, JD
22 JANUARY 2015
Jborn@nexsenpruet.com

Medical Record Information: Ownership and Patient Rights
- The physician owns the physician patient records.
- The hospital owns the hospital records.
- The patient has a limited access right to their health information.
- The Physician Patient Records Act: A patient or his legal representative has a right to receive a copy of his medical record, or have the record transferred to another physician, upon request, when accompanied by a written authorization from the patient or his representative to release the record.

Patient Access Rights
2003 HIPAA further refined the access right:
- A covered entity ("CE") must provide access when requested by the patient or the patient's personal representative
- Patient: if competent and able to consent
- Personal representative if not:
  - Minor: Parent or Legal Guardian
  - Adult: Court appointed guardian; Healthcare power of attorney; Spouse; Parent or adult child; Adult sibling, grandparent, or adult grandchild; Any other relative by blood or marriage reasonably believed by the healthcare provider to have a close personal relationship; Etc.
- 30 days to provide access (allowed to extend additional 30 days)

Patient Access Rights
2009 HITECH
If the CE uses or maintains an EHR with respect to PHI of an individual--
(1) the individual shall have a right to obtain from such CE a copy of such information in an electronic format and, if the individual chooses, to direct the CE to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific; and
(2) any fee that the CE may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity's labor costs in responding to the request for the copy (or summary or explanation).

Patient Access Rights
2013 HITECH Final Rule
- The individual has the right to request a copy of his/her PHI in electronic format if it is readily producible, or if not, in a hard copy form or in readable electronic form and format as agreed to by the CE and the individual.
- If the PHI requested is kept electronically, then the CE must provide the individual with access in the form and format requested by the individual, if it is readily producible in such form and format, or if not, in a readable electronic form and format as agreed to by CE and the individual.
- No extension beyond 30 days to provide access.

What happens if I don't provide my patient access?
Potential Liabilities:
- Professional disciplinary action by the Board of Medical Examiners: Misconduct includes - failure to provide pertinent and necessary medical records to another physician or patient in a timely fashion when lawfully requested to do so by a patient or by a lawfully designated representative of a patient.
- No teeth in the Physician Patient Records Act for violations.
- No private right of action under HIPAA... But the Attorney General ("AG") could sue if the AG had reason to believe that an interest of one or more residents of the State has been threatened or adversely affected by any person who violates a provision of HIPAA, the AG may bring a civil action on behalf of a resident to:
  - Enjoin further violations; or
  - Obtain damages (multiply each violation x $100 the total not to exceed $25K for each identical violation).
  - May award attorney fees.

Administrative Penalties
Cignet Health:
- Large multi-healthcare provider group
- Failed to provide 41 patients access to their PHI (were 41 complaints all individually filed with the OCR)
- Initial fine: $1.3 Million for failure to provide access
- Subsequent fine: $3.0 Million for failure to cooperate with the OCR's investigation (3/17/2009 - 4/7/2010)
- Total fine: $4.3 Million
Upshot - cooperate with the OCR investigation! But first, provide appropriate access!!

Providers' obligations to provide patient access to certain PHI
Meaningful use:
- Stage 1: EP: Beginning 2014, provide patients with the ability to view online, download, and transmit their PHI within four (4) business days of the information being available to the EP. Provide clinical summary of each office visit within three (3) business days
- Stage 1: EH: Beginning 2014, provide patients with the ability to view online, download, and transmit information about a hospital admission within 36 hours of discharge.

Providers' obligations to provide patient access
Meaningful Use:
- Stage 2: EP: Provide patients with the ability to view online, download, and transmit their PHI within four (4) business days of the information being available to the EP. Provide patients with clinical summary for each office visit within one (1) business day
- Stage 2: EH: Provide patients with the ability to view online, download, and transmit information about a hospital admission within 36 hours of discharge.

Change in the relationship dynamic between providers and patients
- Previously the provider controlled the timing of providing access to PHI.
- Patient had to wait until received a call from the provider or until the next appointment/encounter.
- Patient had to make a written request and wait.
- Now, providers must make PHI available electronically if requested (Privacy Standards).
- EPs must make PHI available within 4 days after availability to the EP (clinical summaries within 1 day of an office visit).
- EHs must make PHI available within 36 hours of discharge.
- Patients have always had access to their entire medical record, just not in real time.

Provide Access/Satisfy Meaningful Use Requirements
Patient Information Portal
- A patient portal is a secure online website that gives patients convenient 24-hour access to personal health information from anywhere with an Internet connection. http://www.healthit.gov/providersprofessionals/faqs/what-patient-portal
- Once you increase accessibility, you increase your potential for risks involved with security, privacy and professional liability.

Addressing the New Reality: Minimize Your Risks
Risks related to the security of the portal.
- Use only Certified Electronic Health Record Technology for your EHR: Make sure that your EHR technology is on the Office of the National Coordinator for Health Care Technology ("ONC") CEHRT list: http://oncchpl.force.com/ehrcert?q=chpl
- Use only CEHRT for your patient portal required under the meaningful use standards.

Addressing the New Reality: Minimize Your Risks
Risks associated with breaches in the privacy and security of PHI.
- Unauthorized Access/Breach of Unsecured PHI:
  - Implement appropriate administrative, physical and technical safeguards;
  - Educate your staff on the importance of security;
  - Audit/track access;
  - Encrypt the PHI.
- Have security incident processes in place.
- Have breach notification processes in place.

Addressing the New Reality: Minimize Your Risks
Potential risk for allegations of Professional Negligence:
- Potential for misunderstanding results
  - Laboratory tests
  - Radiology reports
- Potential for misunderstanding how the test results are used in diagnosis and treatment decision-making
- Piecemeal presentation of information - loss of opportunity to provide the overall picture
- (Most) patients are not diagnosticians
- Potential for the physician/office staff to not be aware of critical information the patient placed in the EHR through the portal
- Potential for incomplete/incorrect information uploaded

Addressing the New Reality: Minimize Your Risks
Patient education is key
- Get written consent to post the patient's information on the portal.
- Consider providing a user policy and have patients accept the terms of use for portal.
- Convey to the patient: Once you create access your information (username/password) you must take care to maintain the privacy and security of the access.
- Communication is key:
  - Brochure
  - On-line presentation
  - Notice of Privacy Practices ("NPP")
  - Modify the Access section of your NPP
  - Face-to-face communication: You may have access to this result on-line through the portal before we have an opportunity to discuss how the results of this testing impact your treatment.

Addressing the New Reality: Minimize Your Risks
Risks associated with the PHI of a minor.
- Special circumstance: Minor patients who can make health care decisions without parental consent:
  - Parents and legal guardians have access to PHI of minors at any age.
- Counsel minors: Inform minors that parents/legal guardians have access rights to a minor's PHI even if:
  - The minor pays out of pocket for the health care service.

Addressing the New Reality: Minimize Your Risks
Review office practices
- Additional sensitivity to timing/review of testing and imaging results and making patient contact.
- Office staff education is key: Educate your educators; Make opportunities to educate patients.
- Establish mechanisms to be alerted to new information and when actions are taken on that information;
- Audit/track when physician/staff access to check.
- Documentation: Remember to document in the EHR your communication with your patient through the portal (if not automatically added to the EHR).

Addressing the New Reality: Minimize Your Risks
Risks associated with relying on information patient communicates through the portal to:
- Refill prescriptions (controlled substances - DON'T);
- Triage or make a diagnosis in lieu of an office visit - DON'T;
- Take great care when dispensing medical advice via the portal
- Limit use to non-emergency/educational communications.
- Clearly, constantly and continually communicate the appropriate use of the portal.

Addressing the New Reality: Minimize Your Risks
- Consult legal counsel
- Review your general and comprehensive liability policies:
  - Consider cyber-insurance coverage if you haven't already.
  - Notify your insurance carriers of the change in your practices.

Addressing the New Reality: Minimize Your Risks
- Risk for miscommunication of test results: Civil liability: negligence/intentional infliction of emotional distress
- Risk for not achieving meaningful use = Lost $$$

Jeanne M. Born, RN, JD
Nexsen Pruet, LLC
803.540.2038
jborn@nexsenpruet.com