HIPAA Privacy and Security in Public Health Laboratories
Information security is of major concern to contemporary health care organizations. Those responsible for ensuring and maintaining the security of sensitive information often face a puzzling array of urgent legal and technical concerns and competing priorities. Since the inception of the U.S. Health Insurance Portability and Accountability Act (HIPAA) in 1996, numerous efforts have been put in place to safeguard protected health information (PHI) as a mechanism to mitigate the consequences of security and privacy breaches on the hospital’s reputation, regulatory bodies, healthcare professionals, public health providers and the general public.
For the purpose of the act, the term protected health information is used to refer to any kind of information, whether electronic, oral, pictorial, physical, written or any other form, that relates to a person’s past, present and future. It may also involve mental or physical health status, treatment, products purchased, condition or any other identifiable health information, and which can directly reveal the identity of the covered entity. Protected information under the privacy rule includes personal and demographic information such as names, telephone numbers, social security numbers, email addresses, health plan beneficiary numbers, serial numbers and vehicle identifiers, internet protocol addresses, uniform resource locators and biometric identifiers such as full-face photographic images, fingerprints and other related images. This provision also sets the requirement for healthcare providers and health plans to provide patients or clients with a clear written explanation of how the patient information and records can be used, kept and disclosed. Under the privacy rule, covered entities of different functions and sizes are allowed to implement safeguards to protect identifiable health information of patients in relation to their circumstances.
Moreover, the privacy rule safeguards the patient’s right to request restrictions on the use and disclosure of his information to outside parties, including financial institutions and life insurers, for non-health purposes. On the other hand, there are cases when the patient’s consent rights over the use and disclosure of identifiable health information are limited for purposes of treatment, healthcare and payment operations to a contractor or vendor that is not a covered entity. As Glandon et al. (2008) put it, such permissible conditions may include a situation where such information is needed by healthcare authorities or other public health providers for controlling or preventing disease, disability, injury or other outcomes where the safety of individuals or the public is at stake.
Whereas the privacy rule establishes to whom and under what circumstances the health care provider or health plan may disclose patient information, the security rule outlines the procedure to be followed by the lab medical technician to protect any identifiable information from unauthorized disclosure through security breaches. Documented evidence indicates that management and acceptance of risk assume a significant role in improving the workflow of inpatient facilities through a process known as informed consent. In the actual laboratory setting, patients are required to be provided with adequate information to support their understanding of the procedure, potential outcomes and risks involved in the process. In this way, patients are left with the ultimate responsibility to make their own personal decision on whether those risks are acceptable or not.
As Hayden (2013) notes, inpatient facilities such as laboratories are required to provide detailed documentation of the patient’s understanding and approval of the presumed risks or liability in the event things turn out unexpectedly. Accordingly, the application of these provisions in inpatient settings has produced a considerable amount of administrative overhead, mainly spent on documenting, collecting, educating and tracking the informed consents. Moreover, when patient consent is not required, the main challenge is usually the issue of patient identification. As previous practical cases have indicated, patient identification can be a very complex issue that can trigger severe or fatal outcomes in the event mistakes are made.
Laboratory facilities most successfully address the issue of patient identification by employing well-integrated systems and equipment. Notably, a combination of verifiable elements such as a person’s name, date of birth, primary identification number (passport, social security number, national ID) and an identification picture often helps to confirm the identity of a particular person in the selected medical record. Unidentifiable information is data that does not require individual privacy provisions because of its reduced risk of unauthorized use and disclosure (Strauss, 2013). It is necessary to mention that the privacy rule does not override the existing state, federal or local health laws, which set the provisions on the conduct of a public health investigation, intervention or surveillance, as well as the reporting of disease outbreaks, child abuse, rape victims, birth or death, to mention just a few.
Laboratories and public health agencies assume an integral role in preventing and controlling health concerns with the potential to cause public harm. As a result, they are required to gain meaningful access to identifiable health information in order to undertake various public health activities in terms of monitoring and responding to disease outbreaks or trends of disability among populations. Numerous interventions such as the provision of direct health services, outbreak investigations, public health surveillance, epidemiological research and even disclosure of PHI may prove essential in helping the relevant authorities analyze, monitor and respond to these incidents. According to studies, public health laboratories have a prime responsibility to produce relevant individually identifiable data that the public health community requires in order to determine whether an individual in question has contracted a particular condition or disease or may be exposed to harmful environmental poisons (Glandon et al., 2008). When the results of these tests are reported with identifiers to the patient’s requesting health care provider or physician, they qualify as identifiable health information under the privacy rule. In this case, understanding the need to protect individual privacy remains one of the key duties of public health care providers. Accordingly, irresponsible handling of patient information can greatly undermine the quality and integrity of the health information, thus compromising the provisions of the security rule as outlined in HIPAA (Hayden, 2013).
Whereas the privacy rule was designed for covered entities, the rule has substantial implications for public health authorities and even laboratories. In most cases, PHI has been successfully utilized for public health purposes and research activities under specific circumstances. First, the privacy rule has contributed to confusion regarding the manner in which covered functions are performed by public health laboratories. Another impact of the privacy rule on public health authorities stems from how it allows the various partners, namely public health departments, vital statistics divisions, state cancer registries, local public organizations and other relevant stakeholders, to act as the primary public health authority in order to perform these roles. Whereas these agencies operate under the ultimate mandate to protect the health of the population, they should at all times endeavour to understand and determine the scope and impact of these laws within their line of duty.
Privacy and Security in the Air Ambulance business