Pages:
5 pages/≈1375 words
Sources:
5
Style:
APA
Subject:
Health, Medicine, Nursing
Type:
Essay
Language:
English (U.S.)
Document:
MS Word
Topic:

Patient Confidentiality and the HIPAA Rule

Essay Instructions:

Textbooks-

“The following is a list of the readings for Week 5 of this course:
1.    AMA, Patient Confidentiality
2.    Bradshaw v. Daniel
3.    Summary of the HIPAA Privacy Rule
4.    HIPAA Breach Notification Rule
5.    I.S. v. Washington University”

• Week 5: Tutorial Questions
Questions:
TQ 5.1: Patient Confidentiality Overview: What constitutes a breach of patient confidentiality? What are some of the
key exceptions to the requirement to protect patient confidentiality?

TQ 5.2: Bradshaw v. Daniel: Under what circumstances do providers have a duty to breach confidentiality to warn a third
party about a patient’s medical condition? Is the duty to warn limited to patients with contagious diseases?

TQ 5.3: Summary of the HIPAA Privacy Rule: What is PHI? What is a covered entity? What is a business associate?
What is an authorization? What is the “minimum necessary” requirement? What is the difference between a “permitted”
and an “authorized” use or disclosure?

TQ 5.4: HIPAA Breach Notification Rule: (1) In one sentence, summarize the basic purpose of the HIPAA breach
notification rule. (2) What do you think is the rationale behind the three exceptions to the definition of “breach”? In other
words, why shouldn’t these circumstances trigger the usual notification requirement?

TQ 5.5: I.S. v. Washington University: What was the plaintiff’s cause of action in this case? In what way was HIPAA
relevant to the case?

Instructions for responses to the Tutorial Questions are available on the Course Information page.
For grading information, please see the Tutorial Question rubric in the Assessment Rubrics menu.
Week 5: Discussion Board Question 1

Questions:
DQ 5.1: In a case like Bradshaw, it is easy to understand the logic behind requiring the physician to inform third parties at
risk of contracting a deadly contagious disease. But what about a case involving a more stigmatizing medical diagnosis?
For example, if a provider discovers that a patient is HIV-positive, should the provider ever be required to disclose this fact
to the patient’s spouse? What are the strongest arguments in support of and against requiring disclosure in this situation?

Instructions for responses to the Discussion Questions are available on the Course Information page.
For grading information, please see the Discussion Question rubric in the Assessment Rubrics menu.
Week 5: Discussion Board Question 2

Questions:
DQ 5.2: Please read the news report “Flint family says HIPAA laws left them in the dark about dangerous relative - until it was too late” and then answer the following questions: Is it true that HIPAA prevented Cassie's physicians from warning her relatives? How would you advise physicians to handle situations like this in the future? Is existing DHHS guidance on these issues adequate?

Essay Sample Content Preview:

Tutorial and Discussion Questions
Name
Institutional Affiliation
Course Details
Instructor's Name
Due Date
Tutorial and Discussion Questions
TQ 5.1: Patient Confidentiality Overview
Patient confidentiality is one of the foundations upon which modern medical practice is built. All physicians and healthcare providers, by virtue of their training and licensure, are required to ensure that patient information remains confidential and private. Patients entrust their honesty and frankness with doctors because they believe that honest conversations will allow for better diagnoses and possible solutions to problems that may arise (Kornblum, 2021). In the past, issues with patient confidentiality have led to major malpractice lawsuits and settlements. In today's world, many patients are justifiably concerned about their privacy and reluctant to provide sufficient information to doctors unless they are assured of absolute privacy.
Patient confidentiality also is mandated by law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides requirements for organizations involved in healthcare (health plans, covered health providers, clearinghouses, etc.). HIPAA protects patient health information in the conduct of their business by requiring appropriate safeguards so that patient information is not improperly disclosed. The U.S (Kornblum, 2021).
A breach of patient confidentiality is constituted by any action or inaction by a healthcare provider that discloses to any third party (including an unauthorized person) without the patient's authorization or consent: (1) the fact that a patient has received, is receiving, or has received services from a healthcare provider; (2) information relating to the mental condition of the patient unless it is essential to the purpose for which it was disclosed; and/or (3) information acquired in the course of treatment by a health provider (Kornblum, 2021). This means that, in addition to other actions related to breach of confidentiality, an action must be taken against a physician when they disclose protected information on themselves as well.
The key exceptions to the requirement to protect patient confidentiality are as follows:
1. Health care providers are allowed to disclose protected information to others if they provide the following actions: a request, consent, referral, or treatment from the patient; an emergency situation; legal action or proceedings; a proceeding before an administrative tribunal; and certain judicial proceedings (Kornblum, 2021).
2. Patient consent is not required for healthcare providers to perform certain acts such as providing immunizations or providing emergency treatment (e.g., when a patient has collapsed and is unconscious).
3. Medical staff members (i.e., employees of a health care provider) are allowed to disclose protected information in the course of employment for purposes such as evaluation, planning, and management (Kornblum, 2021).
4. Information that may be disclosed without violating confidentiality includes: aggregate statistics; information available to the public through other sources; warnings about potential harm from products or activities if the patient is using a product or engaging in an activity with knowledge of the possible risks involved; and confidential information released by patients themselves to others (Kornblum, 2021).
5. Health care providers are not obligated to protect information gathered by them in the past for purposes unrelated to treatment (e.g., historical billing records).
TQ 5.2: Bradshaw v. Daniel
Tutors and personal tutors in particular have an ethical responsibility of informing those who are being tutored, as well as their instructors or school administration, that the student suffers from potentially harmful mental or physical conditions (Bradshaw v. Daniel, n.d.). In some cases, however, it may be ethically required for a tutor to disclose inadequacies in their teachings that could result in harm for students. Discussions of ethical dilemmas are sometimes limited to medical professionals, but some academic institutions are exploring the inclusion of personal tutors and those who provide training or education.
The determining factor in whether a duty exists is based on whether the tutor was a "provider" or "perpetrator". Although the former may have a greater responsibility than the latter, both are generally held accountable when they breach their duties (Bradshaw v. Daniel, n.d.). Providers may also be held liable for breaching their duties if they knew that they were breaking confidentiality and that their actions would be detrimental to someone in their care, as well as if an outside party (such as another student or instructor) could potentially be harmed. "Perpetrators" may or may not be held liable for the consequences of their actions, but the key distinction is that they acted on purpose and have the means available to them to prevent the harm from occurring (Bradshaw v. Daniel, n.d.).
The duty to warn is one of two affirmative duties that are included in common law. These duties are considered "complementary" duties and can be broken down into 1) Duty to Act and 2) Duty to Warn. The duty to warn is applied where a party who was previously unaware of a danger (such as an individual or group of individuals who could potentially be harmed by a disease or other harmful condition) becomes aware of it after making contact with another party (such as a parent or employer) (Bradshaw v. Daniel, n.d.).
TQ 5.3: Summary of the HIPAA Privacy Rule
As a HIPAA-covered entity, it is important that you know what PHI and covered entities are, who is required by law to comply with the Privacy and Security Rules and other requirements, and what the consequences of noncompliance can be.
What is PHI? The acronym "PHI" stands for "Protected Health Information," which is information about you in any form or medium which identifies or can be reasonably linked to your: (1) physical or mental condition; (2) provision of health care services; (3) payment for health care services; or (4) health status. Examples of PHI include: (1) demographic data, such as name, address, and social security number; (2) medical record information, such as diagnosis and treatment information; (3) payment and eligibility data; and (4) health plan beneficiary data (U.S. Department of Health and Human Services, 2013).
What is a covered entity? Covered entities are those health plans, health care clearinghouses, or health care providers that engage in certain transactions involving electronic protected health information. A covered entity includes any of the following: A covered entity does not include an individual practitioner or other person who uses or discloses PHI only to carry out that individual's responsibility to provide medical services to patients in the ordinary course of business. These "business associates" are not required to comply with the Privacy and Security Rules (U.S. Department of Health and Human Services, 2013).
What is a business associate? A business associate (BA) is any entity that performs functions or activities on behalf of a covered entity, including an employer. Health plans, health care clearinghouses, and health care providers are examples of BAs. BAs are not required to comply with the Privacy and Security Rules.
What is an authorization? "Authorization" is a written statement that a health plan or health care provider has reviewed your PHI, has determined what it may use or disclose, and has agreed to the use and disclosure. The decision to allow uses or disclosures is usually made by someone with the authority to make them.
What is the "minimum necessary" requirement? The Privacy Rule requires covered entities to use and disclose only the minimum amount of information needed to accomplish the intended purpose. Under certain conditions, a minimum necessary rule applies to disclosures for treatment, payment and health care operations as well. More information about this requirement can be found in Section 164.514 of the Rules (U.S. Department of Health and Human Services, 2013). A health plan, health care provider, or other covered entity may not require you to sign an authorization for uses and disclosures of PHI without giving you a concise explanation of the information being used or disclosed. The explanation must explain the purpose for the use or disclosure and how you will be notified if your PHI is compromised. (You do not need an explanation for uses or disclosures that are required by law.) (U.S. Department of Health and Human Services, 2013)
What is the difference between a "permitted" and an "authorized" use or disclosure? "Permitted uses and disclosures" are those you have authorized, or for which you have given permission by signing an authorization. A permitted use or disclosure is one that you have allowed the covered entity to make without obtaining your written authorization.
TQ 5.4: HIPAA Breach Notification Rule
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines a "breach" as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under HIPAA that compromises the security or privacy of such information.
There are three exceptions to the definition of “breach”: 1) when there is no reasonable probability that such acquisition could res...