Patient Confidentiality and HIPAA

Privacy

broad umbrella term

four ways privacy is related to healthcare:

physical seclusion (zone of personal space)

protection of personal information

protection of one’s personal identity

ability to make choices about interference

Confidentiality

falls under privacy (narrower in scope)

synonymous with informational privacy

we have a duty to not disclose information that a patient has conveyed to us

related to autonomy:
the ability to act on your decisions freely and independently

synonymous with decisional privacy

Ethical Principles Supporting Privacy and Confidentiality

Beneficence: prevent harm
remove harm
bring upon positive good

nonmaleficence: do no harm

fidelity: be faithful to the patient’s reasonable expectations

autonomy: have the ability to act on decisions freely and independently

veracity: obligated to tell the truth

HIPAA

covered entities: health plans
clearinghouses
healthcare providers who transmit health information electronically

privacy rule: protects pt. PHI while allowing providers to share information to coordinate care

security rule

PHI: individually dientifiable information that is held/transmitted/requested by provider
ex: oral/paper/electronic information
common identifiers (name/address/birthdate/SSN/etc)
health conditions
pt. record

de-identified: not PHI→can be used without authorization (research for quality improvement projects)

minimum necessary principle: use only minimum amount of PHI to share

without authorization:
personal representative: pt. requests it or on behalf of dead person

TPO: treatment/payment/operations

abuse/neglect victims

public health activities

law/court order

with authorization: not for treatment/payment/healthcare operations/without authorization

Privacy Rule Requirements: privacy officer
security officer
notice of privacy protection
access to one’s own record
amend one’s own record
disclosure of limited data sets for research/public health purposes
restriction request
confidential communications request

Security/HITECH rule: requires providers to maintain administrative/technical/physical safeguards for protecting e-PHI (electronic PHI)

administrative safeguards: security official+security plan+workforce training

technical safeguards: user access controsl
audits
encryption/decryption
detect unauthorized access
good password protection

physical safeguards: workstation/device security
transfer/removal/disposal of electronic media

Breach Notification Rule: requires providers to notify HHS if there is a breach of unsecured PHI

breach: impermissible use/disclosure under the privacy rule that compromises the security and privacy of PHI

HIPAA vs. State Law: state laws that are contrary are not effective against HIPAA (federal over state)

Special Privacy Considerations:

mental health:
psychotherapy note requires written authorization to be disclosed

substance use:
2020 CARES act: governs how healthcare providers use and disclose records pertaining to substance use (42 CFR part 2)
substance use consideration under 42 CFR part 2 (not under HIPAA)
SUD records require pt written authorization to disclose

mental health+substance use:
Pts can agree/object to disclosure (doesn’t have to be written) for discussing care information with family members/others (not required by HIPAA)

Provider can make determination if information being shared is in the best interest with family/others

Minors:

An ethical duty to protect the confidentiality of minors within certain limits

Issue is closely tied within consent (vary from state to state)

Fear of disclosure vs. belief in confidentiality is major factor in seeking care

Consent rules:

General medical care:

NJ: married of pregnant→yes

PA: married/pregnant/emancipated/graduated high school→yes

Immunizations:

NJ: No

PA: 11+ y/o COVID 19→yes

Graduated HS/married/pregnant→yes

Sexual assault evaluation:

NJ: 13+ y/o→yes

PA: yes

STI testing/txt:

NJ: yes

PA: yes

HIV testing/txt:

NJ: yes

PA: yes

contraceptive care:

NJ: pregnant/married/ever pregnant→yes

PA: 14+ y/o→yes

Prenatal care:

NJ: yes

PA: yes (parent may be informed)

Mental health care:

NJ: 16+ y/o output (excluding meds)

PA: no explicit policy