Laws are classified as public or private. Public law involves the government at any level and its relationship with individuals and organizations. Its purpose is to define, regulate, and enforce rights where any part of a government agency is a party (Showalter 2017). The most familiar type of public law is criminal law, where the government is a party against an accused who has been charged with violating a criminal statute. In healthcare, the Medicare Conditions of Participation (COP)—the requirements set forth for healthcare providers who accept Medicare patients—are public law. Public law includes both criminal and civil law (non-criminal law).
Private law involves rights and duties among private entities or individuals. For example, private law applies when a contract for the purchase of a house is written between two parties. Normally, private law encompasses issues related to contracts, property, and torts (injuries). In the medical arena, it often applies when there is a breach of contract or when a tort occurs in malpractice. Private law is also civil law.
Constitutions
Constitutional law defines the amount and types of power and authority governments are given. The US Constitution defines and sets forth the powers of the three branches of the federal government. The legislative branch, which is the US Congress and is comprised of the House of Representatives and the Senate, creates statutory law (statutes). Examples of statutory law include Medicare and HIPAA. The executive branch (the president and staff, namely cabinet-level agencies) enforces the law. For example, the Centers for Medicare and Medicaid Services (CMS), an agency within the cabinet-level Department of Health and Human Services (HHS), enforces the Medicare laws. The judicial branch (the court system) interprets laws passed by the legislative branch. This three-branch government structure is also found in state governments. Each state’s constitution is the supreme law of that state, but it is subordinate to the US Constitution, the supreme law of the nation (Rinehart-Thompson 2017a).
Statutes
Statutes (which form statutory law) are enacted by legislative bodies. The US Congress and state legislatures are legislative bodies. Local bodies, such as municipalities, can also enact statutes, sometimes referred to as ordinances (Rinehart-Thompson 2017a).
Administrative Law
Administrative law is a type of public law. As previously noted, the executive branch of government is responsible for enforcing laws enacted by the legislative branch. Administrative agencies, which are part of the executive branch, develop and enforce rules and regulations that carry out the intent of statutes. For example, HHS developed rules and regulations to carry out the intent of the HIPAA statute, and it has the power to enforce them. These rules and regulations are administrative law. Another example is the federal Food and Drug Administration (FDA), an agency within HHS, which has the power to develop rules that control the manufacture of drugs. The legislative branch of the federal government has given a number of administrative agencies the power to establish regulations (Rinehart-Thompson 2017a).
Judicial Decisions
The fourth major source of law is judicial law (that is, common law or case law), which is law created from court (judicial) decisions. Courts interpret statutes, regulations, and constitutions, and resolve individual conflicts. Judicial decisions are the primary source of private law (Showalter 2017).
The traditional method of resolving legal disputes is through the court systems. In the US, one court system exists at the federal level. The 50 states, the US territories, and the District of Columbia have their own court systems. Although the court system is the most familiar method for resolving legal disputes, there is growing reliance on alternative dispute resolution to lighten court dockets and provide less costly and time-consuming alternatives for parties to settle their differences. Alternative dispute resolution includes arbitration (parties agree to submit a dispute to a third party to decide) and mediation (parties agree to submit a dispute to a third-party facilitator, who assists the parties in reaching an agreed-upon resolution).
The US court system consists of state and federal courts. Both federal and state court systems have a three-tier structure: trial courts (called district courts in the federal system); courts of appeal or appellate courts (called circuit courts in the federal system) that hear appeals on final judgments of the trial courts; and supreme courts, the highest courts in a court system that hear final appeals from intermediate courts of appeal. Appeals are designed nearly exclusively to address legal errors or problems alleged to have occurred at the lower court, but they are not meant to address the facts of the case again. Table 8.2 compares the nomenclatures of state and federal court systems. In many states, trial courts are divided into courts of limited jurisdiction, which hear cases that pertain to a particular subject (for example, landlord and tenant or juvenile) or that involve crimes of lesser severity or civil matters of lower dollar amounts. Courts of general jurisdiction hear more serious criminal cases or civil cases involving larger sums of money. Cases presented to courts of appeal or supreme courts are not trial reenactments. Legal documents are prepared by each party’s attorney(s), who argue the merits of the case before a panel of appellate judges.
Legal Process
This section describes a legal action from the time a lawsuit is filed, through the phase in which information is collected by those involved in the lawsuit, to trial and resolution.
Initiation of Lawsuit
In order to prepare for a judicial decision as the ultimate outcome of a legal proceeding (litigation), a plaintiff initiates a lawsuit against a defendant by filing a complaint in court, which outlines the defendant’s alleged wrongdoing. After it is filed, a copy of the complaint is served to the defendant along with a summons. The summons and complaint give the defendant notice of the lawsuit and what it pertains to, and inform the defendant that the complaint must be answered or some other action taken. If the defendant fails to answer the complaint or take other action, the court grants the plaintiff a judgment by default.
Usually, the defendant answers the complaint in one of four ways: denying, admitting, pleading ignorance to the allegations, or bringing a countersuit (counterclaim) against the plaintiff by filing a complaint. A defendant may file a complaint (joinder) against a third party or against another defendant (cross-claim). The defendant can ask the court to dismiss the plaintiff’s complaint, but not without substantial reason such as lack of evidence.
Discovery
The next stage of litigation is discovery, a pretrial process and a time period in which parties to a lawsuit use various strategies to discover or obtain information about a case, held by other parties, prior to trial. Discovery is encouraged in order to determine the strengths and weaknesses of the other parties’ cases. This knowledge helps avoid surprises at trial and perhaps encourages pretrial settlement (Rinehart-Thompson 2017b). Thus, evidentiary rules and court decisions addressing discovery are broad, favoring discovery when it is in doubt. There are several types of discovery methods, but most likely to be encountered are the deposition, which obtains the parties’ and other witnesses’ out-of-court testimony under oath; interrogatories, which are written questions to the parties in order to obtain information; and requests for production of documents or other pertinent items (Rinehart-Thompson 2017b).
Although it is not a discovery method, an important discovery tool is the subpoena. Initiated on behalf of one of the parties and issued through the court, it is a legal document that facilitates discovery by instructing someone to do something (such as compelling attendance at a deposition or court proceeding) or bring something, such as a document. There are two types of subpoenas: the subpoena ad testificandum seeks one’s testimony and the subpoena duces tecum seeks documents and other records one can bring with him or her (Rinehart-Thompson 2017b). Subpoenas may direct that originals or copies of health records, laboratory reports, x-rays, or other records be brought to a deposition or to court. In most instances, a subpoena for the disclosure of an individual’s health information must be accompanied by an authorization, or permission from that individual for the information to be disclosed. HIM professionals can be subpoenaed to testify as to the authenticity of the health records by confirming the records were compiled in the usual course of business and have not been altered in any way. Because the attorney who subpoenas a HIM professional is most interested in the health record, the information is likely to be compelled via subpoena duces tecum.
Another type of discovery tool is the court order. A court order is a document issued by a judge. At times, a court order will be issued to compel the production of health records. If the recipient does not comply with the court order, he or she risks contempt-of-court (namely, failure to comply) sanctions, possibly including jail time. Although both are issued through the court, any legal document that requests a patient’s health information must be reviewed carefully to determine whether it is a court order or subpoena. This is because, as noted previously, a subpoena often requires an individual’s authorization if health information is being sought (Rinehart-Thompson 2017b).
If health records are relevant to a criminal case, they may be obtained via a warrant. A warrant, a specialized type of court order, is a judge’s order that authorizes law enforcement to seize evidence and, often, to conduct a search as well. Criminal cases in which health records are most likely to be obtained via warrant involve healthcare fraud and abuse investigations.
E-Discovery
The concept of discovery as defined earlier seems relatively straightforward with paper health records. However, it is vastly different with electronic health records. E-discovery maintains the same pretrial process as discovery, but parties now obtain and review electronically stored data. The Federal Rules of Civil Procedure (FRCP) incorporated electronic information through the creation of e-discovery rules. The FRCP applies only to cases in federal district courts, but many states have adopted similar e-discovery rules that apply to both civil and criminal cases. While the role of the HIM professional in paper-based discovery was often limited to responding to a subpoena for health records or testifying as to a health record’s authenticity, involvement begins much earlier with e-discovery. For example, attorneys for the parties in a lawsuit must agree on matters such as document discovery. Early interaction among a healthcare organization’s health information professionals, information technology (IT) professionals, and legal counsel is very important. Electronic health records (EHRs) allow massive volumes of information to be created and stored, subjecting much greater amounts of information to discovery than paper health records. Not all information is discoverable. For example, an incident report is generally not discoverable. An incident report is a quality or performance management tool used to collect data and information about potentially compensable events (events that may result in death or serious injury). Whether it is discoverable or not depends on legal protections (such as a state statute that specifically protects quality assurance records) or the lack thereof. Any electronically stored evidence may potentially be compelled as evidence. Discoverable data includes not only the EHR, but also emails, texts, voicemails that may exist on smartphones, drafts of documents, and information on flash drives. 
Other information that must be considered as potentially discoverable includes information housed on ancillary systems and other databases throughout a healthcare organization because they may be relevant to a particular case. Discoverable data also include metadata, which are data about data, a concept that was unheard of in paper documents. Metadata includes information that tracks actions such as who accessed or attempted to access a document or an information system, when this occurred, which parts of the document or information system were affected, and what operations or changes (for example, creating, viewing, printing, editing) took place (Rinehart-Thompson 2018). Because the e-discovery rule affects retention and destruction of health information, HIM professionals must be involved in those ongoing processes. To protect discoverable data, they must also ensure records involved in litigation or potential litigation are safeguarded through a legal hold, which is generally a court order to preserve a health record if there is concern about destruction. A legal hold supersedes routine destruction procedures. It also prevents spoliation—the act of destroying, changing, or hiding evidence intentionally (Klaver 2017a).
Trial
After discovery is complete, the trial begins. A jury is selected through a process called voir dire or, if a jury is waived, a judge hears the case (bench trial). Evidence is then presented. The plaintiff’s attorney is the first to call witnesses and present evidence. In turn, the defendant’s attorney calls witnesses and presents evidence. Typically, in both health-related and non–health-related cases that involve health records as evidence, the record custodian is called as a witness by one party or the other to testify as to the authenticity of a health record sought as evidence. Testifying as to a health record’s authenticity means the records custodian is verifying that it contains information about the individual in question, was compiled in the usual course of business, and is reliable and truthful as evidence. Because individuals who document in a health record do not typically falsify their entries, the truthfulness of a health record is generally not questioned. Parties to litigation often agree (stipulate) as to a health record’s authenticity and allow it to be entered into evidence without requiring the records custodian to appear in court and testify. The parties may also agree to allow a photocopy of the health record or a printed version of the EHR to be introduced into evidence rather than the original. This generally requires the records custodian to certify in writing that the copy is an exact duplicate of the original. State laws vary on the degree to which courts will consider EHR printouts as evidence.
Many times, a case is settled before it reaches trial. This saves time, money, and emotional hardship on the parties. A settlement may be reached between or among parties and their attorneys with or without intervention from a third party.
After the court (either a jury or the judge) has rendered a verdict, the next stage in litigation is the appeal. If at least one of the parties disagrees with the verdict and has a legal argument on which to base its disagreement (for example, evidence was wrongfully considered at trial), a case may be appealed to the next court for review. The final stage of noncriminal litigation is collection of the judgment, which is a monetary award or in equity (that is, the defendant is required to do, or refrain from doing, something). Examples of collection of monetary judgments include single payments, garnishment of wages (by court order), seizure of property, or a lien on property. Examples of judgments in equity include ordering the completion of a construction project (requiring the defendant to do something) or requiring that a construction project be stopped (requiring the defendant to refrain from doing something). The final stage of criminal proceedings is sentencing, which may include confinement and monetary penalties.
Evidence
An individual may be compelled to testify in court. This may occur after an individual has provided testimony at a deposition, or it may be the first time an individual testifies in a particular case. Rules regarding admissibility, or the court allowing consideration of evidence, are much more stringent than discovery rules (Rinehart-Thompson 2017b). Thus, much information can be shared during pretrial discovery that is not permitted to be admitted as evidence at trial. The Federal Rules of Evidence (FRE) govern admissibility in the federal court system. Separate rules of evidence that often mirror the federal rules govern admissibility in each state.
Generally, only relevant evidence—that which makes a supposed fact either more or less probable—may be admitted at trial. However, even relevant evidence with probative value (that is, significant in providing information) may be deemed nonadmissible if it is outweighed as unfairly prejudicial or if presenting the evidence would cause undue delay. Evidence may also be excluded if it is misleading (for example, providing statistics that do not accurately depict death rates associated with a particular disease) or redundant (for example, an answer that an attorney attempts more than once to elicit from a witness in order to belabor a point, such as a patient’s death) (Klaver 2017a). Hearsay is also often excluded. Hearsay is an out-of-court statement used to prove the truth of a matter, and it is inherently deemed untrustworthy because the maker of the statement was not cross-examined at the time the statement was made. Hearsay can be admitted into evidence if it meets one of the hearsay exceptions. The exception most common to the health record is the business records exception. This exception exists because business records are deemed inherently trustworthy and are admissible as long as they are made at or near the time of the event being recorded, are kept in the regular course of business, and are created through the regular practice of business (Klaver 2017a).
Testimony by HIM professionals is often focused on the authenticity of the health record and refers to the document’s baseline trustworthiness (Klaver 2017a). HIM professionals must take care to present a professional decorum when testifying by dressing professionally, answering questions honestly and without becoming defensive, and responding to the questions asked rather than unnecessarily elaborating. If the questioning attorney poses a question that is outside the scope of the individual’s expertise as a HIM professional (for example, eliciting information about a patient’s condition or reason that medical treatment was provided), the HIM professional should respectfully decline to answer the question by stating that it is beyond his or her area of professional expertise.
Causes of Action in Professional Liability
Professionals in many fields, including healthcare, face potential liability for allegedly failing to meet the standards established in their fields of practice. Medical malpractice is the professional liability of healthcare providers—physicians, nurses, therapists, or others involved in the delivery of patient care. Breach of contract, intentional tort, and negligence are all causes of action, or elements under which lawsuits are brought that are related to professional liability. To understand how these causes of action apply, examine the elements of the physician-patient relationship.
A physician-patient relationship is established by either an implied contract, also referred to as consent, or an express contract. Implied contracts are created by the parties’ behaviors (for example, a patient’s arrival at a physician’s office). Express contracts are articulated, either in writing or verbally (a patient’s written or verbal agreement to treatment). A contract is usually created by the mutual agreement of the parties involved—in this case, the patient and the physician or another healthcare provider. Termination of the contract usually occurs when the patient either gets well or dies, the patient and physician mutually agree to contract termination, the patient dismisses the physician, or the physician withdraws from providing care for the patient.
No medical liability for breach of contract can exist without a physician-patient relationship. However, when this relationship does exist, the physician’s failure to diagnose and treat the patient with reasonable skill and care may cause the patient to sue the physician for breach of contract.
Healthcare providers also can be held responsible for professional tort liability when they harm another person. A tort is a wrongful civil act that results in injury to another. Tort law is broad and includes non–healthcare-related acts (for example, a driver runs a red light and strikes another vehicle) and healthcare-related acts (a nurse administers the wrong medication). An intentional tort occurs when an individual purposely commits a wrongful act that results in injury. Usually, however, professional liability actions are brought against healthcare providers because of the tort of negligence, or unintentional wrongdoing.
Negligence occurs when a healthcare provider does not do what a prudent person would normally do in similar circumstances. The three types of negligence are the following:
Nonfeasance is the failure to act as a prudent person would, such as not ordering a standard diagnostic test
Malfeasance is a wrong or improper act that may be unlawful, such as removal of the wrong body part or use of a joint replacement that is known to be problematic (Rinehart-Thompson 2017c)
Misfeasance is the improper performance during an otherwise correct act, such as nicking the bladder during an otherwise appropriately performed gallbladder surgery
For a negligence lawsuit to be successful, the plaintiff must prove the following four elements:
The existence of a duty (an obligation established by a relationship) to meet a standard of care (degree of caution expected of an ordinary and reasonable person under given circumstances)
Breach or deviation from that duty
Causation, the relationship between the defendant’s conduct and the harm that was suffered
Injury (harm) that may be economic (medical expenses and loss of wages) or noneconomic (pain and suffering)
The causes of action mentioned are not the only ones that can be brought against an individual healthcare provider or a healthcare organization. Other tort actions applicable to healthcare include battery (intentional and nonconsensual contact), assault (intentional contact that causes apprehension of harmful or offensive contact), false imprisonment (intentional confinement against that person’s will), infliction of emotional distress (intentional conduct resulting in extreme emotional suffering such as anxiety, sleeplessness, and inability to perform activities), defamation (false communication that injures a person’s reputation), invasion of privacy (violation of a person’s right for his or her person and information to be left alone), and wrongful disclosure of confidential information by a person with whom an individual has a relationship protected by law (for example, physician-patient) (Brodnik et al. 2017).
Patient Rights Regarding Healthcare Decisions
It is an established right in the US that individuals generally have autonomy over their own bodies. Included in this right is the right of individuals to make their own healthcare decisions provided they are not legally incompetent (namely, incompetent by virtue of a mental disability or status as a minor). Consents play an important role in documenting individuals’ wishes regarding the healthcare they will receive. Similarly, advance directives are important in documenting individuals’ end-of-life decisions.
Consent is one’s agreement to receive medical treatment. It can be written (preferable because it offers greater proof) or spoken; further, it can be express (communicated through words) or implied (communicated through conduct or a mechanism other than words, such as an unconscious person who is brought to the emergency department). As a matter of practice, healthcare organizations obtain a general consent from a patient for routine treatment, and failure to do so can result in a legal action, generally for battery (harmful or offensive contact). When a treatment or procedure becomes progressively more risky or invasive, it is important that informed consent be completed to ensure the patient has a basic understanding of the diagnosis and the nature of the treatment or procedure, along with the risks, benefits, alternatives (including opting out of treatment), and individuals who will perform the treatment or procedure. Informed consent is a process, and it is the responsibility of the provider who will be rendering the treatment or performing the procedure to obtain the patient’s informed consent and answer the patient’s questions about matters such as the risks associated with the treatment or procedure, alternatives, and likely consequences if the treatment or procedure is not chosen. Failure to obtain informed consent can result in legal action generally based on negligence (Klaver 2017b). This informed consent must be documented in the health record.
Advance Directives
An advance directive is a special type of consent that communicates an individual’s wishes to be treated—or not—should the individual become unable to communicate on his or her own behalf. Once created, it is important that advance directives become a part of an individual’s health record.
By creating a durable power of attorney for healthcare decisions (DPOA-HCD), an individual, while still competent, designates another person (proxy) to make healthcare decisions consistent with the individual’s wishes on his or her behalf. Durable means that the document is in effect when the individual is no longer competent.
A living will is executed by a competent adult, expressing the individual’s wishes regarding treatment should the individual become afflicted with certain conditions (for example, a persistent vegetative state or a terminal condition) and no longer be able to communicate on his or her own behalf. Living wills often address extraordinary lifesaving measures such as ventilator support and either the continuation or removal of nutrition and hydration.
A third type of document that always specifies an individual’s wish not to receive treatment (specifically, cardiopulmonary resuscitation [CPR]) is the do-not-resuscitate (DNR) order. Most often used by individuals who are elderly or in chronically ill health, it directs healthcare providers to refrain from performing the otherwise standing order of CPR should the individual experience cardiac or respiratory arrest. Prior to executing a DNR, the patient and physician should have a discussion and the patient should sign a consent form for DNR. The physician then writes an order in the patient’s health record. State law provides the framework for completing DNR orders and forms. Joint Commission-accredited organizations are required to implement policies regarding advance directives and DNR orders (Klaver 2017b).
The lack of advance directives can result in legal battles regarding the undocumented wishes of individuals who become legally incompetent. Highly publicized end-of-life cases regarding individuals and whether they would have wanted continued life-sustaining measures in light of their vegetative state include Karen Ann Quinlan (dispute between family and custodial facility regarding respirator support), Nancy Cruzan (dispute between family and custodial facility regarding continuation of artificially administered nutrition and hydration), and Terri Schiavo (dispute between husband and parents and siblings regarding continuation of artificially administered nutrition and hydration) (Klaver 2017b). In each of these cases, the courts eventually determined that lifesaving measures could be removed. These cases have had significant legal and ethical implications on how healthcare providers handle right-to-die situations, prompting more providers to discuss a patient’s end-of-life decisions and encourage the creation of advance directives that will state a patient’s wishes or name a decision-maker for the patient.
Overview of Legal Issues in Health Information Management
For the HIM professional, legal aspects of health records and health information include the topics addressed in the following sections:
Creation and maintenance of health records
Ownership and control of health records, including use and disclosure
The legal health record including content, retention, and destruction
Additionally, the HIM professional may be involved in the medical staff credentialing process as well as healthcare organization licensure, certification, and accreditation.
Creation and Maintenance of Health Records
Requirements for creating and maintaining health records are usually found in state rules and regulations, typically developed by state administrative agencies responsible for licensing healthcare organizations. Requirements often specify only that health records be complete and accurate. However, other requirements specify categories of information to be kept or outline the detailed contents of the health record.
In some circumstances, the federal government stipulates specific requirements for maintaining health records. For example, the Medicare Conditions of Participation contain specific requirements that must be satisfied by healthcare organizations that seek reimbursement to treat Medicare or Medicaid patients.
In addition to state and federal requirements, accrediting bodies have established standards for maintaining health records. Specifically, the Joint Commission’s relevant standards are set forth in the Information Management (IM) and Record of Care, Treatment, and Services (RC) chapters. Acute care, long-term care, home health, and behavioral health providers, among others, must follow these standards if they are to be accredited by the Joint Commission. Private third-party payers play an important role in the maintenance and content of health records. In addition to regulations that specify requirements for Medicare and Medicaid providers, private payers often have specific requirements about content that must be present in the health record for them to reimburse for treatment. Depending on the nature of the external entity that imposes requirements on the healthcare provider, failure to comply with requirements will likely result in some type of penalty such as loss of licensure or accreditation, nonpayment of claims, or fines imposed on the healthcare organization. Thus, health information must be created and maintained appropriately and in compliance with all applicable requirements.
Finally, in addition to governmental, accrediting body, and private payer requirements, professional organizations such as the American Health Information Management Association (AHIMA) publish best practice information. Best practice states that health record entries and health records in their entirety must be complete, accurate, and timely. These characteristics contribute to high-quality patient care and contribute toward a legally defensible health record that can protect a healthcare organization in malpractice litigation. Because health records are frequently admitted into evidence in medical malpractice lawsuits, the absence of complete, accurate, and timely documentation can result in a verdict against the healthcare organization.
Healthcare organizations take all previously mentioned external factors, as well as their unique internal factors, into consideration when establishing their own requirements regarding health record format and content. This is done by incorporating them in organizational policies and procedures and medical staff bylaws.
Documentation guidelines
Policies should be based on applicable standards, including accreditation, state and local licensure, federal and state regulations, reimbursement requirements, and professional practice standards.
Content and format of health records should be uniform.
Entries must be legible, complete, and authenticated by the person responsible for providing or evaluating the service provided.
Only authorized individuals, as defined by organizational policies and procedures, shall document in the health record. Further, authorship of entries should be clearly defined in the documentation.
The definition of a legally authenticated entry should be established, with rules for prompt authentication of every entry by the author responsible for ordering, providing, or evaluating the service. Health records must be accurately written, promptly completed, properly filed and retained, and accessible. The system must consist of author identification and record maintenance that ensures the integrity of the authentication and protects the security of the entries.
Entries should be made as soon as possible after the event or observation is made at the point of care. Entries shall never be made in advance.
Entries should include the complete date and time. Narrative documentation should reflect the actual time the entry was created.
The record should reflect facts, using specific language. Avoid using vague or generalized language.
For patient safety, policies must address standardized terminology, definitions, abbreviations, acronyms, symbols, and dose designations. Prohibited abbreviations, acronyms, symbols, and dose designations should be published.
Policies should specify who is authorized and responsible to receive and transcribe physician verbal and telephone orders.
Health record entries must be permanent. Because they are evidence in a legal action, policies and procedures must be established to prevent alteration, tampering, and loss.
Documentation errors should not be obliterated or changed and should be corrected per procedure. There should be an option for “corrected final” in addition to “preliminary” and “final.”
Policy should address how the patient or patient representative requests corrections and amendments to the record. The amendment should refer to the information questioned and include date and time. Documentation in question should never be removed from the record or obliterated. Per HIPAA, the patient has the right to request an amendment; however, the organization has discretion whether to grant the request.
Quantitative and qualitative analyses of documents should be conducted according to procedure.
Policies should differentiate whether research records are part of the legal health record or maintained separately, with the decision verified with the organization’s institutional review board.
Ownership and Control of Health Records, Including Use and Disclosure
HIM professionals must understand the concepts of health record ownership and control. The health record and its contents are owned by the healthcare organization that created and maintains it. As the legal custodian, the healthcare organization is responsible to ensure its integrity and security. This is true regardless of whether the health record is paper, imaged, or electronic. Although patients do own the information in the health record, ultimate responsibility for the physical health record still rests with the healthcare organization.
Control of the health record encompasses its use (how health information is used internally) and disclosure (how health information is disseminated externally). Related to disclosure is patient access to one’s own health records. Although health records and other documents (for example, radiologic images) that relate to the delivery of patient care are owned by the healthcare organization, patients and other legitimately interested third parties have the right to access them. The federal HIPAA Privacy Rule grants individuals the right to access their protected health information, with some exceptions that will be discussed in more detail in chapter 9, Data Privacy and Confidentiality. As patient portals become more available and encouraged by providers, this right is becoming a patient expectation as well.
Use and Disclosure Under State and Federal Law
Most states have laws that protect patient confidentiality (Brodnik 2017). Known as privileged communication statutes, the laws generally prohibit medical practitioners from disclosing information during litigation if that information arises from the parties’ professional relationship and relates to the patient’s care and treatment. An example is the protection of information shared by a patient with his or her physician during an office visit (Showalter 2017). If patients waive their privilege, the medical provider is no longer prohibited from making disclosures.
State law may specifically provide a patient with the right to access his or her health information. Even if it does not, as previously noted, HIPAA grants an individual the right to access his or her health information for as long as it is maintained, with limited situations where access may be denied. The HIM professional should always follow the stricter law (HIPAA or state). HIPAA also establishes standards by which others may access an individual’s health information.
Disclosure of health information without patient authorization may be required under specific state statutes. Examples include reporting vital statistics (for example, births and deaths) and other public health, safety, or welfare situations. For example, healthcare providers may be required to provide information to the appropriate state agency about patients diagnosed with sexually transmitted and other communicable diseases, injured by knives or firearms, or exhibiting wounds that suggest some type of violent criminal activity. The treatment of suspected victims of child abuse or neglect must also be reported. Because requirements vary by state, HIM professionals must know the reporting requirements for the states in which they practice.
Health information has a variety of purposes—from the provision of direct patient care to use by outside entities such as insurance and pharmaceutical companies—and those uses and disclosures must be appropriate. Compliance with legal requirements for appropriate use and disclosure must be ensured, as must adherence to the profession’s ethical principles.
Use of Health Records in Judicial Proceedings
The health record of an individual who is a party to a legal proceeding is usually admissible in litigation or judicial proceedings provided it is material or relevant to the issue (Showalter 2017). Either a court order or subpoena is used to obtain health information for a court that has jurisdiction (legal authority to make decisions) over the pending litigation. These are discussed in more detail in chapter 9, Data Privacy and Confidentiality.
Responses to court orders and subpoenas depend on state regulations. In some instances, states allow copies of health records to be certified and mailed to the clerk of the court or to other designated individuals. In other instances, however, original health records must be produced in person and the records custodian is required to authenticate them. Authentication affirms a health record’s legitimacy through testimony or written validation that it is indeed the record of the subject individual and the information in it is valid.
Legal Health Record
The legal health record is the record used for legal purposes and is the “record released upon a valid request” (Rinehart-Thompson 2017d, 171). The legal health record can exist on any medium (paper, electronic or imaged, or a hybrid). Its content is defined by the healthcare organization that maintains it rather than by law.
Importance of the Legal Health Record
The legal health record distinction is important for several reasons. First, it is important to a healthcare organization’s business and legal processes (Rinehart-Thompson 2017d). Second, because the legal health record is the record that must be produced upon request, including legal request, it becomes important to ensure the legal health record is legally sound and defensible as a valid document in legal situations (Rinehart-Thompson 2017d).
It is also important to differentiate the legal health record from other types of records that are integral to health information. These include the designated record set, the EHR, and the personal health record. The designated record set (DRS), which is a term specific to HIPAA and described further in chapter 9, Data Privacy and Confidentiality, also includes other records (for example, billing records) and, as such, is more expansive than the legal health record. The EHR is also more expansive because it contains components (such as metadata) that are not ordinarily included in legal health record content. The personal health record (PHR) is owned and managed by the individual who is the subject of the health record. As such, it is not the legal business record of the healthcare organization. The PHR is discussed in chapter 3, Health Information Functions, Purpose, and Users.
Content of the Legal Health Record
Determining the content of the legal health record can be challenging because of the myriad of documents that exist, the presence of documentation in multiple locations, and—for the EHR—the existence of documentation that does not exist in paper health records. Healthcare organizations should develop and maintain an inventory of all documents and data that could comprise the legal health record, considering all locations in the healthcare organization where such information could exist (for example, separate departments or servers). Electronic document considerations include emails, text messages, electronic fetal monitoring strips, diagnostic images, digital photography, voice files, and video (AHIMA 2011a). Healthcare organizations should also carefully consider whether to include data such as pop-up reminders, alerts, and metadata.
Retention of the Legal Health Record
Retention includes mechanisms for storing records, providing for timely retrieval, and establishing the length of times various types of records will be retained by the healthcare organization. The HIM professional must consider multiple factors when developing health record retention policies to determine how long health records are to be kept. These factors include applicable federal and state statutes and regulations; accreditation standards; operational needs of the healthcare organization; and the type of healthcare organization (for example, hospital or clinic).
Some state laws designate how long health records must be retained in their original form and specify whether they can be stored on media other than that on which they were initially created. Additionally, state and local laws that require information to be maintained for reporting to public authorities (for example, vital statistics and public health data) must be adhered to.
The health record must be available as evidence in legal actions, as governed by statutes and regulations. Health records should be retained for at least the period specified by the state’s statute of limitations, which is the period of time in which a lawsuit (such as medical malpractice) must be filed. In particular, the health record of a minor should be retained until the patient reaches the age of majority (as defined by state law) plus the period of statute of limitations, unless otherwise provided by state law. For example, if state law defines the age of majority as 18 and the statute of limitations is two years, then the health record would need to be retained until the patient is 20 years old. A longer retention period is necessary because the statute may not begin to run until a potential plaintiff learns of the causal relationship between an injury and the care received. Other claims must also be taken into consideration when determining how long to retain health records as evidence. For example, under the False Claims Act, claims of fraud may be brought for up to 10 years after the incident (31 USC 3729). Payer requirements must also be considered; for example, the Medicare Conditions of Participation, which are federal regulations, require five-year retention for hospital health records.
The standards of accreditation bodies such as the Joint Commission and the HFAP must be followed in developing a health record retention policy. The Joint Commission defers to state law by specifying that records are to be retained in compliance with applicable law.
Health record retention also depends on how the healthcare organization uses the information in the health record. For example, an acute-care hospital may have very different retention policies than a long-term-care organization providing geriatric nursing care. Further, a healthcare organization providing care exclusively to children may have different retention policies than a home health agency. Healthcare organizations with significant educational and research activities may need to retain health records for longer periods than other healthcare organizations because existing health records can be useful for these purposes. For example, information may be extracted from health records for research studies.
Governing boards and medical staffs of every healthcare organization must analyze their medical and administrative needs to ensure health records are available for peer review, quality assessment, and other activities. These needs must be considered in conjunction with legal and accreditation requirements. In many instances, healthcare organizations retain health records longer than the law requires to accommodate research or other needs of the healthcare organization.
AHIMA Retention Recommendations
AHIMA routinely publishes recommendations for the retention of health records (AHIMA 2013). HIM professionals should use these to determine how their healthcare organizations compare with industry-wide best practices. AHIMA recommends, at a minimum, that health record retention schedules do the following:
Be designed to meet a healthcare organization’s needs so that health information is available not only for patient care, but also for research, education, and to meet the legal requirements that apply to the healthcare organization
Be specific about the retention of information, including a description of what information is to be kept, how long it is to be kept, and the medium on which it will be stored (for example, electronic or imaged, paper, or hybrid)
Clearly specify in the policies and procedures the destruction method that is to be used for each medium on which health information is housed (AHIMA 2013).
Destruction
Not all information must, or should, be retained forever. Whereas space has historically been a challenge with paper health records, it is easy to presume indefinite or permanent retention of electronic health records because they require little space. However, space can become an issue for electronic health records. Further, from a legal perspective, the fact that a health record can be retained permanently does not mean it should be if it no longer serves a purpose but occupies space.
Just as the HIM professional must consider multiple factors when determining retention, many factors must also be taken into consideration regarding health record destruction. Destruction of records is the act of breaking down the components of a health record into pieces that can no longer be recognized as parts of the original health record. The factors to be considered include applicable federal and state statutes and regulations, accreditation standards, pending or ongoing litigation, storage capabilities, and cost.
Any health record involved in investigations, audits, or litigation should not be destroyed, even if the record retention schedule would provide for destruction otherwise. This is because health records contain valuable evidence and, further, destruction of this important evidence may be indicative of the provider’s bad faith. When health records are slated for destruction, procedures must ensure the information is not inappropriately disclosed in the process. For paper health records, common destruction methods include shredding, burning, pulping, or pulverizing (Rinehart-Thompson 2017d). Care should be taken to actually destroy electronic health records rather than merely deleting the pathway to access them. Destruction methods for electronic health records include overwriting; magnetic degaussing or demagnetizing (neutralizing the magnetic field to erase data); and physical destruction of the medium on which the health record resides, including pulverizing (laser discs) and shredding or cutting (DVDs) (AHIMA 2013). With electronic health records, there is the risk of duplicate records remaining in circulation (Rinehart-Thompson 2017d).
Health record destruction may be accomplished by the healthcare organization that owns the records, or the process may be outsourced. In either case, a list of all destroyed health records and the manner of destruction must be documented. A certificate of destruction and an agreement that ensures the protection of the information should both be obtained (AHIMA 2013; Rinehart-Thompson 2017d).
Medical Staff Credentialing
Another area with significant legal implications that the HIM professional may become involved in is medical staff appointments, also referred to as credentialing. A basic understanding of the legal issues and some of the functions in the credentialing process are important because the health information professional may be involved in this activity.
The healthcare organization is ultimately responsible for the quality of care it provides. This includes the quality of the medical staff, which consists primarily of the physicians who have been given permission to provide the healthcare organization’s clinical services. Depending on the healthcare organization, other providers such as dentists, podiatrists, advanced practice nurses, and physician assistants may also serve on a healthcare organization’s medical staff.
A healthcare organization’s governing board (board of directors) is accountable to establish policies and procedures that ensure reasonable care in the appointment of medical practitioners to the healthcare organization’s medical staff and the granting of clinical privileges. Clinical privileges are the defined set of services a qualified physician is permitted to perform in that organization such as admitting patients, performing surgeries, or delivering infants.
Credentialing includes both the initial appointment and reappointment of individuals to the medical staff and determination of the extent of their privileges. The customary process by which an application for medical staff appointment and privileges is considered involves review at several levels. These include the appropriate clinical departments, credentials committee, medical staff executive committee, and board of directors. Although the board of directors relies on the advice and recommendations of the medical staff, ultimate responsibility for making appointments and reappointments and for ensuring the medical staff members are qualified to perform the functions for which they have been granted privileges rests with the board (Pozgar 2016).
An important part of the credentialing process is querying the National Practitioner Data Bank (NPDB), which was established by the federal Health Care Quality Improvement Act of 1986. One goal of the NPDB is to limit the movement of physicians throughout the US where their negative histories such as medical malpractice liability and loss of privileges at other healthcare organizations may go undetected. NPDB regulations include requirements for reporting information to the NPDB and querying information from the NPDB prior to granting medical staff privileges (Pozgar 2016). Penalties and liability can result from failure to use the NPDB.
The HIM professional may serve as the medical staff coordinator, involving the collection, organization, verification, and storage of all information associated with credentialing. This includes information about the individual staff member’s professional background, credentials, previous professional experience, and quality profiles. All this information, including that obtained from the NPDB, is confidential. Therefore, policies and procedures must be in place to specify who may have access to what information and under what circumstances.
Licensure
Licensure is a designation given to an individual or an organization by a governmental agency or board that gives the individual permission to practice, or the healthcare organization to operate, within a certain field of practice. For example, physicians, nurses, and physical therapists must be licensed to practice. In many states, hospitals must be licensed in order to treat patients. Where licensure exists for a practice area, it is mandatory. Once an individual or healthcare organization becomes licensed, it is subject to further regulation by the relevant governmental body to ensure it is maintaining at least a minimal level of competence. For individuals, further regulation may include required continuing education. The legal significance of licensure in healthcare is that a government entity has deemed the individual or healthcare organization qualified to provide competent and safe patient care. HIM professionals are not licensed, but can be certified, meaning they are officially recognized by a private entity as meeting certain qualifications in the field. However, they may take part in or coordinate licensure maintenance for their healthcare organization. They may also assume the role of ensuring that licensure records of individual practitioners are updated and maintained by the healthcare organization in which they work.
Certification
Certification of individuals is a designation given by a private organization to acknowledge a requisite level of knowledge, competencies, and skills. Whether or not certification is required for an individual to practice (as is licensure) is an employer decision. Certification may either be entry level or mastery level. In the HIM profession, RHIA (Registered Health Information Administrator) and RHIT (Registered Health Information Technician) credentials signify entry-level generalist competency. AHIMA also offers mastery-level specialty certifications such as the CHPS (Certified in Healthcare Privacy and Security), CCS (Certified Coding Specialist), and CHDA (Certified Health Data Analyst). For information on these credentials, see chapter 1, Health Information Management Profession. In healthcare organizations, certification is a designation by HHS that its Conditions of Participation have been met. Although certification is not required for a healthcare organization to operate, it is required for the organization to participate in (and thus be reimbursed by) the Medicare and Medicaid programs.
Accreditation
The HIM professional will likely find herself or himself in a role that involves compliance with accreditation standards. This role may involve compliance with standards relating to health information or coordinating a healthcare organization’s overall compliance with the standards of the body by which it is accredited. Accreditation is a designation given to a healthcare organization by an accrediting body, demonstrating that the healthcare organization has met the accrediting body’s requirements for excellence. Accreditation is generally viewed as the highest level of competence or validation that a healthcare organization can demonstrate. In acute care, Joint Commission is the most prevalent accrediting body. Other accreditors include the HFAP, DNV GL Healthcare, and Center for Improvement in Healthcare Quality (CIHQ). There are accrediting bodies in other care settings as well, such as the Accreditation Association for Ambulatory Health Care (AAAHC) and the Commission on Accreditation of Rehabilitation Facilities (CARF), a prevalent accreditor in rehabilitation. By successfully completing an acute care–deemed status survey by The Joint Commission, HFAP, DNV GL Healthcare, or CIHQ, a healthcare organization that is accredited by one of these healthcare organizations is also deemed to have met Medicare and Medicaid requirements and thus holds concurrent accreditation and Medicare and Medicaid certification.
HIM Roles
With familiarity in health law and a deep knowledge of the health record, HIM professionals can fill nontraditional roles. Many of these positions require advanced training to have the skill set needed to apply for and be accepted into the following dynamic positions:
Medical malpractice health record analyst. This position is dedicated to facilitating health record review for either plaintiff or defense attorneys in the medical malpractice claims and litigation management process. HIM professionals can assist parties and their legal counsel by developing case summaries and preparing chronologies of medical events that are pertinent to a legal case.
Patient advocate. HIM professionals can serve as patient advocates in many roles, including assistance with health literacy and medical bill interpretation. Included in this role is assisting patients toward a greater understanding about healthcare decision-making, including consents and advance directive options.
Risk management. Identifying, monitoring, and preventing risks are key initiatives in any healthcare organization. Although the risk management function is often reserved for attorneys, in smaller healthcare organizations it may be an ideal role for HIM professionals due to their familiarity with and understanding of the health record, incident reporting, and the analysis and monitoring of trends.
Credentialing. A long-standing position for HIM professionals in some healthcare organizations, credentialing and re-credentialing medical staff members requires organizational and investigative skills. Familiarity with medical staff requirements also makes the HIM professional a qualified person for this role.
Accreditation. Because of the complexity associated with preparation for and compliance with accrediting body standards, healthcare organizations both large and small have positions for individuals who are responsible to manage the accreditation process. Because of their organizational skills and the relationship between health information and many accreditation standards, HIM professionals are suited to fill these roles.
Medical scribe. Some HIM professionals work with physicians as a medical scribe. The medical scribe takes on some of the clerical responsibilities of retrieving test results, navigating the EHR, and documenting in the health record as instructed by the physician (Gooch 2016).