case one joseph dixon kimberly d. ernst, md rozmin pirwani, rn larry stofko

Case OneCase One

Joseph DixonJoseph Dixon

Kimberly D. Ernst, MDKimberly D. Ernst, MD

Rozmin Pirwani, RNRozmin Pirwani, RN

Larry StofkoLarry Stofko

Northwestern Northwestern University Medical University Medical

CenterCenter

Review of Hospital Policies Review of Hospital Policies and Procedures Regarding and Procedures Regarding

HIPAA-Protected InformationHIPAA-Protected Information

NUMC Privacy CommitteeNUMC Privacy CommitteeJuly 2009July 2009

Recent Case (Mr. Recent Case (Mr. Smith)Smith)

• 25 year old patient admitted for 25 year old patient admitted for work-related accidentwork-related accident

• Required surgeryRequired surgery

• Developed post-operative Developed post-operative infectioninfection

Recent CaseRecent Case

• Wife obtained NUMC internal memo Wife obtained NUMC internal memo from bedside nurse regarding our from bedside nurse regarding our high post-op infection ratehigh post-op infection rate

• Wife went to CEO and threatened to Wife went to CEO and threatened to take internal memo to media if we take internal memo to media if we billed herbilled her

Recent Case IssuesRecent Case Issues

• Privacy issues for patientPrivacy issues for patient• Family membersFamily members• Law enforcementLaw enforcement• Insurance companyInsurance company• Employer (workers’ compensation)Employer (workers’ compensation)

Recent Case IssuesRecent Case Issues

• Research and QI/QA projectsResearch and QI/QA projects• Internal Communications BreechInternal Communications Breech• Business Associate AgreementsBusiness Associate Agreements

• Patient and Media RelationsPatient and Media Relations

HIPAA Privacy RuleHIPAA Privacy Rule

• The Health Insurance Portability and Accountability The Health Insurance Portability and Accountability Act (“HIPAA”) was signed into Federal Law in 1996.Act (“HIPAA”) was signed into Federal Law in 1996.

• After several revisions, the HIPAA Privacy Rule After several revisions, the HIPAA Privacy Rule became effective April 14, 2003.became effective April 14, 2003.

• At this time, the Federal Law supersedes the Illinois At this time, the Federal Law supersedes the Illinois Health Insurance Portability and Accountability Act.Health Insurance Portability and Accountability Act.

• HIPAA Rule slated to become more restrictive this HIPAA Rule slated to become more restrictive this year with enactment of American Recovery and year with enactment of American Recovery and Reinvestment Act (“ARRA”) stimulus program.Reinvestment Act (“ARRA”) stimulus program.

Privacy Issues for Privacy Issues for Patients:Patients:

LegalLegal• The hospital is legally allowed to The hospital is legally allowed to

release PHI, as part of their facility release PHI, as part of their facility directory, to those who ask by name directory, to those who ask by name to include:to include:• NameName• Hospital locationHospital location• General condition (i.e. critical, serious, General condition (i.e. critical, serious,

etc.)etc.)• Religious affiliation Religious affiliation


Policy/ProcedurePolicy/Procedure• NUMC has chosen to enact stricter NUMC has chosen to enact stricter

privacy policies.privacy policies.• Employees will not release any Employees will not release any

information except “minimally necessary” information except “minimally necessary” info for relatives to find the patient. info for relatives to find the patient.

• Religious information will not be given out Religious information will not be given out except in cases of likely terminal except in cases of likely terminal outcomes in the emergency room; outcomes in the emergency room; however, patients will be informed how to however, patients will be informed how to contact clergy.contact clergy.


LegalLegal• Family membersFamily members

• Physicians may release health information to Physicians may release health information to family and friends without authorization or family and friends without authorization or consent if the patient is unconscious or consent if the patient is unconscious or incapacitated and the physician deems it is in incapacitated and the physician deems it is in the best interest of the patient.the best interest of the patient.

• If the patient were unconscious or If the patient were unconscious or incapacitated, the wife would need to make incapacitated, the wife would need to make medical decisions on his behalf (Power of medical decisions on his behalf (Power of Attorney for Healthcare). Attorney for Healthcare).


Policy/ProcedurePolicy/Procedure• Family membersFamily members

• Physicians will use their best Physicians will use their best judgment to release only the judgment to release only the “minimum necessary” information to “minimum necessary” information to families, especially when the families, especially when the information is of a sensitive nature.information is of a sensitive nature.

Privacy Issues:Privacy Issues:LegalLegal

• Law enforcementLaw enforcement

• The hospital can provide the The hospital can provide the “minimum necessary information” to “minimum necessary information” to the police officer under HIPAA’s the police officer under HIPAA’s “Serious Threat or Safety Rule” if they “Serious Threat or Safety Rule” if they believe in their judgment that such believe in their judgment that such disclosure will be in the best interest disclosure will be in the best interest of the patient and public. of the patient and public.



• There are six circumstances when There are six circumstances when information can be released to law information can be released to law enforcement, none of which pertain to enforcement, none of which pertain to this particular case. this particular case.

• Therefore, the covered entity would not Therefore, the covered entity would not havehave to release this information to law to release this information to law enforcement. If they did, it should be the enforcement. If they did, it should be the “minimum necessary” information for law “minimum necessary” information for law enforcement to do their duty.enforcement to do their duty.

Privacy Issues:Privacy Issues:Policy/ProcedurePolicy/Procedure


• The police officer would need to get a signed The police officer would need to get a signed consent or a court order or subpoena for the consent or a court order or subpoena for the release of those records since this was not a release of those records since this was not a criminal investigation.criminal investigation.

• All non-emergent requests coming from law All non-emergent requests coming from law enforcement will need to be written on official enforcement will need to be written on official police stationary to confirm the identity and police stationary to confirm the identity and authority of the asking official.authority of the asking official.

• All requests will be funneled through the Risk All requests will be funneled through the Risk Management Officer of the Health Information Management Officer of the Health Information Management Department. Management Department.


• Insurance companyInsurance company

• HIPAA allows for the use and HIPAA allows for the use and disclosure of patient health disclosure of patient health information so that the treatment and information so that the treatment and services provided may be billed and services provided may be billed and payment may be collected from the payment may be collected from the patient, an insurance company or a patient, an insurance company or a third party.third party.


• Insurance companyInsurance company

• All requests for PHI-necessary information for All requests for PHI-necessary information for payment need to be directed to the Case payment need to be directed to the Case Management Department.Management Department.

• Case Management will provide only the Case Management will provide only the “minimum necessary” information.“minimum necessary” information.

• We will submit the Healthcare Transaction We will submit the Healthcare Transaction Set 837 as part of the electronic claim Set 837 as part of the electronic claim submissions.submissions.


• Employer (workers’ compensation)Employer (workers’ compensation)

• There are three specific exclusions that There are three specific exclusions that allow disclosure of PHI for workers’ allow disclosure of PHI for workers’ compensation cases:compensation cases:• if the disclosure is necessary to comply with if the disclosure is necessary to comply with

state or other lawstate or other law• if the disclosure is for the purpose of if the disclosure is for the purpose of

obtaining paymentobtaining payment• or if the disclosure is for a program that or if the disclosure is for a program that

provides benefits for work-related injuries provides benefits for work-related injuries without regard to faultwithout regard to fault


• Employer (workers’ compensation)Employer (workers’ compensation)

• All workers’ compensation PHI-information All workers’ compensation PHI-information requests must go through the Case requests must go through the Case Management Department.Management Department.

• The information that is disclosed must be The information that is disclosed must be the minimum necessary to accomplish the the minimum necessary to accomplish the workers’ compensation purpose, which in workers’ compensation purpose, which in this case, would not be any labs that may this case, would not be any labs that may have been done for drug-related testing.have been done for drug-related testing.

Privacy Issues with Privacy Issues with Faxes:Faxes:LegalLegal• Faxes have the potential to be an unsecured Faxes have the potential to be an unsecured

method of transmission. The sender has no control method of transmission. The sender has no control over where the copies will end up (a centralized fax over where the copies will end up (a centralized fax machine) and how long they will be exposed to the machine) and how long they will be exposed to the possibility of being seen by people without proper possibility of being seen by people without proper authorization. authorization.

• However, if both the sending and receiving sides However, if both the sending and receiving sides have secure faxes, the transmission of information have secure faxes, the transmission of information can occur as a matter of legality.can occur as a matter of legality.

• The recipient should also have a reasonable The recipient should also have a reasonable identification performed to ensure the information identification performed to ensure the information is disclosed to an authorized party.is disclosed to an authorized party.

Privacy Issues with Privacy Issues with Faxes:Faxes:

Policy/ProcedurePolicy/Procedure• A confidentiality agreement must be signed by the A confidentiality agreement must be signed by the

receiving party prior to transmission.receiving party prior to transmission.

• The recipient should also have a reasonable The recipient should also have a reasonable identification performed to ensure the information is identification performed to ensure the information is disclosed to an authorized party.disclosed to an authorized party.

• A phone number will be obtained at the time of the A phone number will be obtained at the time of the request. The sender will contact the recipient at the request. The sender will contact the recipient at the time of transmission to ensure secure transmission.time of transmission to ensure secure transmission.

• There will be standard confidentiality language on the There will be standard confidentiality language on the cover sheet, approved by the Privacy Committee.cover sheet, approved by the Privacy Committee.

Research and QI/QA Research and QI/QA Projects:Projects:

LegalLegal• Under the umbrella of “healthcare operations,” Under the umbrella of “healthcare operations,”

information may be collected on patient outcomes. information may be collected on patient outcomes. A waiver of consent must be obtained from the IRB A waiver of consent must be obtained from the IRB such that each patient does not need to be notified such that each patient does not need to be notified that their PHI is being utilized. that their PHI is being utilized.

• QI/QA projects are used to provide internal, QI/QA projects are used to provide internal, confidential information to the hospital to gauge confidential information to the hospital to gauge their strengths and weaknesses for quality their strengths and weaknesses for quality improvement. The internal memo was the means improvement. The internal memo was the means he used to provide that information and was he used to provide that information and was confidential and proprietary. confidential and proprietary.


Policy/ProcedurePolicy/Procedure• The nurse went against hospital policy by The nurse went against hospital policy by

providing the wife with the internal providing the wife with the internal memo. memo.

• Other options included:Other options included:• Stating that this is a common infection that Stating that this is a common infection that

the hospital has chosen to deal with as a the hospital has chosen to deal with as a quality improvement project and that quality improvement project and that measures are underway to decrease the measures are underway to decrease the incidence of this type of infectionincidence of this type of infection

• Referring the family to her manager or Risk Referring the family to her manager or Risk Management Department via hospital policyManagement Department via hospital policy


Policy/ProcedurePolicy/Procedure• A Code of Conduct and training of A Code of Conduct and training of

employees of how to deal with patient employees of how to deal with patient inquiries of this type need to be inquiries of this type need to be documented, including the instruction documented, including the instruction of forwarding her inquiry to either her of forwarding her inquiry to either her supervisor, a privacy officer, or the supervisor, a privacy officer, or the Risk Management Department. The Risk Management Department. The penalties for repeat offenses should penalties for repeat offenses should be clearly stated in the policy. be clearly stated in the policy.


Policy/ProcedurePolicy/Procedure• There should be an Institutional Review There should be an Institutional Review Board (“IRB”) in place to guide researchers Board (“IRB”) in place to guide researchers in issues of privacy and security of PHI and in issues of privacy and security of PHI and the welfare of individuals.the welfare of individuals.

• The IRB is responsible for providing a The IRB is responsible for providing a written manual of their own policies and written manual of their own policies and procedures. procedures.

• The manual should be written in clear, The manual should be written in clear, concise, unambiguous language, concise, unambiguous language, understandable to its intended audience.understandable to its intended audience.


Policy/ProcedurePolicy/Procedure• Long-term independent consultants will be treated as Long-term independent consultants will be treated as

“workforce members” of the hospital, subject to all “workforce members” of the hospital, subject to all training, policies, and procedures of the hospital in training, policies, and procedures of the hospital in protecting information.protecting information.

• Short-term independent consultants would need to have Short-term independent consultants would need to have a business associate agreement to spell out the terms a business associate agreement to spell out the terms of data use and disclosure.of data use and disclosure.

• The hospital will install a card security system to ensure The hospital will install a card security system to ensure physical safeguards for several departments, including physical safeguards for several departments, including information systems, medical records, billing, case information systems, medical records, billing, case management, etc. management, etc.


Policy/ProcedurePolicy/Procedure• There has to be a business associate There has to be a business associate

contract signed between the parties contract signed between the parties (hospital and any independent contractors) (hospital and any independent contractors) before any services begin or access to any before any services begin or access to any PHI occurs.PHI occurs.

• Note: By divulging information to Mrs. Note: By divulging information to Mrs. Smith on the issue of the internal memo, Smith on the issue of the internal memo, we believe the BA may have violated key we believe the BA may have violated key provisions within his contract. As such, he provisions within his contract. As such, he can be reprimanded according to the terms can be reprimanded according to the terms of the contract. of the contract.

Patient and Media Patient and Media RelationsRelations

• Immediate reaction to wifeImmediate reaction to wife• Listen to her complaintsListen to her complaints• Say “I’m sorry your husband is so ill.”Say “I’m sorry your husband is so ill.”• Say “Thank you for informing me of Say “Thank you for informing me of

your concerns”your concerns”• Agree with her concernsAgree with her concerns• Assure her that providing quality Assure her that providing quality

healthcare is very important to the healthcare is very important to the organizationorganization


• Internal InvestigationInternal Investigation• Formal investigation taskforce Formal investigation taskforce • Notification of high level executivesNotification of high level executives

• CEOCEO• CNOCNO• CMO CMO • CFOCFO• CIOCIO• Risk ManagementRisk Management• Media RelationsMedia Relations


• Internal InvestigationInternal Investigation• Assure Mrs. Smith that an internal Assure Mrs. Smith that an internal

investigation will be conducted to investigation will be conducted to ascertain the facts about Mr. Smith’s ascertain the facts about Mr. Smith’s condition and treatment.condition and treatment.

• Explain investigation process and Explain investigation process and team membersteam members


• Internal InvestigationInternal Investigation• Meet as a team with Mrs. Smith (and Meet as a team with Mrs. Smith (and

family) to communicate the results of family) to communicate the results of the investigation with her in a timely the investigation with her in a timely manner. manner.


• Internal InvestigationInternal Investigation• If the hospital is “at fault,” assure her If the hospital is “at fault,” assure her

that everything will be done to that everything will be done to address the situation in a manner address the situation in a manner satisfactory to the family. satisfactory to the family.

• If the hospital is not “at fault”, do not If the hospital is not “at fault”, do not belittle her complaint, but assure her belittle her complaint, but assure her that you will use the information that you will use the information gained from the investigation to gained from the investigation to provide quality care to all patients. provide quality care to all patients.


• Send flowers to Mr. Smith and a “Thank Send flowers to Mr. Smith and a “Thank You” card to Mrs. Smith compliant with You” card to Mrs. Smith compliant with OIG regulations not to exceed $10.OIG regulations not to exceed $10.

• Ensure family receives a formal patient Ensure family receives a formal patient satisfaction survey.satisfaction survey.

• DO NOT contact the family for a DO NOT contact the family for a donation after Mr. Smith has been donation after Mr. Smith has been discharged!discharged!

Hospital HIPAA PoliciesHospital HIPAA Policies

• The hospital must have the following:The hospital must have the following:• written PHI privacy policieswritten PHI privacy policies

• written business associates agreements written business associates agreements respecting patient confidentialityrespecting patient confidentiality

• training for employees in privacy rule training for employees in privacy rule requirementsrequirements

• opportunities for patients to receive written opportunities for patients to receive written copies of the policy for privacy and a chance to copies of the policy for privacy and a chance to request restrictions on the use or disclosure of request restrictions on the use or disclosure of their PHItheir PHI

Hospital HIPAA PoliciesHospital HIPAA Policies

• The hospital must have the following:The hospital must have the following:• a grievance process for patientsa grievance process for patients

• a privacy and security officera privacy and security officer

• take reasonable measures to ensure PHI take reasonable measures to ensure PHI is not used for making employment or is not used for making employment or benefits decisions, marketing, or benefits decisions, marketing, or fundraisingfundraising

ANY QUESTIONS?ANY QUESTIONS?

case one joseph dixon kimberly d. ernst, md rozmin pirwani, rn larry stofko

Documents