The situation. Healthcare providers need access to patient personal health information wherever patients are present for care. Systems that standardize electronic medical records provide such access, but the risk to privacy that accompanies that access is real, and breaches often make the news. At the Federal level, the HIPAA Privacy Rule protects personal health information gathered by healthcare providers, but most agree that information needs more protection than HIPAA currently affords. Some believe added protection may be found in the forming and keeping of codes of ethics.
A scenario. Mary works in a hospital health information management department, and Maureen, her friend, comes one day to pick up the medical records of a patient who is a client of the lawyer Maureen works for. Maureen, however, has forgotten to bring the client’s signed authorization form, though she assures Mary the form, which she saw the patient sign, is at her office. Since Maureen’s need for the form is urgent and there isn’t enough time to return with the form today, Maureen hopes to take the records and return with the form another day.
Read the iHealthCoalition’s eHealth Code of Ethics (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1761853/) and the Summary of the HIPAA Privacy Rule (https://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html). Then, with the above scenario in mind, consider the following questions:
In light of what the Code and HIPAA say, how might Mary and Maureen best resolve the problem?
How might a code of ethics provide personal medical information more protection than HIPAA?
In what ways, if any, does HIPAA protect personal medical information where codes of ethics do not?
Full Answer Section
If Maureen is unable to obtain the signed authorization form from the patient, she may be able to obtain a court order to release the medical records. However, this should be a last resort.
How might a code of ethics provide personal medical information more protection than HIPAA?
Codes of ethics can provide personal medical information more protection than HIPAA in a number of ways. First, codes of ethics can be more specific than HIPAA about certain types of PHI. For example, the iHealthCoalition's eHealth Code of Ethics contains specific provisions governing the release of genetic information and sensitive health information, such as HIV/AIDS status and mental health information.
Second, codes of ethics can hold healthcare professionals to a higher standard of conduct than HIPAA. For example, the iHealthCoalition's eHealth Code of Ethics requires healthcare professionals to "use their best judgment" to protect the confidentiality of PHI, even in situations where HIPAA does not specifically require it.
Third, codes of ethics can provide guidance to healthcare professionals in situations where HIPAA is unclear or silent. For example, the iHealthCoalition's eHealth Code of Ethics provides guidance on how to handle situations where a patient requests access to their PHI that is contained in a third party's records.
In what ways, if any, does HIPAA protect personal medical information where codes of ethics do not?
HIPAA protects personal medical information in a number of ways that codes of ethics do not. For example, HIPAA requires healthcare providers to implement certain safeguards to protect PHI, such as encrypting PHI and restricting access to PHI to authorized personnel. HIPAA also gives patients the right to file complaints with the Department of Health and Human Services (HHS) if they believe their PHI has been improperly disclosed.
In addition, HIPAA provides for civil and criminal penalties for violations of the Privacy Rule. These penalties can deter healthcare providers from improperly disclosing PHI.
Overall, HIPAA provides a comprehensive framework for protecting personal medical information. However, codes of ethics can provide additional protection for personal medical information by holding healthcare professionals to a higher standard of conduct and by providing guidance in situations where HIPAA is unclear or silent.
Conclusion
Mary and Maureen should resolve the problem by following the HIPAA Privacy Rule and the iHealthCoalition's eHealth Code of Ethics. Mary should not release the patient's medical records to Maureen without a signed authorization form. Maureen should obtain the signed authorization form from the patient or obtain a court order to release the medical records.
Codes of ethics can provide personal medical information more protection than HIPAA by being more specific about certain types of PHI, holding healthcare professionals to a higher standard of conduct, and providing guidance in situations where HIPAA is unclear or silent. HIPAA protects personal medical information by requiring healthcare providers to implement certain safeguards, giving patients the right to file complaints, and providing for civil and criminal penalties for violations of the Privacy Rule.
Sample Answer
How might Mary and Maureen best resolve the problem in light of what the Code and HIPAA say?
According to the HIPAA Privacy Rule, Mary should not release the patient's medical records to Maureen without a signed authorization form. This is because the HIPAA Privacy Rule requires healthcare providers to obtain a patient's written authorization before releasing their protected health information (PHI) to anyone other than the patient themselves.
The iHealthCoalition's eHealth Code of Ethics also reinforces this principle. Section 3.4 of the Code states that "health information professionals must obtain a patient's informed consent before releasing their PHI to anyone other than the patient themselves."
In the scenario described, Maureen has assured Mary that she has a signed authorization form from the patient, but she has forgotten to bring it with her. Mary should not rely on Maureen's assurance. Instead, she should explain to Maureen that she cannot release the patient's medical records without a signed authorization form. Mary should also offer to help Maureen obtain the signed authorization form from the patient.