28 Video 3 DMU DPM Health Law 2024 Medical Records & HIPAA.pdf

Full Transcript

Top 10 Lessons: Helping Podiatric Physicians Survive the Health Law Jungle
Video 3
DPM Community Health
September 2024
Denise M. Hill, JD/MPA
Associate Professor, Drake University
Of Counsel Attorney, Whitfield & Eddy, PLC

© 2024 Denise Hill -- For Education Not Legal Advice

Learning Objectives: Jurisprudence (2024)
- Identify the laws that protect patients, including their medical records, protected health information, and their safety.
- Identify the role of laws that govern corporations and other legal practice entities in protecting patients.
- Recognize the general legal concepts that govern medical practice.
- Identify the duties and responsibilities of state medical boards and hospital medical staff.
- Demonstrate knowledge of the following: Federal Kickback Law, Stark II Law, and False Claims Act as they relate to fraud and abuse.
- Define and demonstrate knowledge of informed consent liability, battery, and the essential elements of negligence (duty/standard of care, breach of care, damages, and causation) as they relate to health care delivery.
- Identify strategies for disclosure of adverse outcomes and legal ramifications.

Top Lessons (Part 1)
Top Lessons to Survive the Health Law Jungle:
1. Don’t ignore those who set limits & control your destiny.
2. Be clear on the scope of your relationship and don’t abandon your patients.
3. Deal with the elephant in the room—informed consent and disclosure are crucial.
4. Plan ahead and take steps to protect yourself from malpractice.
5. Don’t repeat everything you hear—maintain confidentiality.

Top Lessons (Part 2)
6. Know how to recognize and avoid the dangers of fraud and abuse.
7. Don’t try to blend in—report.
8. Set up a business system that works efficiently and profitably.
9. Don’t be proud, let process drive you & work with others to improve.
10. Don’t get stuck with a bad contract.

5. Don’t Repeat Everything You Hear—Maintain Confidentiality

Document…Document…DOCUMENT!!!!
Document ALL clinically pertinent information in the medical record, objectively and contemporaneously or as close to the time care is given as possible.
If it’s not charted, it did not happen!

What Should be Included
- General Patient Information
- Fail to show/Non-compliance
- Past Medical/Family History
- Telephone calls
- Patient Complaint
- Symptoms
- Reports of exams, lab & x-ray
- 2nd opinions & Consultations
- Diagnosis
- Prescription Drugs
- Treatment prescribed & results
- Progress
- Changes in therapy or medications
See https://www.soapnoteai.com/soap-note-guides-and-example/podiatry/

Office of Inspector General (OIG) "Compliance Guidance for Physician Practices"
Documentation must:
- Be complete & legible
- Include: date, observer name, reason for the visit, history, physical exam, test results, assessment, clinical impressions, diagnosis & plan of care
- Express rationale for ordering diagnostic & ancillary services
- Complete & double check CMS 1500 form if relevant
- Use CPT and ICD-9/10 codes for claims submission & ensure supported in the medical record
- Identify health risk factors, patient's progress & response to/changes in treatment or diagnosis
- Validate site of service, appropriateness of the services provided, accuracy of the billing & identity of the provider
Record should facilitate continuity & quality of care.

Resources
https://www.picagroup.com/site/binaries/content/assets/documents/picadocumentationessentials.pdf
Kobak120web.pdf (podiatrym.com)

ME3.0 Confidentiality
The podiatrist and his/her staff must maintain strict confidentiality (subject to federal and state laws) as to the condition and treatment of all patients. Release of any information must be premised on the consent of the individual patient. (See interpretive guideline.)

ME3.1 Medical Records
ME3.11 The podiatrist acts in a manner that protects the confidentiality of the patient & the records of the patient.
ME3.12 The podiatrist ensures that the staff over whom he/she has responsibility or supervises has an essential knowledge of the duty to maintain the confidentiality of the patient records.

ME3.2 Diagnosis
ME3.21 The podiatrist respects the confidentiality of the patient’s diagnosis & does not release the diagnosis without the consent of the patient unless mandated by law.

ME3.3 Treatment
ME3.31 The podiatrist respects the confidentiality of the patient treatment information & does not release the treatment information without the consent of the patient unless mandated by law.

UPDATE

Safeguarding Patient Confidentiality
Policies on information security limiting access and retrieval are a MUST!!!!
- Constitutional implications and liability
- Board Administrative Requirements
- HIPAA
http://www.hhs.gov/news/press/2011pres/02/20110222a.html

HIPAA
Health Insurance Portability and Accountability Act of 2003-Federal approach to privacy
Several components – privacy, security, transactions and code sets, uniform identifiers
GOALS:
– Gave patients access to their medical information & who has use/access to it.
– Was to ensure that providers and plans do NOT use or disclose an individual’s health information except for Treatment, Payment, or Regular Health Care Operations without consent.

PRIVACY PRE-EMPTION: Who rules—State or Federal Government?
- If state privacy laws are “contrary” to the HIPAA Privacy Rule, HIPAA preempts the state law.
- IF your state law is STRICTER than HIPAA, follow STATE LAW!

Health Insurance Portability and Accountability Act of 1996--Privacy
Privacy Basics
Who?   Covered entities, health care providers & Business Associates
What?  Use, Disclosure & Security of Protected health information (PHI) & Patient Rights
When?  Always unless patient consents or exception applies
Where? In custody—setting and storage considerations
Why?   To honor patients’ expectation of privacy, promote trust, & avoid misuse of information (e.g. stigma)
How?   Take steps to safeguard & protect PHI AND Patient Rights
https://phoenixnap.com/blog/hipaa-compliance-checklist

Secure & Protect PHI
- Ethics
- Common Law
- Contract Law
- State Law
- HIPAA Privacy & Security Standards
- HI-TECH

Your turn…Which is PHI?
- Prescription
- Date of admission
- List of Side-effects of drug
- Health care provider’s name
- Patient’s side-effects
- Clinical Test results
- Address of Pharmacy
- Medical history-allergies
- Address of Patient
- Insurance information
- List of Patient’s Medications
- Name of insurance company
- Patient’s height and weight
- Medication Tracking number
- Patient’s Plan of Care
- Physician’s prescribing pattern
- Medication prescribed
- X-rays
- Social security number
- Fingerprints
- Genetic Test Results
- Picture of patient at counter in marketing brochure

Common PHI Podiatry Students May Encounter
- Clinical charts
- Rx records
- Billing records
- Patient profiles
- Emails/faxes
- Some phone calls from patients
- Verbal patient counseling
- Rounding lists

How is PHI Stored & Accessed?
- Verbal Communication
- Hard Copy
- Electronic Data
Your duties to protect PHI will depend on this!
Electronic Security Tips
- Computers
- Mobile Devices
- The New Reality: Patient Portals

Tips for DPM Students
- Do not discuss patients in a public area
- Don’t speak re: PHI too loudly
- Remove PHI when presenting patients
- Charts and computers should not be left open
- Follow Institutional Policies & Procedures
- Protect portable devices/encrypt etc.

Social Media
Photo by Gianfranco Chicco is licensed under CC BY-NC-SA 3.0

Well-Intentioned Social Media Risks
1. Terminated employee posts notice to prior patient by name on Facebook about new job.
2. Employee assists patient/family to post or blog (e.g. CaringBridge).
3. Communal laptop and flash drives are not wiped after use.
4. Client/patient misses appointment, provider reaches out on Facebook to ask why.
5. Employee “friends” a client/patient – boundary issues.
6. Mailing home encrypted data or disabling security.
7. Patient photos and “geo tags.”
8. Inadvertent, social sharing of PHI.

Use v. Disclosure of PHI
USE: "sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information."
DISCLOSURE: "release, transfer, provision of access to, or divulging in any other manner PHI outside the entity holding the information."
- “TPO”— treatment, payment & operations
- Patient authorization
- Agreements
- Laws
Treatment / Payment / Operations

When in doubt—Find out!
Ask your administrator or request patient authorization
Photo by LawyersandSettlements.com is licensed under CC BY-ND 3.0
Photo by Edublog is licensed under CC BY-NC-SA 3.0
CC BY 4.0
Photo by enfermeriauva.blogspot.com is licensed under CC BY-NC-SA 3.0

CAUTION: Be careful what you discard!

Protected Health Information Disclosure: Rule of Thumb
- Authorized
- Limited to Necessary Information
- Protect from others

Designated Record Set (HIPAA)
Formal requests re: designated records set: This set includes any records containing "medical... case or medical management... billing... enrollment, payment, [or] claims adjudication" information, used "in whole or in part, by or for the covered entity to make decisions about individuals." 45 CFR 160.103

USE or DISCLOSE it all?

Permitted Disclosures
- Legal Representative
- Family & friends involved in care (unless says no)
- Other providers
- Business associates

EMERGENCY!
It IS acceptable to release PHI in emergency situations without authorization.
Remember: use your best judgment and keep the patient’s best interest in mind!

Incidental Disclosures
- Overheard by another person when counseling a patient or talking to another health care professional
- Piece of paper may be seen by somebody who should not see it
- Family or friends picking up prescriptions
- Not penalized under HIPAA if policies are in place to protect information
Violations do NOT occur when:
– Disclosure could not reasonably be prevented
– Is limited in nature
– Is a byproduct of permitted disclosures

3. HIPAA Patient Rights
Patient Right to:
- Notice of Privacy Practices
- Review & get copies of medical & financial records
- Request corrections

Patient Access to Records
Patients may request and are entitled to:
– Copy of their medical record; the covered entity has up to 30 days to comply. May charge a reasonable fee for actual costs.
– Accounting of non-routine disclosures:
  - Description of what was disclosed
  - Why it was disclosed
  - The date
  - Name of individual receiving the information and their address if available

What’s New… Restricting Information to Payers
- Patient must request that no information be provided to the insurer
- Patient must pay for service in full, in cash
- Doctors may disclose restricted information if audited by Medicare
- Unbundling situations – patients must be counseled about all or nothing approach

HI-TECH Act—What if there is a data breach?
http://www.podiatrym.com/Current_Issue2.cfm?id=2226

Handling Breaches-HITECH Act
If the covered entity discovers a breach of unsecured PHI—Must notify patients. If more than 500, also have to notify media and HHS.
Three-step procedure to decide whether or not to disclose a HIPAA breach:
1) Was there an impermissible use or disclosure of PHI under the privacy rule?
2) Does the impermissible use or disclosure pose a significant risk of financial, reputational, or other harm to the individual?
3) Are the exceptions to the definition of “breach” or the notification requirement inapplicable to the impermissible use or disclosure?
If the answer is no = likely do not have to report perceived problems.
Burden to decide if reasonable not to report under circumstances.
Compliance program must include detailed record-keeping procedures to justify why you did or did not think reporting would be required.

Reporting Privacy & Security Violations
If YOU are aware of or suspect a violation, YOU are REQUIRED to report it to:
- Supervisor
- Privacy Office
- Information Security Office
- Compliance Hotline
Also Institutional requirements

Consequences on Practice
Employed or contract physicians placed on immediate leave pending investigation
Disciplinary action:
– Fired/Terminate contract for cause
– Suspension
– Reprimand & Document employee record
– Probation
– Peer review
– Further training on HIPAA Privacy
Student consequences?

There are SERIOUS Consequences!
Audits
Civil penalties (OCR)
- Minimum fine is $100
- Maximum is $1.5 million
Criminal penalties (DOJ)
- “KNOWINGLY violated HIPAA laws”
- Fines up to $250,000
- Imprisoned up to 10 years

Your turn…Matt’s Story
Matt is hit by a car when walking in a crosswalk. The driver of the car was texting and did not see him. Matt is suing the driver of the other car for a broken arm he sustained when he was hit. The attorney for the driver who hit Matt sends a request to Dr. Foote requesting “any and all records” relating to Matt. Enclosed is a general authorization “for records related to treatment for injuries from being hit by the car” signed by Matt 18 months ago. Dr. Foote retired four months ago and handles record transfer requests from his small practice himself. He pulls out Matt’s records from the past 10 years. They include medical records outlining a surgery Matt had on his left foot, on-going treatment for plantar fasciitis, a list of medications used for pain management and to treat plantar fasciitis, billing/payments, and documentation by his psychiatrist, provided from another office, justifying a branded psychotropic drug after a fail-first generic had side effects. Dr. Foote then sends the records he has as requested. He figures he won’t need them.

Your turn…Fran’s Story
Fran is a DPM student working on a research project on patients with Diabetes. Exhausted from all the work she is doing, Fran dozes off on the train ride home from the research office. As she walks to her car, she realizes that she does not have her laptop. She knows she had the case when she got on the train but isn’t sure if she left it on the train or someone took it. She panics, realizing that the laptop has all her research files, which include the name, date of birth, medical record number, health insurer and policy number, diagnosis, pharmacy records and name of providers for 110 patients, as well as the names and medical record numbers of 392 other patients.

https://www.podiatrym.com/pdf/2019/12/Kobak120web.pdf
