MMI 407 Legal, Ethical and Social Issues in Medical Informatics
Key Artifacts:
Syllabus
Article Critique: Ethical and Social Challenges for Medical Informatics by Dr. Kenneth Goodman
Research Paper: Medical Identity Theft: What are we doing to protect the victims?
Reflection
Learning Goals:
· Protected Health Information (PHI) and understand the range of permissible uses and disclosures allowed in HIPAA
· Analyze, criticize and construct rigorous policy-oriented arguments for the appropriate handling of healthcare data
· Basic government regulations and legal principles applicable to healthcare data management (i.e., how to keep your CIO out of jail)
· The Joint Commission’s accreditation interest in medical informatics and data handling
· The key components of an effective compliance program including a demonstration of regulatory informatics
· Regarding future legal and ethical regulation of medical informatics in the U.S. social landscape
· Develop a basic facility with legal terminology to be in position to know when and how to consult effectively with corporate legal counsel
On our first day of class in MMI 407, we did a brief introduction and some short housekeeping, then immediately delved into the Issue-Spotting exercises. These exercises were not only fun but very informative as well. The scenarios were not only realistic but were something that could happen to any one of us in that sync session. Everyone in the class was eager to participate in this discussion.
HIPAA Regulation is nothing new to me. A patient’s health information needs to be protected so it is not used inappropriately, and that is basically what HIPAA does. As a Case Manager, I am, at times, met with resistance whenever I call a facility or a physician’s office requesting a patient’s clinical information. Their standard response would be “We can’t give you that information because of HIPAA,” to which I reply, “Well, if you want your facility or your office to get paid, I’m going to need that information.” Our class discussion on HIPAA gave me insight into how to better approach this with providers. There are six ways that allow a healthcare provider to disclose or use PHI:
· Treatment
· Payment
· Healthcare Operations
· By operation of Law
· After Patient Authorization is obtained
· After obtaining a Waiver of Patient Authorization from IRB or Privacy Committee
I have since used TPO (Treatment, Payment and Operations) as an explanation to facilities or physicians’ offices and have gotten the clinical information I need. Most people are under the impression that PHI is only obtainable when there is an authorization from the patient. What they do not realize is that the HIPAA form they sign actually states that PHI could be released when any of the six key elements are involved.
I learned that de-identified PHI is not covered by the HIPAA Rule, although state privacy and security laws still apply. De-identified PHI is PHI from which the identifiers that could lead back to a patient are removed or stripped. This includes the patient’s name, address, date of birth, Social Security number, telephone number, fax number, email address, Medical Record numbers, etc. The de-identified data can then be used to track diseases, track flu outbreaks or for tax purposes. The problem is that, because there is an influx of data repositories online, keeping the data anonymous would be challenging. As a result, I firmly believe that de-identified PHI should still be subject to the HIPAA rule so healthcare providers are not inclined to let their guard down when it comes to protecting PHI.
In one of her lectures, Dr. Lindgren mentioned how “a solid knowledge of HIPAA can keep both you and your CIO out of jail.” I learned that there are five HIPAA implementing regulations: Healthcare Data Privacy; Electronic Healthcare Data Security; Transaction Standards & Medical Data Code Sets; Standard Unique Identifier for Healthcare Providers; and Standard Unique Identifier for Employers. Wrongful disclosure of a patient’s identifiable PHI could mean stiff monetary fines and jail time for the offender. I think just knowing the consequences of violating the HIPAA rules should scare providers away from accessing and disclosing data without obtaining authorization from patients. Another regulation that protects personal information is the Family Educational Rights and Privacy Act of 1974, or FERPA, which protects an individual’s educational and medical records but does not provide as strong a protection as HIPAA does. I could not say how many colleagues have come up to me, and still do, asking for a relative’s or a friend’s medical information while they are in one of our facilities. Taking this class just heightened my HIPAA radar, and I refuse to go to jail or pay fines just to satisfy someone’s curiosity.
Our lecture on The Joint Commission, also known as TJC, brought to my attention standards relevant to an Informaticist. These are the Information Management Standards (IM Standards) and the Ethics, Rights and Responsibilities Standards (RI Standards). The IM Standards address Privacy and Confidentiality, Information Security and Data Continuity, while the RI Standards state that “The hospital respects the needs of patients for confidentiality, privacy and security.” By the looks of it, the TJC Standards are in alignment with the HIPAA Regulations.
The concept of Regulatory Informatics was foreign to me until Ms. Leslie Prellwitz, Director of Clinical Data and Informatics at The University HealthSystem Consortium, joined our sync session as a guest lecturer. The Federal Government and accrediting agencies such as TJC have multiple roles, serving as Regulators, Policy Makers and even Payers. As a Regulator, the Government’s goal is to ensure effective healthcare coverage and promote quality care for beneficiaries. UHC performs Regulatory Informatics for its members through data collection, data aggregation, data integration, data analysis, review of data and the publication of clinical trial data and results. This was very exciting to me because I just started working on Ingenix’s Data Analysis Program and, after viewing the AHRQ measures for one of UHC’s member hospitals, I saw its potential to be a powerful tool for our Case Management Program.
My perception of Ethics and Informatics colliding was limited to the malicious release of someone’s PHI. But I soon realized that Medical Informatics has the ability to generate information that could become very powerful. Information that could be a double-edged sword: providing benefit for the common good but with the potential to cause harm. When Prof. Lindgren pointed out that traditional structures and professional responsibility would change because of the power of Medical Informatics, I wanted to disagree and say that, much like the CDSS, the data generated is not meant to be used as the ultimate answer but as a guide. However, with the push to use Evidence-Based Medicine, Medical Informaticists should be held to standards so they are more cognizant when analyzing and presenting their data. Other factors that could affect the social landscape are the confusion about ownership of or rights to the data, and professionalism, that is, whether Informaticists should be held accountable to special moral obligations. In an article by Dr. Kenneth Goodman titled Ethical and Social Challenges for Medical Informatics, he expressed his concern that clinicians would forgo a thorough assessment of their patients and rely heavily on data they do not understand. He also pointed out the human tendency to lay blame on someone else when things go wrong. It is therefore reasonable to hold Medical Informaticists to a higher standard, but ultimately the decision should still rest with the clinician, who might be aware of other factors not accounted for in the CDSS.
Professor Lindgren’s class had a great impact on me because of the magnitude of what is involved in handling PHI. Her Issue-Spotting Exercises were not only informative but something that might come in handy should I encounter the same dilemmas as were presented in the cases. Through those exercises I learned when to consult with corporate legal counsel (when there is a question of whether data was breached, or when proprietary ideas were created outside of the working environment). In my project, I decided to focus on Medical Identity Theft, one of the fastest growing forms of identity theft. Equally disturbing is the fact that most perpetrators are those with access to the PHI. Because Medical Informatics handles data that could be misused, compliance with regulations and laws is important so the information is used for the common good and not just for a chosen few.