#Sample Health Informatics Paper

 

The Correlation between HIPPA and EMR Systems

Health informatics is indeed one of the fast-growing fields of study thanks to increased usage of modern technologies in the health care industry. The term itself describes the acquisition, storage, retrieval and usage of healthcare information to enhance collaboration among various healthcare providers of a patient. Jeminiwa and Fox (2016) define Health informatics as the interdisciplinary study of the design, development, adoption as well as the application of IT-based innovations in the delivery of healthcare services. Despite a few challenges, health informatics has greatly improved service delivery of healthcare services through systematic processing of data. Therefore, this paper will discuss health informatics, but with a special focus on Health Insurance Portability and Accountability Act of 1996 (HIPPA), Electronic Medical Records (EMR) and more importantly, their correlation.

Health Insurance Portability and Accountability Act of 1996 (HIPPA)

The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is a United States legislation passed in 1996 with portability taking effect in 1997. The Act, which was signed into law by the then President Bill Clinton, provides data privacy as well as security provisions to safeguard medical information (Dwyer, Weaver and Hughes, 2004). HIPPA specifies who has the authority to access or retrieve medical records pertaining to a particular patient. Moreover, the law sets the extent to which medical records can be used and released and more importantly, the privacy standards that ought to be followed by healthcare providers in order to achieve HIPPA compliance.

To begin with, Dwyer et al. (2004) explain that healthcare providers have an obligation to inform patients of their security rights as well as HIPPA privacy. In addition, they must outline the steps or rather the procedures and policies they undertake to ensure the said obligations are met. In as much as the healthcare provider owns the patient’s medical records, the patient has an exclusive right to access or even ask for copies of their original medical records. Providers are prohibited from charging patients for locating and providing access to the said files, but may charge a reasonable amount for making copies as and if requested. The limit for such fees is set by state law and does vary. However, it would be important to note that HIPPA does not prohibit attorneys or insurers from being charged a search and retrieval fee on top of copying fees.  

In regards to the right of access to patient information, HIPPA privacy and security rights limit release or disclosure of a patient’s medical records to third parties without the authorization of that patient. However, this does not apply to other healthcare providers who fall under the category of covered entities.  Also, patient authorization is not required if the receiving party has a direct relationship with the patient and where information disclosed is used for fraud detection, performance review or care quality assessment (Richards, 2009).

Nonetheless, there are special scenarios applicable to HIPPA’s privacy and security rights. One such scenario is a case involving a deceased person. In such a scenario, a death certificate and a valid representative of the estate appointed by legal documentation are mandatory for any information to be released. As for minors, written consent from the parent or legal guardian is required (Richards, 2009). Then there are of course super-confidential records such as ones containing mental health, HIV information as well as drug and alcohol that require more stringent federal and state laws before they are released.   

Electronic Medical Records (EMR) Systems

The use of Electronic Medical Records (EMRs) continues to increase in various health care facilities and clinical practices. Park, Parwani and Pantanowitz (2014) define Electronic Medical Record as a patient’s medical chart that can be accessed and modified in digital format. Unlike personal Health Record which is controlled by the patient, EMR is under the direct control of a health care organization or hospital system. One country that has made enormous strides in regards to adoption of EMR is the United States of America. This can be greatly attributed to the existence of federal legislation that requires clinicians to gain “meaningful use” with certified EMRs. In effect, physicians progressively place more electronic lab tests orders in the EMR and also look up their patients’ results (Park et al., 2014).

In his dissertation, Briggs (2014) observed that approximately one-third of expenditures go into waste due to inefficiencies in healthcare delivery, medical errors, redundant testing and also high administrative costs. It is based on this premise that EMR systems enjoy unmatched acceptance and use in healthcare facilities. According to Hillestad et al. (2005), an estimated $ 77 billion per year could be saved through the adoption of interoperable electronic medical records. What’s more, EMRs contribute to higher quality of care as a result of increased adherence to guidelines that are evidence-based. Electronic Medical Records also improve patient safety through the reduction of medical errors. In regards to redundancy, EMRs reduce rates of duplicate testing as well as overtreatment by enhancing care coordination. Administrative costs are also lowered by the transitioning from paper-based medical records to electronic. More importantly, EMRs enhances the efficiency of patient visits (Briggs, 2014).

Despite the overall advantages of Electronic Medical Records, a number of challenges exist. One such challenge that is relevant to this paper is the issue of privacy and security of patient information. Healthcare providers and patients alike are concerned about medical privacies when implementing EMRs and this is where the correlation between Health Insurance Portability and Accountability Act of 1996 (HIPPA) and Electronic Medical Records systems comes into play.

Correlation between HIPPA and EMR Systems

The correlation between the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and Electronic Medical Records (EMR) is mainly anchored on compliance. According to Dwyer et al. (2004), HIPPA Act contains five sections also referred to as titles. HIPPA Title I offer health insurance coverage protection for individuals who either change or lose jobs. The legislation further prohibits group health plans from restricting access of individuals to coverage due to specific diseases as well as pre-existing health conditions and more importantly, from setting limits of lifetime coverage. Title II deals with the prevention of healthcare fraud and abuse, which comprise: (1) transactions and code sets; (2) identifiers; (3) privacy and (4) security. Title III deals with tax-related provisions and medical care guidelines. Title IV groups health plan provisions by further defining health insurance reform including persons with pre-existing conditions as well as those in need of continued coverage. Lastly, Title V deals with revenue offset provisions (Dwyer et al., 2004).

Of great relevance to health, informatics is Title II of the Act. The section, as aforementioned, prevents healthcare fraud and abuse. According to Dwyer et al. (2004), the provision includes a number of compliance requirements also known as Administrative Simplification Provisions.  One such requirement is the Transactions and Code Sets Standards. These are rules aimed at standardizing the electronic exchange of health-related information that is classified as patient-identifiable. Healthcare organizations are required to abide by a standardized mechanism for electronic data interchange (EDI) which is simply the electronic exchange of information between computers. Prior to the adoption of the Health Insurance Portability and Accountability Act of 1996 (HIPPA), Congress felt there was need to have uniform national standards to govern the electronic exchange of healthcare transactions in a bid to enhance efficiency as well as the effectiveness of the healthcare system and to alleviate administrative burdens on providers.

When submitting healthcare claims electronically, there are five code sets that HIPPA specifies for health care industry to use. They are; Current Procedural Terminology, International Classification of Diseases, National Drug Codes, Code on Dental Procedures and Nomenclature and HCFA Common Procedure Coding System.  With the standardization of the aforementioned medical data code sets, all local and propriety codes are eliminated (Steindel, 2010).

 The other requirement is the National Provider Identifier Standard. Under this requirement, each health care entity, including employers, healthcare providers and individuals must have a National Provider Identifier number. The National Provider Identifier Number (NPI) is simply a ten-digit identification number that is unique to a particular covered provider in the United States (Dwyer et al., 2004). The NPI exists as a result of HIPPA’s administrative simplification standards concerned with transactions of information and data elements. Its main purpose is to create national standards and facilitate organization within HIPPA transactions.

According to Steindel  (2010), the Health Insurance Portability and Accountability Act of 1996 (HIPPA) required that the secretary of the United States Department of Health and Human Services (HHS) develops regulations that protect the privacy as well as the security of certain information. In compliance with this regulation, the HHS published the HIPPA Privacy Rule and HIPPA Security Rule.

HIPPA Privacy Rule establishes national standards aimed at protecting patients against unauthorized access to individually identifiable health information. The rule’s primary focus is to limit the use and disclosure of Personal Health Information (PHI) and in this case, information stored in electronic medical records (Steindel, 2010).  The rule achieves privacy protection of patients’ information by demanding that doctors provide patients an account of every entity to which their PHI for administrative and billing purposes is disclosed while at the same time facilitation efficient flow of relevant health information through proper channels. Moreover, the HIPPA privacy rule allows patients to access their personal medical records.

On the other hand, HIPPA Security Rule concerned with the protection of Electronic Protected Health Information, establishes national standards aimed at securing patient data that is electronically stored or transferred. The rule demands that safeguards ought to be placed both physically and electronically to facilitate secure passage, reception and maintenance of Personal Health Information (Steindel, 2010).

Worth noting is that prior to the establishment of HIPPA, there were no defined or what can be termed as a generally accepted set of security standards for protecting health information in the healthcare industry. Gradually, new technologies evolved and in no time, the healthcare industry began to abandon paper processes and rely more on electronic information systems to transact health care processes such as paying claims, providing health information, answering eligibility questions and conducting many other administrative and clinically related functions.

Considering the potential security risks associated with adoption of such technologies including Electronic Medical Records (EMRs), the Security Rule serves to protect the health information of individuals while at the same time facilitating conducive environment for covered entities to adopt new technologies in a bid to enhance quality and efficiency of patient care. Importantly, the Security Rule is designed to be flexible and scalable to respond to the diverse healthcare market place (Steindel, 2010). This enables covered entities to implement procedures, policies and technologies that resonate with the particular size of an entity, its organizational structure and risks to consumers’ electronic personal health information.

The enforcement of the Privacy and Security Rules is the responsibility of the Office of Civil Rights which falls under the Department of Health and Human Services (HHS).  More precisely, the HIPPA enforcement Rule establishes guidelines for violation of HIPPA compliance investigations. As a result of OCR’s enforcement activities dating back to 2003, significant results have been obtained that have enhanced privacy practices of covered entities. In fact, OCR has obtained corrective actions from various covered entities that have resulted in systematic change. In-turn this has improved the privacy protection of health information for persons they serve (OCR, n.d). The enforcement process of Privacy and Security Rules by the OCR is achieved through several ways. For instance, the office investigates complaints filed with it. The OCR also conducts compliance reviews to establish the compliance of covered entities. Moreover, OCR performs education and outreach to enhance compliance with requirements of the Rules. It is also important to mention that the OCR works hand in hand with the Department of Justice in referring possible criminal violations of HIPPA (OCR, n.d).

The HIPPA De-identification Standards

Apart from the numerous benefits associated with the correlation between HIPPA and EMR systems, there are growing concerns in relation to the de-identification methodologies and standards that exist under the Health Insurance Portability and Accountability Act of 1996 (HIPPA) regulations. Considering that de-identified health data are no longer subject to HIPPA regulations and can be accessed for any purpose, McGraw (2013) explores concerns raised regarding the sufficiency of the HIPPA de-identification methodologies, lack of sufficient transparency about the use of de-identified data and lack of legal accountability for re-identification of the de-identified data that is unauthorized.

It is important to note that health information collected by healthcare providers and health insurers for the purpose of billing and treatment poses high value for other ‘secondary’ purposes. This includes medical research, public health, quality improvement and business analytics. Although the ability to access this information is governed by HIPPA privacy regulations also known as the HIPPA Privacy Rule, the rule only sets standards for identifiable health information (McGraw, 2013). As aforementioned, de-identified data are not subject to HIPPA regulations and the same goes for other state and federal privacy rules.

Policies to Enhance Trust in De-identified health data

Major concerns have been raised regarding the use of electronically stored medical records that are classified as ‘personal information’ by commercial enterprises operating in the mobile space and the internet in general. This is because such entities are not bound by HIPPA regulations hence, not required to comply with related de-identification standards.

To address these concerns, appropriate policies ought to be put in place. Based on findings of a workshop convened by Center for Democracy & Technology (CDT), a number of potential policies could be implemented to build trust in de-identified data. They include; prohibiting the re-identification of de-identified data that is rather unauthorized, enhancing the robustness and efficiency of de-identification methodologies, putting in place reasonable and adequate security safeguards for de-identified data and enhancing public transparency regarding the use of de-identified data (McGraw, 2013).

1. Prohibiting the re-identification of de-identified data that is unauthorized

In as much as there is insufficient evidence to prove common occurrence of re-identification of de-identified data protected by HIPPA, continued use of modern technologies such as Electronic Medical Records warrants the address for potential occurrence and the lack of accountability for those engaging in the activity. This, if not timely addressed, could create obstacles to enhanced usage of de-identified data. According to McGraw (2013), one solution is to ensure individuals and entities are held legally accountable for any unauthorized re-identification. To be more effective, such policies would need to apply to HIPPA non-covered entities that act as recipients of the de-identified data. This would grant them permission to re-identify and use health information, but consistent with the Privacy Rule.

1. Enhancing the Robustness and Efficiency of De-Identification Methodologies

Considering that the HHS already created methodologies that guide re-identification in regulation, their sufficiency concerns can be achieved without further legislation. McGraw (2013) further informs that participants of the CDT workshop gained consensus that strengthening the said methodologies, including accountability for re-identification, could effectively alleviate concerns about de-identification. Although the safe harbor methodology has suffered heavy criticism, HHS has rejected the premise to solely rely on the statistical methodology on the basis of simplification of de-identification process (McGraw, 2013). Therefore, it would be important for HHS to consider regular review of the safe harbor in a bid to ensure it upholds provision of low-risk re-identification.

1. Reasonable and Adequate Security Safeguards

Indeed there’s need to enforce reasonable information security safeguards to protect all health information. However, such safeguards should be proportionate to the privacy risks posed by the health data at hand. Unlike protection of identifiable data or data that face greater risk or re-identification such as electronically protected data which fall under HIPPA Security Rule, the security degree of de-identified health data need not to be that robust (McGraw, 2013).

1. Enhancing Public Transparency in relation to use of De-identified Health Data

Other than potential risks of confidentiality breaches in regards to de-identified health data, McGraw (2013) points out that there are actual concerns about the actual uses of patients’ de-identified health data. Although there are known cases where the data is restricted to pharmaceutical marketing purposes only, concerns have been raised about using de-identified data to inform various business decisions in a manner likely to impact patients negatively. This is indeed true as it applies to de-identifiable data stored in Electronic Medical Records being accessed without public knowledge. The HHS could consider increasing effective outreach to the public to enhance transparency by funding pilot projects or favorable regulatory treatment.

Conclusion

As evidenced in the paper, Health Informatics has truly grown and there are key areas that ought to be monitored in order to alleviate risks while at the same time taking advantage of the opportunities associated with the emerging technologies. One outstanding issue that has been explored in-depth throughout the paper is protection of patient security and privacy. With due compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and progressive improvements to the legislation, health data stored in electronic medical records systems can be retrieved and used without exposing patients to hazardous risks. Moreover, such data can be used safely to enhance healthcare delivery.​

 

References

Briggs, S. J. (2014). Health information technology: Assessing the impact of electronic medical records in primary care. The University of Texas at Dallas.

Dwyer III, S. J., Weaver, A. C., & Hughes, K. K. (2004). Health insurance portability and accountability act. Security Issues in the Digital Medical Enterprise, 72(2), 9-18.

Hillestad R, Bigelow J, Bower A, Girosi F, Meili R, Scoville R, Taylor R. (2005) Can electronic medical record systems transform health care? Potential health benefits, savings, and costs. Health Affairs (Millwood) 24(5):1103–1117.

Jeminiwa, R., & Fox, B. (2016). Electronic Health Records Implementation in Sub-Saharan Africa: A Review of the Literature. Research in Social and Administrative Pharmacy, 12(4), e16.

McGraw, D. (2013). Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. Journal of the American Medical Informatics Association, 20 (1): 29-34.

OCR. (n.d). Summary of the HIPAA Security Rule. Retrieved May 5, 2017, from U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/

Park, S. L., Parwani, A. V., & Pantanowitz, L. (2014). Electronic Medical Records. In Practical Informatics for Cytopathology (pp. 121-127). Springer New York.

Richards, E. (2009, April 19). When Can PHI Be Released without Authorization? Retrieved May 4, 2017, from The LSU Medical and Public Health Law Site: https://biotech.law.lsu.edu/map/WhenCanPHIBeReleasedwithoutAuthorization.html

Steindel, S. J. (2010). International classification of diseases, clinical modification and procedure coding system: descriptive overview of the next generation HIPAA code sets. Journal of the American Medical Informatics Association, 17(3), 274-282.