Abstract: The Patient Safety and Quality Improvement Act of 2005 (PSQIA) aims to aid patients by increasing the availability to data needed to resolve safety and health issues. Consequently, this has a significant impact on the medical industry, creating the need for a comprehensive understanding of patient rights protected by HIPAA, as well as through additional privacy, security and safety rules. Knowing the medical community’s responsibilities when it comes to federal health privacy regulations, and reporting any violations thereof, can ensure your practice a distinct safety of its own.
Federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule together protect patients’ fundamental rights of nondiscrimination and privacy. Subsequently, the regulation implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA) was published on Nov. 21, 2008, and became effective on Jan. 19, 2009, (42 C.F.R. Part 3).
PSQIA establishes a voluntary reporting system to enhance the data available to assess and resolve patient safety and health care quality issues. It also encourages the reporting and analysis of medical errors. It is the federal government’s hope that this confidentiality provision will improve patient safety outcomes by creating an environment in which reporting of patient safety events will yield increased data and better understanding of the issues to improve patient safety.
The U.S. Department of Health and Human Services Office for Civil Rights has been requiring HIPAA-covered entities to promptly notify affected individuals of a breach of security since the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009.
Rules to understand
The HIPAA Privacy Rule provides federal protection for personal health information held by covered entities and gives patients an array of rights with respect to that information. In other words, it says who can look at and receive health information, and also gives the patient specific rights over that information.
At the same time, the Privacy Rule is balanced so it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information.
The Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information. It also enforces the HIPAA Security Rule, which sets national standards for the security of protected electronic health information, and the confidentiality provisions of the Patient Safety Rule, which protects identifiable information being used to analyze patient safety events and improve patient safety.
The Privacy and Security Rules apply only to “covered entities.” Individuals, organizations and agencies that meet the definition of a covered entity under HIPAA must comply with the rules’ requirements to protect the privacy and security of patients’ health information, providing individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy or the Security Rule.1
Covered entities include health care providers such as physicians, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies. But this is only if these entities transmit any information in an electronic form in connection with a transaction, for which the Department of Health and Human Services has adopted a standard.1
Covered entities additionally include health plans and can encompass health insurance companies, HMOs, company health plans and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs.1
Finally, a health care clearinghouse is also considered a covered entity, and this includes entities that process non-standard health information they receive from another entity into a standard format or vice versa.1
The Patient Safety Rule went into effect on Jan. 19, 2009, and it established a voluntary system for Patient Safety Organizations (PSOs) to aggregate and analyze data they receive from health care providers regarding medical errors and other patient safety events so as to improve patient safety. To encourage provider reporting, the Patient Safety Act and Rule includes federal privilege and confidentiality protections for Patient Safety Work Product (PSWP). Information submitted to and developed by these PSOs is protected as a PSWP.
A PSWP is any information that:
- Is assembled or developed by a health care provider for reporting to a PSO that is listed by the HHS Agency for Healthcare Research and Quality (AHRQ) and is documented as being within the provider’s patient safety evaluation system for reporting to a PSO;
- Is developed by a PSO for the conduct of patient safety activities; or
- Identifies or constitutes the deliberations, or analysis of, or identifies the fact of reporting pursuant to a patient safety evaluation system.2
PSWP may identify patients, health care providers and individuals who report medical errors or other patient safety events. PSWP is confidential and may only be disclosed in certain, very limited situations.
For a full description of permissible disclosures, see the Patient Safety Rule section at www.hhs.gov/ocr/privacy/psa/regulation/rule/index.html. Additionally, PSWP remains protected regardless of who holds the information.
Privacy Rule complaints
If you believe someone’s health information privacy rights have been compromised or someone has committed a violation of the HIPAA Privacy Rule, you may file a HIPAA Privacy Rule complaint at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
If you believe a person or organization impermissibly disclosed information, you also may file a complaint. Your complaint must:
- Be filed in writing and sent by mail, fax or e-mail;
- Name the person that is the subject of the complaint, as well as describe the act or acts believed to be in violation of the Patient Safety Act requirement to keep PSWP confidential; and
- Be filed within 180 days of when you knew or should have known the act complained of occurred. The OCR may waive the 180-day time limit if good cause is shown.
The complaint form includes:
- The contact information of the person filing a complaint, as well as the means to contact the person filing the compliant. The filer of the complaint may be a patient, a provider or a reporter who is identified in the information that was impermissibly disclosed;
- The provider, patient safety organization or other person whom you believe disclosed the patient safety work products that violated the patient safety confidentiality is also required;
- Date of impermissibly disclosed PSWP;
- Details of the how and why you believe that a disclosure occurred; and
- A signature and filing date.
The OCR is then responsible for the investigation and enforcement of the confidentiality provisions of the Patient Safety Rule. It will provide technical assistance and seek out an informal resolution of complaints involving the impermissible disclosure of PSWP through voluntary compliance from the responsible person, entity or organization.
If the OCR is unable to achieve an informal resolution of an indicated violation through such voluntary compliance, its Secretary may impose a civil money penalty of up to $10,000 for each knowing and reckless disclosure that is in violation of the confidentiality provisions.
The OCR provides technical assistance to people seeking to comply with the confidentiality provisions and public information regarding the administration of the enforcement program. To contact the OCR, visit its Web site at www.hhs.gov/ocr/privacy.
As the federal government debates and considers a more socialized medicine platform, the importance of electronic health care transactions and compliance with standards as a provider, health insurance plan or employer will play a key role in keeping costs under control and patient information private. Keeping abreast of these updates will ensure your practice’s survival through future health care developments on both the state and national level.
1. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html(Accessed Apr 21, 2010)
2. www.hhs.gov/ocr/privacy/psa/enforcement/index.html (Accessed Apr 21, 2010)