Guide to Healthcare Information Protection and Privacy for Executives
Ebook, 395 pages, 3 hours


About this ebook

The goal of today's healthcare organizations' information systems is open, interoperable, standards-compliant and secure information systems. As electronic data interchange (EDI) continues to gain acceptance and use, risks of protection of the confidentiality of private healthcare information have arisen. As the volume of stored healthcare information continues to grow, so too does the desire to access that information. Insurers, employers, government papers, utilization review entities, researchers, government statisticians, peer-review bodies, and patients are all demonstrating an increased interest in healthcare information. There are some very real challenges implicit in electronic communications too which pose a further risk to the confidentiality of healthcare information.

Language: English
Publisher: Tim Godlove
Release date: Mar 10, 2015
ISBN: 9781508738923

    Book preview

    Guide to Healthcare Information Protection and Privacy for Executives - Tim Godlove

    Chapter 1

    Healthcare Industry

    Technology wants us, but what does it want for us? What do we get out of its long journey?

    1.1 Introduction

    The rapid changes in healthcare and information technology have effects on health information over traditional methods of maintaining health and medical information. Automating health information, which allows patient records to be accessed by authorized medical personnel anywhere and at any time, is designed to provide a variety of benefits, but it also carries privacy and security risks. The benefits claimed for electronic health records are that, by being able to quickly and accurately access a person's entire health history, errors will be drastically cut and patient care will be significantly improved. However, as with just about every trade-off in life, the good must be taken with the bad; and there are just as many disadvantages to electronic health records as there are benefits. The disadvantages stem from not only the lack of privacy and confidentiality associated with these records, but also the inability to properly control who has access to them.

    The healthcare industry is exceedingly diverse, consisting of various organizations such as small physician practices and large health systems, laboratories, pharmaceuticals, biomedical companies, private and public payers, regulators and public health organizations, all of which rely on the efficient and effective exchange of patient-related information. This chapter should assist in the understanding of the diversity of the healthcare industry, the types of technologies and flows of information that require various levels of protection, and how healthcare information is exchanged within the industry.

    1.2 Understanding the Healthcare Industry

    The healthcare industry is one that covers a broad range of topics and delves into a multitude of social, scientific, economic and political concerns. This overview of the industry discusses issues such as the different types of healthcare organizations, healthcare technology, insurance, patient records, research, human resource management and various types of information and financial management.

    As healthcare has been thrust into the digital world and interest in healthcare grows exponentially, many issues pertaining to the accumulation of healthcare data have come to light. These include privacy and confidentiality, sharing of data, use of accumulated data for medical purposes, development of quality of care issues, protocols and guidelines. The healthcare industry is undergoing unprecedented changes right now. The reforms of the Affordable Care Act, greater consumer choice, public and private exchanges, and new technology are all upending operating business models, as is a fundamental shift from the traditional fee-for-service approach to one based on quality and outcomes. These different ways of doing business have the potential to revamp the healthcare value chain and redistribute value among stakeholders, creating threats and opportunities for both payors and providers.

    Achieving and maintaining compliance with the ever-changing privacy, security, and other regulations imposed by HIPAA and HITECH, as well as other federal and state privacy laws such as the Genetic Information Nondiscrimination Act (GINA) and state breach notification laws, has increased the challenges of security and privacy compliance. The passage of HITECH dramatically changed the federal government’s approach to HIPAA by escalating enforcement and increasing penalties for non-compliance, while establishing burdensome new requirements for breach notification. This has increased the risks to both covered entities and their business associates.

    1.2.1 Understanding the Healthcare Environment

    The health care industry in America has become progressively more economically and politically driven. It has also been revolutionized by modern technology and scientific discovery. Simply put, it is a field undergoing perpetual change.  Some of these changes have been positive, such as the ability to use wireless communication devices to diagnose housebound patients (Shi & Singh, 2005). From work to education and human interaction, the reach of the myriad technologies has increased the volume of information that is available, how it is shaped, understood and deployed, and how individuals and organizations interact.

    Most aspects of modern life in the U.S. have been impacted by the proliferation of information and communications technology over the past three decades. Healthcare has woefully lagged in adopting this technology and having it drive reorganization and reform. There are three ways that this technology can and will change health care. First, as the sixth largest economic undertaking in the world, health care is replete with countless administrative processes that, given the nature of the work, demand a high level of reliability. Automation of these processes, particularly when they occur within integrated systems, is the only way to achieve inexpensive, highly reliable exchanges of information ranging from the purely administrative to clinical records. Not surprisingly, this use of health IT is occurring first. Secondly, the process of clinical decision-making and support is improved dramatically as clinicians and consumers have access to new information tools and supports. This includes the movement of more traditional provider-patient interactions into new media and technology. As these tools first need to be developed and then accepted by professionals and patients, this part of the transition will lag behind the more purely administrative. Finally, the real revolution in health care IT will come with the full recognition that health care is essentially a knowledge-based business, and that knowledge widely and freely available to end users, the patient/consumer, will have profound impact on cost, efficacy, quality and access.

    Other changes have not been so desirable, such as the exorbitant costs of health insurance and quality medical care, and growing inequities in access to healthcare based on culture and income. As Heirich (1998) explains, "Both the underlying ideas on which healthcare is based and the organization of care is changing, as is the way all this relates to larger social, economic, and political forces" (p. 343). Examining these forces requires looking at the components that comprise them.

    1.2.2 Types of Organizations in the Healthcare Sector

    The types of organizations in the healthcare sector are numerous.  There are the actual healthcare providers, such as the doctors, nurses, dentists, psychologists and other types of practitioners that diagnose and/or treat patients.  Then there are the pharmacists, pharmacies, pharmaceutical manufacturers and pharmaceutical marketers that deal with the medications involved in health care.  There are also the manufacturers and distributors of medical supplies and technology, without whom the industry could not operate. The healthcare delivery organizations sector plays a central role in efforts to improve the use of evidence-based care. As entities that organize and employ physicians and other clinicians, deliver care to patients, and, in some cases, conduct research, sector members have opportunities to influence the generation and use of evidence through many channels.

    Most notable these days are the insurance providers, both public and private, that not only determine if a patient’s treatments are covered but also determine how long he is allowed to stay in the hospital, what doctors he is allowed to see and just about everything related to medical care.  Last but not least are the healthcare policymakers who pass laws on such things as banning smoking in public buildings, requiring changes in the nutritional value of school lunches and demanding wheelchair access ramps.

    1.2.3 Health Information Technology

    The effective and efficient management of health information is critical.  As technology has continuously advanced, the ability to keep better patient records, create networks between providers and manage virtually all types of health related data has improved significantly.  Technology has advanced to the point where data in almost any format is more easily collected than ever before. Information can be gathered about clients, health indicator/risk factors, statistics, demographics, mandated health reporting and so on.

    Despite investing over $1.7 trillion annually in healthcare, the health system is plagued with inefficiency and poor quality. Better information systems could help. Overcoming these challenges requires ongoing investment in framework, standards, and policy development. Most providers lack the information systems necessary to coordinate a patient’s care with other providers, share needed information, monitor compliance with prevention and disease-management guidelines, and measure and improve performance. If most hospitals and doctors’ offices adopted health information technology, the potential efficiency savings for both inpatient and outpatient care could average over $77 billion per year.

    A good example of health information technology and data management is the Electronic Health Record (EHR). The principle behind the system is that it collates information about individuals from different information systems, such as registration, clinical records, laboratory and diagnostic imaging. The central idea is to be able to exchange health information across the healthcare system, thus providing information flow to improve quality and efficiency of care (Stead, Kelly & Kolodner, 2005).

    1.2.4 Health Insurance (e.g., public vs. private, types, payment models)

    According to Williams and Torrens (2010), the three categories of health insurance are Voluntary Health Insurance (VHI), which is private health insurance usually denoting current industrial employment (p. 80); Social Health Insurance (SHI), which encompasses government sponsored insurance plans such as Medicare and Worker’s Compensation; and public welfare health care programs, in which medical treatment is provided free of charge.

    The three methods for categorizing health insurance in the United States are: 1) by the typical combination of products; 2) by the type of organization sponsoring the coverage; and 3) by funding mechanism. The three types of managed care plans are: 1) Health Maintenance Organizations (HMO); 2) Preferred Provider Organizations (PPO); and 3) Point-of-Service (POS) plans (Williams & Torrens, 2010).

    As managed care has grown, it has raised new concerns about the quality of health care being delivered, especially for Medicare and Medicaid patients. Under a fee-for-service system, people worried that unnecessary diagnostic tests and medical services were being ordered for patients and that the nation's health care costs were out of control. Overuse of services and inappropriate use of health care resources were viewed as the primary problem. Not surprisingly, managed care's financial incentives have the opposite effect (Ahking, Giaccotto & Santerre, 2009).

    Currently, the public and policymakers are concerned that patients are being denied access to medically needed care in efforts to save money, which is essentially the motivation for the controversial Obamacare policies, which are really called the Patient Protection and Affordable Care Act (PPACA). According to Wheelan (2010), "Some kind of health coverage for every citizen would mean fewer child deaths from asthma, fewer cancer deaths in minority communities and fewer veterans who depend on emergency rooms for their primary care." Yet critics are concerned about where exactly the money will come from to pay for this care.

    1.2.5 Coding

    Coding is the use of standardized languages to categorize and describe medical data, particularly in terms of bioinformatics (i.e. identifying pathologies). One of the most noted coding systems is SNOMED, which stands for the Systematized Nomenclature of Medicine. SNOMED is extremely effective at coding the sort of information pathologists use: anatomical sites, clinical diagnoses, surgical procedures, causative agents. Used to its full potential, SNOMED is very versatile, but also very complicated. SNOMED was designed as a comprehensive nomenclature of clinical medicine for the purpose of accurately storing and/or retrieving records of clinical care in human and veterinary medicine.

    ICD is the coding system used by the World Health Organization (WHO) to classify diseases and other health problems recorded on many types of health and vital records including death certificates and health records. ICD stands for International Classification of Diseases. The most current version is ICD-10, meaning that it is the tenth version of the code. No earlier than October 1, 2015, the United States will adopt the latest version of medical codes by updating to ICD-10. Last updated in 1977, the new ICD-10 will increase the number of codes from approximately 13,600 to more than 144,000.

    1.2.6 Billing, Payment, and Reimbursement

    There are five different classifications for billing, payment and reimbursement. First is the profit-driven commercial health industry, which includes both multiline and single line carriers. Second are the Blue Cross/Blue Shield plans, which focus on providing insurance to cover hospital expenses (Williams & Torrens, 2010). Third is the Health Maintenance Organization, or HMO, which Reuland (2002) describes as "a type of insurance where the members, also potential patients, pay a fixed monthly fee to their HMO in return for the financing and delivery of their medical services for a fixed period of time" (p. 297). The fourth type is self-funded or partially self-funded insurance. Finally, the fifth type is union sponsored or partially union sponsored insurance (Williams & Torrens, 2010).

    HMOs are plans that furnish health care at a lower cost than traditional fee-for-service plans. An HMO patient has to select a health care medical provider from a pre-determined list of providers within a specific medical group, each of whom has signed a contract in which they commit themselves to seeing patients at a reduced cost. Most HMO co-payments are in the range of $5 to $15 (for an office visit) (Shi & Singh, 2005).

    Funding mechanisms are divided into three different classifications. The first is full insurance, which "remains the principal funding mechanism for the millions of small and medium size businesses in America" (Williams & Torrens, 2010, p. 113). The second is partial funding, in which employers pay part of employees’ medical coverage. The third is self-insurance, in which the individual is entirely responsible for his or her own coverage (Williams & Torrens, 2010).

    1.2.7 Workflow Management

    According to Ransom et al. (2008), "The Workflow Management Coalition (Hollingsworth 1995) defines workflow automation as the ‘computerized facilitation or automation of a business process, in whole or in part’."  Automation clearly reduces personal involvement in the data collecting process. 

    But on the other hand, it provides many benefits which include time savings, cost savings, and increased accuracy. This is because these types of programs are specifically designed to provide a proficient and efficient way of tracking a variety of data.

    As Ransom et al. (2008) explain, In the context of healthcare, workflow automation provides the ability to encapsulate other information technologies and services and make them available for incorporation into processes of care. Such services include surveys; outbound recorded telephone messages; outbound e-mail messages; printing and mailing of generic or tailored educational materials; outbound faxes; electronic pager or short text messaging; and requests for third-party telemonitoring, care management, and disease management programs.

    1.2.8 Regulatory Environment (e.g., security, privacy, oversight)

    The healthcare industry has to be regulated because ultimately, it is a business, and that means it has the potential for corruption, lack of attention to detail and irresponsibility. To regulate these critical issues, there is a regulatory body known as the JCAHO, which stands for The Joint Commission on the Accreditation of Healthcare Organizations. However, it has recently changed its name to simply the Joint Commission and is no longer known as the JCAHO. The purpose of the Joint Commission is to provide accreditation to health care organizations that meet its high list of standards, in order to ensure that patients are receiving the best quality of care and the highest level of safety.

    When patients or other health care professionals see the Gold Seal that represents the Joint Commission’s accreditation, they know that they are looking at an organization that has impeccably high standards; otherwise it never would have passed the rigorous inspection process. The seal of approval has a lot of meaning in the health care industry because, as an independent, not-for-profit organization, the Joint Commission is completely objective. According to their website, "The Joint Commission accredits and certifies more than 15,000 health care organizations and programs in the United States. Joint Commission accreditation and certification is recognized nationwide as a symbol of quality that reflects an organization’s commitment to meeting certain performance standards" (p. 1).

    The HIPAA privacy rule which went into effect in 2003 for most healthcare providers ushered in a new era of privacy compliance. Prior to the implementation of the HIPAA privacy rule, healthcare providers, frequently with guidance from HIM professionals' expertise, were bound primarily by state-specific privacy laws that often focused on highly sensitive information such as behavioral health and HIV/AIDS. Although federal privacy laws existed, they were primarily limited to the Privacy Act of 1974 as well as the protection of substance abuse information, neither of which broadly affected health information.

    Health reform will substantially impact how life sciences and health care organizations, regardless of sector, size, and region, realize their security and privacy objectives. Regardless of the regulatory forum, there will be significant pressure on organizations to meet challenges associated with the protection of personal health information (PHI). At the same time, health care organizations face increased collaboration and information sharing requirements both internally and externally, as well as competitive pressure to maximize investments in health information technology.

    Privacy & Security: Health information technology promises a number of potential benefits for individuals, health care providers, and the nation’s health care system. It has the ability to advance clinical care, improve population health, and reduce costs. At the same time, this environment also poses new challenges and opportunities for protecting individually identifiable health information.

    1.2.9 Patient Care and Safety

    Patient care and safety are of the utmost importance. When a patient is hospitalized, he often receives care from many different healthcare professionals, and in a variety of different settings. If, for example, a patient has a heart attack and calls 9-1-1, first the EMTs will arrive and administer some form of treatment in the home, such as dispensing aspirin or nitrogen pills, then hooking the patient up to a mobile respirator and transporting him to the EMT vehicle. Once inside the ambulance, the patient may be administered additional services depending on his state.

    Once the patient arrives at the hospital, he will likely go to the emergency room where a different set of practitioners will work on him. If he goes into surgery, he will be transported again, then seen and treated by the anesthesiologist, then surgeons, then nurses in the recovery ward and then ward nurses when he is moved to a hospital room.

    With all of these handoffs or handovers going on, mistakes can be made and quality of care can be jeopardized.
