Review of HIPAA, Part 2: Limitations, Rights, Violations, and Role for the Imaging Technologist.

This article is the second part of a continuing education series reviewing the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The term HIPAA should be familiar to those who work in the medical profession, but this article includes details on its rules, patients' rights, violations, breaches, and penalties. To help administer these safeguards, HIPAA requires that every organization designate a HIPAA privacy and security officer. HIPAA violations can have serious repercussions when rules are not followed; these violations can be either negligent or willful. If breaches of unsecured protected health information occur, HIPAA requires covered entities to notify affected individuals, the Secretary of Health and Human Services, and in some cases the media. Violations in which the covered entity did not know of the violation are now punishable under the first tier of penalties. Unintended violations carry a minimum penalty of $100 per violation and a maximum of $50,000 per violation. All patients have a right to privacy and a right to confidential use of their medical records. The role of medical professionals includes understanding how and when to apply these HIPAA rules verbally and electronically.

Implementing a universal informed consent process for the All of Us Research Program.

The United States' All of Us Research Program is a longitudinal research initiative with ambitious national recruitment goals, including of populations traditionally underrepresented in biomedical research, many of whom have high geographic mobility. The program has a distributed infrastructure, with key programmatic resources spread across the US. Given its planned duration and geographic reach both in terms of recruitment and programmatic resources, a diversity of state and territory laws might apply to the program over time as well as to the determination of participants' rights. Here we present a listing and discussion of state and territory guidance and regulation of specific relevance to the program, and our approach to their incorporation within the program's informed consent processes.

Should Immigration Status Information Be Included in a Patient's Health Record?

The documentation of immigration status in patient records poses a challenge to clinicians. On one hand, recording this social determinant of health can facilitate continuity of care and improved communication among clinicians. On the other, it might expose patients or their family members to immediate and unforeseen risks, such as being stigmatized and discriminated against by nonimmigrant-friendly clinicians or being exposed to immigration enforcement if staff contact immigration officials in violation of patient confidentiality. Patients may raise concerns about the purpose and risks of such documentation alongside fears about potential data sharing and violations of privacy and confidentiality. This commentary explores clinicians' options for documenting immigration status within the context of ethical, legal, and historical considerations in caring for stigmatized populations in changing political landscapes.

Should Immigration Status Information Be Considered Protected Health Information?

In response to a case of an undocumented patient who was reported to immigration authorities, this commentary considers whether a patient's immigration status should be deemed protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. A legal argument, supported by clinical data, is offered that immigration status should be regarded as PHI not subject to valid exception for release without patient authorization. This argument concludes that covered entities (eg, hospitals and health care professionals) are legally precluded under the HIPAA Privacy Rule from disclosing a patient's immigration status.

HIPAA's Individual Right of Access to Genomic Data: Reconciling Safety and Civil Rights.

In 2014, the United States granted individuals a right of access to their own laboratory test results, including genomic data. Many observers feel that this right is in tension with regulatory and bioethical standards designed to protect the safety of people who undergo genomic testing. This commentary attributes this tension to growing pains within an expanding federal regulatory program for genetic and genomic testing. The Genetic Information Nondiscrimination Act of 2008 expanded the regulatory agenda to encompass civil rights and consumer safety. The individual access right, as it applies to genomic data, is best understood as a civil-rights regulation. Competing regulatory objectives-safety and civil rights-were not successfully integrated during the initial rollout of genomic civil-rights regulations after 2008. Federal law clarifies how to prioritize safety and civil rights when the two come into conflict, although with careful policy design, the two need not collide. This commentary opens a dialog about possible solutions to advance safety and civil rights together.

Privacy in the digital world: medical and health data outside of HIPAA protections.

Increasing quantities of medical and health data are being created outside of HIPAA protection, primarily by patients. Data sources are varied, including the use of credit cards for physician visit and medication co-pays, Internet searches, email content, social media, support groups, and mobile health apps. Most medical and health data not covered by HIPAA are controlled by third party data brokers and Internet companies. These companies combine this data with a wide range of personal information about consumer daily activities, transactions, movements, and demographics. The combined data are used for predictive profiling of individual health status, and often sold for advertising and other purposes. The rapid expansion of medical and health data outside of HIPAA protection is encroaching on privacy and the doctor-patient relationship, and is of particular concern for psychiatry. Detailed discussion of the appropriate handling of this medical and health data is needed by individuals with a wide variety of expertise.

Patients' confidentiality.

Critical care providers are often privy to confidential information in the course of clinical practice. A dilemma can arise when confidential information is requested by family members or friends of the patient. Critical care nurses must be aware of the regulations regarding confidentiality, as well as situations where the use and disclosure of protected health information are permitted.

Zip it!

When it comes to enforcing HIPAA data security and privacy standards, the federal government means business. In fact, the government is conducting a national pilot program to audit 150 physicians and others that HIPAA covers as the first phase of a concerted effort to crack down on HIPAA violations.

Privacy versus public health: the impact of current confidentiality rules.

Public health research and practice often have been facilitated through the evaluation and study of population-based data collected by local, state, and federal governments. However, recent concerns about identify theft, confidentiality, and patient privacy have led to increasingly restrictive policies on data access, often preventing researchers from using these valuable data. We believe that these restrictions, and the research impeded or precluded by their implementation and enforcement, have had a significant negative impact on important public health research. Members of the public health community should challenge these policies through their professional societies and by lobbying legislators and health officials to advocate for changes that establish a more appropriate balance between privacy concerns and the protection of public health.

Financial penalties for the unhealthy? Ethical guidelines for holding employees responsible for their health.

As health care costs continue to rise, an increasing number of self-insured employers are using financial rewards or penalties to promote healthy behavior and control costs. These incentive programs have triggered a backlash from those concerned that holding employees responsible for their health, particularly through the use of penalties, violates individual liberties and discriminates against the unhealthy. This paper offers an ethical analysis of employee health incentive programs and presents an argument for a set of conditions under which penalties can be used in an ethical and responsible way to contain health care costs and encourage healthy behavior among employees.

Regulatory and ethical considerations for linking clinical and administrative databases.

Clinical data registries are valuable tools that support evidence development, performance assessment, comparative effectiveness studies, and the adoption of new treatments into routine clinical practice. Although these registries do not have important information on long-term therapies or clinical events, administrative claims databases offer a potentially valuable complement. This article focuses on the regulatory and ethical considerations that arise from the use of registry data for research, including linkage of clinical and administrative data sets. (1) Are such activities primarily designed for quality assessment and improvement, research, or both, as this determines the appropriate ethical and regulatory standards? (2) Does the submission of data to a central registry, which may subsequently be linked to other data sources, require review by the institutional review board (IRB) of each participating organization? (3) What levels and mechanisms of IRB oversight are appropriate for the existence of a linked central data repository and the specific studies that may subsequently be developed using it? (4) Under what circumstances are waivers of informed consent and Health Insurance Portability and Accountability Act authorization required? (5) What are the requirements for a limited data set that would qualify a research activity as not involving human subjects and thus not subject to further IRB review? The approaches outlined in this article represent a local interpretation of the regulations in the context of several clinical data registry projects and focuses on a specific case study of the Society of Thoracic Surgeons National Database.

Confidentiality in the age of HIPAA: a challenge for psychosomatic medicine.

This review, a work project of The Standards and Ethics Committee of The Academy of Psychosomatic Medicine, examines the challenges posed for consultation-liaison psychiatrists as they struggle to maintain the trust between patient and physician while balancing compliance with the increasing complexities of confidentiality with the provision of enough information to our medical colleagues for good clinical care. The authors discuss the moral, legal, and ethical issues that arise from the many-layered state and federal regulations, especially the impact of the Health Information Portability and Accountability Act (HIPPA) and make recommendations for practical application in the clinical setting.