MCPHS Health Information Management Worksheet

Description

WEEK 4: Chapters 25, 26
Chapter 25 - Health Records and Health Information Management
- Identify major health information management department functions.
- List the key components of a patient health record in acute care.
- List the key components of a patient health record in alternative health care settings, including ambulatory care and long-term care.
- Describe how health record documentation affects health care facilities and physician reimbursement.
- Describe the prospective payment system, including diagnosis-related groups, ambulatory payment classifications, and coding and classification systems.
- Identify coding as it relates to radiologic procedures and the reimbursement impact for health care facilities.
- Identify components of performance improvement and the relationship of performance improvement to all hospital departments.
- Differentiate between confidential and nonconfidential information.
- Explain the Health Insurance Portability and Accountability Act privacy and security requirements in a radiologic setting.
- Discuss the procedure for correcting or amending documentation errors in a patient health record.
Chapter 26 - Medical Law
- Differentiate among the various types of law.
- Outline how the standard of care is established for radiologic technologists.
- Discuss the concept of tortious conduct and causes of action that may arise from the behavior of a health care practitioner.
- Argue the importance of privacy of records and the relationship between privacy of records and patient confidentiality issues.
- Explain negligence and the four elements necessary to meet the burden of proof in a medical negligence claim.
- Explain the legal theory of res ipsa loquitur and how an attorney may use it in a claim of medical negligence.
- Illustrate how a hospital may be liable under the doctrine of respondeat superior.
- Justify the need for informed consent.
- Outline the information a patient must have before an informed consent may be given.
WEEK 4: Chapters 25, 26
Chapter 25 - Health Records and Health Information Management
1. Which of the following is not a function of a hospital health information management
department?
a. coding of diagnoses and operative procedures and diagnosis-related group assignment
b. documenting relevant patient information in the medical record
c. quality management and performance improvement activities
d. appropriate release of medical information
2. The prospective payment system is a payment system based on which of the following?
a. the diagnosis-related group (DRG) or the ambulatory patient classification (APC)
b. the coding system based on the International Classification of Diseases, 10th revision,
Clinical Modification (ICD-10-CM)
c. the Current Procedural Terminology (CPT) coding system
d. the resource-based relative value system (RBRVS)
3. Which of the following is an example of an organization that accredits hospitals and other health
care institutions in the United States?
a. American Hospital Association
b. American Medical Association
c. The Joint Commission
d. American College of Radiology
4. The chief complaint, included in a patient’s history, is a statement made by the:
a. physician.
b. patient.
c. admitting officer.
d. admitting nurse.
5. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) legislation affects
radiology and other hospital departments by its focus on:
a. patient record confidentiality.
b. facility reimbursement.
c. quality management and performance improvement.
d. risk management.
6. Which of the following is not required to be included in a patient’s health record?
a. medical history
b. radiology reports
c. patient’s telephone number
d. physical examination report
7. Criteria used in performance improvement activities must be all of the following EXCEPT:
a. clinically valid.
b. diagnosis or procedure oriented.
c. generally acceptable to department staffs.
d. written.
8. Assessment of problems in performance improvement activities must be:
a. ongoing.
b. physician directed.
c. subjective.
d. objective.
9. In making a correction to an entry in the paper health record, the documenter should:
a. line out the error, authenticate, and insert correct information.
b. erase the incorrect information, and insert correct information.
c. leave the incorrect entry alone, and add the new correct information.
d. remove the incorrect page from the record, and begin a new page of documentation.
10. The organization (chart order, forms) of a hospital patient record is determined by:
a. the accrediting body’s suggested format.
b. Medicare regulations.
c. the American Hospital Association-suggested format
d. the hospital’s own preference
Chapter 26 - Medical Law
1. If a technologist threatens a patient during the course of a procedure and has an apparent
immediate ability to perform the threatened act, which of the following torts may be claimed?
a. assault
b. battery
c. negligence
d. false imprisonment
2. The legal theory of respondeat superior requires that:
a. the employee is responsible for the actions of the employee.
b. each person is responsible for his or her superior.
c. the employer is responsible for the employee’s actions.
d. the employee is responsible for the employer’s actions.
3. A technologist who has completed a procedure on a patient leaves the area grumbling, “I hate
to do AIDS patients because I am afraid of catching the disease.” A member of the housekeeping
staff hears the technologist and asks who has AIDS. The technologist responds by giving the
patient’s name and room number. After this incident, housekeeping personnel refuse to clean
the room. One person from housekeeping tells the story to members of the housekeeper’s
church, where the patient is also a member. After learning of the patient’s condition, the church
asks the patient not to return. What type of complaint might be brought against the
technologist?
a. negligence
b. defamation
c. assault
d. false imprisonment
4. The claim of false imprisonment requires the patient to show proof that the technologist
restrained his or her freedom without consent. The defenses a technologist may raise include all
of the following EXCEPT the:
a. risk that the patient was going to hurt himself or herself.
b. risk that the patient was going to hurt the technologist.
c. life-threatening condition of the patient’s health.
d. need for motionless images.
5. In a case in which the legal theory of res ipsa loquitur is being raised, the evidence presented
must show all the following elements EXCEPT that the:
a. injury would not have occurred except for negligence.
b. patient contributed to his or her injury
c. defendant was in complete control.
d. patient did not contribute to his or her injury in any way.
6. A consent form has been signed by a patient who will be undergoing an excretory urogram. A
witness should sign the form after the patient. Who is the best witness?
a. a member of the patient’s family
b. the radiographer performing the procedure
c. a ward clerk who has no relationship with the patient or the procedure
d. the patient’s physician
7. Informed consent requires that the patient be given enough information to make an educated
decision about his or her health care. The information the patient needs to make this decision
includes all of the following EXCEPT:
a. how the procedure will be performed.
b. the benefits of the procedure.
c. the alternatives to the procedure.
d. the cost of the procedure.
8. What complaint may be brought against a technologist if he or she touches a patient in any way
without the patient’s permission?
a. assault
b. battery
c. false imprisonment
d. harassment
9. A radiographer is performing an abdominal series on a patient from the emergency department.
To complete the examination, the patient must be moved from a supine to an upright position
using the remote control on the table. During this movement, the patient falls from the table
and suffers a fractured hip. A complaint of negligence is brought against both the radiographer
and the hospital. The elements that the patient (plaintiff) must prove include all the following
EXCEPT:
a. a breach of the duty to the patient.
b. an injury.
c. a direct causal relation between the breach of duty and the injury.
d. that the radiographer acted outside of his or her scope of practice.
10. A patient consents to a procedure in the radiology department, but after it has started, he
decides that he does not want the procedure completed. The technologist should:
a. stop immediately.
b. complete the procedure because the patient may not revoke consent once it is given.
c. stop the procedure as soon as it is safe to do so.
d. none of the above should be done.
Summarize the articles assigned:
1. Taking Action to Avoid Recurring Risk
2. The HIPAA Paradox
3. HIPAA Consumer
Be prepared to discuss in class.
THE HIPAA PARADOX
The Privacy Rule That’s Not
by RICHARD SOBEL
HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it has effectively dismantled the longstanding moral and legal tradition of patient confidentiality. By permitting broad and easy dissemination of patients’ medical information, with no audit trails for most disclosures, it has undermined both medical ethics and the effectiveness of medical care.
Richard Sobel, “The HIPAA Paradox: The Privacy Rule That’s Not,” Hastings Center Report 37, no. 4 (2007): 40-50.
Most physicians, patients, policy analysts, and journalists believe that the HIPAA “privacy rule” protects medical confidentiality. They are mostly incorrect. The Health Insurance Portability and Accountability Act creates medical records rules that tighten internal practices, like hiding computer screens and not talking in elevators, and these protections are an improvement over previous practice, but they are limited.1 Perhaps because the enabling legislation called for a “standard for privacy of individually identifiable health information” and the original final rule in 2000 required patient informational consent, there is a belief that the Department of Health and Human Services rules provide strong privacy protections for medical information. Unfortunately, that belief is a misconception.2 In fact, the amended final HIPAA rule (for simplicity, hereafter referred to as “HIPAA,” or “the HIPAA rule”) provides much less privacy than the term “privacy rule” suggests.
Rather than broadly protecting privacy, the amended HIPAA rule generally constitutes a disclosure regulation.3 As first issued in August 2002,4 the HIPAA rule specified how health information may be used and disclosed, and it only partly keeps medical records confidential. Effective in April 2003, the federal government gave six hundred thousand “covered entities”--such as health care plans, clearinghouses, and health maintenance organizations--“regulatory permission to use or disclose protected health information for treatment, payment, and health care operations” (known as TPO) without patient consent.5 Some of these “routine purposes” for which disclosures are permitted are far removed from treatment. In fact, “covered entities” and their “business associates” may share patients’ sensitive personal information for treatment, payment, and health care operations without the patients’ knowledge, over their opposition, and even if patients pay for treatment out of pocket or request the right to be asked for consent to disclosure of their medical records.6
Particularly troubling is the governmental authorization for covered entities to use patients’ confidential health information without their consent for health care operations that are unrelated to payment or treatment. “Health care operations” (HCO) include most administrative and profit-generating activities, such as auditing, data analyses for plan sponsors, training of nonhealth care professionals, general administrative activities, business planning and development, cost management, payment methods improvement, premium rating, underwriting, and asset sales--all unrelated to direct patient care.7 Health care operations also include some marketing (which otherwise requires a signed authorization) and fundraising for the covered entity.8 As distinguished from “core” treatment and “routine” payment purposes, health care operations permit the legal disclosure of information that could be inappropriately used for purposes that patients might not approve, and thereby may lead to consequences patients might not like.
HIPAA Rules and Challenges: A Timeline
| Event | Date |
|---|---|
| Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936, especially Title II, Subtitle F (administrative simplification), Secs. 261-4; 42 USC Secs. 1320d-d8; 45 CFR Secs. 160-164, especially 164.506-512 | August 21, 1996 |
| Authority for privacy rule delegated to DHHS secretary | August 21, 1999 |
| Proposed original rule (without a consent requirement), 64 Federal Register 59,918 (Notice of Proposed Rule-Making and Order 1999) | November 3, 1999 |
| Comment period | November 3, 1999, to January 3, 2000, extended to February 17, 2000 |
| Original rule (final, with consent), 65 Federal Register 82,462, 45 CFR 160, 164, esp. 506(a) | December 28, 2000 |
| Additional comment period, 66 Federal Register 12,738 (Notice of Proposed Rule-Making and Order 2001) | February 28, 2001, to March 30, 2001 |
| Original rule effective date (with consent), 66 Federal Register 12,434 | April 14, 2001 |
| Proposed amended rule (without consent), 67 Federal Register 14,776 (Notice of Proposed Rule-Making and Order 2002) | March 27, 2002 |
| Additional comment period | March 27, 2002, to April 26, 2002 |
| Amended rule (final, without consent), 67 Federal Register 53,182, 45 CFR 160, 164 (2002) | August 14, 2002 |
| Amended privacy rule effective date, 67 Federal Register 53,182 | October 15, 2002 |
| Compliance date (for large entities; small health plans given an additional year) | April 14, 2003 (originally February 26, 2003) |
| Citizens for Health et al. v. Thompson filed | April 10, 2003 |
| District Court Decision, Judge Mary A. McLaughlin, Philadelphia, 03-2267 | April 2, 2004 |
| Appellate Court Decision, Citizens, 428 F. 3rd 167 | October 31, 2005 |
| U.S. Supreme Court cert. petition, Citizens, cert. denied, 127 S. Ct. 43 | October 3, 2006 |
In addition, covered entities may share patient information with millions of contracted “business associates” without patients’ consent. Like covered entities, their business associates are supposed to keep patient information confidential.9 But because amended HIPAA rules permit broad uses under health care operations and do not require an audit trail for “routine” disclosures, there is no way to monitor whether health information is shared in ways inconsistent with contractual requirements or patients’ wishes. Thus, if patients have problems with employment or insurance because of unauthorized disclosure of their health information, the patient cannot trace the harm to a disclosure authorized under health care operations.
The Possible Harm
Confidentiality is at the heart of the doctor-patient relationship, and consent is an essential means by which patients can assure that information remains confidential.10 There is a great need for such assurance because any problem that could arise with health disclosures probably will. As Ted Cooper of Kaiser Permanente noted in 2000 when he recommended that HIPAA be “crafted from the perspective of how we would want” our family’s health data handled, “every permutation that can happen will happen.”11 According to health attorney James Pyles, “information such as a name and diagnostic code . . . could be enough to derail your prospects for a loan or a job. You could be charged higher loan rates or lose a job because of what’s in your medical record . . . And it will be impossible to prove it was because your data was shared . . . because there is no disclosure or audit” trail under HIPAA.12 Because of the lack of limitations, potentially harmful information is likely to be shared in the course of basic health care operations, and HIPAA actually facilitates that sharing, without patient authorization, even if other laws might prohibit the use of the information.
Pyles’s comments suggest two examples of possible harm through routine disclosures under HIPAA. When sharing health information during health care operations, HIPAA could permit an insurer to give data to a bank it owns, which might then deny someone a loan on the basis of those data.13 A cancer drug prescription from a pharmacy bought by a conglomerate that owns a mortgage company could provide the basis for deciding that a patient who may have a terminal illness is a bad lending risk, for example. While some laws protect against the disclosure of special kinds of information, such as HIV status, the lack of a HIPAA audit trail on routine disclosures means that HIPAA tends to undercut these restrictions.
Health information transmitted under HIPAA health care operations rules might also affect job prospects. HIPAA prohibits covered entities from disclosing health information for job-related purposes unless an individual signs an authorization. But an employer is not considered a covered entity unless it self-insures its health plan, so if the employer is not self-insured, it is exempt from these rules. In addition, even in those cases in which the employer is subject to these rules, the lack of audit records means the prohibition may not be enforceable. For instance, despite the HIPAA requirement for a patient’s written authorization before medical records can be used for employment purposes, HIPAA lets self-insured employers receive employee health data for utilization review. Thus, a self-insured employer might legally obtain information from a physical exam on an employee without his or her authorization that reveals the employee is diabetic. The employer might then deny that person a promotion to the head of food services. Or a corporation considering acquiring a pharmacy group could view member records as part of due diligence, learn that one of its executives uses an anxiety medication, and decide she is not a good candidate for chief financial officer. As businesses learn that health information may be obtained legally through health care operations provisions without asking for authorization, the likelihood of breaches may increase.
A recent case in California shows concretely how HIPAA rules may lead to insurance or job loss. Through HIPAA procedures permitting--but not requiring--that therapy notes be kept separate, a Stanford hospital’s disclosure of a patient’s psychiatric records contributed to her losing a disability complaint. Because HIPAA does not require that psychiatric notes be maintained separately from other medical records, the patient’s therapy information, scanned and electronically stored in the hospital’s computer system with the rest of her medical records, was released to the disability insurer against the patient’s wishes--and despite assurances by her psychotherapist that the notes were being kept separately and would not be disclosed without her consent. The released information contributed to a denial of disability insurance benefits for an unrelated automobile accident, then to disability discrimination when she returned to work, and eventually to the loss of her job.14
Misconceptions about Protection
Medical ethics dating back to the Hippocratic Oath require confidentiality, and the pre-HIPAA practice was almost entirely to ask for patient consent to disclose information.15 Further, some state laws and professional codes of ethics incorporated into state licensing laws explicitly require confidentiality and consent to disclose. Nonetheless, many citizens are not currently so protected. Most notices of privacy practices (also known as NPPs)--the forms handed out at doctors’ offices that are supposed to explain HIPAA’s rules--are written as if only the federal requirements (or their deficiencies) apply to medical information. This is so even though HIPAA’s rules require that they incorporate any more stringent standards that may be set out in state laws.16 As two physicians note, “in effect the Hippocratic Oath--the foundation of medical ethics and the most important of all patients’ rights--has been rescinded by federal decree.”17 Under HIPAA, physicians neither need to nor are able to keep patient information private. Moreover, the absence of a requirement for obtaining patient consent indirectly lowers the observance of ethical and professional standards. Justice Brandeis called the government the “omnipresent teacher” for good or ill;18 the governmental lesson here is that patient privacy need not be legally or ethically protected any more.
Ironically, providers’ misunderstanding of HIPAA may generate more privacy protection than the law’s actual provisions. The 2002 American Medical Association book on HIPAA says the rule requires “an initial consent to the provider’s use or disclosure of PHI [personal health information] for the purposes of treatment, payment and health care operations.” Although it mentions that a “proposed modification would eliminate the need for the initial consent,”19 physicians who read this passage when consent was still part of the original final rule might not realize that the requirement has been amended away. Many physicians may yet think mistakenly that HIPAA requires patient consent for using information and thus request it of their patients.20 But consent is now optional under the amended rule.
Similarly, administrators may believe that a HIPAA requirement for sharing only the “minimum necessary information” for insurance purposes may be generalized to all purposes, including treatment. In fact, medical providers are exempt from minimally tailoring treatment disclosures. While some doctors may still offer or ask for consent as they traditionally have--whether for ethical reasons or because they do not understand that it is now optional--most HIPAA notices do not offer the patient a chance to give consent. As more providers, patients, and policy analysts recognize that HIPAA now lacks a patient consent provision, many will realize something is seriously awry with the “privacy rule.”
The notices of privacy practices that patients receive at initial clinical encounters contribute to the confusion. While the forms are supposed to tell patients what rights they have (such as seeing their records) and what rights they lack (such as consenting or withholding consent for use and disclosure), the language is complex, and many patients (and providers) misread the notices as consent forms. Patients are asked and sometimes required to sign the forms, just as they are with consent forms, and this similarity of process may itself confuse patients. But notices of privacy practices are not consent forms, and patients may or may not sign them--in fact, whether patients sign them has no effect on what happens to their medical information.21 Oddly--and disturbingly--they are one of the main features that the DHHS identifies as protecting privacy: the DHHS asserts that they have this effect because they are supposed to encourage physicians and patients to discuss informational privacy.
In fact, under HIPAA, patients cannot prevent their information from being shared by refusing to provide their signatures or otherwise trying to withhold consent. At most, a covered entity will agree to a patient’s request to be asked for his or her consent. Up to 90 percent of providers offered consent prior to HIPAA,22 and a few providers may still ask patients for consent, but most providers do not currently offer the option on their own for the few patients who might request it. With so few providers offering them, patients cannot secure consent options by moving to another doctor.
Indeed, there are strong incentives for providers not to offer consent. Quite simply, it is easier not to. Moreover, the license HIPAA gives to covered entities with “regulatory permission” to use and disclose patient data without consent is a strong encouragement not to seek it. In addition, providers who offer a consent option incur legal liabilities of civil and criminal penalties if consent is then not obtained or the privacy promise is violated.23 In an Orwellian reversal, not offering the consent option creates no such obligation. Not requiring providers to request consent means that those few patients who might want to withhold it to protect or negotiate for their privacy lack the right and leverage to do so.
Consent is essential to good medical care because the opportunity to offer or withhold consent provides patients with a sense of efficacy and the basic elements of control in receiving medical care. Commentators sometimes dismiss consent as a useless privacy protection. However, the problem is typically not with consent per se, but with the way it is presented. If it is forced, or if it is a merely pro forma option, then it accomplishes little. The challenge is to make the consent decision and process an integral part of all treatment and informational relationships.24
When patient consent was required in the original final rule, covered entities could refuse treatment, except in emergencies, to patients who declined to sign a consent form. Now, if patients refuse to sign the “privacy notice,” they can still get treatment. However, some health plans may mistakenly refuse to treat those declining to sign,25 or they may set up computer procedures that require HIPAA acknowledgement before being able to sign in. Although signing the privacy notice is without legal consequence, providers who mistakenly withhold treatment from patients who do not sign it undermine a major purpose of HIPAA--namely, to facilitate patient care.
Physicians’ Concerns about Medical Privacy
National surveys show that both doctors and patients question HIPAA’s benefits for medical privacy. Doctors, in particular, recognize problems with the HIPAA rule. According to a survey conducted in 2005 by Julia Slutsman and colleagues, “Most physicians . . . believe that the privacy rule does not improve the protection of confidential health information.”26 While most physicians felt that some HIPAA provisions would “somewhat or greatly” “improve privacy protections,” the majority did not think either the notice provision (64.2 percent) or privacy officers (60.3 percent) would improve protection of health information.27 Although one quarter felt that a violation of medical records privacy was a “very serious problem,” less than a quarter (22.8 percent) agreed that the privacy rule would help them “maintain the confidentiality of patients’ medical records.” In fact, nearly half (45.4 percent) disagreed.
Two-thirds of physicians reported that written patient authorization for “nonroutine” uses of confidential patient information (other than in “treatment, payment, and health care operations”) will “greatly” or “somewhat” improve privacy protection. In fact, the HIPAA requirements for a written authorization for uses in marketing, employment, or insurance give patients the control that the traditional practice of requesting consent provides. The authors found these results “contradictory.” Most physicians believe that the privacy rule does not improve the protection of confidential health information, yet many feel specific requirements will improve privacy protection. What is going on here?
Physicians’ perception that the privacy rule will not greatly improve privacy protections may stem partly from a belief that their “ethical and professional obligations, not regulatory mandates, assure patients’ privacy and confidentiality.”28 Indeed, because the final HIPAA rule was amended in 2002 to remove patients’ right to consent, only the ethical responsibilities of conscientious physicians and some state laws may keep patient information confidential. On the other hand, physicians’ ethics will be severely tested when they want to promise confidentiality, but their employers, regulatory bodies, or insurers insist on access to patients’ health data. In short, physicians can neither readily adhere to professional ethics nor promise confidentiality to their patients. More physicians will essentially have to offer not promises of confidentiality, but warnings, a la Tarasoff or Miranda, that what patients tell their doctors “may be used against them.”29
Patients’ Concerns about Medical Privacy
How concerned are patients about their medical privacy? And how many have had their medical information accessed inappropriately and have suffered because of it? Also, how many people are so concerned about threats to their medical privacy that they forgo medical treatment? As the Supreme Court noted in Jaffe v. Redmond, concern and suspicion about the possibility of losing confidentiality, especially for mental health care, can deter patients from sharing information with providers--or even seeking care in the first place--as effectively as actual breaches. As more people become aware that they do not control their medical information under HIPAA, the number avoiding treatment is likely to grow.
Public opinion surveys since the 1990s have found high levels of concern about medical privacy. In a 1993 Harris poll, 85 percent believed protecting the confidentiality of medical records was either “absolutely essential” or very important in any health care reform. In a 1994 Wirthlin survey, 83 percent of the public held that “any provider,” including “a doctor,” should need patient approval to send to an outside organization any diagnosis or treatment information. A 2002 Johns Hopkins University study found that 85 percent of respondents opposed employer access to genetic information.30 In short, the public thinks their own physicians need patient approval to use their medical records, even for treatment.
A 1999 California HealthCare Foundation (CHCF) study found that one in seven patients (15 percent nationally) was taking at least one of six possible measures to hide information from their providers, including going to different doctors or paying out of pocket.31 A 2005 follow-up that asked only four of those six questions found one in eight patients (13 percent on average) were practicing “privacy-protective behaviors.”32 If all six questions had been repeated, about 20 percent to 22 percent would have indicated that they pursued privacy protective behaviors.33 In short, the proportion acting on their concerns about the loss of medical privacy has grown significantly in half a decade.
The Magnitude of the Harm
While about one third of respondents (36 percent) in the 1999 CHCF study were concerned that health claims information provided to insurers might be used by employers “to limit job opportunities,” the 2005 percentage rose to over half (52 percent).34 The 1999 CHCF study found that 17 percent had experienced a breach of their health privacy--6 percent by a hospital or clinic, and 6 percent by an employer. The 2005 survey shows that one quarter of respondents (23.5 to 28 percent) “are aware of . . . specific incidents where the privacy of people’s personal information was compromised.”
The national CHCF surveys indicate that about a tenth had their hospitals or employers share information inappropriately. Some feel they have lost a job or insurance because of these breaches. These CHCF figures provide evidence that a significant number of patients are changing their treatment behavior because of concerns that their health privacy is not protected. Though the DHHS Office for Civil Rights has received twenty three thousand complaints about privacy violations35--including 5,648 in just the first year of its operation (2003-2004)--most have been dismissed for being outside HIPAA rules.36
Privacy protections are needed because confidentiality is essential for patients to safely share their health information with physicians who keep medical records on an electronic system. As more patients (and doctors) discover that they have no right under the HIPAA rules to give or withhold consent in controlling their health information, the proportion not providing full m
