A Research Paper on HIPAA and 42 Cfr Part 2 in Health Information Management

Health Information is a massive field that is extensively regulated with specific laws for each aspect of the profession. This comes as no surprise as the information that HIM professionals handle is sensitive and extensive. No matter where a professional goes within HIM, the professional will always need to abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), local and state laws, and other federal laws. Certain procedures are specific to the aspect of the facility but, should a facility house a patient with certain needs, the laws should always be reviewed and utilized. Patients that visit for mental and behavioral services are those that require a specific set of laws to protect their information, as that information is much more sensitive than that of the average patient visiting for a fracture.

My capstone gave me the chance to visit Porter-Starke Services in Valparaiso, Indiana, which is a mental and behavioral medical facility. Porter-Starke accepts patients from the Porter and Starke counties, though there are several instances of patients coming from Lake and La Porte County. As Porter-Starke is a mental and behavioral facility, they are typically the facility that receives patients for substance abuse or addiction disorders. These patients are often known as SUDs, which stands for “substance abuse disorder”, and marks them as patients who hold very sensitive information in their records.

As a standard, an HIM professional is only an HIM professional, and has no authority to judge a patient based on their records. HIM professionals protect the records, code the records, and keep the information confidential. Even if a patient has been convicted as a felon, an HIM professional must remain judgement-free and keep the record protected and confidential. Regardless of which facility an HIM professional works, patients need to know that their information is safe. Failure to keep the information safe can cause a patient to terminate their treatment early to their detriment. Considering that HIM professionals are under the medical staff umbrella, this is counterproductive to medical efforts.

Patients visit facilities to improve, not receive judgement. And, should someone who has done wrong in the past attempt to receive aid to improve themselves, it goes against what medicine stands for and sets a precedent that a patient will encounter judgement, and potentially discrimination, during their treatment even after they are well. This will cascade to affect others who will balk at the idea of seeking aid in the future; this is not what healthcare is about and, as professionals, we are better than such actions.

Regardless of where one stands on any issue, it is your professional duty to keep your biases outside of work and the information in the records. Such judgements are harmful to the professional, the patient, the facility, and the field itself. During my time at Porter-Starke, this was stressed to me from the beginning and it is something I will not forget regardless of where I go. Medical professionals help people and speaking ill of a patient helps no one.

In 1996, HIPAA was passed and instated as law, creating the Privacy and Security Rules as a standard along with several other implications. Essentially, HIPAA allowed an employee to continue receiving health insurance through their employer should an employee lose or move their job, better defined fraud and abuse within medical information, and better defined confidentiality and security of medical information. It also eliminated the discrimination in medical insurance companies against patients with preexisting conditions. The Privacy Rule made it a standard that only those with permission were granted access to medical information and only the information relevant. This means that if the patient does not provide written consent stating what information is to be given and to whom, the individual requesting will not be granted access to the information given. This also means that a patient is permitted to view their own information, however, there are circumstances where they are restricted from accessing, such as psychiatric notes, as these are considered to be detrimental to the patient’s progress. It should also be noted that the information belongs to the patient, however, the record itself, regardless of the format, belongs to the facility holding the record.

Accidents can occur with medical information; sometimes the letters or numbers get reversed and the information is sent to the wrong person. At times, there are some who intentionally disregard the law. Regardless of intent, when the information goes to someone who is restricted access, this is referred to as a breach. Breaches can be costly for a facility depending on the scope, and that doesn’t include criminal intent. As stated before, breaches can be as simple as someone sending a patient letter to the wrong address. Education is typically the result and the patient is informed that the information may have been compromised. When the breach is more extensive, involving numerous patients or criminal intent, it can costs thousands and take months to notify all the patients involved. And, if criminal intent was the purpose of the breach, those found guilty can face potential jail time and fines over $100,000.

There are many aspects of breaches and criminal intent in regards to medical information; the most common words that are involved are “fraud” and “abuse”. Fraud is defined as the act of someone using information to their benefit, such as identity theft. Abuse is the intentional misuse of procedures to benefit an individual, such as intentionally coding for a medically unnecessary service in order to achieve higher reimbursement. It is, however, unhealthy to assume that everyone has such an intent. Again, mistakes do happen, but a history of such actions should be investigated. Being aware of the potential for such actions keeps information better protected and when suspicion should arise.

When information is within consent to be given, it is often referred to as “release of information” for obvious reasons; it is the act of giving the requested information from a record to the requesting individual. When someone requests information from a record, the patient, who owns the information, must sign the consent request before it can be released. Should the patient refuse to sign, the information will not be released. The signature states that the patient agrees, acknowledges, and understands what information is being given to the individual and, typically, how the information being requested is going to be utilized.

When information is needed by the court, a subpoena is given to the facility by the court. This typically is given to the facility’s Privacy Officer. There are numerous reasons why a court may need information or, at times, an individual to appear at court. Regardless, it is a less than stellar situation for the facility, as it means that, regardless of who is going or what the information is being given, it will result in lost revenue. If the court asks for information, it means that either an HIM professional, nurse, or physician will need to attend court to transcribe the information or verify the information, depending on what is transpiring with the case. A physician who must attend court can be out of the office for a few hours, or even days, of which patients are not being seen. Similarly, work is not being completed if a nurse or an HIM professional is requested with the information as well. For Porter-Starke, they request a few hundred dollars an hour to have a physician attend a hearing or request that a physician can send a letter stating that the information is valid. The former is used to encourage the court to accept the latter. However, there are some cases where the case is so complex and extensive that it requires the individuals involved to be present. In those instances, it is inevitable. As stated by one of the staff members of Porter-Starke, “everything is situational”. While it is best to keep everything to a standard, standards may not always be an option.

42 CFR Part 2

HIPAA covers a majority of cases that are encountered, especially within inpatient hospital facilities. Of course, for every circumstance, there is always a special circumstance. Mental and behavioral facilities, as stated previously, meet very sensitive information. HIPAA, unfortunately, does not cover some of these aspects in its blanket policy. In order to better protect these patients, as well as SUD patients, 42 CFR Part 2 is utilized and enacted. It is an extensive law that covers numerous aspects of patient information and special circumstances of handling the information and its use.

Creation and Updates

42 CFR Part 2 was enacted as law in the 1970s as part of the Code of Federal Regulations, where it is one of the fifty titles. The codes are reviewed annually, which are then subdivided and reviewed through the quarters in a cycle. Part 2 is reviewed with articles 42 to 50 on October 1 (U.S. Government Publishing Office 2019). Part 2 is under scrutiny by some individuals. Last year, in 2018, H.R. 6082 went to the Senate; in this package, 42 CFR Part 2 would have been removed and replaced with HIPAA. While it seems like this would be a wise decision, HIPAA does not take into account the sensitivity of the information 42 CFR Part 2 protects. Part 2 requires a special and specific court order to allow the information to be released and includes a statement prohibiting redisclosure to other sources.

How It Works

Part 2 does protect patient information, especially in the case of SUD patients, from prohibited redisclosure and goes into great detail of how certain circumstances can affect how the information within a record can be used or disclosed or, in some cases, not at all. There are five subparts to the law; Subpart A introduces the law, it’s purpose and effects, criminal recourse, and how to report violations to the law; Subpart B covers the General Provisions of Part 2 with definitions, how to use the law, and the restrictions to it; Subpart C covers disclosures given with patient consent and the form that need to be utilized; Subpart D covers disclosures that do not require patient consent; and Subpart E covers the “Court Orders Authorizing Disclosure and Use”, meaning how the court may use the information disclosed and the procedures for the court orders.

The effect of the law is to restrict disclosure of the information in the record except for the certain circumstances that it covers. These certain circumstances include medical emergencies, criminal activity occurring at the program site involving personnel, qualified audits and evaluations, child abuse and/or neglect reports required by state law, research requests, and court orders for disclosure and use of the records. If, at any point, these situations require the information to be disclosed, they are also required to give the receiving party a notice prohibiting redisclosure of the information they are about to receive. Failure to abide by the prohibition of redisclosure can result in criminal fines of $500 for the first offense and not more than $5,000 any instances that follow the first offense. There is also potential for a lawsuit to follow from the patient, the patient’s family, or the facility from where the information originated.

As stated before, the law also goes into detail about how certain situations should be handled that may require information to be disclosed. During my time at Porter-Starke, there was a situation where a physician was attempting to terminate the patient-physician contract; the physician followed the proper procedures and sent a letter to the patient, where it was held by the post office, as covered by law. The post office notified the patient that they had mail being held for them to pick up. The post office held the letter for the properly defined amount of time determined by the law and sent it back to the facility, unopened and unclaimed. This circumstance is unusual and required some extensive research in order to determine what the next action should be. Unfortunately, during my time with Porter-Starke, I was not able to learn how the situation was handled or the outcome. It is, however, a good lesson to know that even if you work in a position for decades and believe that you know and understand the laws and procedures, there is always a chance for something new and unique to occur.

The Moral Standing

Some might consider Part 2 to be controversial to the point that it needs to be replaced; so why does it remain? HIPAA and Part 2 keep patient information from being given out freely and, unfortunately, there are some who believe medical information should be “fair game” to the rest of the world. This can mean insurance companies looking for a new client or a physician looking for more patients or even a drug company looking for people to advertise to. One can easily imagine what atrocities someone can do with any medical information taken from any medical record, such as blackmail, identity theft, or selling information. Both laws keep this information from the wrong people, however, Part 2 is controversial merely for the fact that it protects SUD patients and those with mental and behavioral medical conditions.

We all make mistakes; sometimes those mistakes are forgotten by the next day while others will be attached to our persona for the rest of our lives. Sometimes, these mistakes are known to everyone while others are only known to the individual. Regardless, when someone is actively attempting to seek help, no one should hold those mistakes against them. That is the essence of this law; it allows someone a chance to get help without fear of judgement. I had a discussion with a Criminal Justice Alumni student from Indiana University Northwest about this matter. We discussed how someone might be arrested for substance abuse, be it through possession, dealing, purchasing, or carrying, it will be something that will always be on their shoulders for the rest of their lives.

Regardless of the amount, it can still be a federal conviction and, when someone is given a federal conviction, they are ostracized from the country. To put into perspective, someone with a federal conviction no longer has the right to vote, will struggle to find a job, to receive a loan (meaning they are also less likely to receive a higher education), and less likely to be recruited by the military. Knowing this puts a SUD patient’s perspective into light. Of course, not all SUDs are attempting to better themselves, however, their information should still be treated with equal respect. It is a small kindness to allow them peace of mind knowing that their information is protected and free of judgement.

Even the patients who have a mental or behavioral condition should also be given the same treatment. Someone who is suicidal should not have to fear their information being given out freely, nor should someone who has schizophrenia be denied the right to have their information protected. These patients are people and they, too, should be given respect and sympathy. Health information professionals are not part of law enforcement and it is not our place to make such calls. The patient’s information is our responsibility and we must do our best to make sure it is protected so the patient can, hopefully, recover. Should Part 2 be altered or removed, it is likely that less patients will return for their treatment. Knowing this, it is more likely for a patient to return to their old habits and potentially gain another conviction or cause harm to themselves or others.

HIPAA vs. Part 2

HIPAA and Part 2 are very similar in how they work as laws. Both keep information safe and secure and require consent for disclosure. It may be due to their similarities that some believe replacing Part 2 with HIPAA is a wise decision. What these individuals do not understand is that Part 2 supersedes HIPAA when the question of which law to abide is asked, as it gives the patient greater control of their information, especially in the case of patients with substance use disorders. While both make it so that protected health information is not disclosed or accessed by the incorrect parties, Part 2 furthers the law by stating that it cannot relate the information if a patient does or does not have an SUD or mental disorder, nor can it be related that a patient is or is not in a particular program. Part 2 does allow those within a program who are treating the patient the information needed simply for treatment; anything further is prohibited. It also means that criminal charges or investigations cannot be given to a patient while in a program unless a proper court order has been given. This also means that it is illegal to place undercover agents in a program to investigate a patient. HIPAA does not have this stipulation. Both HIPAA and Part 2 do have a minimum necessary clause to keep information limited simply to what is being requested, however, HIPAA has the exception that information can be disclosed to the patient and to any other providers for treatment.

Experience

My personal experience at Porter-Stake has been rather interesting. It was a little difficult at first as one employee was leaving and another was being hired in their place. A lot of the staff were upset to hear that this individual was leaving and, while they were sad, they were also happy for them. To my surprise, the staff members outside of the HIM department were upset, including the physicians. While this may seem silly, I had the incorrect idea that physicians weren’t terribly fond of the HIM department; it is rather annoying to get queries and reminded quality over quantity in regards to documentation and the reminders for breach prevention and confidentiality. I am happy to learn that my presumption is incorrect, though it was still surprising for me.

Anyway, there were several things I was able to partake during my time at the facility. I was able to work on some projects and was able to tag along for one of the courthouse runs, which are done twice a day, daily. I went with one of the auditors for this run, though it can be any employee within the HIM department. These runs are very important, as the documents involved have information detailing a patient that is currently being held in the facility and may need to stay for a longer duration than was stated. These reasons can vary, such as the patient being a danger to themselves or others or that they have become unwilling or uncooperative. Since these are court mandated, changes need to be documented and given to the court for records and use during future hearings.

I spent another day assisting in locating particular documents within the records. Porter-Starke utilizes a program known as Streamline Healthcare Solutions for their records; the program is organized and makes it easy to locate what you’re looking for. Usually. If the user does not put the information in correctly, it makes it incredibly difficult to locate the information in the future. For this project, I had to go through a list of patients to look for a particular release of information document from Porter County Alcohol & Drug Offender Services (PCADOS) and Program for Assertive Community Treatment (PACT). During my search, there were times the information wasn’t always available, such as only having a patient’s number or name, other times I was only given the patient’s initials and their number. There was an instance where the numbers were duplicated and required some searching to determine which patient was the correct one and fixing the error.

Porter-Starke utilizes a hybrid medical record system, where the paper record is typically used by the staff in the medical facility and the information is then recorded and scanned into Streamline. On two different days, I was able to put records together in the proper order to make it easier to scan and, on another day, I scanned the records into the system. While I was given a list of how the record should be sorted, there were instances where certain pieces were missing. For example, all patients are required to have the House Rules included in the record but not all of the patients have lab results, as it depends on how or why they arrived at the facility. Still, the records need to be sorted in order for consistency and to make it easier to locate any information in the future. The day I was scanning records into the system was also an interesting day. Scanning is incredibly time consuming and that doesn’t include the machines or the system acting up. In the event that does happen, it can easily turn into an all day affair.

Conclusion

42 CFR Part 2 is an incredibly important bit of law that every HIM professional needs to know and understand. Regardless of how one feels about the issue of where Part 2 stands, it is, currently, still the law and we as HIM professionals are not here to question the law but to merely abide and uphold it. I have stated several times why Part 2 is important to patients and the struggles the endure. We make mistakes and, knowing those mistakes are protected from further incrimination while you are getting help is a relief many need in order to grow and, hopefully, find a better place.