Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Within that Act are privacy provisions with which covered entities (including all health plans, health care providers and health care clearinghouses [e.g. PBMs] that transmit any health information in electronic form must comply. HIPAA rules provide guidance to covered entities about how to comply with the Act. HIPAA allows for the use of protected health information (phi) as it relates to treatment, payment or operations-related activities (TPO) of a covered entity. HIPAA also requires that only the minimum necessary information be used in TPO activities, which means that using or disclosing only the minimum amount of PHI necessary to conduct the particular activity or task must be considered. Further, HIPAA describes the extent to which Business Associate Agreements must be established to allow for PHI disclosure to certain organizations with which a covered entity conducts business.
Privacy and confidentiality have long been recognized as essential elements of the relationship between patients, pharmacists, physicians and other health care professionals. The compilation of a complete, accurate medical record is essential to optimal patient care. To effectively provide quality patient care and evaluate the health status of enrolled populations, managed health care systems must assemble, integrate and provide timely access to complex patient information across a broad spectrum of providers, provider organizations, data sources and users. The increasing use of new information technologies offers many opportunities to improve patient care. However, increased use of these new technologies has also raised concerns about the need to preserve patient rights to privacy and limit access to protected medical and pharmacy information.1
The responsible use of PHI enhances the effectiveness and quality of health care services delivered to groups of patients with similar needs. The individual patient's right to the privacy of his or her patient-identifiable medical information often preempts access to such information for other than allowable reasons involving treatment, payment or operations. In order to maintain patient confidentiality and deliver quality, cost-effective care to patients with similar treatment needs, managed health care systems develop confidentiality policies and procedures that meet statutory requirements and strike a balance between the need to ensure an individual patient's right to privacy and the need of practitioners, managed health care systems and payers to share information to demonstrate the quality of the care provided. Individuals must have assurance that those privileged to access their confidential medical record will abide by statute and tenets of ethical behavior to protect such information from inappropriate disclosure and that the responsible, judicious use of such information will enhance their medical care. Managed health care systems therefore implement programs that guarantee these requirements.
In addition, secure access to complete and reliable information, which by necessity includes PHI, is imperative to the continuing improvement of public health and health care delivery through health care related initiatives such as community health information networks, tele-medicine, outcomes research, disease management programs and the creation of population-based statistical data bases.
What Is Patient Confidentiality?
Patient confidentiality refers to the preservation of the private nature of health care data specific to an individual patient. The following definitions may provide assistance to understand this concept:
- Patient Confidentiality
Patient confidentiality is the practice of maintaining the privacy of patient-identifiable health care information.
- Protected Health Information (PHI)
The health information that identifies an individual (i.e., identification number, name, street address, mailing address, phone number, e-mail address), or can be used to identify an individual (i.e., date of birth, gender, height, weight), and contains at least one of the following elements:
- Relatesto the physical or mental condition of an individual
- Relates to the provision of care, such as diagnosis or treatment
- Relates to the payment for the provision of care
De-Identified information refers to health care information that does not contain, or from which personal identifiers have been removed, masked, encrypted or concealed. Therefore, individual patients cannot be identified.
- Medical Record Privacy
Medical record privacy refers to the specific right of an individual to have the collection, use and disclosure of their health care information restricted.
- Data Integration
Data integration involves the merging of multiple data sets such as medical, pharmacy and demographic information into a unified patient medical record. This more comprehensive electronic medical record enables health care practitioners to make better-informed choices for their patients regarding individual care.
Balancing Patient Confidentiality and Healthy Outcomes
While advances in computer and communication technology have facilitated the development of more comprehensive medical records, consumers are concerned about the use and safeguarding of the information contained in these new records.
Some of the concerns more commonly expressed include:
- Access to personal health records by unauthorized persons,
- The sale or re-use of confidential health information for purposes other than coordination of health care services,
- The use of confidential health information to adversely affect their financial or employment status, their social standing or personal security,
- Personal access to their medical record and the opportunity to offer corrected information for their own personal health records.
Amid increasing consumer concerns regarding how patient-identifiable health care information is used, many patients withhold information from their health care providers to shield themselves from perceived harmful and intrusive uses of their PHI. Examples of such behavior include paying out-of-pocket for medical care expenses, using multiple providers to avoid having all of their health information entrusted to one provider, withholding information from their health care providers and avoiding care altogether. Withholding essential health care information presents a serious threat to the accuracy, completeness, automation, integration and availability of this information for patient care, quality monitoring, appropriate utilization of medications and other services and health related research. The negative consequences of such behavior may be significant:
- The patient may receive poor-quality care, risking undetected and untreated conditions.
- The physician's abilities to diagnose and effectively treat a condition or disease are jeopardized by a lack of complete and reliable information from the patient.
- Likewise, the pharmacist's ability to work collaboratively with other members of the health care team on the patient's behalf may be compromised.
- The information that the patient provides, as well as the resulting diagnosis and treatment, may be incomplete, inaccurate or not fully represent the patient's care or health status.
- Ultimately, the public could be denied access to new or better treatments.2
If physicians and pharmacists as well as other health care professionals are receiving incomplete, inaccurate information from patients, the data they disclose for public health reporting, outcomes analysis, research, payment and other purposes will lack integrity and reliability and compromise both individual care and public health data.
How Do Patients Benefit from the Use of PHI?
Managed health care systems use patient identifiable medical and pharmacy information for treatment and payment-related activities that benefit health plan members. These activities include:
Health Promotion and Disease Management: Patient-identifiable pharmacy information is currently used for disease management programs to monitor patient medication adherence and disease state clinical indicators, to identify the need for changes in therapy and to advise patients of necessary testing and evaluation procedures for many disease conditions.
Health plans use this information for a variety of other health promotion purposes, including dissemination of information designed to help enrollees reduce episodes of acute illness (i.e., flu and pneumonia). In addition, health plans use this information to alert members to the availability of health promotion programs (e.g., smoking cessation, weight reduction, medication compliance, diabetic nutritional programs, stress reduction). Health plans and their providers use PHI to identify health plan members at risk for certain conditions and to engage in outreach programs, which may include empowerment of pharmacists to manage the drug therapy of these patients and assist them in managing their own care.
Quality Assurance, Quality Improvement and Related Research: Health plans engage in quality improvement activities that focus on processes of delivering care, as well as outcomes of care and patient satisfaction. The use of PHI is essential to the success of these efforts, which, for example, may include review of physician practice patterns. Such review enables health plans to work with providers and share "best practices" that are designed to benefit individual patients and large groups of patients. For example, health plans utilize PHI to identify members who have had a myocardial infarction (heart attack). Patients should be treated with a beta-blocker (a type of heart medication) after a myocardial infarction. PHI can be used to identify patients that have not been treated with beta-blockers, so that treatment can be initiated as quickly as possible. In addition, PHI is used to evaluate the use of beta-blockers in the population of patients that have had myocardial infarctions to evaluate the overall quality of the care provided to a health plan's members.
Utilization Review: Health plan utilization review activities require PHI to ensure that all medically necessary, covered services are provided and to promote the efficient use of services. Pharmacists participating in drug use review (DUR) programs use PHI to directly improve the quality of care for patients, individually and as populations, by preventing the use of unnecessary or inappropriate drug therapy and by preventing adverse drug reactions. DUR programs play a key role in helping health plans understand, interpret and improve the prescribing, administration and use of medications.3 For example, health plans utilize PHI to identify members that may be over-utilizing (taking too much of a medication) or under-utilizing (not taking their medications regularly). Patients or doctors may be contacted to identify reasons why patients are not taking medications appropriately and to identify steps that may be taken to improve patient care.
Role of the Health Care Practitioner
Appropriate patient care requires access to and review of patient-identifiable medical and pharmacy information to ensure that the patient receives appropriate drug therapy and achieves optimal outcomes from that therapy. Health care practitioners in managed care pharmacy rely on PHI to protect the patient against inappropriate medication uses, such as combinations of medications that may result in dangerous interactions, drugs to which a patient may be allergic or drugs that may be contraindicated in the presence of certain illnesses or pregnancy. This review process is not always apparent to the patient.4 Health care practitioners in managed care pharmacy are uniquely positioned to services managing a patients medication therapy, which may include evaluating the patient's drug therapy needs, preventing adverse drug reactions, developing patient specific therapy, managing chronic disease and drug therapy, ensuring continuous follow-up, promoting patient responsibility for their own care, and effectively using scarce health care resources.
Pharmacists and other health care practitioners who use patient data must ensure that a balance is maintained that guarantees patient privacy without restricting access to information that would interfere with the delivery of quality care for the individual and public good. Health care practitioners can help maintain this balance through the use of advanced technologies that ensure a high level of security for computerized medical and pharmacy records and other electronic data systems that capture PHI. Additionally, health care practitioners must recognize and adhere to regulations that describe disclosure conditions where a patient’s record must be noted if PHI is disclosed.
Pharmacists, other members of the health care team, managed health care systems and pharmacy benefit managers have a legal, social and ethical responsibility to ensure that:
- PHI is used only when it is essential to assure safe, accurate and efficient delivery and coordination of health care services;
- PHI is recorded, maintained and transmitted in such a way that the potential for inadvertent disclosure and incidental misuses is minimized;
- Policies and procedures have been developed to separate the identity of the patients from their medical information when patient identifiable information is not necessary for the administration of a health benefit;
- Patients, upon request, are provided with an explanation of what PHI is maintained, how it is kept, how it is used and who has access to it for clinical, reimbursement or quality oversight purposes;
- Patients are informed of their rights and responsibilities regarding the confidentiality of their health care information.
The issue of how to protect against inappropriate use of patient-identifiable health care information, while permitting the coordination, delivery and measurement of quality health care, will continue to be an important public policy issue facing managed health care systems.
Our health care system relies upon patient trust as an essential element in the delivery of quality health care. Trust between patients and their health care providers helps ensure that patients will participate in their own care. The use of patient-identifiable and non-identifiable information by managed health care systems, health care researchers, pharmacists and other health care professionals will continue to improve the provision of quality of health care in America. Appropriate safeguarding of PHI is essential to ensuring patient comfort in communicating honestly and openly with their pharmacist and other health care professionals. Without open communication between and among patients and their providers, treatment decisions based on incomplete or inaccurate information adversely affects the quality of care. The recognition that the safeguarding of PHI is an essential tenet of managed health care systems will engender trust within the public we serve.
1 Joint Commission on Accreditation of Health care Organizations and National Committee for Quality Assurance, Health Care at the Crossroads: Development of a National Performance Measurement Data Strategy, 2008.
2 Pritts, Joy. The Importance and Value of Protecting the Privacy of Health Information. Commissioned by the Institute of Medicine Committee on the HIPAA Privacy Rule and Research, 2008.
3 Academy of Managed Care Pharmacy, Concepts in Managed Care Pharmacy Series, Drug Use Review, 2009. http://www.amcp.org/amcp.ark?p=AAAC630C (accessed March 18, 2010).
4 Academy of Managed Care Pharmacy, Position Statement on Patient Confidentiality, 2003. http://www.amcp.org/amcp.ark?p=AA3F5E9F (accessed March 18, 2010).