4.1 Overview of Healthcare Law and Ethics
Christine Malone, EdD
Laws that apply to healthcare may vary from one state to another. This chapter will focus on the laws that apply in Washington state. Ethics, unlike laws, are not universally agreed on. For this reason, healthcare associations provide ethical standards for the professions they serve. For example, the American Nurses Association publishes a Code of Ethics for Nurses with Interpretive Statements. These ethical codes are periodically updated to keep up with new technology, treatments, and diseases. Ethics differ from morals in that what one person considers morally wrong may not necessarily be considered ethically wrong. For example, if a person is morally opposed to abortion, but the state allows it, this procedure is not an ethical violation. In other instances, violating a healthcare law may also be a violation of ethics. For example, if a healthcare professional falsifies a medical record entry, that is a violation of healthcare law and ethics.
Anyone working in healthcare, whether in clinical or non-clinical roles, should be aware of ethical considerations. Healthcare organizations will often have their own code of ethics for employees, which may address issues such as employee use of company equipment for personal purposes. In this example, an employee using the employer’s copy machine for personal use would be considered an ethical violation.
Healthcare law applies to everyone working in a healthcare setting, whether in clinical or non-clinical roles. Clinical employees must adhere to their scope of practice, which is defined by the Department of Health in each state and dictates what a clinical employee may or may not do. For example, a medical assistant is not permitted to suture a wound.
Non-clinical employees must also comply with healthcare laws. The most important of these is the Health Insurance Portability and Accountability Act (HIPAA), which covers patient privacy and the release of patient information.
Federal, State, Tribal, and Local Law
Federal laws apply to all states and are passed by Congress. State laws, on the other hand, apply within a particular state and are passed by lawmakers in that state. Local laws apply to a county or city and are passed by local lawmakers.
Federal Healthcare Laws
There are six key federal laws that regulate the healthcare industry:
- The Health Insurance Portability and Accountability Act (HIPPA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- The Emergency Medical and Treatment Act (EMTALA)
- The Anti-Kickback Statute (AKBS) and the Stark Law
- The Patient Safety and Quality Improvement Act (PSQIA)
- Fraud and abuse laws
These laws apply to all states. However, some states have laws that are stronger or stricter than federal laws. In these cases, the state laws must be followed.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The law was originally intended to protect employees from losing their insurance when they changed jobs. This aim was not achieved, and HIPAA is now most commonly associated with patient privacy.
Protected health information (PHI) refers to any personal information about a patient, including details about their care, diagnosis, medications, and even whether they are a patient at a healthcare organization. Releasing PHI in a way that violates a patient’s privacy is a violation of HIPAA (Centers for Disease Control and Prevention, 2022).
HIPAA also includes specific regulations about how and when healthcare providers may communicate with one another regarding a particular patient. As a general rule, providers may only discuss a patient’s care if both providers are involved in that patient’s care. For example, a surgeon can discuss their findings with the patient’s primary care physician.
Most HIPAA violations are caused by carelessness or a lack of attention to detail. For example, two healthcare providers might discuss their patient in an elevator while other people are present. Healthcare professionals must always be cautious when discussing any patient care details, regardless of setting.
The HIPAA Privacy Rule defines how and when PHI may be released. It also mandates that healthcare organizations disclose to patients their rights to understand and control their PHI. Under this rule, patients must consent to the release of their PHI to any other entity.
The exception to this rule is when a healthcare organization is court-ordered to produce a patient’s PHI. This process involves a subpoena, which is served on the healthcare organization either in person or by mail. A subpoena is a legal order issued by a court.
All healthcare facilities, regardless of size, must have a HIPAA compliance officer. This person receives any complaints regarding HIPAA violations.
A Day in the Life of a HIPPA Compliance Officer
The HIPAA Compliance Officer plays a crucial role in ensuring that a medical office or healthcare organization adheres to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Their primary responsibilities include:
- Developing and implementing policies and procedures: The Compliance Officer is responsible for creating and implementing policies and procedures that align with HIPAA regulations. This involves understanding the requirements of HIPAA, including privacy, security, and breach notification rules, and developing protocols to ensure compliance.
- Staff training and education: The Compliance Officer is responsible for educating and training employees about HIPAA regulations. This includes raising awareness about patient privacy rights, data security practices, and the proper handling of protected health information (PHI).
- Conducting risk assessments: The Compliance Officer performs regular risk assessments to identify potential vulnerabilities related to the security and privacy of PHI. They evaluate the effectiveness of current security measures and identify areas for improvement to mitigate risks.
- Ensuring policies and procedures are followed: The Compliance Officer monitors the implementation of policies and procedures to ensure they are followed consistently. They may conduct audits, inspections, or internal reviews to verify compliance and address any identified issues.
- Responding to breaches and incidents: In the event of a security breach or unauthorized disclosure of PHI, the Compliance Officer takes the lead in responding. They investigate the breach, assess its impact, and coordinate the necessary steps to mitigate the breach, including notifying affected individuals, regulatory authorities, and other relevant parties.
- Maintaining documentation: The Compliance Officer is responsible for maintaining documentation related to HIPAA compliance efforts. This includes policies, procedures, training records, risk assessments, incident reports, and any other relevant documentation that demonstrates compliance.
- Keeping Up with regulatory changes: HIPAA regulations can change over time, and it is the Compliance Officer’s responsibility to stay updated on any modifications or additions to the rules. They monitor updates in healthcare privacy and security laws and ensure that the medical office remains compliant with the latest requirements.
The role of the HIPAA Compliance Officer is critical to protecting patient privacy, safeguarding PHI, and ensuring that a medical office meets the standards set forth by HIPAA regulations.
Skill Stitch: Protecting Patient Privacy
The Department of Health and Human Services Office for Civil Rights (OCR) oversees breaches of HIPAA legislation. From October 2009 to December 2022, over 5,000 data breaches were reported to the OCR.
HIPAA legislation includes descriptions of the entities that must comply with its regulations, including healthcare providers, their employees, and healthcare insurance plans. However, there are occasions when PHI may be accessible by entities not bound by HIPAA. For example, a copy-machine repair technician may visit the office to repair the copier and come into contact with PHI. Under HIPAA, this technician is not obligated to protect patient privacy. Because of such cases, healthcare organizations must have such a person sign a business associate agreement, which legally binds a non-employee to protect patient privacy.
There are several situations where HIPAA does not apply. These include:
- Public Interest: Certain public health requirements, such as reporting communicable diseases, are mandated by law.
- Victims of Abuse: State law dictates what injuries must be reported to local authorities in cases of abuse.
- Law Enforcement: If a person is taken into custody, their medical condition may need to be disclosed to law enforcement personnel.
- Prevention of Public Harm: If a person informs their healthcare provider of an intent to harm another person, the provider may be required to disclose this information.
- Workers’ Compensation: Employers have the right to access information regarding an injured employee’s condition for workers’ compensation purposes.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
The HITECH Act was passed by Congress in 2009 to promote the adoption and meaningful use of electronic health records. Part of this law addresses privacy concerns associated with the electronic transfer of PHI. The HITECH Act also established a tiered system of penalties for violation, with the severity of the penalty corresponding to the level of the violation. The maximum penalty for a violation is $1.5 million.
The Emergency Medical Treatment and Labor Act (EMTALA)
The Emergency Medical Treatment and Labor Act (EMTALA) was passed by Congress in 1986 to protect public access to emergency services. Under this law, healthcare organizations must stabilize a patient in an emergency situation before transferring or releasing them. EMTALA aims to prevent organizations from “dumping” patients who are unable to pay for their care.
Under EMTALA, an emergency medical condition is defined as one that is life-threatening, or involves a patient in active labor. Once the patient has been stabilized, the healthcare organization may facilitate a transfer to another facility. If the healthcare organization is unable to stabilize the patient, or if the patient requests a transfer, a transfer may be made.
The Anti-Kickback Statute and the Stark Law
The federal Anti-Kickback Statute (AKBS) was passed by Congress in 1972 to prevent illegal financial incentives that influence healthcare decisions. The Stark Law, named after the congressman who authored the bill, addresses physician self-referral, prohibiting physicians from referring patients to facilities in which they have a financial interest. Both of these laws apply to organizations treating Medicare and Medicaid patients.
The AKBS is designed to prevent unethical transactions between healthcare organizations and hospitals. Under the AKBS, it is a criminal offense to exchange anything of value for patient referrals. For example, a hospital that provides gift cards to physicians for referring patients would violate the AKBS. Such kickbacks can lead to unneeded treatment or diversion from a more appropriate provider. Penalties for violating the AKBS include fines of up to $25,000 per violation and/or a sentence of up to 5 years in prison.
The Physician Self-Referral Law, commonly known as the Stark Law, was passed to prevent physicians from profiting off of self-referrals. Under this law, physicians may not refer patients to an organization with which the physician has a financial interest. For example, a physician cannot refer a patient to a physical therapy clinic that the physician owns. Many healthcare organizations are physician-owned, but to comply with the Stark Law, physicians must advise patients that there are alternatives to their referrals. Penalties for violating the Stark Law include fines of up to $15,000 per referral, as well as three times the amount of any improper payment made as a result of the referral.
Patient Safety and Quality Improvement Act (PSQIA)
The Patient Safety and Quality Improvement Act (PSQIA) was passed by Congress in 2005 to protect healthcare employees from retaliation when reporting unsafe conditions in their workplace. This law encourages individuals to report errors while maintaining patient confidentiality. The PSQIA is also commonly referred to as a “whistleblower statute.”
Fraud and Abuse Laws
Both federal and state laws are in place to prevent fraud and abuse in healthcare. Fraud is defined as intentional deceit for financial gain. Examples of fraud include billing insurance companies for services not provided or using a higher-level billing code to receive higher reimbursement for services. Another form of fraud in healthcare is identity theft. To prevent patients from using another person’s identity, healthcare organizations must request photo identification. This is known as the Red Flags Rule under HIPPA. Examples of abuse include referring patients for tests or procedures that are not medically necessary or having patients return for care that is not medically necessary. While both fraud and abuse are illegal and unethical, fraud typically carries more severe penalties. Penalties for fraud and abuse may include jail time, fines, and exclusion from insurance contracts.
Tribal Healthcare Laws
There are 574 federally recognized American Indian and Alaska Native tribes and villages in the United States. Because these tribes are sovereign nations, they are self-governed and create their own healthcare systems to serve their members. Members of these recognized tribes have access to free or low-cost healthcare through tribal and Urban Indian Health programs (Taylor, n.d.).
As part of the Patient Protection and Affordable Care Act (PPACA), the Indian Healthcare Improvement Act (IHIA) was made permanent. The IHIA serves as the agreement between the federal government and tribal nations to improve the healthcare services and facilities available on tribal lands, with the goal of improving care for the Native American population.
Attributions
- Figure 4.1: Stethoscope And Gavel by George Hodan is released under CC0
- Figure 4.2: image released under the Pexels License
- Figure 4.3: image released under the Pixabay License
- Figure 4.4: image released under the Pexels License
Each state lists the duties that a healthcare professional may legally perform.
Health Insurance Portability and Accountability Act, passed by Congress in 1996, protecting patient information from being disclosed without proper consen.
Part of HIPAA law, the HITECH Act encouraged providers to adopt electronic medical records and improve the privacy of patient information
Commonly abbreviated as PHI. the material in a patient record that is sensitive or identifying and requires special care in storage, release and transmittal. Examples include name, date of birth and death, social security number, phone number or address, and hospital admission and release dates.
A written order that compels an individual to come to court, or compels an individual to provide documents.
A contract that establish a legally-binding relationship between HIPAA-covered entities and business associates to protect patient health information.