Chapter 4: Health Law & Ethics

Christine Malone, EdD

Laws that apply to healthcare may vary from one state to another. This chapter will focus on the laws that apply in Washington State. Ethics, unlike laws, are not topics everyone agrees upon. For this reason, healthcare associations provide ethical standards to the professions they work with. As an example, the American Nurses’ Association publishes a Code of Ethics for Nurses with Interpretive Statements. These ethical codes are updated over time to keep up with new technology, treatments, and diseases. Ethics are different from morals in that what one person believes is morally wrong may not be ethically wrong. As an example, if a person is morally opposed to abortion, yet the state allows abortion, this procedure is not an ethical violation.

Violating a healthcare law may also be a violation of ethics. As an example, if a healthcare professional falsifies a medical record entry, that is a violation of healthcare law as well as a violation of ethics.

Any individual working in the field of healthcare should be aware of ethical considerations. This is true of those working in clinical, as well as non-clinical, roles. Healthcare organizations will often have their own Code of Ethics for their employees. These codes may cover employees’ personal use of their employer’s equipment. An example of this could be an employee using the employer’s copy machine for personal use.

Healthcare law pertains to everyone working in the healthcare setting, whether clinical or non-clinical. Those in a clinical role must abide by their scope of practice. This scope is defined by the Department of Health in each state and dictates what a clinical employee may or may not do. As an example, a medical assistant may not suture a wound.

Those in non-clinical roles must also abide by healthcare laws. The most important of these is the Health Insurance Portability and Accountability Act (HIPAA). This law covers patient privacy and the release of patient information.

An image of a stethoscope and a gavel
Figure 4.1. In healthcare, both law and ethics must be followed. / Photo Credit: George Hodan, CC0

Federal, State, Tribal, and Local Law

Federal laws are those that apply to all states. These are laws that are passed by Congress. State laws are those that apply within a particular state. These laws are passed by lawmakers in that state. Local laws are those that apply to a county or city. These are passed by local lawmakers.

Federal Healthcare Laws

There are six key federal laws that regulate the healthcare industry. These laws are the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Emergency Medical Treatment and Labor Act (EMTALA), the Anti-Kickback and Stark Laws, the Patient Safety and Quality Improvement Act (PSQIA), and Fraud and Abuse laws. These laws apply to all states. In some states, there are laws in place that are stronger and stricter than federal laws. In these cases, the stronger and stricter laws must be followed.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The law was originally intended to protect employees from losing their insurance when the employee changed jobs. While this aim was not achieved, HIPAA is now best known for its patient privacy provisions.

Protected health information (PHI) is defined as any personal information about a patient. This includes patient care and diagnosis, medications the patient may be taking, and even whether the individual is a patient in a healthcare organization. Releasing PHI in a way that violates a patient’s privacy is a violation of HIPAA law.

HIPAA law includes specifics on how and when healthcare providers may speak to one another regarding a particular patient. As a general rule, providers may only discuss a patient’s care needs if both providers are involved in that patient’s care. For example, a surgeon can discuss their findings with the patient’s primary care physician.

Most HIPAA violations are caused by carelessness and lack of attention to detail. For example, two healthcare providers in an elevator discuss their patient while there are other people present. Healthcare professionals must always be cautious when discussing any patient care details.

The HIPAA Privacy Rule is the part of the law that defines how and when PHI may be released. This Rule also mandates that a healthcare organization must inform patients of their right to understand and control their PHI. Under this Rule, patients must consent to the release of their PHI to any other entity.

The exception to this Rule is when the healthcare organization is court-ordered to produce patient PHI to another entity. This process involves a subpoena, an order issued by a court of law, which is served upon the healthcare organization in person or through the mail.

All healthcare facilities, no matter how many employees, must have a HIPAA compliance officer. This person receives any complaints regarding HIPAA violations.

A Day in the Life of a Compliance Officer

The HIPAA Compliance Officer plays a crucial role in ensuring that a medical office or healthcare organization adheres to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA). Their primary responsibilities include:

  1. Developing and implementing policies and procedures: The Compliance Officer is responsible for creating and implementing policies and procedures that align with HIPAA regulations. This involves understanding the requirements of HIPAA, including privacy, security, and breach notification rules, and developing protocols to ensure compliance.
  2. Staff training and education: The Compliance Officer is responsible for educating and training employees within the medical office about HIPAA regulations. This includes raising awareness about patient privacy rights, data security practices, and the proper handling of protected health information (PHI).
  3. Conducting risk assessments: The Compliance Officer performs regular risk assessments to identify potential vulnerabilities and risks related to the security and privacy of PHI. They evaluate the effectiveness of current security measures and identify areas where improvements are needed to mitigate risks.
  4. Ensuring policies and procedures are followed: The Compliance Officer monitors the implementation of policies and procedures to ensure they are followed consistently throughout the medical office. They may conduct audits, inspections, or internal reviews to verify compliance and address any identified issues or non-compliance.
  5. Responding to breaches and incidents: In the event of a security breach or unauthorized disclosure of PHI, the Compliance Officer takes a lead role in responding to the incident. They investigate the breach, assess the impact, and coordinate the necessary steps to mitigate the breach, including notifying affected individuals, regulatory authorities, and other relevant parties.
  6. Maintaining documentation: The Compliance Officer is responsible for maintaining documentation related to HIPAA compliance efforts. This includes policies, procedures, training records, risk assessments, incident reports, and any other relevant documentation that demonstrates compliance with HIPAA regulations.
  7. Keeping up with regulatory changes: HIPAA regulations can change over time, and it is the Compliance Officer’s responsibility to stay updated on any modifications or additions to the rules. They monitor changes in laws and regulations related to healthcare privacy and security and ensure that the medical office remains compliant with the updated requirements.

Overall, the role of the HIPAA Compliance Officer is critical in protecting patient privacy, safeguarding PHI, and ensuring that the medical office meets the standards set forth by HIPAA regulations.

Skill Stitch: Protecting Patient Privacy

A man wearing scrubs provides a woman with a consent form to sign
Figure 4.2. Patients must sign a consent form prior to a procedure. / Photo Credit: SHVETS production, Pexels License

The Department of Health and Human Services’ Office for Civil Rights (OCR) oversees breaches of HIPAA legislation. From October 2009 to December 2022, there were just over 5000 data breaches reported to the OCR.

Part of HIPAA legislation includes a description of the entities that must abide by this law. These entities include healthcare providers and their employees, and healthcare insurance plans. There are occasions when PHI may be viewable by an entity that is not bound by HIPAA legislation. An example would be a copy-machine repair person who is in the office to repair the copier. This repair person may come into contact with PHI and, under HIPAA legislation, is not bound to protect patient privacy. In these cases, the healthcare organization needs to have the repair person sign a business associate agreement. This official document binds the non-employee to protect and preserve patient privacy.

There are several instances where HIPAA does not apply. These include public interest (communicable diseases must be reported under law), victims of abuse (state law dictates what injuries must be reported to local authorities), law enforcement (a person taken into custody may have a medical condition that must be known by law enforcement professionals), prevention of public harm (an individual discloses to their healthcare provider their intent to harm another person), and workmen’s compensation (the employer has a right to know the condition of their injured employee).

The Health Information Technology for Economic and Clinical Health Act (HITECH)

The HITECH Act was passed by Congress in 2009 with the goal of promoting the adoption and meaningful use of electronic health records. Part of this Act addresses the privacy concerns associated with the electronic transfer of PHI. The HITECH Act established levels of penalties for violation. These penalties are associated with the level of violation, with a maximum penalty of $1.5 million.

The Emergency Medical Treatment and Labor Act (EMTALA)

The Emergency Medical Treatment and Labor Act (EMTALA) was passed by Congress in 1986 with the goal of protecting public access to emergency services. Under this Act, healthcare organizations must stabilize a patient in an emergency before transferring or releasing the patient. This Act is meant to stop organizations from “dumping” patients who are unable to pay for their care.

Under EMTALA, an emergency medical condition is defined as one that is life-threatening, and also includes a patient in active labor. Once the patient has been stabilized, the healthcare organization may facilitate a transfer to another facility. If the healthcare organization is unable to stabilize the patient, or if the patient requests it, a transfer may be made.

Photo of a hand with a pulse oximeter on the index finger and an IV in the back of the hand
Figure 4.3. Patients are often treated in the emergency room. / Photo Credit: Engin_Akyurt, Pixabay License

Anti-Kickback and Stark Laws

The federal Anti-Kickback Statute (AKBS) was passed by Congress in 1972. The Stark Law, named after the Congressman who authored the bill, pertains to physician self-referral. These laws apply to organizations treating Medicare and Medicaid patients.

Anti-kickback laws are in place to prevent unethical transactions between healthcare organizations and hospitals. Under the AKBS, it is a criminal act to exchange anything of value in order to obtain the referral of business. An example would be a hospital that provides gift cards to physicians who refer patients. These kickbacks may cause patients to be referred for unneeded treatment or to be steered away from a more appropriate provider. Possible penalties for violating the AKBS include fines of up to $25,000 and/or a sentence of up to five years in jail.

Two male doctors are talking to one another while a female doctor looks on
Figure 4.4. Doctors must be careful that they are following the law regarding kickbacks. / Photo Credit: Gustavo Fring, Pexels License

The physician self-referral law (Stark Law) was passed to prevent providers from profiting from self-referrals. Under this law, physicians may not refer patients to an organization in which the physician has a financial interest. An example would be a physician referring a patient to a physical therapy clinic that the physician owns. There are many organizations that are physician-owned. In order to be in compliance with Stark Law, physicians must advise patients that there are other alternatives for their referrals. Penalties for violation of Stark Law include fines of up to $15,000 per referral, and three times the amount of the improper payment.

Patient Safety and Quality Improvement Act (PSQIA)

The Patient Safety and Quality Improvement Act (PSQIA) was passed by Congress in 2005. This Act protects healthcare employees from retaliation when the employee reports unsafe conditions in their place of work. This law encourages individuals to report errors while maintaining patient confidentiality. This Act is also referred to as a whistleblower statute.

Fraud and Abuse Laws

There are both federal and state laws in place to prevent fraud and abuse in healthcare. Fraud is defined as intentional deceit in order to obtain financial gain. Examples of fraud include billing insurance companies for services that were not provided, and using a higher-level billing code in order to be paid a higher level of reimbursement for services. Examples of abuse include referring patients for tests or procedures that are not medically necessary, and having patients return for care that is not medically necessary.

While both fraud and abuse are illegal and unethical, fraud typically carries a higher penalty. Penalties for fraud and abuse may include jail time, fines, and the provider being excluded from insurance contracts.

Another form of fraud that may occur in healthcare is identity theft. To eliminate the possibility that a patient is using the identity of another person, healthcare organizations must ask for photo identification. This is part of HIPAA legislation and is known as the Red Flags Rule.

Tribal Healthcare Laws

There are 574 federally recognized American Indian and Alaskan Native tribes and villages in the United States. Because these tribes are sovereign nations, they are able to self-govern and create their own healthcare systems to care for their members. Members of these recognized tribes have access to free or low-cost healthcare through Tribal and Urban Indian health programs.

As part of the Patient Protection and Affordable Care Act (PPACA), the Indian Healthcare Improvement Act (IHIA) was made permanent. The IHIA serves as the agreement between the Federal government and tribal nations to improve the care of the Native American population by improving the services and healthcare facilities located on tribal lands.

Attributions

  1. Figure 4.1: Stethoscope And Gavel by George Hodan is released under CC0
  2. Figure 4.2: image released under the Pexels License
  3. Figure 4.3: image released under the Pixabay License
  4. Figure 4.4: image released under the Pexels License

License

Introduction to Healthcare Professions V1 Copyright © by SBCTC is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.