EP 201·ADMIN·Chapter 3·Free preview

Practice Management and Quality — HIPAA, Bioethics, PDSA, Patient Safety, Malpractice, and MIPS

22 pages·~13 min read·10 linked questions



Before You Listen

Episode Setup

  • Topic in one line: the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (protected health information (PHI), the minimum necessary standard, the 18 safe harbor identifiers for de-identification, permitted disclosures for treatment, payment, and healthcare operations); the four pillars of bioethics (autonomy, beneficence, non-maleficence, justice); the Belmont Report and the Institutional Review Board (IRB); quality improvement methodology (the Plan-Do-Study-Act (PDSA) cycle, structure/process/outcome measures, levels of evidence, the Appraisal of Guidelines for Research and Evaluation (AGREE II) instrument); patient safety concepts (sentinel event, never event, near miss, root cause analysis (RCA), failure mode and effects analysis (FMEA), the just culture model, the Reason Swiss cheese model); the four elements of medical malpractice (duty, breach, causation, damages); risk management (documentation, communication, error disclosure); and the Merit-based Incentive Payment System (MIPS) under the Medicare Access and CHIP Reauthorization Act (MACRA).
  • Prerequisites: familiarity with the basic structure of the United States healthcare system, the federal payer landscape (Medicare, Medicaid), and the rehabilitation team and quality reporting framework introduced in ADMIN-01 (IRF-PAI, IRF Quality Reporting Program).
  • Runtime: 1 hour 1 minute.

Vignette. A nurse on your inpatient rehabilitation unit administers a 10-fold overdose of morphine to a patient because the order was written as “10mg” without a leading zero or unit clarification, the pharmacy dispensed a 10 mg vial when the intended dose was 1 mg, the bedside scanner had been disabled because of repeated false alarms, and the night shift was staffed at a 1:8 nurse-to-patient ratio (the protocol calls for 1:5). The patient develops respiratory depression requiring naloxone but recovers fully with no permanent harm. The unit medical director is asked to lead the post-event analysis.

Classify this event using the standard patient safety taxonomy, identify which structured analytic method should be used and what its central question is, identify which conceptual model best explains how the harm reached the patient, classify the nurse’s behavior under the just culture framework and state the appropriate organizational response, and identify which of the four malpractice elements would be the strongest defense if the patient sued.

(Answer at the end of this chapter)


Section 1: HIPAA, PHI, and Permitted Disclosures

ADMIN-03 · ~03:30

Bottom line: HIPAA (1996) and its Privacy Rule (2003) established national standards for protected health information (PHI). PHI = any individually identifiable health information in any form. Covered entities are health plans, clearinghouses, and providers conducting electronic transactions. The minimum necessary standard does NOT apply to treatment between providers, disclosures to the patient, or disclosures required by law. Permitted disclosures without authorization include Treatment, Payment, and Healthcare Operations (TPO), plus public health, law enforcement, judicial/administrative proceedings, workers’ comp, public safety threats, and abuse/neglect reporting. Safe harbor de-identification requires removal of 18 specific identifiers; once de-identified, the information is no longer PHI.

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national standards for the protection of individually identifiable health information. The Privacy Rule (effective 2003) governs the use and disclosure of protected health information (PHI) by covered entities: health plans, healthcare clearinghouses, and healthcare providers conducting certain electronic transactions.

PHI is any individually identifiable health information relating to an individual’s past, present, or future health condition, the provision of healthcare, or payment for healthcare, in any form (oral, written, electronic).

The minimum necessary standard: covered entities must limit the use, disclosure, and request of PHI to the minimum amount necessary for the intended purpose. It does not apply to disclosures for treatment between providers, disclosures to the patient, or disclosures required by law.

Permitted disclosures without patient authorization fall into several board-tested categories. The primary category is Treatment, Payment, and Healthcare Operations (TPO):

  • Treatment: PHI can be shared among providers involved in care without separate authorization.
  • Payment: information for billing, claims processing, insurance functions.
  • Healthcare operations: quality improvement, training, compliance, business management.

Additional permitted disclosures without authorization:

  • Public health activities: reporting communicable diseases, vital statistics, public health surveillance.
  • Law enforcement under specific conditions.
  • Judicial and administrative proceedings in response to a court order or subpoena.
  • Workers’ compensation to the extent required by state law.
  • Public safety: serious and imminent threat to health or safety.
  • Abuse, neglect, or domestic violence reporting.

De-identification removes information from the protections of the Privacy Rule. Two methods exist:

Figure 3.1 — HIPAA safe harbor 18 identifiers

The safe harbor method requires removal of 18 specific identifiers (see figure). The expert determination method uses a qualified statistical expert to certify a very small risk of identification.
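As an added illustration that is not part of the chapter, the routine below applies several safe harbor rules to a constructed rehabilitation record: direct identifiers are dropped, ZIP codes are cut to three digits (or 000 for low-population prefixes), other dates keep only the year, and ages over 89 collapse into a single 90+ category. The field names and the sample record are assumptions for the example; the restricted ZIP3 list is taken from HHS de-identification guidance and should be checked against the current list.

```python
import re
from datetime import date

# Constructed sample record for illustration (not from the chapter).
SAMPLE = {
    "name": "Jane Q. Example", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "phone": "555-0100", "email": "jane@example.org", "zip": "03601",
    "birth_date": "1931-04-12", "admit_date": "2023-11-03",
    "diagnosis": "T12 incomplete SCI", "fim_admit": 62,
}

# Direct identifiers that safe harbor requires removing outright. A real
# schema would add the other categories (account, license and beneficiary
# numbers, device and vehicle IDs, URLs, IP addresses, biometrics, photos).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# List as published in HHS guidance (2000 census data); verify before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for a restricted prefix."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(birth_date: str, as_of: str) -> str:
    """Report age in years; ages over 89 are aggregated into '90+'."""
    born, ref = date.fromisoformat(birth_date), date.fromisoformat(as_of)
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, as_of: str) -> dict:
    """Return a safe-harbor style copy of a structured record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            out["age"] = generalize_age(value, as_of)  # birth year itself is removed
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = value[:4]       # year only
        else:
            out[key] = value                          # clinical data is kept
    return out
```

Structured fields are the easy case; free-text notes need a separate scrubbing pass, and the catch-all “any other unique identifying number, characteristic, or code” is a judgment call the routine cannot make for you.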

A physician releasing records for treatment by another provider does not require authorization. An employer request for non-workers’-comp purposes does require authorization. Law enforcement requests depend on the specific legal circumstances.

High Yield — HIPAA

  • HIPAA (1996), Privacy Rule (2003); covered entities = health plans, clearinghouses, providers conducting electronic transactions.
  • PHI = individually identifiable health information in any form (oral, written, electronic).
  • Minimum necessary standard does NOT apply to treatment between providers, to the patient, or as required by law.
  • TPO disclosures (Treatment, Payment, Healthcare Operations) do not require authorization.
  • Other permitted disclosures: public health, law enforcement (specific conditions), judicial/administrative, workers’ comp, public safety threats, abuse/neglect/IPV.
  • Safe harbor de-identification requires removal of 18 specific identifiers.
  • De-identified information is no longer PHI.

Mnemonic — “TPO is free, everything else needs a key”

Treatment, Payment, and Healthcare Operations are the three permitted disclosures that flow without patient authorization. Everything else (employer requests, marketing, life insurance applications) requires a signed authorization from the patient. When a vignette asks “does this disclosure need authorization,” start by checking whether it falls under TPO. If yes, the answer is no authorization required.

