Protecting the Privacy and Security of Patients’ Health Care Information in the Age of an Electronic Health Record
Julie Agris, J.D., LL.M., Ph.D.
Assistant Professor, Health Professions and Hofstra North Shore-LIJ School of Medicine; Director, Master of Health Administration Program
Patients are encouraged to communicate freely with health care providers based upon the ethical and legal obligations of physicians to respect and protect the privacy of their patients. Such special protections can encourage the development of trust. Further, an honest exchange of information between patients and their health care providers is more likely to lead to the delivery of appropriate and high-quality health care services.
These basic principles remain high priorities within the current multifaceted and complex debate regarding efforts to reform the U.S. health care system. One of the significant pieces of health care reform is the movement toward an interoperable electronic health record. An electronic health record merges the traditional model of documenting medical information in a paper record with one in which records are kept in an electronic format. The hope is that such an innovative format allows more fluid communication between and among health care providers who are caring for the same patient. Such an effort has the potential to reduce unnecessary costs and duplicative diagnostic tests, which currently exist in the fragmented system. These improvements have the potential to increase the quality of health care that will be beneficial to patients in the future.
In addition to having the potential to positively transform the health care system, the effort to move this system toward an electronic health record has also been met with justifiable criticism that such a system may increase the risk of eroding the inherent privacy that is deeply embedded in the physician-patient relationship. In other words, if sensitive patient health information is no longer secured in the minds and locked filing cabinets of trusted physicians, but is now widely available in electronic form, then the risk of breaching the privacy and security of the data arguably increases.
To address this legitimate concern, subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. This law addressed the privacy and security issues associated with the electronic transmission of health information by strengthening enforcement provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a law that had previously addressed the privacy and security of protected health information. As a result, HITECH was meant to promote the adoption and meaningful use of health information technology while simultaneously protecting the privacy and security of the information within such a system. The health care industry took notice of HITECH as a result of financial incentives that were included to adopt an interoperable health record. Simultaneously, the privacy and security provisions received a new level of attention, as qualification for the financial incentives would require renewed compliance with the previously enacted privacy and security provisions of the law.
Responding to the Privacy and Security Provisions of the Health Information Technology for Economic and Clinical Health Act
To date, the health care system’s conversion to an interoperable electronic health record is far from complete. Some large health care entities that are affected by HITECH have responded to the increased enforcement efforts with a global institutional policy redevelopment project. Health care entities, such as large health systems, have used the passage of the American Recovery and Reinvestment Act (ARRA) and HITECH as the needed trigger to encourage a reexamination of the way in which HIPAA policies may have been developed and implemented at the institutional level more than a decade ago. Some of the triggers for amending HIPAA policies and procedures have included the need for:
- Revision of business associate agreements
- Policies and procedures to be responsive to breach notification requirements, patients’ requests for restrictions related to their protected health information, the restrictions on the sale of protected health information, “minimum necessary” requirements, and restrictions on fundraising and marketing communications
- Revision of notices of privacy practices to reflect new regulatory requirements and incorporate concepts of health literacy
In order to effectively conduct this global institutional policy redevelopment project with the ultimate goal of implementing a meaningfully used electronic health record, successful health care entities will establish a framework in which this process will occur. Such a process must take into account both the policy development and implementation phases of systematic change. Within each of these phases, the application of organizational behavior concepts, such as those originating from Kim and Mauborgne’s (2003) Theory of Fair Process, is critical.
A Brief Overview of Fair Process Theory
One theoretical model that has been noted as having significance in the field of organizational behavior and health policymaking is Fair Process Theory. Kim and Mauborgne discovered the managerial relevance of fair process in the mid-1990s during a study of strategic decision-making in multinational corporations. They studied 19 companies in which they found a direct link between processes, attitudes, and behavior. They found that managers who believed the company’s processes were fair displayed a high level of trust and commitment, which, in turn, engendered active cooperation. Conversely, when managers felt fair process was absent, they hoarded ideas and dragged their feet (Kim & Mauborgne, 2003).
Kim and Mauborgne developed the concept of fair process after studying a model workforce that degenerated into a cauldron of mistrust, resistance, and plummeting performance when management implemented a major change effort without inviting employees’ input, without explaining the reasons for the change, and without clarifying new performance expectations (Kim & Mauborgne, 2003). Their findings indicated that the company ignored fair process – a decision-making approach that addresses the basic human need to be valued and respected (Kim & Mauborgne, 2003).
Kim and Mauborgne’s central finding is that employees will commit to a manager’s decision, even one with which they disagree, if they believe that the process used to make the decision was fair. Studies of fair processes have shown that people care as much about the fairness of the process through which an outcome is produced as they do about the outcome itself (Kim & Mauborgne, 2003). Individuals want to be respected for their intelligence and want to understand the rationale behind specific decisions (Kim & Mauborgne, 2003). In addition, fair process profoundly influences attitudes and behaviors critical to high performance (Kim & Mauborgne, 2003). Fair Process Theory holds that when a process is considered to be fair, it builds trust and commitment; trust and commitment produce voluntary cooperation; and voluntary cooperation drives performance, leading people to go beyond the call of duty by sharing their knowledge and applying their creativity (Kim & Mauborgne, 2003).
There are three mutually reinforcing principles that consistently emerge based on Fair Process Theory: engagement, explanation, and expectation clarity (Kim & Mauborgne, 2003). Engagement means involving individuals in the decisions that affect them by asking for their input and allowing them to refute the merits of one another’s ideas and assumptions. Engagement communicates management’s respect for individuals and their ideas, builds collective wisdom, and generates better decisions and greater commitment from those involved in executing those decisions (Kim & Mauborgne, 2003).
Explanation posits that everyone involved and affected should understand why final decisions are made as they are. Explanation reassures people that managers have considered their opinions and made decisions with the company’s overall interests at heart. This allows employees to trust their managers’ intentions despite the fact that their own idea might have been rejected (Kim & Mauborgne, 2003).
Expectation clarity requires that once a decision is made, managers state clearly the new rules of the game, including performance standards, penalties for failure, and new responsibilities. By minimizing political jockeying and favoritism, expectation clarity enables employees to focus on the job at hand (Kim & Mauborgne, 2003).
Kim and Mauborgne (2003) emphasize that fair process is not decision-making by consensus and does not aim to achieve harmony or win individuals’ support through compromise or accommodation of individuals’ interests. Further, fair process is not a democratic process. Rather, fair process gives every idea a chance, regardless of the majority opinion. Therefore, a decision maker’s determination of merit for the idea, not consensus, drives the decision-making. Fair process is also distinguished from distributive justice, which uses the traditional management tools of resource allocation, economic incentives and organizational structure.
Kim and Mauborgne identify reasons why so few companies actually engage fully in the use of fair process. Often, managers confuse fair process with fair outcomes. In other words, they will describe a fair manager as one who gives employees the authority they deserve, the resources they need or the rewards they have earned (Kim & Mauborgne, 2003). However, the use of fair process is rare because many managers have difficulty communicating their decisions clearly and directly, particularly when they feel that the decision impacts the individual. Also, it is difficult to shift to the mindset that employees might accept the need for short-term personal sacrifices in order to advance the long-term interests of the corporation when elements of fair process are present (Kim & Mauborgne, 2003).
A Global Institutional HIPAA Policy Redevelopment Project Incorporating Fair Process Theory
The first step after senior leadership of a health care entity endorses a global institutional HIPAA redevelopment project with the incorporation of fair process concepts is to focus on the principle of engagement. To accomplish this, leadership must understand the process of institutional policy development and approval within the health care entity. Nuances may exist, depending upon the managerial independence of individual health care facilities within a larger parent corporation. For example, a “Forms Committee” may be part of the policy development process in one division of the health care system, but not another. Understanding of institutional policy development processes allows for the initiation of invitations to engage relevant stakeholders at the policy development and implementation stages of the policy redevelopment project. Depending upon the organizational structure of the health care entity, the relevant stakeholders with an interest in the privacy and security of patients’ protected health information will likely include:
- Inpatient and outpatient clinical leadership and designees, such as the physician and nursing groups
- Quality improvement leadership and designees from individual facilities, as applicable
- Hospital administration leadership and designees from inpatient and outpatient facilities, as applicable
- Patient care services leadership
- Health information management leadership and stakeholders from across the continuum of care
- Legal counsel (subject matter expertise in addition to general representation required)
- Ethics committee leadership
- Chief information officer
- Chief medical information officer
- Corporate compliance leadership with subject matter expertise
- HIPAA privacy officer
- HIPAA security officer
- Risk management leadership
- Relevant frontline stakeholders who will be integral in spearheading the policy implementation process
- Other members depending upon specific considerations of the individual health care entity
After engaging the appropriate stakeholders, the Fair Process Theory concept of explanation must be applied. The engaged stakeholders must recognize the culture of their organization’s use of institutional policies.
In this assessment, the health care entity, represented by the engaged stakeholder cohort, must determine whether many concise, subject-specific policies will be preferable to one or two comprehensive policies that delegate authority to sub-entities to create site-specific policies tailored to that individual entity. Another approach may be the creation of multiple mid-sized policies and procedures based upon broad subjects, such as “Protecting Patients’ Rights” and “Releasing Protected Health Information of Patients” (see Figure 1).
The strategy for such a mid-sized approach might be to seize an opportunity to more fully educate individuals who are looking for discrete answers to particular questions by providing comprehensive information that includes answers to broad inquiries within a single institutional policy. For example, a specific question related to whether protected health information may be disclosed in a particular instance could develop into an opportunity to teach individuals more about their obligations to patients’ protected health information through reading a broad policy description.
Regardless of the chosen approach, the Fair Process Theory concept of explanation must be applied by communicating the rationale for the chosen approach to the relevant stakeholders, regardless of whether those stakeholders were supportive of the final decision. Such an approach will increase the likelihood of successful implementation of the policy as relevant stakeholders will understand the rationale for such policy.
Once the global institutional policy redevelopment plan is established, the Fair Process Theory principles of engagement, explanation and expectation clarity will be enhanced through the creation of a HIPAA Policy Review Grid (see Figure 2) in order to track, communicate and encourage continued engagement in the policy development process. In addition, each distribution of an updated grid provides an opportunity to reiterate elements of the explanation and expectation clarity principles by explaining the rationale supporting the decisions that have been made and the ways in which those decisions affect new expectations.
The opportunities to apply the principles of fair process to institutional HIPAA policy redevelopment projects will continue to be plentiful. A health care system that is attempting to transition to an electronic health record, yet currently functions with a hybrid medical record (use of paper and electronic records), serves as an illustration of such an opportunity. For example, how should each health care entity define the “legal medical record” or the document that will be responsive to a patient’s request for his or her “entire medical record”? Should this be defined to include the paper copy of the physician’s progress notes in the paper record? Should this be defined to include a paper copy of the information that is in electronic form? Will this include copies of laboratory reports and X-ray files that are kept in separate data files? How will these efforts be coordinated using the limited resources that currently exist for such administrative activities? How will health care entities be truly responsive to patients’ requests and their obligations to be responsive to their patients? Each of these inquiries serves as an opportunity to engage, explain and provide expectation clarity for crucial stakeholders who will later serve as leaders in the policy implementation phase.
Another example of such an opportunity is the implementation of the HITECH provision that allows patients to request restrictions on the disclosure of their health information if they pay for such services out of pocket. The logistics of such a provision have proven to be extremely difficult to implement. How will an institutional policy be developed to implement such a complicated legal provision? Regardless of the articulated policy position, inclusion of fair process principles will likely promote investment of frontline stakeholders during policy implementation.
HIPAA Policy Review Grid
| Old Policy Number | New Policy Number | Policy Name | Recommendation | Status |
|---|---|---|---|---|
| 100.46 | 800.46 | Facility Directory and Clergy List Opt-Out | Archive – Incorporated into 800.46 | Scheduled for Presentation to Policy Committee – June 2010 |
| 200.07 | 800.46 | Request for Amendment to Billing Records | Archive – Incorporated into 800.46 | Scheduled for Presentation to Policy Committee – June 2010 |
| 200.08 | 800.42 | Minimum Necessary | Archive – Incorporated into 800.42 | Scheduled for Presentation to Policy Committee – July 2010 |
Other challenging provisions that encourage opportunities for further policy development include:
- The development of a comprehensive institutional policy to guide the response to a patient’s request for an accounting of disclosures, including disclosures related to treatment, payment and health care operations
- A policy to develop a process that assists in the determination of what should be considered “reasonable” when a patient initiates his or her right to “confidential communication”
- A policy to allow patients to freely opt out of and opt back in to the “facility directory” (the list of patient information to which the public has access when a patient is admitted to a hospital)
- The development of policies to meaningfully implement the “minimum necessary” standard
- The creation of standardized electronic forms that will assist in the implementation of any of the HIPAA policies developed
The work to be done will be voluminous and ongoing in the institutional HIPAA policy redevelopment processes. Application of the concepts of fair process outlined above will continue to serve health care entities well in the policy development and implementation phases. Though all stakeholders may have been adequately engaged in the policy development and approval processes, it is necessary to continue to speak to frontline stakeholders and engage them in the implementation process to ensure that there is continued support to reflect the established policies consistently over time.
The process of engaging in a meaningful global institutional HIPAA policy redevelopment project involves high levels of responsibility and intense work. Such efforts should be encouraged in light of the need to retain the expectation of trust within the physician-patient relationship. This trusted communication contributes to physicians’ abilities to provide coordinated, high-quality health care. To accomplish meaningful policy development and implementation, we must continue to understand the HIPAA and HITECH regulatory provisions and critically analyze forthcoming regulatory development and guidance. Engaging in policy development and implementation processes that incorporate the fair process principles of engagement, explanation and expectation clarity will contribute to the creation of a more significant array of policies that better reflect the spirit of protecting patients’ privacy and security in the age of an interoperable electronic health record. A fair process approach to the development and implementation of health information privacy and security policies will serve as a useful mechanism in the translation of health reform legislation into meaningful practice.
Kim, W. C., & Mauborgne, R. (2003). Fair process: Managing in the knowledge economy. Harvard Business Review, 75(4), 65-75. Graduate School of Business Administration, Harvard University. Retrieved from http://www.ncbi.nlm.nih.gov/pubmed/10168337