Informed Consent in Healthcare Services
Informed Consent in Healthcare Services
With the implementation of HIPAA (Health Insurance Portability and Accountability Act) in 1996, new privacy regulations were in place concerning issues such as informed consent and patient authorization (Stember, 2005, p. 10). It was important for professionals to fully understand the fact of these new regulations on policies and activities so that they could ensure they were conforming to best practices. In the human services field, it is quite common for the terms "informed consent" and "authorization" for professionals to use these two terms interchangeably when referring to a written permission form that grants providers with the right to either use or disclose some or all of their healthcare data. However, under the current understanding of these terms they are not actually synonymous. The following will explain the difference between the two and clarify how they are used by human service workers to obtain informed consent.
According to the privacy regulations incorporated into HIPAA, it is necessary for a health care plan provider to obtain consent in a written form to either use or disclose healthcare data or information that can be used for the purpose of treatment, operations or payment collections (Demuro, 2000, p. 143). But for other types of purposes, an authorization is used for any disclosure or use of client or patient health information (excluding those things laid out in current laws or regulations). In line with this, individuals who represent covered entities (those organizations that come under the umbrella of pace that regulations) are required under the regulations to make their privacy practices and rules both clear and available to clients. For instance, social
workers operating under the auspices of such a covered entity are required to comply fully with the Act's various privacy regulations. Furthermore, they have to comprehend and adhere to those aspects of the regulations related to client notice, including authorization and consent.
The privacy rules in HIPAA are designed to did find those circumstances and situations in which entities are allowed to disclose or use an individual's healthcare information (unless otherwise mandated by different or subsequent laws). These regulations make clear that covered entities are only allowed to disclose such information to the individual the information is regarding or to the HHS (Department of Health and Human Services) so that it can ensure that regulations are being enforced. In addition to this, HIPAA regulations mandate that any covered entity is only permitted to disclose as much information as is absolutely necessary to meet the needs of the requested disclosure. There are certain exceptions to this latter requirement, such as the fact that disclosures are permitted when the information is going to a specified healthcare provider carrying out treatment, disclosures to the individual in question, disclosures mandated by law, disclosures necessary to fully comply with the regulations and any disclosures required by the Department of Health and Human Services.
All of this regulation comes down to ethical and professional behavior for human service workers. They must ensure that they adhere to a code of ethics in which they use their own experience and judgment (combined with any applicable federal or state laws (when carrying out their decisions regarding disclosing a clients personal health data.
The National Association of Social Workers provides a written code of ethics designed to layout the principles that should guide social workers in carrying out their professional duties, particularly in regard to issues like disclosure and informed consent. The relevant sections should be consulted and carefully reviewed when a social worker is attempting to make a decision regarding the disclosure of protected and sensitive client health data. It is also necessary that social workers review their states confidentiality and privacy laws ensure that they are adhering to them. Furthermore, HIPAA regulations make it plain that if a given state's laws are more rigorous and more demanding than the federal government's HIPAA regulations (meaning they do a more effective job of protecting a client's health data) then the worker should use the state laws rather than the weaker federal ones.
The concept of informed consent is clearly laid out in detail in HIPAA regulations and there are many requirements that have to be met before information can be released. Informed consent must do the following (Setness, 2002, p. 15):
Explain what is being requested in understandable, straightforward language.
Explained to the client exactly why their health information is going to be disclosed, whether it is for payment purposes, treatment or otherwise.
Explain the mandated privacy policies and that the client has the right to review this information before he or she signs a consent form.
Clarify that the individual has the right to request that the information related to his or her health be restricted to certain uses and/or disclosed to certain
organizations or individuals. It is entirely optional whether the entity involved agrees to abide by this request, but if they do they are bound by it.
Point out that the individual has the right to revoke their consent. But such a revocation has to be done in writing. However, any activities carried out by the entity in question prior to the revocation of the consent by the individual cannot be revoked retroactively (shared information cannot be unshared).
Make it clear that following a revocation, a client can still be billed for any services that occurred prior to that revocation.
Included a dated signature by the client.
Remain in the possession of the entity in question for six years.
Later changes to the original 1996 HIPAA clarified certain points. One of these related to emergency situations. Providers are permitted in emergency situations to disclose the otherwise protected health data of patients or clients without first obtaining their informed consent. However, it's important that human service workers carefully evaluate the situation and use professional judgment when deciding whether a set of circumstances meets the definition of an emergency. Furthermore, even if a provider or human service worker is forced in and emergency to forgo obtaining informed consent, following the emergency situation he or she should later obtain that consent as soon as it is possible.
Another change that was introduced was that a human service worker or provider does not need to specify the exact data or information that will be disclosed or who that information will be disclosed to. Furthermore, a human service worker or provider can decline to provide treatment for any patient who refuses to provide sign the
informed consent document allowing for the disclosure of private health data. Finally, consent has to be obtained one time and does not have to be obtained at a later date for the release of other information.
Federal Authorization
As mentioned above, authorizations are used in those instances where the client protected data is being disclosed for purposes that are not related to payment collection, treatments or other healthcare activities. Any authorization must:
Explain what is being requested in understandable, straightforward language.
Explain to the client what health information is going to be disclosed.
Identify the person or persons who can disclose the information.
Identify the person or persons the information can be disclosed to.
Point out that the individual has the right to revoke their consent.
Make it clear that following a revocation, a client can still be billed for any services that occurred prior to that revocation.
Point out that once the information is disclosed to a third party, that party can then use the information as they please.
Include a dated signature by the client.
Include a date on which the consent will expire.
Include a copy of the agreement for the signator.
Exceptions
As suggested previously, there are situations in which current regulations concerning privacy for clients or patients do allow for the use and/or disclosure of
private health data without actually obtaining either the client's informed consent or his or her authorization. Such exceptions include (but are not necessarily limited to) the following:
Satisfying public health needs with regard to data needed by either state or federal agencies. This can include data to be used for disease reporting or statistical analysis.
Reporting the neglect or abuse of an individual, whether it is a child or another adult.
Oversight and management of the healthcare system.
Law enforcement requests.
Administrative or judicial actions.
Imminent and believable threat to safety or health.
Research purposes.
Specific functions of the government, such as census data collection.
Information necessary to comply with federal requirements regarding Worker's Compensation laws and related programs.
Disclosures and uses related to descendents (usually to allow medical examiners, corners and funeral homes to perform their functions under the law).
Notification Regarding Privacy Practices
HIPAA regulations mandate that human services workers or providers have to ensure that clients or patients are provided with a written notice regarding just what is permitted with regard to disclosing and using private healthcare data. It should clarify
just what the client's rights are in this regard (Anas, 2003, p. 1487). The notice must include the following at a minimum:
The statement "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
A discussion of disclosures and uses, including a listing of those things for which disclosures are permitted (such as payment collection, treatment and healthcare operations).
A detailed description of disclosures that can occur without the individuals written authorization or informed consent.
A statement regarding those things for which a written authorization is required, as well as information about how to revoke authorization.
Inform an individual of his or her rights to request that certain disclosures or uses be restricted, with the notation that provider does not have to agree to the request.
Discuss the provider responsibilities with regard to the privacy of client information, including the fact that the provider must abide by regulations and the current notice.
Inform the client that the provider has the right to draft changes to the above provisions in this notice, but must make clear how the new notification will be provided to clients.
Provide a statement that informs the client as to his or her rights to file a
complaint either with the provider or with the HHS if any violation of privacy has occurred. This statement must provide clear contact information for making such complaints, both with the provider and at the HHS. Finally, the statement must make clear that no retaliation against the client will occur.
An effective date for the notice must be included.
There are a number of activities for which providers should descriptions so that the clients or patients can better understand how these activities affect disclosure and privacy. This can include:
Phone or email contacts to remind individuals about their appointments or to provide information regarding healthcare benefits or alternative treatments.
Fundraising activities carried out by the organization.
Any disclosure of private healthcare information by the HMO or insurance issuer to those sponsoring the plan.
Keeping up with Changes
The government by its nature is an ever-changing bureaucracy, with new rules and regulations being published on a regular basis. As recently as 2010, new changes were proposed for federal privacy regulations (Holloway & Fensholt, 2010, p. 66) One of the most important things a human service worker should do is to keep themselves fully abreast of any changes to the privacy regulations in the documentation produced by the HHS. These documents help to define and further clarify such changes to the regulations. It is essential (for both legal, professional and ethical reasons) that those interacting with client's private healthcare information fully comprehend what is required
of them. The following techniques can help with doing so:
Human service worker should ensure that they are familiar with all relevant HIPAA regulations regarding privacy.
The organization or the individual worker should determine if they meet the definition of a "covered entity" described in these regulations so that they know whether they are subject to them.
In addition to the federal regulations, workers should study their state privacy and informed consent regulations.
It's helpful to maintain an updated file of all HIPAA resources and contacts.
Any organization should regularly review its privacy and consent policies to ensure that they are in full compliance with federal and state regulations.
A notice form that conforms to federal requirements should be developed, printed and distributed/posted.
Authorization and informed consent forms should be regularly reviewed and (if necessary) revised to ensure that they are always in compliance with state and federal privacy regulations.
Policy should be put in place that provide deal with obtaining client consent, addressing concerns about restrictions and clarifying what is authorized and what is not.
All changes to procedures, forms and policies should be reviewed by legal experts prior to their implementation.
Staff should be fully trained to handle existing and new forms and procedures.
A review process should be put in place for monitoring staff compliance with both federal and state regulations and office policies and procedures.
The Protection of Data
Along with the issues revolving around informed consent and authorization, modern-day human service workers have to be concerned about other ways in which healthcare data could be compromised. All too frequently, many office workers will choose to discuss matters at home or with friends regarding their work that are in fact confidential and should not be shared with anyone. Several human service workers have been in the news recently because they chose to discuss client's private information on social networking sites like Facebook. Office managers need to monitor such activity to ensure that this is not occurring and provide with service workers with clear policies in this regard.
There is also the question of basic data safety. Laptops, flash drives, printed documents and other media that might contain privileged client information should always be carefully guarded to ensure that unauthorized persons do not gain access. Password encryption of digital media, computers and laptops is essential to ensure data security (Pankey, 2001, p. 46).
In conclusion, the issue of informed consent of patients is an important one both for the patients themselves and the workers handling their healthcare information. No patient or client will be comfortable having their private healthcare information available to just anyone. Having a place clear policies that both human service workers and their clients understand makes it much easier to deal with this issue. However, it's also
essential that these workers stay fully up to date and apprised about any changes that take place in such policies, both at the state and federal levels.
References
Annas, George J,J.D., M.P.H. (2003). HIPAA regulations--a new era of medical-record privacy? The New England Journal of Medicine, 348(15), 1486-90.
DeMuro, P. R., & W Andrew H Grant, I.,II. (2001). HIPAA privacy standards raise complex implementation issues. Healthcare Financial Management, 55(1), 42-7.
Holloway, M., & Fensholt, E. (2010). HHS proposes rewrite of HIPAA privacy and data security rules. Benefits Law Journal, 23(4), 66-71.
Pankey, B. (2001). Private healthcare data transfers need encryption protection. Managed Healthcare Executive, 11(4), 46-50
Setness, P. A., M.D. (2002). HIPAA and the changing face of patient privacy ; new legislation requires timely response. Postgraduate Medicine, 111(1), 15.
Stember, M. L. (2005). HIPAA security rules-is your health plan secure? Journal of Pension Benefits, 12(3), 10-16.
