Confidentiality of Health Information Exam

1. Should corrections be date and time stamped?

Yes, it is very important to keep track of when changes are made to an individual’s medical records. Any correction made to confidential medical information should be time and date stamped. In addition, the name of the person who makes the changes should be recorded with the time and date change. should there not be a note of who makes changes to the medical record.

An example of the negative consequences of not date and time stamping medical records, electronic or otherwise, is that in a court of law, one’s medical records could be inadmissible due to this simple negligence. A medical malpractice case, in which the patient deserves compensation for being diagnosed incorrectly, or not diagnosed at all, could hinge on this incredibly important detail. Whether or not the patient’s medical records was date and time stamped, as well as signed by the individual working on the patient’s electronic medical record.

2. When should the patient be advised of the existence of computerized databases containing medical information about the patient?

A patient should be advised of the existence of computerized database containing medical information about the patient , before the patient’s physician releases said information to the entity keeping the computer bases. All medical information must be shared with the patient before any treatments are performed, so that the patient may give their informed consent for the treatment or procedure to be administered.

If patients were unaware of the existence of their medical information stored in computerized database, they obviously would not have the knowledge to access their own records, which is highly unprofessional and detrimental to the patient’s health care in the future. According to the American Medical Association (AMA), patients have the right to know where their records are being stored and who has access to them for safety and privacy of the individual.

3. When should the patient be notified of purging of archaic or inaccurate information?

States “ procedures for purging the computerized data base of archaic or inaccurate data should be established and the patient and physician should be notified before and after the data has been purged.” It is essential that the patient and physician always know what is going on with their confidential medical records. Care must be taken to make sure that the medical record are never accidently mixed with other computer based record. With technology growing faster than most of us can keep up, most of today information is on computer. Either being stored on a disk, on websites, or even online storage . The American Medical Association (AMA), has issued opinion 5.07 confidentiality for computers.

4. When should the computerized medical database be online to the computer terminal?

The computerized medical database is online to the computer terminal only when authorized computer programs requiring the medical data are in use. According to the (AMA ) policy, External individuals or organizations should not have online access to these computerized database. containing identifiable data from medical records patient. Access should be controlled through security measures.

Some examples of these are encryption of the file, password to gain access to the file, or other user identification. In addition, leaving a terminal online to the database when it is not necessary can make it easier for hackers to get into the system.

5. When the computer service bureau destroys or erases records, should the erasure be verified by the bureau to the physician?

I believe that when the computer services bureau destroys or erases the record, the physician should be notified in writing that it has taken place. Before records can be destroyed or erased the bureau has to establish that the physician has another copy, of some form, in his possession. The patient and the physician have the right to know any little alteration on any record. This will help in knowing what information has been erased and what significance it has as far as patient’s medical process is concerned.

6. Should individuals and organizations with access to the database be identified to the patient?

Yes, all individuals and organizations with some form of access to the computerized databases, and the level of access permitted should be specifically identified in advance. Full disclosure of this information to the patients is necessary in obtaining consent to treatment. patient data should be assigned a security level appropriate for the data’s degree of sensitivity, which should be used to control who has access to the information. The patient has the right to know who have an access to his/her information and why. This will for the respect of the patient’s right to privacy and confidentiality.

7. Does the AMA ethics opinion mention encryption as a technique for security?

Yes, the computerized data systems have a compromising information security. The (AMA) opinion is that “ there should be controlled access to the computerized database via security procedures such as encryption (encoding), passwords, and other user identification including scan able badges”. Confidentiality agreements should be made with other healthcare professional whom the office networks with encryption is recommended if the network entails public channel of communication such a radio waves, telephone wires, and microwaves. This will increase the changes of information confidentiality.

8. In regard to electronic medical record (EMR), what is the policy for disclosing authorized data requested by third parties?

The patient must give consent in writing authorization for disclosing any information about his/her medical record. the individual or groups requesting the data required to obtain the expressed consent of the patient. The dissemination of confidentiality medical data should be limited to only those individuals or agencies with a bona fide use of the data. As well as the fact that, the third parties receiving the Electronic – PHI , do not have the authorization to disclose the information to additional sources.

Then , the database should disclose the least amount of E-PHI possible to serve the purpose , while also limiting the period of its use. Finally, the policy for disclosing the E-PHI is clear, the database must acquire consent for the dissemination of the least amount of information possible , the database must maintain the patient’s confidentiality, and, the third parties receiving the data may not disclose the data to any other organization or individual. American Medical Association, (AMA) opinion 5.07.

REFERENTS: Search box type, opinion 5.07