Connecting Healthcare

Patient Rights - Mark Pastin & Geralyn Kidera
Mark Pastin
Chair and President of the Council of Ethical Organizations, Mark Pastin has advised major corporations and government bodies worldwide since 1973. His book The Hard Problems of Management; Gaining the Ethics Edge (Jossey-Bass: 1986; NTT Publications-Japan: 1994) has won awards in the United States, Brazil, Australia and Japan. Dr. Pastin has authored over 100 articles and books.

Dr. Pastin has advised corporations including Caterpillar, American Express, Medtronic, NYNEX, Blood Systems, Inc., Motorola, General Electric, Texas Instruments, Intel, Cadbury Schweppes, Allied Signal, J.P. Morgan, and GTE Telops. Dr. Pastin has served as advisor to both Houses of Congress and to state and federal agencies. U.S. agencies served include the Internal Revenue Service, the Social Security Administration, and the National Science Foundation. Foreign governments and agencies include the European community, the Federal Government of Brazil, Mexico (President's Commission on housing), Australia, Hong Kong (Anti-Corruption Commission), the Republic of China, and the United Kingdom.

Dr. Pastin received his B.A. (summa cum laude) from the University of Pittsburgh and his Ph.D. from Harvard University (Lewis Award). He has served as faculty member and administrator at Indiana University, the University of Michigan, Harvard University, University of Maryland, and Arizona State University. Dr. Pastin has also served as Research Fellow of the Center for Metropolitan Planning and Research at Johns Hopkins.

Dr. Pastin serves on several corporate and non-profit boards. He is recognized in Who's Who in America, Who's Who in Finance and Industry and Who's Who in the World.

Mark Pastin, President
Council of Ethical Organizations/Health Ethics Trust
214 South Payne Street
Alexandria, VA 22314
Tel: 703-683-7916
Fax: 703-299-8836

Geralyn Kidera
Geralyn A. Kidera serves as Senior Vice President and Director of Compliance for the Council of Ethical Organizations. Her responsibilities include design and implementation of compliance programs (risk assessment, contract issues, code of conduct, hotline, training programs, investigations) and liaison with regulatory and enforcement agencies.

Prior to joining the Council, Ms. Kidera served as Vice President and General Counsel, Integrated Living Communities Inc., a public corporation operating assisted living and retirement facilities in 23 states. Her responsibilities included monitoring of compliance and regulatory issues; providing legal assistance for acquisition of facilities; and development of legal systems and corporate record keeping protocols.

Ms. Kidera also served as Assistant General Counsel, Vencor, Inc., (formerly Hillhaven Corporation). She created the Hillhaven corporate compliance program and provided counsel and oversight to all compliance efforts. Additionally, she provided legal counsel to all corporate operations departments and advised the company's 400 skilled nursing facilities, assisted living units, pharmacies and retirement communities on healthcare operations, regulatory, licensure, and fraud and abuse issues.

Ms. Kidera has also worked in compliance-related positions for Aetna and Care Enterprises. She received her B.A. from Fordham University and her J.D. from the University of Connecticut. She is a member of the bar in Connecticut and California and was admitted to the United States Supreme Court in 1991.

Geralyn Kidera, Senior Vice President and Director of Compliance
Council of Ethical Organizations/Health Ethics Trust
214 South Payne Street
Alexandria, VA 22314
Tel: 703-683-7916
Fax: 703-299-8836

Question 1 - What impact will the legislation have on employer sponsored health insurance? by malooj on March 13, 2000

Answer 1 - In a nutshell, it will eventually make such insurance a lot more costly to someone. Depends on how you run the numbers, but the cost differential between HMO model insurance and old style indemnity insurance has never been as great as promised, and may be less than the added cost of the malpractice risk under any adequate patient rights legislation. Even the proposed privacy regs will add considerable cost to employee sponsored health insurance. by Mark Pastin on March 13, 2000

Question 2 - This question goes to both hosts. Do you think we (society) have taken the best path of problem-solving for patient rights? If yes, what do you see as the positives that will come from this? If no, what approach should we have taken to get to an agreed solution? Thanks by tammy on March 13, 2000

Answer 2 - Historically, issues of patient rights including the confidentiality of medical information have been left to the states. Virtually all states have some form of statute and/or case law which regulates the release of medical information, and which defines some rights of patients to make health care decisions, and to release information about their health care. With the incredible changes that have occurred, and continue to occur, in the transmission and dissemination of information (via such things as the internet, satellite transmission, digital cellular transmission etc etc) it has become apparent to many of us that there needs to be consistent and global protections given to patient rights and confidentiality.

When the Health Insurance Portability and Accountability Act (HIPAA) was passed, Congress resolved to set national standards in these areas, so that no matter where a patient might be, or go, the rules (protections) would be the same. I personally believe that such a global standard is necessary. What originally began as a one on one relationship between the physician and patient, in which the patient knew the doctor and had reasonable expectations that the physician would protect the interests of the patient, is by and large a thing of the past. Health information is now controlled by payors, large health plans, and often the government itself. Controls are necessary to assure that the interests of the patient are not lost in the shuffle of information and data, as it speeds its way along communication methodologies unheard of a generation ago.

A different issue, though, is whether HIPAA as written, and its proposed implementing regulations adequately provide that standard. On that question I personally have reservations.

You only need to read some of the volumes of comments that were submitted to DHHS in response to its proposed regulations to see the concerns that many providers, payers, and patients have concerning HIPAA's provisions. One of the more interesting provisions in the statute, for me, specifically states that there is no private right of action by a patient for violation of his or her privacy protections. Given that the patient is what this is supposed to be about, I find that a surprising provision. (This means that a patient, who believes a provider or health plan has violated his/her privacy, does not have the right to sue the violator under the terms of HIPAA. The patient may, of course, have a right to sue under some other law, such as a state patient rights statute.)

Another concern is the cost of the new regulations for the average provider. It appears to me that the only way to truly meet the requirements of HIPAA will be for each provider/healthplan/clearinghouse to adopt highly sophisticated systems designed to facilitate the provision of healthcare while at the same time maximizing patient privacy protections. Not an easy - or inexpensive - task, and one that will require constant upgrades and changes as technology changes.

On the positive side, I do believe that HIPAA brings attention to a very serious issue, and attempts to resolve concerns generated by today's technology. What will be important to watch, in my opinion, is the way DHHS resolves the many comments it has received when it prepares the final regulations.

Geralyn Kidera
by Geralyn Kidera on March 13, 2000

Answer 2 - To oversimplify matters, the issue of patient rights is understood today in terms of the patient's relationship to a managed care system. Today's debate focuses on whether that system itself should be charged with establishing a protocol that supports patients' rights, or whether patients' rights should be treated as a formal legal right with the protections associated thereto. From a patient's perspective, having a right enforced by the very entity that is suspect is not an adequate solution. From the managed care organization's perspective, enforcing rights through a litigation methodology undermines the economies of a managed care organization. The debate is leading to deadlock not only because of intense lobbying efforts intended to produce just this result - lock-up. There is a dearth of solutions that will not produce more secondary harm than intended good. There are not really a lot of good ideas on the table, which makes choosing among the ideas unappealing.

Mark Pastin
by Mark Pastin on March 13, 2000

Question 3 - If there are so few good ideas on the table, then maybe it's time to clear the table, so to speak, and start afresh.

The patient is the foundation to the whole provider-insurer-patient structure. If you are too expensive, you'll lose the patient. If you are too complex, you'll lose the patient... if you are using methods that strip patients of their rights as people, then everyone loses.

Having the same entity that provides the service policing itself when it comes to patient privacy issues is a pretty poor idea... I'm all for limiting bureaucracy whenever and however possible, but I think it's imperative to have a way for patients to maintain their rights as people while undergoing the experience of not being well. by Ingolfsson on March 14, 2000

Answer 3 - One of the good things about the proposed privacy rules is that they create penalties for violations of a patient's privacy. But the rules are so complex that few patients will be able to understand what rights they have, what rights they've waived and their options for recourse when violations occur. If the patient is the foundation, then rules protecting the patient must be sensible and accessible to the patient. It is also important that there be a single standard, rather than a different standard in each state, plus a federal standard. It is just because patients are so vulnerable when they are asked to waive privacy rights that the rules governing privacy must be transparent in their implications to the patient.

Mark Pastin
by Mark Pastin on March 14, 2000

Answer 3 - I agree that these issues are complex and troubling, and we need an appropriate methodology to monitor provider adherence to the rules. But given the options, I see little alternative to having federal oversight of privacy issues. It was relatively easy when healthcare truly involved just the patient and doctor (and maybe a hospital on occasion); one could assume the physician would maintain the patient's privacy. After all, if the doctor didn't, he or she risked losing patients to another provider who would. The medical record probably consisted of a paper file kept in the physician's office, with some information (over the physician's signature) occasionally released pursuant to a subpoena, or in order to obtain insurance payment. But today the complexity of the healthcare SYSTEM (no longer just a "relationship") invites issues and concerns that cannot be dealt with one-on-one. Many patients are members of a managed care system - which controls much of the medical and patient information; there may be multiple payers beyond the MCO, including government payers. Healthcare is becoming ever more a technology-driven science, with increasing use of electronic data storage and transmission. Patient health information is a valuable commodity, which may affect employability, insurance, and many other economic factors. Protection of that information is of prime importance to each of us.

Having a federal standard will, hopefully, force providers, payers and other interested entities to take that privacy as seriously as necessary, and to invest the necessary resources to maximize privacy in our electronic world.

There is still a lot to do before a national standard achieves the goal mandated by HIPAA, but I do believe that one standard (even with some state-specific variations which would extend protections even further) is on the horizon.

Geralyn Kidera
by Geralyn Kidera on March 14, 2000

Question 4 - Could both of you give us some practical advice on how to do an organizational assessment related to these issues? What should we look for in our policies and patient rights documents? What should the average CIO and information department be considering to prevent and protect sensitive information? What kinds of questions should be asked by ethicists, compliance officers and patient representatives to ascertain what if anything is happening? by pix on March 15, 2000

Answer 4 - This is an excellent question, and one that every provider needs to think about. The following are just some suggestions (NOT legal advice!) on areas to explore - there are likely many more that may pertain to your specific operation:

1. Policies and procedures involving many different disciplines need to include comprehensive privacy protections; e.g. general employee policies on confidentiality; vendor policies - make sure per HIPAA that you require your vendors to adhere to privacy protections; medical staff by-laws and credentialing; policies governing the use of electronic data and information resources (such as e-mail, internet, telemedicine); facility security policies (regarding facility access, visitation procedures etc); physician-facility arrangements concerning information transfer (e.g. transmission of orders, test results etc).

2. MIS departments need to be concerned about both the creation and retention of records, and the dissemination of information from those record data bases. HIPAA requires that providers implement relatively sophisticated encryption and other technology to protect medical information, and to create records (e.g. electronic signatures). Since most (and soon probably all) medical billing is done via some sort of electronic transmission, your IS department needs to be constantly vigilant to assure the processes being followed meet privacy requirements. It is also important that the IS function have sufficient budget and resources to meet these requirements. This may involve working directly with other providers with whom you have relationships in which medical data transfer will routinely occur; e.g. hospitals working with physician offices where information routinely goes back and forth; owned physician practices where the doctors use e-mail to communicate with patients (such communication could very easily be considered medical information), or are involved in telemedicine etc.

3. It is important to look at your contractual relationships (such as between physicians and hospitals, between health care facilities, joint venture arrangements, billing service agreements etc) to assure that any applicable HIPAA requirements are met. This may require revisions to existing agreements. When looking at these agreements (and any future such contracts) think broadly about what might become practice in the years to come - it's not good enough to be current, you have to plan ahead!

4. Look at managed care contracts to assure that all parties have a mutual understanding and commitment to privacy and to ensuring that HIPAA requirements are met. Look at the requirements both from the provider AND patient perspective.

As for the kinds of questions to ask, I like to remind healthcare providers that - as people - they are both consumers (i.e. patients) and providers. So look at privacy from both perspectives. Obviously, given the many changes in healthcare, and the increasing use of sophisticated electronic data transfer, and remote access to healthcare data, compliance officers need to look critically at systems, both present and future. Are there adequate protections for the patient? Where is it likely that problems might occur? (Don't forget to look at the little things - e.g. when an employee of the billing office leaves her desk for lunch or to use the rest room, is the computer still on? Is the screen readily visible to others? What kind of chit chat is occurring in the elevators or in the cafeteria?)

You should also look at employer issues - particularly if the employer provides healthcare benefits to employees AND is a provider of health care. What kinds of barriers or "firewalls" are in place to protect the employee from unauthorized access to his/her medical information?

The above is just a start. I suspect that we could discuss this issue for hours, and still not cover everything. Good luck!

Geralyn Kidera
by Geralyn Kidera on March 15, 2000

Answer 4 - I wholeheartedly agree with Geralyn's advice and would only add that the best place to start is with the front-end process. Are waivers being obtained and are they both readable and understandable by the patient (who may otherwise claim consent was coerced) and do waivers and limitations follow the patient's record according to a well established protocol - or are they "assumed."

A good approach for compliance officers and ethicists is to do a process analysis following a patient's record from first contact with the patient (pre-admission or admission for example) to billing and billing problem resolution. Test for adequacy of privacy protections at each step. Frankly, when we have conducted this process, the outcomes have been less than satisfactory in many cases.

Mark Pastin
by Mark Pastin on March 15, 2000

Question 5 - There is a lot in the news about healthcare providers being ready for HIPAA. My thoughts turn to the government. It seems the oversight will require expert knowledge of both healthcare privacy policies and technology processes and capabilities. I'm sure people with experience in both areas are rare and at a premium these days. How ready is the government to provide appropriate and meaningful oversight? by yvette on March 17, 2000

Answer 5 - Let's limit this to the privacy issue for now. If we look at the privacy regs from an enforcement viewpoint, gov't's job is a lot easier than that of say a single metro area health system. Gov't's job is to be able to detect or react to violations of privacy encompassed in the regs. If the regs can be enforced through the False Claims Act, the cases will come.

If you look beyond enforcement of violations to use of data that becomes available as a result of these regs and HIPAA's mandate to create a national database, gov't has already made substantial progress through their FI's data collection efforts.

But I think the tenor of your question is, how can they mandate that we do this, when it is often still hard to download a reg or search the exclusions list, gov't just can. Is it fair? Doesn't matter since it is your job to protect the privacy of your records.

Mark Pastin
by Mark Pastin on March 17, 2000

Answer 5 - I'm not sure I can answer that, since I have no personal knowledge of the individual level of knowledge and expertise of government officials involved in this area. I can tell you that, just as healthcare providers are scrambling to acquire the requisite knowledge - or to hire the expertise needed to meet HIPAA's challenges, so too is the government. The units within the various DHHS departments involved in implementing HIPAA requirements, for example, have hired and continue to hire qualified people who have expertise in the areas of electronic data retention and transmission, encryption, internet-based systems etc. Frankly, in some ways, I personally believe that the federal government has led the way in practical uses of the internet, and electronic information (after all the internet was a government project to begin with). You only have to look at the innovative, and user-friendly web sites maintained by the various government agencies, on which you can obtain information on virtually all relevant topics under their jurisdiction, to see the government has made enormous strides in this area.

As for privacy issues, government representatives are actively working with healthcare leaders, internet companies, and other interested parties to reach consensus on how HIPAA issues will be handled. There are a number of high level work groups underway addressing a lot of the major concerns in this area. In addition, the government is looking at ways to utilize existing resources, including outside vendors with expertise in oversight processes, to assist.

Lots of work remains to be done, but the government is taking this very seriously, and is reaching out to obtain help from a lot of different corners.

Geralyn Kidera
by Geralyn Kidera on March 17, 2000
