HEALTH RECORDS AND THE LAW
FIFTH EDITION

Donna K. Hammaker
Director, National Institute on Health Care Management & the Law
JD, Temple University School of Law; MGA, Wharton School at the University of Pennsylvania
Hebrew University of Jerusalem Faculty of Law; London School of Economics
Adjunct Professor of Graduate Health Administration, Saint Joseph’s University
Former President and Chief Executive Officer, Collegiate Health Care Corporation

with
Yilmaz C. Kaymak
Senior Manager, Accenture
MBA & MSE, Wharton School at the University of Pennsylvania

and
Sarah J. Tomlinson
Office of the General Counsel, Fox Rothschild LLP
JD, Villanova University School of Law; MBA, Pennsylvania State University
Adjunct Professor of Health Law, Immaculata University

World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
[email protected]
www.jblearning.com

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to [email protected].

Copyright © 2020 by Jones & Bartlett Learning, LLC, an Ascend Learning Company

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC.
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Health Records and the Law, Fifth Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.

There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.

This publication is designed to provide accurate and authoritative information in regard to the Subject Matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits
Director of Product Management: Michael Brown
Product Manager: Sophie Fleck Teague
Product Specialist: Danielle Bessette
Associate Production Editor: Alex Schab
Senior Marketing Manager: Susanne Walker
Production Services Manager: Colleen Lamy
Manufacturing and Inventory Control Supervisor: Amy Bacus
Composition: codeMantra U.S. LLC
Cover and Text Design: Kristin E. Parker
Rights & Media Specialist: Merideth Tumasz
Media Development Editor: Shannon Sheehan
Cover Image (Title Page, Chapter Opener): © cunfek/Getty Images
Printing and Binding: McNaughton & Gunn
Cover Printing: McNaughton & Gunn

Library of Congress Cataloging-in-Publication Data
Names: Hammaker, Donna K., author.
Title: Health records and the law / Donna K. Hammaker.
Description: Fifth edition. | Burlington, Massachusetts: Jones & Bartlett Learning, [2019] | Preceded by Medical records and the law / William H. Roach Jr. ... [et al.]. 4th ed. c2006. | Includes bibliographical references and index.
Identifiers: LCCN 2018007493 | ISBN 9781284128994
Subjects: | MESH: Health Information Management—legislation & jurisprudence | Medical Records—legislation & jurisprudence | Medical Informatics—legislation & jurisprudence | Disclosure—legislation & jurisprudence | Confidentiality—legislation & jurisprudence | United States
Classification: LCC KF3827.R4 | NLM WX 33 AA1 | DDC 344.7304/1—dc23
LC record available at https://lccn.loc.gov/2018007493

6048
Printed in the United States of America
22 21 20 19 18 10 9 8 7 6 5 4 3 2 1

Contents

Preface
About the Authors

Chapter 1 Introduction to the U.S. Legal System
  Principles and Applications
  The Nature of Law
  Sources of Law
  The U.S. Constitution
  State Constitutions
  Statutes
  Decisions and Rules of Administrative Agencies
  Court Decisions
  Government Organization and Function
  Organization of the Court System
  State Court System
  Federal Court System
  Stare Decisis

Chapter 2 Health Records and Managed Care
  Principles and Applications
  Utilization Review
  Managed Care
  Managed Care Organizations and Related Health Care Entities
  Accountable Care Organizations
  Health Maintenance Organizations
  Exclusive Provider Organizations
  Independent Practice Associations
  Physician-Hospital Organizations
  Management Services Organizations
  Point of Service Plans
  Preferred Provider Organizations
  Consolidated Medical Groups
  Integrated Care Models
  Other Managed Care Organizations
  The Effect of Managed Care on Patient Data Management
  HIPAA and State Privacy Rules
  Changes in Health Record Standards

Chapter 3 Health Record Requirements
  Principles and Applications
  The Legal Health Record
  Content Requirements
  Record Retention Requirements
  Statutory and Regulatory Concerns
  Statutes of Limitations
  Medical Research and Storage Space Considerations
  Professional Association and Accreditation Agency Guidelines
  Developing a Record Retention Policy
  Destruction of the Record

Chapter 4 Health Record Entries
  Principles and Applications
  Legible and Complete Health Record Entries
  Timely Health Record Entries
  Authorship and Countersignatures
  Authentication of Records
  Auto-Authentication
  Verbal Orders
  Corrections and Alterations

Chapter 5 Document Consent to Treatment
  Principles and Applications
  Legal Theories of Consent
  Express and Implied Consent
  When Is Consent Implied?
  Informed Consent
  Exceptions to the Informed Consent Requirement
  Distinguishing Informed Consent and HIPAA Authorization
  Who Can Give Consent
  Competent Adults
  Refusal of Consent
  Incompetent Adults
  Minors
  Responsibility for Obtaining Consent
  Documentation
  Types of Consent Forms
  Short Consent Forms
  Long Consent Forms
  Challenges to Consent Forms
  Withdrawal of Consent
  Effect of State Laws
  Effect of the Medicare Insurance Conditions of Participation
  HIPAA Preemption

Chapter 6 Access to Health Information
  Principles and Applications
  Types of Patient Data
  Protected Health Information
  De-Identification of Patient Data
  Limited Data Set
  Designated Record Set
  Ownership of the Health Record
  Summary of Confidentiality Requirements
  Federal Law
  State Law
  International Privacy Standards
  Accreditation Organizations
  HIPAA-Covered Entities
  Health Providers
  Clearinghouses
  Health Insurance Plans
  Exercise of Professional Judgment
  Hybrid Entities, Affiliated Service Groups, and Organized Health Care Arrangements
  Hybrid Entities
  Affiliated Service Groups
  Documentation of Designations
  Organized Health Care Arrangement
  Uses and Disclosures of Health Records
  Access by or on Behalf of the Patient
  Access, Uses, and Disclosures with the Patient’s Authorization
  Access by Family and Friends
  Patient Directories
  Records of Minors
  Access for Treatment, Payment, or Health Care Operations
  Access by Employers
  Psychiatric Records
  Substance Use Records
  Genetic Information
  Record Duplication and Fees
  Record Keeping of Quality Improvement Organizations
  QIO Access to Individual Health Records
  Third-Party Access to Information Collected by a QIO
  Patient Access to QIO Information
  Hospital Utilization Review and Quality Assurance
  Business Associates
  Qualifying as a Business Associate
  Requirements for Business Associate Agreements
  Non-HIPAA Required Provisions for Business Associate Agreements
  Liability for Acts or Omissions of Business Associates
  Additional Patient Rights Under HIPAA
  Right to Notice of How a Covered Entity Will Use and Disclose PHI
  Right to Have Access to, Inspect, and Copy PHI
  Right to Request Restrictions on the Uses and Disclosures of PHI for Treatment, Payment, and Health Care Operations
  Right to Request to Receive Confidential Communications
  Right to Request Restrictions on the Uses and Disclosures for Which an Authorization Is Not Required
  Right to Request an Amendment to PHI
  Right to Receive an Accounting of Disclosures of PHI
  Right to Report Violations of the Regulations to HHS
  Verifying Identity and Representations
  HIPAA Administrative Requirements
  Policies and Procedures
  Documentation
  Personnel
  Training
  Sanctions Imposed on the Workforce
  Duty to Mitigate
  Safeguards

Chapter 7 Reporting and Disclosure Requirements
  Principles and Applications
  Disclosures Required by Law
  Child Abuse and Neglect
  Abuse of Adults and Injuries to Disabled Persons
  Controlled Drug Prescriptions and Abuse
  Occupational Diseases
  Abortion
  Birth Defects and Other Health Conditions in Children
  Cancer and Other Disease Registries
  Death or Injury from Use of a Medical Device
  Communicable Diseases
  Misadministration of Radioactive Materials
  Death
  Gunshot and Knife Injuries
  Other Health-Related Reporting Requirements
  Required Disclosure by Managed Care Organizations
  Health Oversight

Chapter 8 Documentation and Disclosure: Special Areas of Concern
  Principles and Applications
  Special Documentation Concerns
  Emergency Department Records
  Celebrity Patients
  Hostile Patients
  Recording Indicators of Abuse
  Patients Refusing Treatment and/or Near Death
  Deceased Patients and Autopsy Authorizations
  Recording Disagreements Among Professional Staff
  Special Disclosure Concerns
  Uses and Disclosures for Marketing
  Uses and Disclosures for Fund-Raising
  Health Records Sought by Managed Care Organizations
  Records Sought by Parties to Adoption
  Records Indicating Abuse of a Child or Vulnerable Adult
  Patient Data Sought by Law Enforcement Agencies
  Warrants and Searches
  Responding to Subpoenas and Court Orders
  Health Care Fraud Investigations
  Oversight for HIPAA Compliance
  Use of Outside Test Reports in Hospital Records
  Change of Ownership or Closure: Disposition of Records

Chapter 9 Human Immunodeficiency Virus/Acquired Immune Deficiency Syndrome: Mandatory Reporting and Confidentiality
  Principles and Applications
  Duty to Report
  Protecting Confidentiality of HIV/AIDS Information
  The Privacy Rule and the Security Rule
  State Law
  Statutory Provisions Regarding Disclosure
  Disclosures Permitted by the Privacy Rule
  Disclosure to Third Parties with Authorization
  Disclosure to Health Care Workers
  Disclosure Without Consent to Emergency Medical Personnel
  Disclosure Without Consent to Spouse or Needle-Sharing Partner
  Other Permissible Disclosures Without Authorization
  Disclosure by Court Order
  Liability for Unauthorized Disclosure of HIV/AIDS Information
  Recommended Policies and Procedures

Chapter 10 Discovery and Admissibility of Health Records
  Principles and Applications
  Discoverability of Health Records
  Physician–Patient Privilege
  Admissibility of Health Records
  Health Records as Hearsay
  Other Health Care Documentation
  Peer Review Records
  Incident Reports

Chapter 11 Legal Theories in Improper Disclosure Cases
  Principles and Applications
  HIPAA Liability
  Violations
  Other Statutory Bases for Liability
  Theories of Liability
  Defamation
  Invasion of Privacy
  Breach of Confidentiality

Chapter 12 Risk Management and Quality Management
  Principles and Applications
  Increased Scrutiny of Medical Errors and Demand for Improving Quality Care
  Relationship Between Risk Management and Quality Management
  Risk Management
  Quality Management
  Joint Commission Accreditation
  National Committee for Quality Assurance
  HIPAA and Risk Management/Quality Management
  Compliance Programs
  Health Records in Risk Management, Quality Review, and Compliance Activities
  Joint Commission Standards
  Prospective Payment Systems

Chapter 13 Electronic Health Records
  Principles and Applications
  Electronic Health Record Systems
  HIPAA Privacy Rule
  Privacy Rule Issues for Interoperable Electronic Health Records
  Other Privacy Issues
  HIPAA Security Rule
  General Security Requirements
  Administrative Safeguards
  Physical Security Standards
  Technical Security Standards
  Organizational Security Safeguards
  Security Requirements in Health Data Networks
  State Data Security Laws
  Electronic Health Record Contracting Issues
  Considerations for Contracting
  Health Data Network Agreements
  Vendor Agreements
  Participation Agreements
  Regulatory Issues
  Anti-Kickback Laws
  Stark Legislation
  Tax Laws Affecting Tax-Exempt Entities
  Antitrust
  Electronic Health Records as Evidence
  The Rule Against Hearsay
  The Best Evidence Rule
  The Difficulties of E-Discovery
  Malpractice
  Specific Electronic Health Record Security Issues

Chapter 14 Health Information in Medical Research
  Principles and Applications
  U.S. Federal Laws Relating to Acquisition and Use of Health Information in Connection with Medical Research
  The Common Rule
  The HIPAA Privacy Rule
  Information Protected Under the Family Educational Rights and Privacy Act
  Use of De-Identified Patient Data and Limited Data Sets
  Other Accommodations for Research in the HIPAA Privacy Rule
  Certificates of Confidentiality
  State Laws Relating to Acquisition and Use of Health Information in Connection with Medical Research
  State Privacy Laws
  State Common Law
  International Laws Relating to Health Records and Clinical Trials
  European Union
  United Kingdom
  Canada
  Japan
  Other Guidance
  ICH
  The Future of Privacy with Global Data Sharing

Chapter 15 Looking to the Future
  Principles and Applications
  Sharing Information Among Electronic Record Systems
  Blockchain Technology
  Connectivity
  Ledger Technology
  Transparency with Pseudonymity
  Secure Data Encryption
  Unified Clinical Systems
  Transformational Law for Health Records

Index

Preface

“With respect to excellence, it is not enough to know, but we must learn to have and use it.”
—Aristotle (384 BCE-322 BCE), Greek Philosopher, from Nicomachean Ethics

The nature and use of health records has changed dramatically since the first edition of this text was published in 1985. Patient data that once traveled by paper at the pace of the U.S. mail now moves instantaneously on top of TCP/IP (also known as the Transmission Control Protocol/Internet Protocol) and blockchain technologies. With the evolution in how we create, store, retrieve, use, transmit, and protect health records has come new and comprehensive regulation in the form of the Health Insurance Portability and Accountability Act (HIPAA) and its voluminous privacy, security, identifier, code set, and transactions regulations. Patients have emerged in this new regulatory scheme with expanded rights to control their health information. Health providers and governments at all levels have an increased focus on accountability for the quality of health care and the reduction of medical errors.
Rapid access to health records has become an essential and fundamental part of successful quality improvement efforts. The ability to create for every patient a community health record maintained in a health data network—and making it easily accessible to patients, their health providers, ancillary support providers, and other authorized individuals—is viewed as providing greater protection for patients, data for important medical and public health research, and enhanced cost savings for all. As the creation of health information becomes the norm, health record administrators must increasingly collaborate with their information technology professionals to provide secure spaces for health records storage and safe methodologies for data transmission. The pace of change will continue to increase as the health care industry endeavors to keep up with technological advances. It should be noted that this text does not distinguish between health information in any form or media, whether electronic, paper, or oral; it simply calls this information health information.

This fifth edition of Health Records and the Law is written primarily for students in health information management programs as a comprehensive and accessible text and as a reliable reference source for those professionals in the health information field as well as for those in the legal and risk management professions. It addresses the substantial changes brought about by HIPAA and the growth of network information systems while retaining and updating the discussion of state laws affecting the use and disclosure of patient data. The text also discusses the highly complex interplay of federal and state privacy laws. In addition to the considerable new material concerning HIPAA and its regulations, this edition addresses the challenging area of how patient data may be used in connection with medical research involving human subjects. The effect that the Health Information Technology for Economic