Privacy Legislation in the fields of Speech-Language Pathology & Audiology. Privacy Legislation in the Fields of Speech-Language Pathology & Audiology

Transcription

1 1 Privacy Legislation in the Fields of Speech-Language Pathology & Audiology Kailey M. Falcon February, 2014 Alliison Haskill Ph.D., CCC-SLP, Faculty Advisor Augustana College Rock Island, IL

2 INTRODUCTION 2 Speech-language pathologists and audiologists are both ethically and legally responsible for maintaining the confidentiality about protected health information of the patients and clients they serve. The ASHA Code of Ethics states that speech-language pathologists and audiologists are obligated to maintain the confidentiality the information of their clients unless doing so jeopardizes the welfare of the persons served (ASHA, 2010). In professions that involve close personal contact between patients and healthcare providers, trust between a clinician and a client is of utmost importance. When the trust of a client is jeopardized, clients may consequently withhold information that affects both assessment and treatment (ASHA, 2013e). Both SLPs and audiologists are required to maintain confidentiality in treatment plans, evaluations, medical records, and plans for payment. They must also be contentious of their conversations both in public and professional settings to ensure that protected information is shared other individuals involved in the care of the client. (ASHA, 2013e). In addition to the ASHA Code of Ethics, speech-language pathologists and audiologists are bound by several privacy laws, including HIPAA (1996, 2013), the HITECH Act, and FERPA. The Health Insurance Portability and Accountability Act (HIPAA; 1996) was passed to protect the confidentiality of protected health related information, including provisions commanding the transfer of electronically stored and transferred patient information (United States Department of Labor 2013, 19b). As healthcare providers, speech-language pathologists and audiologists are bound by HIPAA s provisions and are obligated to protect information regarding evaluations, intervention, and patient health history (U.S. Department of Health & Human Services, 2013b).

3 The Family Educational Rights and Privacy Act (FERPA) is a federal law that was 3 passed to protect the privacy of students education records. This law allows parents to access their children s educational records, including those used in campus based health centers, speech and hearing centers, counseling services and the like, until the age of 18 and then the rights of privacy and access are transferred to eligible students (American Psychological Association, 2005). The Health Information Technology for Economic and Clinical Health (HITECH) Act, was enacted to strengthen the enforcement of HIPAA (1996 & 2013) and pertains to the electronic transmission of health information (U.S. Department of Health & Human Services 2013a, 2013b; United States Department of Labor, 2013, 19b). The Americans with Disabilities Act (ADA) is a broad based critical law that relates to the work of speech-language pathologists and audiologists because they provide assessment, intervention and counseling for individuals with disabilities (U.S. Department of Labor, 2013, 19a). The ADA prohibits discrimination against persons with disabilities by employers, labor organizations and public entities including state and local governments (United States Department of Labor, 2013, 19a; U.S. Department of Health & Human Services 2013a, 2013b). Under the ADA, healthcare providers may not disclose the related health and education information of people with disabilities, is protected under HIPAA (1996, 2013), FERPA and the HITECH Act (American Psychological Association, 2005; U.S. Department of Health & Human Services, 2013a, 2013b). The aim of this project is to examine where and how speech-language pathologists and audiologists learn about privacy laws. Although there are many resources available online at the disposal of healthcare professionals, many employers and undergraduate and graduate institutions require speech- language pathologists and audiologists to receive formal training on

4 4 maintaining the confidentiality of the information of the clients they serve. For instance, speechlanguage pathologists who supervise student clinicians are responsible for educating student clinicians about HIPAA regulations. Before they begin their clinical work, many student clinicians are required by their graduate or undergraduate institutions to complete HIPAA training as part of their introduction to the procedures and responsibilities of clinical work (American Speech-Language-Hearing Association, 2013b, 2013a). Speech-language pathologists who seek the Certificate of Clinical Competence (CCC) are required to demonstrate knowledge of standards of ethical conduct pertaining to the principles of the ASHA Code of Ethics. FERPA is one of the laws that SLPs who supervise graduate students must know to correctly teach student clinicians about the privacy of clients educational information (American Speech- Language-Hearing Association, 2013b) The Health Information Technology for Economic and Clinical Health (HITECH) Act consists of a several changes to the regulations of HIPAA Covered entities (healthcare providers who transmit financial and administrative transactions via the internet) including speech-language pathologists and audiologists, are required to be aware of the HITECH Act to remain HIPAA compliant (Romanow, 2010). Although clinicians ideally will receive training on patient privacy laws, numerous speech-language pathologists and audiologists continue to violate both the ASHA Code of Ethics and federal privacy laws on a yearly basis. Common ethical infractions include misrepresentation of diagnostic information and billing for services that were not rendered (The ASHA Leader, 2008). One question that is necessary to ask, however, is whether clinicians are competent in their application of privacy healthcare legislation as it pertains to their work setting. It must be called into question whether clinicians continue to violate privacy legislation due to a gap in their

5 training or because of personal factors such as a lack of or lapse in judgment. The following 5 research aims to examine the sources of information do speech-language pathologists and audiologists may use to learn about privacy legislation and ethical considerations as it pertaining to their place of work. The subsequent research questions will be addressed throughout the remaining chapters of this project. Research Questions The following research questions were addressed in this project. Questions were addressed based on research and analysis of questionnaires. Question 1: Where do SLPs and audiologists learn about patient privacy legislation? Hypothesis 1: SLPs and audiologists will learn about patient privacy legislation from training required by employers. Question 2: How well do SLPs and audiologists understand patient privacy legislation? Hypothesis 2: SLPs and audiologists will be knowledgeable of HIPAA, but will have limited knowledge about FERPA and the HITECH Act. Question 3: What are some of the common infractions in patient privacy legislation in the fields of speech-language pathology and audiology? Hypothesis 3:The most common infractions and of patient privacy legislation and violations of the ASHA Code of Ethics in the fields of speech-language pathology and audiology are billing for services not rendered and breaches in electronically stored information. Question 4: What are the most effective methods of teaching current and future SLPs and audiologists about patient privacy legislation? Hypothesis 4: Clinicians who have received trainings from conferences are the most confident in their knowledge of patient privacy legislation.

6 6 Question 5:How may the current methods of teaching current and future SLPs and audiologists about patient privacy legislation be improved? Hypothesis 5: The current methods of teaching current and future SLPs and audiologists about patient privacy legislation can be improved by requiring both students and current professionals to receive extensive training involving case studies pertaining to speech-language pathology and audiology, updates on changes in legislation.

7 REVIEW OF LITERATURE 7 An Introduction to Patient Privacy Legislation The writers of the ASHA code of Ethics (2010) emphasize that protecting the confidentiality of information involving patients, clients, students, and research participants is not only a legal requirement but also an ethical obligation. As specified in Principle of Ethics I, speech-language pathologists and audiologists are required to protect the confidentiality of the people that they serve. Principle I, Rule M outlines the requirements for protecting the records of patients and research participants; only allowing access to records when permitted to do so. Principle I, Rule N requires that speech-language pathologists and audiologists should not divulge personal information about patients or name participants involved in research unless doing so protects the welfare of the person (American Speech-Language-Hearing Association 2013h). Protecting patient privacy information not only serves to maintain the trust within a clinician-client relationship, but also preserves credibility within the fields of speech-language pathology and audiology. Because speech-language pathologists and audiologists work closely with people with disabilities, it is important that the professionals in these fields are knowledgeable of the laws protecting a venerable population. The Americans with Disabilities Act (ADA) requires employers and healthcare providers to maintain the confidentiality of individuals with disabilities, exclusive of individuals partaking in illegal use of drugs. Congress acknowledged the importance of protecting patient healthcare information by enacting the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and various other laws such as FERPA and the HITECH Act (US). Before patient privacy laws were in place, personal health information could be distributed freely without notification or consent from the patient and for reasons

8 unrelated with a patient s insurance coverage or medical treatment. Patient healthcare 8 information was commonly distributed to lenders who could then deny a patient s application for a credit card, mortgage or an employer who could use the information to make decisions about the status of the patient s employment (U.S. Department of Health & Human Services, 2013d; 2013e). The implications of distributing patient privacy information could affect an individual personally, financially, and health wise (U.S. Department of Health & Human Services 2013d; 2013e). HIPAA consists of a series of provisions that healthcare providers are responsible for upholding to protect workers and their families. One of the most important of these conditions includes limiting health insurance companies from excluding patients from coverage due to preexisting medical conditions. Under HIPAA, patients are able to set boundaries on who is able to view and release vital health information and records. Under HIPAA, patients are also informed how their health information is used and when an information breach has occurred. Healthcare providers are also only allowed to access minimum information required for treatment and diagnosis. Patients also have the right to obtain their healthcare records entitling patients to use and disclose their healthcare information as they please (U.S. Department of Health & Human Services, 2013d; 2013e). Recent changes to HIPAA that are outlined in HIPAA 2013 were imperative to strengthening the protective measures implemented by the original law. Within the 15 years since introduction of HIPAA 1996, the digital age has grown exponentially, complicating the protection of patient privacy information. In recent years, major violations have involved electronic breaches of security --compromising the patient privacy information of many individuals. Other changes include more stringent protections of the amount and type of

9 information disclosed to contractors and subcontractors of healthcare providers and insurance 9 companies (U.S. Department of Health & Human Services, 2013a). Now patients may ask for an electronic copy of medical records and are exempt also from sharing information about treatment with their insurance companies when paying with cash. Lawmakers have revised the law limiting the amount of patient information shared with marketing and fundraising parties and have prohibited the sale of health information without a patient s permission (U.S. Department of Health & Human Services, 2013a). Lawmakers have outlined preventative safeguards that healthcare providers must follow to protect the privacy of health information. Violators are subject to substantial civil and criminal penalties including, but not limited to fines and incarceration (U.S. Department of Health & Human Services 2013d). Table 1 the penalties for corresponding HIPAA violations. The Secretary of the Department of Health and Human Services (HHS) is responsible for verifying the degree of penalty based on the magnitude of the violation and the amount of harm ensuing from the HIPAA violation (American Medical Association, 2013c). With the exception of cases of willful neglect, the secretary of the Department of Health and Human Services is restricted from enacting further civil penalties if the violation is remediated within 30 days. The Department of Health and Human Services Office of Civil Rights is responsible for enforcing the standards of privacy and the Centers for Medicare and Medicaid implements the transaction of security standards (American Medical Association, 2013c).

10 Table 1 10 HIPAA Violations with Corresponding Penalties HIPAA violation Minimum penalty Maximum penalty Individual was unaware that he or she violated HIPAA $100 per violation, and an annual maximum of $25,000 for reoccurring violations $50,000 per violation, and an annual maximum of $1.5 million HIPAA violation due to reasonable cause $1,000 per violation, and an annual maximum of $100,000 of violations that are repeated $50,000 per violation, and an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within necessary time period $10,000 per violation, and an annual maximum of $250,000 for violations that are repeated $50,000 per violation, and an annual maximum of $1.5 million HIPAA violation due to willful neglect and is not corrected within necessary time period $50,000 per violation, and an annual maximum of $1.5 million $50,000 per violation, and an annual maximum of $1.5 million Note. American Medical Association, 2013c

11 11 When clinical research involves patient health information, investigators are subject to the privacy laws outlined by HIPAA (2013) and other laws outlining the provisions of patient confidentiality (National Institutes of Health, 2004). The American Speech-Language-Hearing Association requires the confidential and ethical treatment of research participants. ASHA requires that all stakeholders in a research study including participants, researchers, editors, reviewers and data personnel must be made aware of the ethical and legal obligations pertaining to patient privacy. Consent forms must be obtained and researchers are required to collaborate with institutional review boards when human participants are involved in research. Participants should be able to assume that their personal information is protected and will not be shared when the results of the study are published or the data resulting from the study is shared with other investigators (American Speech-Language-Hearing Association, 2013h). Under both HIPAA and the guidelines established by ASHA, data and personal identities of individuals participating in research studies must remain confidential (American Speech- Language-Hearing Association, 2013h; National Institutes of Health, 2004). Researchers and others involved in handling the data are responsible for disclosing the results of a study without divulging the identifying information of the participants. Data and participants records must also be stored in a way that limits access to authorized individuals. Identifying information must also be removed, concealed and coded in a way that prevents participants from being identified and photographic/video evidence must be properly stored. Written consent of individuals participating or from the parent or guardian of a child participant is necessary as well (American Speech-Language-Hearing Association, 2013h). As speech-language pathologists and audiologists serve school-aged and college-aged populations, professionals in these fields must also be mindful of protecting the privacy of

12 12 student education records. Documenting the assessment, diagnosis, and intervention of communication disorders is a central part of the job of a school-based speech-language pathologist. Receiving a diagnosis for a communication disorder can have long-standing implications for the educational career of the pediatric clients that SLPs and Audiologist serve on a daily basis (American Speech-Language-Hearing Association, 2013a). Federal laws such as the Family Educational Rights and Privacy Act (FERPA) describe the privacy protections speech-language pathologists and audiologists must follow to maintain the confidentiality of information (American Speech-Language-Hearing Association, 2013a). FERPA is a law that specifically outlines the privacy of student education records. The law applies to all schools receiving funding from the U.S. Department of Education. Under FERPA, parents of young students have the rights to view the children s educational records. When students reach the age of 18, or attend a school above high school level, these rights transfer from the parents to the student (U.S. Department of Education, 2013). Post-secondary school institutions must have written permission from eligible students or parents when releasing information from a student s educational record with a few exceptions including, but not limited to audit or evaluation services, accrediting organizations, judicial orders or subpoenas, cases of health and safety emergencies, and school officials with authorized educational interest. (U.S. Department of Education, 2013). Schools may divulge directory information without the consent of the students or parents such as the student s name, address, telephone number, place and date of birth, honors and awards and the dates of attendance. The schools must also allow parents and students enough time to deny the release of information (U.S. Department of Education, 2013).

13 13 Other information such as disability status, accommodations and disabilities services are protected under FERPA and are not permitted to be disclosed to third parties. The Americans with Disabilities Act (ADA) states that educational providers must respect the privacy of students with disabilities (American Psychological Association, 2013). Students with disabilities are not required to disclose their disability to their peers but must make known their accommodation needs to school officials when at a post-secondary educational level. Instructors and officials are expected to treat student disability information as confidential. Under the ADA, schools that do not provide the sanctioned accommodations are subject to penalties and liabilities (American Psychological Association, 2013). FERPA applies to public and private postsecondary records maintained by campus health clinics or related institutions. Even if a school is covered by HIPAA, educational or treatment records covered by the school are excluded from the coverage of HIPAA. Education records are vaguely described defined under FERPA and refer to records related to the student and that are supported by the educational institution or party related to the school (U.S. Department of Health & Human Services, 2008). Treatment records are defined under FERPA as records of a student who is 18 years or older, attending a postsecondary institution and who is receiving services documented by physician, psychiatrist, psychologist, speech-language pathologist, audiologist or another recognized professional or paraprofessional. These records are not permitted to be available to anyone other than the persons providing treatment unless the student chooses to disclose the information regarding treatment (U.S. Department of Health & Human Services, 2008). Student clinicians providing services under the supervision of healthcare professionals under FERPA are considered school officials with legitimate educational interests and are

14 14 granted access to students educational records. FERPA requires that school officials specify the requirements for ascertaining which individuals are considered to be a legitimate educational interest. ASHA requires that graduate students be made aware of their obligations under FERPA and to maintain the confidentiality of identifying information from educational records unless permitted to do so or with parental consent or under on of the provisions of FERPA allowing the disclosure of information without consent (American Speech-Language-Hearing Association, 2013b). Under the Principle of Ethics IV of the ASHA Code of Ethics, Individuals shall honor their responsibilities to the professions and their relationships with colleagues and students (American Speech-Language-Hearing Association, 2010). Acting as a professional in the fields of speech-language pathology and audiology requires that students and instructors protect personal information and to be mindful of to whom information is disclosed. ASHA outlines the guidelines for the confidential relationship between educators and students in the fields of speech-language pathology and audiology (American Speech-Language- Hearing Association, 2013e). Most universities and colleges have precise policies regulating the access, storage and release of confidential student records. However, most colleges and universities do not have official policies on conversations and communications between educators and students. Students should have the right to assume that professors and faculty that have access to students personal records will not widely share educational, disciplinary, and awards-based information (American Speech-Language-Hearing Association, 2010). Maintaining the confidentiality of educational information can be problematic when student clinicians are involved in providing treatment for clients on college and university campuses (American Speech-Language-Hearing Association, 2013b; 2013e; 2013h). Supervisors

15 15 of student clinicians are considered role models for maintaining patient privacy information and should model superb regard for client privacy practices in documenting, securing and storing client and patient records. Supervisors should make student clinicians aware of where and when discussing patient privacy information is appropriate. In a teaching setting such as in a university clinic, sharing client information is appropriate. If a student clinician discusses the same patient s private health information with other students or friends, it would be considered a violation of patient privacy (American Speech-Language-Hearing Association, 2013b; 2013e; 2013h). Failure to comply with FERPA can result in the loss of educational funding, lawsuits and loss of employment by college and university staff (National Association of College and Employers, 2008). In the past few years, U.S. federal government officials have urged healthcare providers to transition from paper records to electronic medical records (EMRs). In 2009, a further push was made towards making medical records electronic under the American Recovery and Reinvestment Act. Government officials have encouraged healthcare providers to transfer paper records to EMRs in order to streamline the process of compiling patients medical records. EMRs are a digital copy of a patient s medical history from a specific clinic or medical practice. EMRs allow medical professionals to track patients medical history over many years and to monitor when patients are due for preventative screenings and check-ups. EMRs also help medical doctors to track when patients are due for vaccinations and to view blood pressure readings over several years. EMRs are not easily obtained or shared with providers outside of a specific practice. Many offices are required to deliver a printed copy of a patient s EMR by mail if requested by specialists, other members of a medical team or health professionals outside the clinic or practice (Health IT, 2013c). EMRs are protected through systems limited access

16 16 requiring PIN numbers and passwords. Access systems limit EMRs to the medical personnel responsible for patients care and treatment. EMRs are also protected by encrypting information stored on medical data bases. By encrypting health information, only those with the key to decrypt the records may view patients records (Health IT, 2013b). Incentives for EMR systems were primarily directed at physicians and healthcare facilities, but other healthcare professionals such as speech-language pathologists and audiologists also may reap the benefits of adopting EMRs in the future. The American Speech- Language and Hearing Association promotes the adoption of these systems and for the purposes of billing, documentation and scheduling in order to streamline and simplify many of the paperwork processes associated with the fields of speech-language pathology and audiology (American Speech-Language-Hearing Association, 2013g). With the introduction of electronic medical records and the ever-growing world of technology, maintaining the confidentiality of patients medical information is becoming increasingly difficult. As speech-language pathologists and audiologists move toward documenting patient information electronically, protecting the personal information of their clients now requires the knowledge of the Health Information Technology for Economic and Clinical Health (HITECH) (Act American Speech-Language-Hearing Association, 2013g). HITECH was approved in 2009 as part of the American Recovery and Reinvestment Act of The HITECH Act was enacted to outline address concerns related to protecting patient privacy information. The HITECH Act both describes the procedures for the electronic transmission of health information and extends the coverage of HIPAA (2013) to cover electronic medical information (U.S. Department of Health & Human Services, 2013a).

17 17 The breach notification rule included in the HITECH Act requires covered entities and associated parties to provide notification following a security breach. A breach is defined as the disclosure or use of protected health information harm without the consent of the persons involved that poses a risk of financial, reputational or other form of harm (U.S. Department of Health & Human Services, 2013f). The HITECH Act provides a guide for specific steps to take when breach occurs, and explicitly states who should be notified when private health information is compromised. First and foremost, the individuals affected should be notified of a breach occurs. When a breach compromises the personal information of 500 or more individuals, the involved healthcare providers are responsible for notifying a prominent media source that a breach has occurred. The Secretary of Breaches of Unsecured Protected Health Information must also be made known of the breach (U.S. Department of Health & Human Services, 2013f). When a breach in protected health information occurs, the effected healthcare provider is liable to the consequences outlined by HIPAA (2013) and may receive up to a maximum punishment of $1.5 million. In the fields of speech-language pathology and audiology, professionals must be weary of the HITECH Act in research settings. Breaches in confidentiality may occur as a result from the improper storage and transmission of records. Researchers are not permitted to create, update or store research or clinical records on their personal computers, flash drives or personal online accounts. If clinical and research data are stored electronically, it should be password protected and client identifications should be made anonymous. Records on portable electronic devices are not permitted to be read or opened in public places as well (American Speech-Language-Hearing Association, 2013e; 2013g; 2013h). As medical records become increasingly paperless, speech-

18 18 language pathologists and audiologists must be aware of the repercussions of electronic security breaches and the related consequences.

19 19 ETHICAL VIOLATIONS Sanctions from the American Speech-Language-Hearing Association s Board of Ethics In addition to governmental agencies, the American Speech-Language-Hearing Association Board of Ethics is also responsible for protecting patient privacy information. It is the duty of the Board of Ethics to publish and amend the ASHA Code of Ethics and to define the responsibilities ASHA members must follow for maintaining licensure and membership (ASHA, 2012a). The ASHA Board of Ethics also is responsible for developing and distributing educational programs on ethics as well as passing judgment on alleged violations of the ASHA Code of Ethics. The Board of Ethics also determines what penalties are assigned to violators of the Code, that may include revoking membership and/or certification. Members of the Board of Ethics have acknowledged that each case is not identical to the next and consequently, each case is decided on an individual basis (ASHA, 2012a). The Board of Ethics follows a stringent, multi-step process to review and adjudicate complaints violating the ASHA Code of Ethics. The Board accepts only paper complaints and possesses the authority to process alleged violations involving nonmembers with the Certificate of Clinical Competence from ASHA, an application for membership and/or certification, a clinical fellow attempting to obtain certification, and members of the American Speech- Language-Hearing Association. (ASHA, 2012a). When complaints are received, the Board issues a notification of the alleged violation to the respondent, state agencies that have supplied licensure, and to any other organization that maintains a Code of Ethics to which the Respondent has subscribed. After the Respondent has been contacted initially, the Board may withhold, suspend, or revoke membership and/or Certificate(s) of Clinical Competence (ASHA, 2012a).

20 20 The Board of Ethics information provided by the complainant(s) and the respondent to make an initial decision on the alleged ethical violation. If there is insufficient evidence to substantiate a violation, the case is considered closed. Any state or federal decision on a violation is also considered adequate evidence to be considered a violation of the ASHA Code of Ethics.. Violations are followed by a suspension, revocation, and/or withholding membership and/or certification (ASHA, 2012a). When a final Board of Ethics decision has been made, sanctions are made public. Prior to 2012, such decisions were posted in an ASHA publication, namely The ASHA Leader). After 2012, EBSCO Host was used in cases in which the penalty included withholding, suspension, revocation of membership and/or Certificates of Clinical Competence. State agencies providing licensure to the respondent are also notified. When the respondent is reprimanded, the Board of Ethics Decision is only made known to the respondent, respondent s employers and those issuing certification and/or membership, and complainant(s). If appropriate, the violation and sanctions are made known to the Association counsel of the respondent. Each party who is informed of the sanctions are forewarned that the decision is confidential and that any breach in confidentiality is also a violation of the ASHA Code of Ethics (ASHA, 2012a). Respondents may appeal the Board of Ethics Decision only if a Respondent can show that the Board of Ethics did not follow the procedural requirements and/or the Board made the decision without substantial evidence (ASHA, 2012a). The ASHA Board of Ethics has made several of its decisions public. In one case, they found a Speech-Language Pathologist guilty of misrepresentation of ASHA certification status by using CCC-SLP on an application for employment before receiving verification of the certification from ASHA (ASHA 2013i). The SLP violated Principle III, Rule A and Principle IV, Rule C and a subpart of Rule B of the ASHA Code of Ethics, that states that individuals

21 21 cannot engage in misrepresentation of credentials. As a sanction, the SLP received 60 months of withholding of membership and certification (ASHA 2013 & 2013i). One speech-language pathologist failed properly to supervise a clinical fellow and did not honor her commitment as a mentor, therefore violating the Principle of Ethics IV that states that individuals should honor their responsibilities to colleagues, students and those belonging to other professions (ASHA, 2010 & 2013k). The sanction for this offense was censure (ASHA, 2013k). Members of ASHA are responsible for maintaining professional relationships with their colleagues, students, and those from other professions. One SLP violated the ASHA Code of Ethics by failing to maintain interprofessional and intraprofessional relationships and by engaging in misrepresentation and deceit (ASHA, 2010 & 2013l). This SLP violated the Principle IV, Rules A, and C. The individual s membership and certification were suspended for six months (ASHA, 2013l). Another SLP was reprimanded for keeping inaccurate and inadequate records as well as removing records from the school building. The same individual also submitted billing and intervention data for when students were not present at school (ASHA, 2013j) The SLP violated several of the parts of the ASHA Code of Ethics including Principle I, Rule M that states that individuals are responsible for maintaining appropriate records of services rendered and Principle I, Rule O that states that individuals cannot charge for service not rendered. The SLP also violated Principle IV, Rule C, stating that individuals cannot be dishonest, fraudulent, or misrepresent their credentials. The sanction for these activities was censure; an official notification of disproval (ASHA, 2010 & 2013j).

22 22 Administrators and medical health professionals often fail to properly store, document, and dispose of protected health information, that is a violation of privacy laws. Government officials suggest switching to electronic filing databases to eliminate various forms of human error that may occur when storing protected health information (U.S. Department of Health & Human Services, 2007; 2013b). HITECH Act also promotes the adoption of electronic storage of protected health information (U.S. Department of Health & Human Services, 2013c). Speech-language pathologists and audiologists are not immune to violations of patient privacy laws. Between 2003 and 2013, there were 25 documented accounts of SLPs and audiologists violating both the ASHA Code of Ethics and patient privacy laws. All of these violations involved the improper storage and documentation of protected health information (The ASHA Leader, 2013a; 2013b; 2013c; 2013d, 2013e; 2012a; 2012b; 2011a; 2011b; 2011c; 2011d; 2010a; 2010b; 2009a; 2009b; 2008a; 2008b; 2007a; 2007b; 2007c; 2006; 2005a; 2005b; 2004a; 2004b; 2003a; 2003b; 2003c; 2002a; 2001a; 2001b; 2001c, 2000). One example of a violation of patient privacy laws due to improper storage and use of protected health information involved a speech-language pathologist who kept inaccurate and inadequate records. The same SLP took records from the school building and failed to properly store and protect clients information (ASHA Leader, 2011a). This SLP and other individuals who did not properly store patient privacy information failed to follow Principle of Ethics, Rule M (Rule M was renamed as rule K in 2011) and Rule K stating that individuals are required to maintain and properly secure information from research, evaluation, diagnosis and intervention (ASHA, 2003; 2010). In the course of 13 years, (from ) there are cases similar to this in which SLPs and audiologists fail to properly store and maintain protected health information. The question

23 23 that must be posed is whether SLPs and audiologists violate patient privacy laws because of flaws in training and education or because shortcomings in character and judgment (ASHA Leader, 2003a; 2004a; 2004a; 2004b; 2005a; 2006; 2007b; 2007b; 2008a; 2008b; 2009a; 2009b 2010a, 2011a; 2011b; 2012a; 2012b)

24 24 METHOD AND RESULTS Where and How Well Do SLPs and Audiologists Learn About Patient Privacy Laws? Participants and Procedure To further understand why speech-language pathologists and audiologists may violate privacy laws, a questionnaire was distributed to practicing SLPs and audiologists. Questions addressed, among other are as, how and where professionals learn about privacy legislation and how confident these professionals are in their knowledge of patient privacy legislation pertaining to their work settings. Respondents were provided with an informed consent statement found in Appendix A. Respondents were contacted via and consented to participate by submitting an on-line anonymous questionnaire that was designed through Google Documents. A complete version of the questionnaire is found in Appendix B. Respondents were contacted through the research supervisor s list of professional contacts who were primarily former undergraduate students. Respondents included 57 practicing, certified, and licensed speech-language pathologists holding a master s degree. All participants were SLPs and as there were no audiologists. Out of the 61 individuals contacted, 57 responded and completed the survey, resulting in an impressive response rate of 93%. As shown in Figure 1, the majority, 33% (19/57) worked in public school settings, followed by hospital (primarily inpatient care) at 15% (15/57), college or university settings at 18% (10/15), early intervention at 9% (5/57), mixed settings at 9% (5/57), and hospital primarily in-patient 5% (3/57).

25 25 9% 5% 34% 26% 8% 18% Figure 1: Respondents work settings. Public school College or university Mixed setting Outpatient facility Early intervention Hospital (primarily in patient) Privacy Legislation Information Sources Question one asked was where SLPs and audiologists obtained information about HIPAA Results revealed that the majority of respondents (30%) learned about HIPAA 1996 from graduate coursework, through employer offered trainings, workshops and continuing education opportunities (see Figure 2). The next two largest information sources came from a combination of graduate coursework, employer offered trainings, workshops, continuing education opportunities as well as in solely graduate coursework, respectively for 30% and 18% of respondents. ASHA conventions or independent research on the internet were least likely to be used as HIPAA information sources. A large proportion of participants were not familiar with HIPAA 2013 changes (29%), but an equally large proportion had learned about the changes from employer required trainings. SLPs and were less likely to learn about HIPAA 2013 changes from undergraduate coursework and through a combination of sources such as regional conferences, ASHA conventions and

26 26 continuing education (see Figure 3). More than half of participants (65%) were not familiar with the HITECH Act and those who were familiar with it received trainings from a variety of sources including a combination of employer offered trainings, workshops and continuing education opportunities (16%) for all three categories. Others learned about the HITECH Act through their own research on the internet (11%) or through a combination of employee offered trainings along with personal research on the internet (11%). Participants were least likely to learn about the HITECH Act through graduate coursework or through a regional or national ASHA conventions (see Figure 4). Twenty one percent of respondents worked in a university or college setting. This group was asked where they learned about FERPA. A large proportion of these, 33%, reported that they learned about FERPA from employer offered trainings, workshops and continuing education opportunities. Others responded that they had learned about FERPA through a combination of employer trainings, and research on the internet 17%, as well as only through research on the internet 17%. As revealed in Figure 5, college setting participants were least likely to have learned about FERPA through graduate coursework, regional conventions, or in undergraduate coursework in combination with other sources of information. It was hypothesized that SLPs and audiologists would learn about HIPAA from training required by employers, but non of the participants indicated that they learned about HIPAA 1996 exclusively from training required by their employers. However, 59% percent of participants responded that they learned about HIPAA 1996 through employer required trainings in combination with another form of training, as revealed in Figure 2. A relatively large percentage of participants were not familiar with HIPAA 2013 changes (29%) but an equally large group

27 27 had learned about the changes from employer required trainings, as revealed in Figure 3. More than half of the participants were not familiar with the HITECH Act (65%) and those who were familiar with it received trainings from a variety of sources including a combination of employer offered trainings, workshops and continuing education opportunities (16%) (see Figure 4). A third of respondents from college clinic settings indicated that they had learned about FERPA from employer offered trainings, workshops and continuing education opportunities (Figure 5).

28 28 2% 2% 2% 2% 3% 4% 2% 30% 7% 5% 2% 4% 3% 16% 18% In graduate coursework, Through employer offered trainings, workshops, continuing education opportunities In graduate coursework, in undergraduate coursework Through employer offered trainings, workshops, continuing education opportunities In undergraduate coursework, In graduate coursework, Through my own research on the internet I am not familiar with HIPAA 1996 In graduate coursework, ASHA convention, Through employer offered trainings, workshops, continuing education opportunities, Through my own research on the internet In undergraduate coursework, In graduate coursework, Through employer offered trainings, workshops, continuing education opportunities, Through my own research on the internet In undergraduate coursework In undergraduate coursework, In graduate coursework, Through my own research on the internet Through my own research on the internet In graduate coursework At an ASHA convention ASHA convention, Through employer offered trainings, workshops, continuing education opportunities, Through my own research on the internet Through employer offered trainings, workshops, continuing education opportunities, Through my own research on the internet ASHA convention, Through employer offered trainings, workshops, continuing education opportunities Figure 2: HIPAA 1996 information sources

29 29 2% 4% 29% 11% 29% 25% A combination of regional conferences and ASHA, employer offered trainings, continuing education and through personal research on the internet A combination of employer offered trainings, continuing education and through personal research on the internet Through employer offered trainings, workshops, continuing education opportunities Through my own research on the internet I am not familiar with HIPAA changes In undergraduate coursework Figure 3. HIPAA 2013 information sources.

30 30 4% 2% 2% 2% 11% 16% 65% Not familiar with the HITECH Act Through employer offered trainings, workshops, continuing education opportunities Through my own research on the internet Through employer offered trainings, workshops, continuing education opportunities, Through my own research on the internet ASHA convention Regional convention, Through employer offered trainings, workshops, continuing education opportunities In graduate coursework Figure 4. HITECH Act information sources.

31 31 8% 8% 8% 8% 33% 17% 17% Through employer offered trainings/workshops/continuing ed opps Through my own research on the internet Through continuing education opportunities, Through employer offered trainings/workshops/continuing ed opps, Through my own research on the internet In graduate coursework Regional convention, Through employer offered trainings/workshops/continuing ed opps In undergraduate coursework, In graduate coursework, Through employer offered trainings/workshops/continuing ed opps Through continuing education opportunities Figure 4. FERPA information sources for the group of respondents who worked in college clinic settings. Confidence in Understanding of Privacy Legislation The second research question asked how well SLPs learned about patient privacy legislation. Results revealed that the majority of respondents were somewhat confident 54% in their knowledge of HIPAA 1996 (see Figure 5). The next largest groups indicated that they were very confident (n=21%) and somewhat unconfident (n=18%). The two smallest groups indicated that they were very unconfident (n=5%) and they were not at all aware of how HIPAA 1996 may relate to their practice (2%). When asked about their knowledge of HIPAA 2013, a majority of participants said that they were somewhat confident and somewhat unconfident of how HIPAA

32 may relate to their practice, 45% and 21%, respectively. The next largest groups indicated that they were very confident 16% and very unconfident 13% in their knowledge of how HIPAA 2013 may relate to their practice. As revealed in Figure 6, the minority 5% indicated that they were not at all aware as to why HIPAA 2013 was important to their practice. A majority of SLPs were not at all aware of how the HITECH Act may relate to their practice 53% and 18% of respondents indicated that they were somewhat confident in their knowledge of the Act. A minority indicated that they were somewhat unconfident (n=14%), very unconfident (n=12%). Only 3% indicated that they were very confident in their knowledge of the HITECH Act (Figure 7). When SLPs who worked in a college clinic were asked about their knowledge of FERPA, 58% of this group indicated that they were very confident in their knowledge of FERPA and 33% responded that they were somewhat confident (see Figure 8). A minority of respondents were somewhat unconfident (8%). It was hypothesized that SLPs and audiologists would be knowledgeable about HIPAA but would have limited knowledge of FERPA and the HITECH Act. A majority of respondents were somewhat confident of HIPAA 1996 and HIPAA 2013 as it pertains to their work, 54% and 45%, respectively (Figures 5 and 6). A majority of respondents were not at all aware of the HITECH Act as it pertains to their practice (53%), whereas 58% were very confident in their knowledge of FERPA (see Figures 7 and 8).

33 33 2% 5% 21% 18% 54% I am not at all aware of how HIPAA 1996 may relate to my practice Very unconfident Somewhat unconfident Somewhat confident Very confident Figure 5. Respondents confidence in their knowledge of HIPAA % 5% 13% 21% 45% I am not at all aware of how HIPAA 2013 may relate to my practice Very unconfident Somewhat unconfident Somewhat confident Very confident Figure 6. Respondents confidence in their knowledge of HIPAA 2013.

34 34 3% 18% 14% 53% 12% I am not at all aware of how the HITECH act may relate to my practice Very unconfident Somewhat unconfident Somewhat confident Very confident Figure 7. Respondents confidence in their knowledge of the HITECH Act. 8% 33% 58% Very confident Somewhat confident Somewhat unconfident Figure 8. Respondents confidence in their knowledge of FERPA (college clinic work setting only).

35 35 Infractions of Patient Privacy The third research question that was asked, what are the most common infractions in patient privacy legislation in the fields of speech-language pathology and audiology? According to published records in The ASHA Leader, between the years , keeping inadequate records and failing to store patient information properly was the single and most common type of violation of patient privacy comprising 44% of total infractions (25/51) (The ASHA Leader, 2013a; 2013b; 2013c; 2013d, 2013e; 2012a; 2012b; 2011a; 2011b; 2011c; 2011d; 2010a; 2010b; 2009a; 2009b; 2008a; 2008b; 2007a; 2007b; 2007c; 2006; 2005a; 2005b; 2004a; 2004b; 2003a; 2003b; 2003c; 2002a; 2001a; 2001b; 2001c, 2000). Failing to keep inadequate records of and failing to properly store patient information properly is both a violation of the HIPAA 2013 Security Rule and the ASHA Code of Ethics (U.S. Department of Health & Human Services, 2013h; American Speech-Language-Hearing Association, 2010). Other violations were not infractions of patient privacy laws but violations of the ASHA Code of Ethics (ASHA, 2010). As documented by The ASHA Leader and made available on EBSCO Host, violations included unprofessional behavior (30%), misrepresenting credentials and licensure (24%), and delegating tasks related to assessment and intervention to underqualified individuals (2%) ( see Figure 9). 2% 24% 30% 44% Inproper handling of patient information Misrepresenting credentials Unprofessional behavior Delegating tasks to underqualified persons Figure 9. ASHA Code of Ethics reported Infractions from the years based on public records from The ASHA Leader and EBSCO Host.

36 36 It was hypothesized that the most common infraction of patient privacy in the fields of speech-language pathology and audiology would be billing for services not rendered and breaches in electronically stored information. The most common violation of patient privacy actually was improper storage and handling of patient records followed by the most common ethical violation of unprofessional behavior (The ASHA Leader, 2013a; 2013b; 2013c; 2013d, 2013e; 2012a; 2012b; 2011a; 2011b; 2011c; 2011d; 2010a; 2010b; 2009a; 2009b; 2008a; 2008b; 2007a; 2007b; 2007c; 2006; 2005a; 2005b; 2004a; 2004b; 2003a; 2003b; 2003c; 2002a; 2001a; 2001b; 2001c, 2000).

37 37 DISCUSSION AND FUTURE DIRECTIONS Results may be used to infer where and how information about privacy laws is most effectively learned. Results may also provide valuable information to undergraduate, graduate, and post-graduate institutions and employers about the most effective ways to instruct professionals and students about patient privacy laws. The fourth research question asked what were the most effective methods of teaching current and future SLPs and audiologists about patient privacy legislation. It was hypothesized that clinicians who have received trainings from conferences would be the most confident in their knowledge of patient privacy legislation. Respondents who were most confident in their knowledge of patient privacy laws received trainings from multiple sources such as continuing education opportunities, employer required trainings, and through their own research on the internet (Figures 10; 14; 16; 20). Participants (12/57) who said they were very confident in their knowledge of HIPAA 1996 indicated that they learned about patient privacy legislation from a variety of sources. The largest group 34% indicated that they learned about HIPAA 1996 through employer offered trainings, workshops, and continuing education. Half of participants (6/12) indicating that they were very confident were required to take a quiz on their knowledge of HIPAA 1996 (Figure 10). Of the participants that said they were very unconfident (3/57) in their knowledge of HIPAA 1996, each received training from a variety of places. The first received training in undergraduate coursework, in graduate coursework, through employer offered trainings, workshops and continuing education opportunities, the second through employer offered trainings, workshops, continuing education opportunities, and the third in graduate coursework. Two of the three participants who indicated that they were very unconfident in their knowledge of HIPAA 1996 said that their employer required them to take a quiz on their

38 knowledge of HIPAA % 8% 8% 8% 8% 17% 34% Through employer offered trainings, workshops, continuing education opportunities In undergraduate coursework, In graduate coursework In undergraduate coursework, in graduate coursework, through employer offered trainings, workshops, continuing education opportunities, through my own research on the internet In undergraduate coursework, in graduate coursework, through employwer offered trainings, workshops, continuing education opportunities Through my own research on the internet Through employer offered trainings, workshops, continuing education opportunities, through my own research on the internet ASHA convention, through employer offered trainings, workshops, continuing education opportunities Figure 10. Source of Training reported by participants who were very confident in their knowledge of HIPAA 1996.

39 39 50% 50% Has not taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 1996 Has taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 1996 Figure 11. Participants who were very confident in their knowledge of HIPAA 1996 who have taken a quiz as a requirement of their employment demonstrating their knowledge of HIPAA Participants who said that they were very confident (9/57) in their knowledge of HIPAA 2013 learned about patient privacy laws from a variety of sources. The largest group of participants indicating that they were very confident learned about HIPAA 2013 changes in employer offered trainings, workshops, and continuing education opportunities (Figure 12). When asked if their employers required them to take a quiz on their knowledge of HIPAA 2013 changes, 55% (5/9) of participants indicated that they were required to take a quiz (Figure 13). The participants who were very unconfident in their knowledge of HIPAA 2013 revisions (7/57) did not indicate where they received their training on the revisions of HIPAA All participants (100%) who indicated that they were very unconfident instead selected I am not familiar with HIPAA changes (Figure 14). When asked if they were required to take a quiz on their knowledge of HIPAA 2013 revisions as it pertains to their work, 0% of participants were required to take a quiz (Figure 15).

40 40 33% 11% 56% Through employer offered trainings, workshops, continuing education opportunities ASHA convention, Through employer offered trainings, workshops, continuing education opportunities Through my own research on the internet Figure 12. Source of training reported by participants who were very confident in their knowledge of HIPAA 2013 changes. 44% 56% Has taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 2013 changes Has not taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 2013 changes

41 41 Figure 13. Participants who were very confident in their knowledge of HIPAA 2013 who have taken a quiz as a requirement of their employment demonstrating their knowledge of HIPAA 2013 changes. 100% I am not familiar with HIPAA changes Continuing education opportunities, employer trainings, ect. Figure 14. Source of training reported by participants who were very unconfident in their knowledge of HIPAA 2013 changes. 100% Has taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 2013 changes Has not taken a quiz as a requirement of employment demonstrating knowledge of HIPAA 2013 changes Figure 15. Participants who were very unconfident in their knowledge of HIPAA 2013 who have taken a quiz as a requirement of their employment demonstrating their knowledge of HIPAA 2013 changes.