Non-Malicious HIPAA Violations - Essay Example

HIPAA Violations Government or law enforcers should not be allowed to levy stiff penalties on hospitals and nurses who divulge patient’s information for protection of their own. HIPAA-Health Insurance Portability and Accountability Act of 1996- is the standard that was created to regulate the electronic transmission of person’s health insurance claims. “However, when this Act was incepted in 1996, the internet was still in its early stages, and with the evolution of the internet, the Act had to be updated periodically” (Fernald 26). The Secretary of Health and Human Services (HHS) is responsible for making recommendations to Congress for updates to this Act. Nancy Lee states, “If Congress did not enact legislation, HIPAA requires the Secretary of HHS to propagate regulations on privacy protections” (Fernald 61). Fernald (2002) argues that the government or law enforcers should not levy medical professionals, who share a patient’s information for protection of their own because they may need to do so in order to promote high quality health care (Fernald 45). Additionally, a medical professional may at time be forced to share a patient’s medical records with the public in order to seek for financial support, in case the patient’s family or friend permits him or her to do so (Fernald 47). Nass and her Co-authors (2009) also support this opinion. They argue that,, in case of emergent diseases or infections, health professionals are faced with the challenge of designing a proper method of controlling the spread of the disease (Ness et. al. 81). One of the most valid means of controlling the spread of a disease’s outbreak is the sharing of patients’ information. Through this, they shall have violated the HIPAA regulations, but the government or law enforcers should not levy penalties on them because such situations are urgent and need quick response. These situations provide valid grounds why the government or law enforcers should not levy medical professionals for protecting their own. Examples of Violations “Right to Revoke” Clause Whenever a nurse is creating their facility’s HIPAA forms, they must be cautious in letting the patients know that it is their rights to revoke the permission for the disclosure of confidential medical information only to the people they name. “Without the information, the HIPAA form is considered invalid, and should the nurses release the information to third parties, such acts shall be considered violation of HIPAA regulations” (Gerard et. al. 187). Release of Wrong Information Sometimes, the release of wrong information of a patient can occur through mistakes and carelessness on the part of the health attendants. While this may seem obvious, handlers of such information should practice utmost caution in release of proper information. Sometimes, patients may have the same names. It is the responsibility of the health officials to arrange medical files properly. They must ensure that the release of such information is only made for the authorized patient (Keller 18). Unauthorized Health Information The healthcare management and the staff they work with must ensure that all health information pertaining to a patient is verified before release. They should check whether such information has been approved for release. It is the right of a patient to request for only the information that they want to be released. Such information may include alcohol/drug treatment and mental health. Yet others may choose to share their information with the entire facility (Lynn 19). Releasing Information to Undesignated Party “The nurses assigned to particular patient should ensure that the authorization of the patient is in place” (Nass et. al. 72). They must also include the “Partners in Health”, PIH, about the patient prior to release. “Consider a HIPAA authorization that permits Mr. X from an insurance company to receive Mr. X’s healthcare records. Mr. X may fail to issue a request f for the information that the insurance company wants. Only the persons listed on Mr. X’s form shall receive the confidential health records” (Hipaa Explained 54). Adhering to the Authorization’s Expiration Date Patients are entitled to set the expiration dates for the HIPAA authorization forms. For instance, if an insurance firm is authorized to obtain PHI for a patient within 6-month duration, the nurses and their staff must ensure that they do not release the confidential information beyond the stated period of authorization. “After the period elapses, they will need to contact the patient and obtain a new HIPAA form before the information can be released to the requestors” (Lynn 52). Lack of Patient’s Signature on HIPAA Forms Handlers of a patient’s information should ensure that before they release a patient’s information, their signatures are on the HIPAA forms. This is highly recommended since there are hackers who can obtain information about a patient and use the same information to harm the patient (Hipaa Explained 62). A patient may sue such health practitioners who release the information to the “wrong parties.” Where a nurse posted on her Facebook page a picture of a child in need of brain surgery, the picture was taken with the little girl in her hospital bed. The nurse was just pleading on her page for thoughts and prayers for the sick girl. Even though, all of her intentions were good, it was still considered as an HIPAA violation. There are other HIPAA violations that are not considered intentional or malicious. One of these instances is recorded in the online article “Prevent Your Mobile Devices from Causing a HIPAA Violation.” Where nurses at a hospital were texting each other patient info for shift and duty purposes for their day to day activities. “Although considered illegal, this was a convenient method for preparing the nurses for the day (Sullivan 112)”. Even though it could have gone unnoticed since none of the nurses had any malicious intent with the information they were texting each other, however, one of the nurses lost her phone with patient personal info which brought the Hospital into the public spotlight for a HIPAA violation. “Since HIPAA violations, especially with digital media has been such an upward trend; there are companies out there that are trying to capitalize on it” (Reeter 39). For instance, to prevent the previous mobile device violation, there is a company that created an application called ‘Tiger Text’, where they provide real-time secure messaging, instead of the regular SMS texting. They back their product up enough to provide the industry’s first Million Dollar Compliance Guarantee against HIPAA violations. There are consequences for these violations, as can be seen in the chart. These violations can be expensive for a Hospital or company. Violation Type Each Violation Repeat Violations/Year Did not know $100-$50,000 $1,500,000 Reasonable Cause $1,000-$50,000 $1,500,000 Willful Neglect-Corrected $10,000-$50,000 $1,500,000 Willful Neglect-Not Corrected $50,000 $1,500,000 There have been many precautions that Hospitals and Clinics are taking to educate their employees to avoid such fines, such as the brochure, “A nurse’s guide to the use of social media.” (Tomes 58) This is given to the student nurses while they are still training to be a Registered Nurse (RN). It goes in detail on the myths, consequences of actions, confidentiality and privacy and most importantly how to avoid disclosing confidential patient information. In addition, some hospitals are banning mobile phones while on duty, and blocking social media sites for all of the work computers. There are, however, examples where people are accused of HIPAA violations, but were found not guilty in court. For example, Doe vs. Green where a paramedic posted on his MySpace page information about a rape victim his ambulance he was driving responded to, he did not mention any names, but he did provide enough information that the local media found the victim’s home. However, the courts sided with the paramedic, stating he did not violate HIPAA. In a recent interview, I did with Kris Rowe, a Registered Nurse at St. Anthony’s Medical Center in St. Louis. He stated that he “got in trouble with the Hospital for a “selfie” he took for his LinkedIn [home page] photo.” Reason being, is that there was a patient in the distant background of the photo. He was actually surprised how quick the hospital noticed the photo and had him remove it. When he discussed it with the Hospital management, they stated they “monitor all of their employees’ personal sites…” Kris also went on to say that he has seen “at least three employees lose their jobs [at the hospital] specifically for social media HIPAA violations.” He explained to me how the hospital was “really cracking down…” on employees with social media sites and their postings. He stated he goes through a one hour, bi-annual training specifically dealing with social media and HIPAA. In addition, for new nurses, it is a full day of training that is a part of the new employee orientation (Keller 24). In his final comments of the interview, he stated that St. Anthony’s is working toward a “zero tolerance policy” for all personal social media sites at work. In my research, the best prevention method is educating the employees and assuring their staff is not left to interpret what a HIPAA violation is on their own, which seems to be the greatest common factor from most of the non-malicious HIPAA violations. Having listed examples above, I am of the opinion that government or law enforcers should be too strict on nurses and healthcare officials who divulge the patient’s health information to the public since sometimes they do so in the best interest of the patient. Work Cited "Ignorance No Defense in Hipaa Criminal Violations, Say Feds." Drug Topics. 149.13 (2005): 38-39. Print. Fernald, Frances. Hipaa Patient Privacy Compliance Guide. Washington, D.C: Atlantic Information Services, 2002. Print. Gerard, P, N Kapadia, J Acharya, PT Chang, and Z Lefkovitz. "Cybersecurity in Radiology: Access of Public Hot Spots and Public Wi-Fi and Prevention of Cybercrimes and Hipaa Violations." Ajr. American Journal of Roentgenology. 201.6 (2013): 186-9. Print. Hipaa Explained. Providence R.I: Rhode Island Bar Association, 2004. Print. Keller, J J. Hipaa Essentials. Neenah: J. J. Keller & Associates, Inc, 2013. Print. Lynn, S. "Hipaa Help: Hipaa Violations Can Land Health-Care Smbs in Major Trouble with the Government-so Treat Ahead of Time." Var Business. 24.3 (2008): 14-15. Print. Nass, Sharyl J, Laura A. Levit, and Lawrence O. Gostin. Beyond the Hipaa Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, D.C: National Academies Press, 2009. Print. Reeter, Alan K. Confidentiality, Privacy, and Hipaa. Tucson, AZ: MEDFILMS, Inc, 2002. Print. Sullivan, June M. Hipaa: A Practical Guide to the Privacy and Security of Health Data. Chicago, Ill: American Bar Association, Health Law Section, 2004. Print. Tomes, J P. "Individual Criminal Liability for Hipaa Violations: Who Is Potentially Liable? or Should We Say, Who Isnt?" Journal of Health Care Compliance. 9.4 (2007): 5-12. Print. Read More