Health Information Management of Legal Aspects - Case Study Example

Running head: HEALTH INFORMATION MANAGEMENT Health Information Management (HIM) Legal Aspects (school) Health Information Management (HIM) legal aspects Case Study #1 Describe the roles that each of the three branches of the US government plays in creating changes in the law and in regulations. (B-1pt)What can you and your professional organization, AHIMA, do to influence this process? Answer: Each branch of the government has their role to play in creating changes in the law and regulations. The legislative branch of the government however plays the major role in initiating these changes (Hamilton, 2004). They frame the words and changes in the law into substantial text, reviewing its application based on specific goals. Legislators are tasked with the responsibility of reviewing the viability of changes in the laws, and establishing the general need for these changes (Hamilton, 2004). These legislators debate the changes, weighing their advantages and disadvantages, and making sound and logical decisions based on their debates and discussions (Hamilton, 2004). A consensus on whether or not such changes are needed usually follow such deliberations (Leid, 2004). Consequently, decisions on the passage of such changes are made by such legislators. After laws and changes are passed, the executive department then implements these laws. The primary task of the executive department is to implement the changes. The implementation of these changes usually calls for the establishment of implementing laws and policies (Leib, 2004). For example, the legislature may establish changes in the law on health insurance (Campbell, 2004). The executive department would then implement these changes by establishing policies which executive officials can follow. These implementing rules and policies would specify functions and duties which would then guide the government officials in their implementation of the changes (Leib, 2004). The judicial body is the adjudicative body which is tasked with determining the constitutionality of any laws and changes in the laws passed by the legislature (Hamilton, 2004). The judiciary interprets the laws and decides on questions of law brought before its jurisdiction. Their task is to determine whether the changes passed violate the constitution or public policy. Individuals or organizations who believe that there are issues of constitutionality in the laws can file the appropriate case with the judiciary (Sobel and Gilgannon, 2001). The judicial body would then proceed to pass its judgment on the case, using the constitution, jurisprudence, and common law to guide its adjudicatory processes. In order to influence the process of legislation, I can coordinate with AHIMA for them to call the attention of legislators and executive officials. A petition letter signed by the members of the organization calling for the need to implement changes in the laws can be addressed to the legislators. Calling the attention of the legislators is an important first step in introducing changes in the laws (Hamilton, 2004). If the AHIMA would point out and specify the issues they are encountering in their organization and in their health care practice, they can attract the attention of the legislators who can then make considerations on whether changes would be needed in the laws. Calling the attention of the executive body would also be important in the establishment of changes in the laws (Hamilton, 2004). Executive officials can also be convinced by the organization to lobby for these changes. Persistent lobbying which is fully supported by evidence can also help in the implementation of these changes. The legislative body has to have the necessary proof to support their decision to change the laws, and the organization can give that proof to them (Hamilton, 2004). References Campbell, T. (2004). Separation of powers in practice. California: Stanford University Press. Hamilton, J. (2004). Branches of government. New York: ABDO. Leib, E. (2004). Deliberative democracy in America: a proposal for a popular branch of government. Pennsylvania: Penn State Press. Sobel, S. & Gilgannon, D. (2001). U.S. Constitution and You, The. California: Barrons Educational Series. Case Study #2 2. (6) A staff physician comes to the Health Information Management Department and complains that another physician has accessed her electronic medical record. She states that she believes that he did this because they are competing for a position at the nearby academic institution. (A-1 pts) What are the possible ethical violations if this complaint is true? (B-1pt) What further information does the HIM director need to acquire to verify the complaint? (C-1pt) If the complaint is valid, how would you respond as the HIM director, and why? (D-2pts) What are some possible “causes of action” that the first physician could file against the violating physician? Against your facility? (E-0.5 pt) If the facility takes no action, what are the possible consequences for that facility? (F-1.5pts) If you receive a Subpoena Duces Tecum (SDT) for the medical record of the complaining physician, how should you respond? Answer 1. Possible ethical violations committed include provisions on the AHIMA Code of Ethics: violation of an individual’s right to privacy and violation of the doctrine of confidentiality in the use and disclosure of information (AHIMA, 2011). The staff physician’s right to the privacy and confidentiality of her medical records were violated by the other physician. Answer 2. Information which the HIM director needs to establish would have to include proof of access. The staff physician makes such claims, but these claims may not be sufficiently supported. The director needs to prove that there was indeed an actual invasion of the staff physician’s privacy (Harman, 2006). The director also needs to establish how the records were accessed and if there were other individuals who helped the violating physician access the records. These individuals would also be liable for violating the staff physician’s rights to privacy and confidentiality (Harman, 2006). Answer 3. If the complaint is valid, as the HIM director, I would file a case of invasion of privacy against the physician who accessed the staff physician’s records (Shnering, Butts, and Cook, 2011). I would also file a case against the facility for failing to secure employee records. In other words, they are also liable for violating the staff physician’s rights to privacy and confidentiality (Schnering, et.al., 2011). Answer 4. If the facility takes no action and implement disciplinary action against the violating physician, it would be liable for violating the ethical provision which indicates the importance of: preserving, protecting, and securing “personal health information in any form or medium and hold in highest regards health information and other information of a confidential nature obtained in an official capacity…” (AHIMA, 2011). The facility’s attention would be called for violating the above ethical provision, specifically for failing to secure the safety their employees’ personal health information. They are also equally liable for violating the patient’s privacy and confidentiality and may be charged with the appropriate actions for their violations (AHIMA, 2011). Every employee in the institutions jurisdiction must feel secure in his privacy, especially his health records in his workplace. The work institution holds an enormous amount of power over an employee just by having custody of such employee records (Harman, 2006). The institution must therefore secure these records, especially when these records may be used unfavorably against the employee. Answer 5. If I would receive a subpoena duces tecum for the medical record of the complaining physician, I would respond accordingly by checking the veracity of the subpoena, informing the violating physician of the subpoena, and informing the institution of the subpoena (Lindh, Pooler, Tamparo, and Dahl, 2009). I would then comply with the subpoena and produce the specific documents being requested. Since the subpoena is a legally binding court order, I cannot refuse compliance. The physician and the institution also cannot order me to refuse compliance. I would also check the specific data being requested, and prevent access to any other data not specified in the subpoena (Lindh, et.al., 2009). References American Health Information Management Association (AHIMA) (2011). Code of Ethics. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_024277.hcsp?dDocName=bok1_024277 Harman, L. (2006). Ethical challenges in the management of health information. New York: Jones & Bartlett Learning. Lindh, W., Pooler, M., Tamparo, C., & Dahl, B. (2009). Delmars comprehensive medical Assisting: Administrative and clinical competencies. California: Cengage Learning. Shnering, P., Butts, D., & Cook, D. (2011). Professional review guide for the RHIA and RHIT examinations. California: Cengage Learning. Case Study #3 You have been asked by the CEO of your hospital to identify which of its vendors are HIPAA Business Associates (BAs), and therefore need a HIPAA Business Associate Agreement. A.-3pts) What criteria will you use to determine which vendors are HIPAA BAs? B.-2pts) Will you include medical students on your list? Why or why not? Answer 1. The criteria I would use in determining which vendors are HIPAA BAs include the following main indicators: that the BA is performing on behalf of the covered entity functions of activities which involve the application or disclosure of protected health information (PHI); and that they are not a member of the entity’s workforce (HIPAA Group, 2012). The function or activity may cover a wide range of activities, including legal, actuarial, accounting, consulting, data processing, accreditation, financial services, and any other services where covered entities may contract out (University of Miami, 2005). I would also use the criteria as laid out in the Code of Federal Regulations (2002) which indicate that business associates are individuals who, in behalf of covered entities, performs or assists in any function related to the use or disclosure of individually identifiable health data, including data assessment, utilization assessment, billing, and repricing. The Code (2002) also specifies the covered entities being those involved in organized health care activities, and those which carry out activities specified for the organization. BAs may also include a business associate of another covered entity. Based on the above criteria, covered entities are not required to participate in business associate contracts with organizations, including the US Postal Service, private couriers, and other electronic services which are vessels for protected health information (US Department of Health and Human Services, 2006). Conduits or vessels transport the data but do not have the right to access it, other than to carry out random evaluation of data in accordance with their federal requirements in the transport of mail. I would also establish who the business associate is by using the criteria of the Health Science Center. They consider business associates as a person or entity to which the Health Science Center would reveal protected data to so that the person or entity can implement, assist, or perform functions for the Health Science Center (UT Health Science Center, 2010). A business associated can be tested using the following questions: Is the Health Science Center disclosing PHI?; Does the recipient of the PHI provide service to, for, or on behalf of the Health Science Center? Based on such considerations, the workforce of the Health Science Center, including faculty, residents, and students are not considered BAs. Health care workers issuing treatment, companies which are conduits of PHI, including postal services, UPS and private couriers, as well as individuals or companies with limited exposure to health information are not considered business associates (UT Health Science Center, 2010). Individuals with whom business associate agreements are laid out include those who are required to sign contracts with special language and provisions as indicated by privacy policies. The following are potential business associates: lawyers, external auditors, professional translators, answering services, consultants, accreditation agencies, shredding companies, data processing institutions, and medical transcription services (UT Health Science Center, 2010). Answer 2. The medical students are not considered as business associates because they are not performing activities which involve the application of protected health information (UT Health Science Center, 2010). They are also members of the entity’s workforce, carrying out functions in order to secure the goals of the institution. Secondly, the role of medical students is not covered in any of the enumerated list of possible business associates. References Code of Federal Regulations (2002). Title 45 - Public Welfare. Retrieved from http://www.gpo.gov/fdsys/pkg/CFR-2002-title45-vol1/xml/CFR-2002-title45-vol1-sec160-103.xml The HIPAA Group (2012). What is the HIPAA. Retrieved from http://www.hipaaba.com/ University of Miami (2005). Business associate (HIPAA). Retrieved from http://privacy.med.miami.edu/glossary/xd_business_associate.htm US Department of Health and Human Services. (2006). Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?. Retrieved from http://www.hhs.gov/hipaafaq/providers/business/245.html UT Health Science Center (2010). Determining who is a Business Associate. Retrieved from http://www.uthscsa.edu/hipaa/assoc-who.asp Case Study #4 A threat to privacy of the electronic health record (EHR) is someone who steals a desktop computer, laptop, external hard drive, thumb drive, or CD containing patient information. What options can you recommend to health care practitioners to safeguard PHI data from hardware thieves? What are the advantages and disadvantages of each option? Answer 1. Encryption of data. In order to secure hardware from data thieves, data can be encrypted. Encrypting data would ensure that only individuals with the authority to access the data would know what key to apply in order to decrypt data (Kim, 2012). In effect, even if the data would be stolen, the data would be virtually useless to the hardware thieves. Encryption of data also limits the number of individuals who can access the data (Kim, 2012). As all records are now in computers and these computers are often part of the hospital network, it may be easy for anyone to access these records even when they are not looking for it. Encrypting the data would ensure that even if the data were to be easily seen in the hospital network, the essential information would still be intact (Kim, 2012). Encryption is however not full proof. Skillful data hardware thieves may be able to use their skills in order to break through the encryption and thereby access essential data (Kim, 2012). Decrypting data may also require the expertise of skilled technicians which the hospital may not always have access to (Kim, 2012). Answer 2. Another way of securing hardware from thieves is to create strong firewall systems which can prevent the hacking of data and retrace electronic signature back to the possible hardware thieves (Roach, Jr., 2008). Securing such a system is beneficial because it can prevent hacking and any other unauthorized access. It can be disadvantageous in the sense that it is sometimes costly to implement into the system (Roach, Jr., 2008). Hospitals may not have access to funds to secure such technical manpower. This type of system also needs constant upgrades (Roach, Jr., 2008). Answer 3. Restricting the number of individuals who can access the medical records is also another means of preventing any hardware theft. Separating the database system of hospital employees with the hospital patients is one of the first steps which can be taken in order to eliminate unauthorized access to PHI as well as employee records (Brathwaite, 2002). By separating the access points, it would be difficult for hospital employees to access any employee or patient data without the proper authorization. Separating the systems would also secure each system in instances when the other system may be compromised (Brathwaite, 2002). This can however be tedious for the hospital administrators who have to establish two separate secure systems for the hospital. It can also be back fire on the health personnel who may need immediate access to patient records for treatment purposes (Brathwaite, 2002). Going through the channels of security would slow down their efficacy. Answer 4. Physically securing the computers and laptops which contain PHI can also be implemented in order to prevent hardware theft (Morley and Parker, 2009). Computers and laptops which contain PHI must be placed in areas which can be accessible to authorized personnel alone. This is advantageous because it physically restricts access to the computers. It also secured easy visibility for people wanting to access the computers (Morley and Parker, 2009). It is however disadvantageous because it may be difficult to implement because computers can be used sometimes by any personnel to access patient records (Morley and Parker, 2009). References Brathwaite, T. (2002). Securing e-business systems: a guide for managers and executives. New York: John Wiley & Sons. Kim, K. (2012). Proceedings of the international conference on IT convergence and security 2011. New York: Springer. Morley, D. & Parker, C. (2009). Understanding computers: today and tomorrow, comprehensive. California: Cengage Learning. Roach, William, Jr. (2008). Medical records and the law. Michigan: Jones & Bartlett Publishers. Read More