Risk Management Position in Healthcare Designated Record Set HIPAA Privacy Laws - Research Paper Example



Risk Management Position Paper in Healthcare Designated Record Set HIPAA Privacy Laws

Abstract

The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) regulates what information regarding the health of an individual may be used and disclosed. Every individual has a right to privacy. Covered entities and practitioners who do not observe the confidentiality of protected health information (PHI), especially the designated record set (DRS), are subject to penalties under HIPAA. This paper analyzes a case study of a doctor who breached the rules of HIPAA and was sentenced. The paper outlines a risk management program and gives recommendations that can be implemented to avert undue risks and harms. It provides supporting work for the risk management plan as well as the counterarguments to it. The conclusion establishes the need for a risk management plan.

Keywords: HIPAA, risk management, health care, laws

Introduction

The rights of people seeking health care have been the subject of much debate over the past decades. One of the rights of patients is to access their health information and to request its amendment if it is found to contain a discrepancy. Several pieces of legislation have been passed to grant patients their due rights and to prevent the abuse of patients' medical information and health records. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed into law by President Clinton. The Act has two aspects: it provides confidentiality for patient records and prevents fraud and abuse, and it makes sure that health insurance coverage is portable. Health information refers to information, whether stored in any form or oral, that is given to a health care provider and relates to the past, present or future state of health of an individual.
The Privacy Rule and the Act regulate what information regarding the health of an individual may be used and disclosed. This information is known as protected health information (PHI), and organizations that must conform to the Privacy Rule are called covered entities. The designated record set (DRS) is the group of records maintained by or for a covered entity, including the medical and billing records of patients and, for health plans, the enrollment, payment, claims adjudication and case or medical management record systems. It is used, in whole or in part, to make decisions about individuals. All hospitals, clinics and other health care providers are required to comply with HIPAA (Abbey, 2008). Failing to do so can have dire consequences for the individuals involved. Every individual has a right to privacy: they are entitled to disclose the information they want to reveal while keeping the rest private. Privacy has been part of American law for a very long time. However, many health care practitioners are not aware of the advances and amendments that have been made to the laws to incorporate more privacy protections, and many are not aware of the repercussions of breaching them. Like other federal laws, HIPAA contains provisions that secure observance of the legislation through penalties for those who violate the Privacy Rule (Iyer, Levin, & Shea, 2006).

Problem statement

The paper explores a case in which a doctor failed to observe the privacy of patients and was sentenced to four months in prison. The paper analyzes the issue in light of the DRS and the HIPAA privacy laws, and gives recommendations on how risk management can be implemented in a health care institution to avert such incidents in the future.
HIPAA epitomizes the statement "Be careful of what you ask for", and this paper takes this statement forward by suggesting a risk management plan (Marcinko, 2005).

Position

A licensed cardiothoracic surgeon from China became the first person sentenced to jail for violating the HIPAA privacy rules. Dr. Huping Zhou was an employee of the UCLA School of Medicine in 2003. On 23 October 2003 he received a notice of dismissal for performance-based reasons; the notice was not related to any privacy violation. However, on the evening he received the notice, Dr. Zhou accessed the medical records of his supervisor and colleagues. This was not the only time he accessed medical records illegally: over the next four weeks he accessed records on three more occasions, with the total number of accesses reaching 323 according to the FBI. The UCLA patient records he viewed included those of celebrities, including Elizabeth Banks, Leonardo DiCaprio, Drew Barrymore and Arnold Schwarzenegger. Charges were filed against him in 2009, and in January 2010 Dr. Zhou pleaded guilty to four misdemeanor counts of violating the HIPAA privacy laws. According to the attorney defending him, Zhou was unaware that accessing the records was illegal. Nevertheless, Dr. Zhou was sentenced to four months in prison and fined $2,000 (HDM Breaking News, 2010). Two features of the case matter for risk management: the access began on the evening of the dismissal notice, while his credentials remained valid, and it continued on several occasions over the following four weeks.

Dolan (2010) observes that a vital component of ensuring that a practice is sound and professionally acceptable is a risk assessment. Stephen Aborn, executive director of Andrews International, a Valencia, California-based investigative and security services provider, asserts that health care providers cannot afford to take privacy issues lightly: "no one is 100% bulletproof, but from a liability standpoint, you've taken measures to protect the information".
It follows that a risk management plan needs to be enforced in order to avoid the risks and the psychological, financial and economic harms that violations of privacy laws can incur. Risk management consists of strategy development, execution and review. It includes the identification of internal risks, such as business, operational, physical and technology risks, and external risks, such as environmental, social and compliance risks (Muller, Jooste, & Bezuidenhout, 2006). A risk assessment program needs to be established that raises practitioners' awareness of the privacy laws. Education empowers practitioners and enables them to use information in a way that does not conflict with the rules and regulations of HIPAA. Health care organizations need to identify compliance gaps in order to anticipate information risks. Health care providers need to regulate access to patient records by personnel: access should be limited to authorized staff only, and protected health information should be disclosed only to the people directly involved in providing the patient's care. Providers need to identify sensitive data so that security controls, such as passwords, can be applied and leakage of data prevented. The management and filing of records also needs to follow a protocol so that leakage of confidential data is checked at all levels. Private information should not be printed in open, public places; secure channels need to be used, and only authorized staff should be entrusted with printing, faxing and similar handling of sensitive data. E-mail should be encrypted, and secure communication channels need to be used. Moreover, practitioners need to be encouraged to document their handling of data in detail so that there is evidence that the privacy laws have been complied with (NextLabs, 2009). Executing the risk management plan requires the cooperation of the health care organization and its employees.
The staff needs to understand the importance of complying with HIPAA. Moreover, an effective risk management plan requires continuous re-evaluation so that compliance gaps are closed regularly.

Supporting work

When UCLA found out that Dr. Zhou had misused his access and viewed medical records illegally, it released a statement about the risk management measures it would take. According to its spokesman, UCLA gives the privacy and confidentiality of patient information top priority. UCLA has ensured that access credentials are terminated promptly when employees are dismissed. It cooperated with the US Attorney, abided by HIPAA, and followed the US Attorney's risk management initiatives. UCLA has taken several steps to strengthen patient privacy: it extended the auditing capabilities of its information systems, and it re-evaluated and improved its clinical information systems to protect patient confidentiality and mitigate the risk of privacy breaches. UCLA also promptly introduced a standard of professional practice requiring all students and practitioners to complete HIPAA training and a certification module.

The HIPAA Security Rule has three categories of safeguards: administrative, physical and technical. Technical safeguards regulate access to computer and electronic systems and protect communications transmitting PHI over open networks, where the chance of unauthorized individuals accessing the information is high (Murphy & Waterfill, 2010). The requirement that covered entities document a risk analysis and a risk management program sits under the administrative safeguards (the security management process standard) rather than the technical safeguards, but the technical controls a covered entity chooses, such as access control and audit logging, are the output of that process.
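The controls above (limit record access to staff with a treatment relationship, revoke access when an employee is dismissed, and audit record access) are only useful if someone actually checks the audit trail against them. The following is an added example, not code from the paper or from UCLA's systems, showing how those three controls become detection rules over an EHR access audit log. The log lines, the user names (nurse01, surgeon01), the care-team mapping, the notice dates and the volume threshold are all constructed assumptions; real EHR audit exports have their own formats and the relationship data would come from the scheduling or admission system.

```python
"""Detection rules for insider snooping in an EHR access audit log.

Added example, not part of the paper or of UCLA's systems. It turns the
paper's controls (limit record access to staff with a treatment
relationship, cut access on dismissal, audit record access) into rules
run over a constructed audit log. The log format, user names, care-team
mapping, notice dates and threshold are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not real data). One event per line:
# ISO timestamp, acting user, patient medical record number, action.
AUDIT_LOG = """\
2003-10-23T09:12:00 user=nurse01 mrn=MRN1001 action=view_chart
2003-10-23T09:40:00 user=surgeon01 mrn=MRN1001 action=view_chart
2003-10-23T19:05:00 user=surgeon01 mrn=MRN2002 action=view_chart
2003-10-23T19:06:00 user=surgeon01 mrn=MRN2003 action=view_chart
2003-10-23T19:07:00 user=surgeon01 mrn=MRN2004 action=view_chart
2003-10-24T10:00:00 user=nurse01 mrn=MRN1002 action=view_chart
2003-11-10T22:30:00 user=surgeon01 mrn=MRN3001 action=view_chart
"""

# Assumed treatment relationships: users on each patient's care team.
CARE_TEAM = {
    "MRN1001": {"nurse01", "surgeon01"},
    "MRN1002": {"nurse01"},
}

# Assumed HR feed: when a user was served a notice of dismissal.
# Access after this time should already have been revoked.
NOTICE_DATES = {"surgeon01": datetime(2003, 10, 23, 12, 0)}

# Assumed: patient records that belong to hospital staff. Viewing a
# colleague's or supervisor's chart without a care relationship is a red flag.
STAFF_MRNS = {"MRN2002": "supervisor", "MRN2003": "colleague"}

# Flag a user who views this many distinct unrelated patients in one day.
VOLUME_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mrn=(?P<mrn>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the audit log into event dicts; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def has_treatment_relationship(user, mrn):
    """Minimum-necessary check: is the user on this patient's care team?"""
    return user in CARE_TEAM.get(mrn, set())


def detect(events, volume_threshold=VOLUME_THRESHOLD):
    """Return (rule, user, subject, timestamp) findings for suspicious access."""
    findings = []
    unrelated_by_user_day = defaultdict(set)
    for ev in events:
        user, mrn, ts = ev["user"], ev["mrn"], ev["ts"]
        if not has_treatment_relationship(user, mrn):
            findings.append(("no_treatment_relationship", user, mrn, ts))
            unrelated_by_user_day[(user, ts.date())].add(mrn)
            if mrn in STAFF_MRNS:
                findings.append(("staff_record_lookup", user, mrn, ts))
        notice = NOTICE_DATES.get(user)
        if notice is not None and ts >= notice:
            # Credentials should have been revoked at notice time.
            findings.append(("post_notice_access", user, mrn, ts))
    for (user, day), mrns in unrelated_by_user_day.items():
        if len(mrns) >= volume_threshold:
            findings.append(("bulk_unrelated_access", user,
                             f"{len(mrns)} patients",
                             datetime.combine(day, datetime.min.time())))
    return findings


def summarize(findings):
    """Count findings per (user, rule) for a reviewer's triage view."""
    counts = defaultdict(int)
    for rule, user, _subject, _ts in findings:
        counts[(user, rule)] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(parse_log(AUDIT_LOG)):
        print(*finding)
    print(summarize(detect(parse_log(AUDIT_LOG))))
```

Run against the constructed log, the rules stay silent for nurse01 and for surgeon01's morning access to a patient on his own care team, and fire only on the evening accesses after the notice: three unrelated charts in minutes (two of them belonging to staff), and a further unrelated access weeks later while the account was still live. The relationship check is the control that scales; the notice-date rule is a safety net that should rarely fire if deprovisioning is done promptly, and when it does fire it is evidence that the access-revocation process failed.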
Counterargument

If a weak policy is implemented, it can lead to ad hoc changes in the security and risk management infrastructure of the covered entities, such as in firewalls and proxies. Ad hoc decisions do not meet the criteria of HIPAA, make the risk management infrastructure difficult to govern for the people who make regular changes, and open the way to misuse of PHI by individuals. In light of the technical safeguards of the HIPAA Security Rule, exception-based risk management can result in a chain of policy exceptions in infrastructure platform and application configurations so intangible and complicated that they become cumbersome and difficult to understand. IT risk management technology can sometimes make it harder for security personnel to perform efficiently (Axzo Press & Supremus Group, 2008).

Conclusion

In conclusion, compliance with the rules of HIPAA is of the utmost importance, not only to protect the organization from litigation but also to ensure a high standard of professional conduct by health care practitioners. Risk assessment under HIPAA requires the identification of all threats to PHI and to the confidentiality of the DRS, a review of all the technology used for security measures, and an estimate of the likely losses if security measures were not implemented (Wu & American Bar Association Section of Science & Technology Law, 2007). A risk management plan needs to be charted and implemented to protect patient information and to raise awareness among professionals of the illegality of accessing medical information without authorization. Where risk management falls short of the standard because of weaknesses in the security policy, a review of the risk management program is necessary. Risk management cohesion can also be increased by bridging compliance gaps between policy and practice.

Reference List

Abbey, D. C. (2008). Compliance for coding, billing & reimbursement: A systematic approach to developing a comprehensive program (2nd ed.). New York: CRC Press.

Axzo Press, & Supremus Group (2008). HIPAA training and certification: Job-role-based compliance + CertBlaster & CBT (Instructor's ed.). Supremus Group LLC.

Dolan, P. L. (2010). HIPAA violation leads to jail time. Retrieved from http://www.ama-assn.org/amednews/2010/06/07/bisb0607.htm

HDM Breaking News (2010). Prison for HIPAA privacy violator. Retrieved from http://www.healthdatamanagement.com/news/hipaa_privacy-violation-conviction-breach-40202-1.html

Iyer, P. W., Levin, B. J., & Shea, M. A. (2006). Medical legal aspects of medical records. Arizona: Lawyers & Judges Publishing Company.

Marcinko, D. E. (2005). Insurance and risk management strategies for physicians and advisors: A strategic approach. Massachusetts: Jones & Bartlett Learning.

Muller, M., Jooste, K., & Bezuidenhout, M. (2006). Health care service management. Juta and Company Ltd.

Murphy, M., & Waterfill, M. (2010). The new HIPAA guide for 2010: 2009 ARRA Act for HIPAA security and compliance law and HITECH Act. Your resource guide to the new security and privacy requi. Indiana: AuthorHouse.

NextLabs (2009). HIPAA. Retrieved from http://www.nextlabs.com/html/?q=hipaa

Wu, S. S., & American Bar Association Section of Science & Technology Law (2007). Guide to HIPAA security and the law. Illinois: American Bar Association.
Source: https://studentshare.org/social-science/1739528-risk-management-position-paper-in-healthcare-designated-record-set-hipaa-privacy-laws