Protecting patient privacy in health care is more than a moral obligation; it is the law. The law requires health care facilities and providers to have measures in place to safeguard against a security breach of all patients’ protected health information. Health care organizations and providers have to face the fact that violations of protected health information happen; knowing how to minimize the opportunities for violations and breaches in security is key. This paper will review a security breach scenario from St. John’s Hospital (University of Phoenix) and address how companies should respond in the event of a security breach, the necessary staff training, and the implementation of a successful management plan.

The Scenario
St. John’s Hospital had sound policies and procedures in place to protect confidential client information and served as a model for other institutions within its area. In one area of the hospital, the IS department, which has restricted access, printouts have been discarded without being shredded. Employees of the IS department who were working late witnessed cleaning staff reading these printouts.

The Problem
A health care facility or provider that submits claims electronically is subject to HIPAA. HIPAA’s federal privacy regulations protect patient medical records and other identifiable health information created or received by a health care entity (Coons, 2001). Discarding printouts that contain protected or confidential information in a manner that leaves the information open to viewing constitutes a potential violation of the HIPAA regulations set by federal law. The cleaning staff employees reading the information in the reports constitute a breach in security, because they have no need to view, use, or have access to this information.
The nature of their role and responsibilities does not require this information to complete their tasks; therefore, the company is responsible for any misuse of the PHI contained in these reports. A security breach is an impermissible use or disclosure of protected information under the Privacy Rule that compromises the security or privacy of protected health information (PHI) (U.S. Department of Health & Human Services, n.d.). In order for St. John’s Hospital to know the extent of the security breach, St. John’s needs to perform a risk assessment, taking into consideration the following factors set forth by the U.S. Department of Health & Human Services:
1. The type of PHI involved, including patient identifiers.
2. The unauthorized employee or person who used the PHI.
3. Whether the PHI was acquired or taken out of the facility, or was only viewed.
4. Whether the risk to the PHI was mitigated and, if so, how.
For the purpose of this paper, the risk assessment identified a security breach.

Responding to the Breach
In the scenario, management has a moral and legal responsibility to respond to the security breach and ensure that it does not happen again, understanding that “healthcare information security and privacy is a major ethical and legal issue. In particular, the moral principle of personal autonomy suggests that individuals have the right to control all matters related to their own body, including their personal health information. This directly translates into public expectations and legal requirements that health care providers shall secure the privacy and confidentiality of patients’ health records” (Kamoun, 2014). At first consideration, one may think that all St. John’s needs to do is shred the reports and the problem is solved. A shredder is a good place for management to start; however, it is not all that the organization must consider. St. John’s Hospital needs to perform a risk assessment as identified in “The Problem” section of this paper.
The organization also needs to review its policies and procedures and develop and provide updated employee education on HIPAA, security breaches, and what to do if a violation occurs; the organization and department managers should also reintroduce the organization’s code of ethics, identifying the employees’ moral and legal obligations. The manager must also have a clear, comprehensive management plan to ensure continued PHI security. Managing threats to PHI is more difficult today than in the past. Understanding where these threats come from is the first step in being able to prevent a breach by implementing policies and processes for mitigation. Three of the main risks that contribute to a security breach of PHI are lost or stolen computers and equipment; internal misuse of data, both intentional and unintentional (as in our scenario); and threats from computer and IT system hackers (Paster, 2013).

Education and Training
St. John’s IT department manager should start by educating the staff on what to do if they see a breach in the security of PHI. HIPAA security standards require policies and procedures that govern the receipt and removal of electronic data, both internally and externally (Coons, 2001). All employees of the organization need to be educated on HIPAA; they all have a moral and legal obligation to know and understand what constitutes PHI and what a security breach is. It is the responsibility of the senior leaders and department managers to have or develop policies and procedures that prevent, detect, contain, and correct any security violation within the organization (Coons, 2001). Employees need to be educated on what their moral and legal obligations are when they see a potential or actual violation of PHI. The organization needs to be clear and consistent in its processes and policies for disciplining employees who violate HIPAA. This should be part of the mandatory yearly education required of all employees.
Every manager needs to have a plan for maintaining or updating policies and procedures as regulations and the health care industry change. Managers are responsible for holding mandatory employee education on a routine basis; this should include new employee orientation, changes to policies and procedures, changes to HIPAA and other federal regulations, and how to deal with data safeguards and security breaches. Another important part of a manager’s responsibilities should be a walkthrough of the department, looking for areas where PHI could be vulnerable to others who have no reason to see it. This will ensure that no PHI is exposed to employees, vendors, or customers who do not have a need to utilize or view the data.
The management plan must also contain a process for addressing security incidents, to be used in future prevention planning (Coons, 2001). One important process to include is the breach notification requirement, under which the organization is required to notify affected individuals of such a breach; depending on the number of persons affected, there may also need to be media announcements, and the Secretary must be informed through HHS at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. It is also worth noting that covered entities are required to comply with specific administrative requirements by providing proof of written policies and procedures regarding breach notifications and employee training.
Managing threats to PHI is more difficult today than in the past. Understanding where these threats come from is the first step in being able to prevent a breach by implementing policies and processes for mitigation. At the core of HIPAA are patient privacy and the protection of PHI. Health care facilities and providers need to have measures in place to safeguard against a security breach of any patient’s protected health information. Organizations are required to have specific policies and procedures in place to ensure a security breach does not happen. Even when organizations like St. John’s have policies and procedures in place to minimize the potential for a security breach, security breaches occur. Providing employees with the necessary training and education, in addition to having a solid management plan, will help to minimize breaches. The management plan needs to be all-encompassing, covering routine monitoring and education.
Since St. John’s Hospital had sound policies and procedures in place to protect confidential client information and served as a model for other institutions within its area, it is safe to say that the focus needs to be placed on the education of employees, in particular what their responsibility is when they witness a breach in the security of PHI. Organizations should also have a code of ethical conduct that identifies the expectations of all employees, vendors, suppliers, and contracted personnel in making HIPAA compliance and the protection of PHI their top priority, understanding how even an action as innocent as discussing a patient in a non-private area puts PHI at risk. Organizations that make the security of PHI the responsibility of everyone, rather than of one department or area, are more likely to successfully minimize the risk or potential of a security breach; this is what all health care organizations and providers should strive for.
References

Coons, L. R. (2001, May). Security Breaches: Tips for Assessing and Limiting Your Risks. The Journal of Medical Practice Management, 3(1), 385-388.

Kamoun, F. (2014, January). Human and Organizational Factors of Healthcare Data Breaches: The Swiss Cheese Model of Data Breach Causation and Prevention. International Journal of Healthcare Information Systems and Informatics, 9(1), 42.

Paster, M. (2013, July). Avoiding health data breaches: A comprehensive security plan. Retrieved from http://healthitsecurity.com/2013/07/24/avoiding-health-data-breaches-a-comprehensive-security-plan/

Rhodes, H. (n.d.). Developing Breach Notification Policies and Procedures: An Overview of Mitigation and Response Planning. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673

U.S. Department of Health & Human Services. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/