essay - health insurance portability and accountability act


Upload: patrick-tyler

Post on 13-Nov-2015


DESCRIPTION

School Essay about Health Insurance Portability and Accountability Act

TRANSCRIPT

  • 11/14/2013

    RESPOND TO ISSUES OF CONFIDENTIALITY MA 104

    This essay examines various elements of the Health Insurance Portability and Accountability Act, also known as HIPAA. For the purpose of this assignment, it will examine a typical visit to a doctor's office. The focus will be to identify the organizational, administrative, physical and technical safeguards that a doctor's office should have in place to protect patients' protected health information (PHI), and to provide guidance in areas where compliance is lacking. In particular, this essay will focus on electronic PHI (ePHI), given my IT background and the direction in which medical record-keeping is heading, although HIPAA covers all health information, whether electronic, written or oral. Protecting the confidentiality of patient information requires a coordinated effort from every staff member.

    The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Its Administrative Simplification provisions gave rise to the Privacy Rule and the Security Rule, which govern the confidentiality and security of health information. The regulations apply to covered entities: health care providers who transmit any health information electronically, health plans (including the Medicare and Medicaid programs) and health care clearinghouses, as well as to the business associates that handle PHI on their behalf. HIPAA defines a health care provider as a provider of medical or health services, or any other person or organization who furnishes, bills or is paid for health care in the normal course of business. The intention is to protect the individual's privacy and confidentiality throughout the gathering, transmission and storage of health information. The Security Rule groups its requirements into administrative, physical and technical safeguards, together with organizational requirements. Privacy is important and confidentiality is a necessity: because of the intimate nature of health data, unauthorized access can be devastating for those whose privacy is violated. With the spread of technology and the Internet, health data is increasingly transmitted in digital form, and maintaining the confidentiality of patient information covers electronic, written and oral communication alike.

    Upon review of a typical doctor's office visit, one can observe the physical safeguards. The objective is to limit and control access to all areas where PHI is handled or stored. Facility access controls could include door locks, electronic access control and video surveillance. Physical safeguards also include workstation placement: monitors should be positioned relative to foot traffic and to the patient so that only the physician or designated employees can view them, and privacy screens can further limit unauthorized viewing of what is on a screen. The patient check-in line and the bill-paying station should be separated from the waiting area so that conversations cannot be overheard by other waiting patients or visitors.

    Technical safeguards are an area that is becoming increasingly important for health care providers to comply with. One technical security measure is access control that lets authorized users reach only the minimum necessary information needed to perform their job functions. Assigning each user a unique user ID, so that activity can be traced to an individual, and configuring an automatic log-off after a set period of idle time are two further areas of technical compliance. Another critical provision is encryption of data at rest as well as data in transit; under the Security Rule, encryption is an "addressable" specification, meaning the practice must either implement it or document why an equivalent alternative is reasonable and appropriate. The audit controls standard requires hardware, software or procedural mechanisms that record and examine activity in systems that contain or use ePHI.

    Administrative safeguards require the organization to develop policies and procedures to prevent, detect, contain and correct security violations in its information systems. Once these policies and procedures have been adopted, it is the organization's responsibility to apply sanctions to staff who fail to comply. Training is required for all staff, and a designated security official should be named as the responsible party to notify as soon as a security breach is suspected.

    Organizational safeguards include requiring third-party business associates to maintain contracts that incorporate HIPAA compliance. In addition, the practice must document its policies and procedures, keep them updated, and make them available for staff to review and follow.

    During the recent visit to the healthcare facility, staff left the computer logged on when they left the exam room. This would give the patient access to the database and the opportunity to corrupt data or to view information not specific to that individual. In addition to the computer system being left available, some visitors (pharmaceutical representatives, aka drug reps) were observed walking in the work areas within the work environment. The visitor was not escorted and was able to see patient information. Observation during the visit surfaced only two infractions, both of them employee-related infractions leading to non-compliance.

    To remediate the first infraction, one would make sure that an unauthorized user cannot access the computer in the exam room. This can be accomplished by the employee locking the screen upon leaving the station, by a screen saver that requires password re-entry, and by appropriate access controls. In addition, an automatic screen time-out after three minutes of idle time would limit exposure, although a time-out alone still leaves the terminal open for those three minutes, which is why the manual lock matters.
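    The technical safeguards discussed earlier (unique user IDs, minimum-necessary access, automatic log-off and audit controls) and the exam-room remediation above can be seen working together in the following added example, which is not part of the original essay. It is a small Python model of one exam-room terminal; the role names, user IDs, patient records and the three-minute timeout are all assumed or constructed for illustration and describe no real system or patient. It replays both the observed infraction (an unlocked terminal) and the remediated behaviour, and the audit trail it returns shows why the idle time-out alone leaves a window that only a manual lock closes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: the remediation above proposes a three-minute time-out.
IDLE_TIMEOUT = timedelta(minutes=3)

# Minimum-necessary access: each role may read only the record sections its job
# function requires. Role and section names are assumed for illustration.
ROLE_PERMISSIONS = {
    "physician":  {"demographics", "clinical_notes", "labs", "billing"},
    "front_desk": {"demographics", "billing"},
}

# Constructed sample ePHI; these are not real patients.
RECORDS = {
    "P-1001": {"demographics": "Doe, J.", "clinical_notes": "follow-up, stable",
               "labs": "A1c 6.1", "billing": "copay due"},
    "P-1002": {"demographics": "Roe, R.", "clinical_notes": "new patient intake",
               "labs": "pending", "billing": "paid"},
}

@dataclass
class Session:
    user_id: str            # unique user identification
    role: str
    last_activity: datetime
    active: bool = True

class Workstation:
    """One exam-room terminal: a single session, automatic log-off and an audit
    log of (time, user, patient, section, outcome) tuples for every event."""

    def __init__(self) -> None:
        self.session: Optional[Session] = None
        self.audit_log: list[tuple] = []

    def _audit(self, now, user_id, patient_id, section, outcome) -> None:
        self.audit_log.append((now, user_id, patient_id, section, outcome))

    def login(self, user_id: str, role: str, now: datetime) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.session = Session(user_id, role, now)
        self._audit(now, user_id, "-", "-", "login")

    def lock(self, now: datetime) -> None:
        """Manual lock when the user walks away (the first remedy above)."""
        if self.session and self.session.active:
            self.session.active = False
            self._audit(now, self.session.user_id, "-", "-", "manual_lock")

    def enforce_idle_logoff(self, now: datetime) -> None:
        """Automatic log-off once the session has been idle for IDLE_TIMEOUT."""
        s = self.session
        if s and s.active and now - s.last_activity >= IDLE_TIMEOUT:
            s.active = False
            self._audit(now, s.user_id, "-", "-", "auto_logoff")

    def read(self, patient_id: str, section: str, now: datetime) -> Optional[str]:
        """Read one section via whatever session is on the terminal: whoever is at
        the keyboard uses it, which is why an unlocked terminal is an exposure."""
        self.enforce_idle_logoff(now)
        s = self.session
        user = s.user_id if s else "-"
        if s is None or not s.active:
            outcome = "denied:no_active_session"
        elif section not in ROLE_PERMISSIONS[s.role]:
            outcome = "denied:minimum_necessary"
        elif patient_id not in RECORDS:
            outcome = "denied:no_such_record"
        else:
            outcome = "allowed"
            s.last_activity = now          # real activity resets the idle timer
        self._audit(now, user, patient_id, section, outcome)
        return RECORDS[patient_id][section] if outcome == "allowed" else None

def unlocked_terminal_scenario() -> list[str]:
    """The infraction observed above: the physician leaves without locking."""
    t0 = datetime(2013, 11, 14, 9, 0, 0)
    ws = Workstation()
    ws.login("dr.smith", "physician", t0)                           # assumed user id
    ws.read("P-1001", "labs", t0)
    # Two minutes later the patient tries the keyboard; the timer has not fired, so
    # another patient's notes are served. Five minutes after the last real activity
    # the automatic log-off has expired the session and the same request is refused.
    ws.read("P-1002", "clinical_notes", t0 + timedelta(minutes=2))
    ws.read("P-1002", "clinical_notes", t0 + timedelta(minutes=7))
    return [event[4] for event in ws.audit_log]

def remediated_scenario() -> list[str]:
    """Manual lock before leaving, plus minimum-necessary limits for the front desk."""
    t0 = datetime(2013, 11, 14, 10, 0, 0)
    ws = Workstation()
    ws.login("dr.smith", "physician", t0)
    ws.read("P-1001", "labs", t0)
    ws.lock(t0 + timedelta(minutes=1))                               # locks on the way out
    ws.read("P-1002", "clinical_notes", t0 + timedelta(minutes=2))   # refused at once
    ws.login("j.front", "front_desk", t0 + timedelta(minutes=10))    # assumed user id
    ws.read("P-1002", "clinical_notes", t0 + timedelta(minutes=10))  # outside job function
    ws.read("P-1002", "billing", t0 + timedelta(minutes=10))
    return [event[4] for event in ws.audit_log]
```

    Call the two scenario functions and compare the audit trails. In the unlocked scenario the second "allowed" entry is the exposure: a request served two minutes into a three-minute window, attributed in the log to the physician who had walked away. In the remediated scenario the same request is refused immediately because the session was locked, and the front-desk login is held to its role's sections while every attempt, allowed or denied, is still recorded.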

    Visitor escorts should be enforced at all times. Even with a badge system for visitors, it is critical that they not be given unsupervised access to areas where PHI is present. The most important remediation effort would be to train staff on the proper procedures for logging on and off computers, and to strictly enforce the visitor policy.

    Failure to comply may result not only in regulatory actions such as fines, but also in direct business loss from lawsuits, damage to reputation and the loss of the public's trust. Organizations that deal with personal health information are expected to comply with HIPAA regulations or suffer stiff fines. Under the original penalty schedule, civil fines ranged from $100 per violation up to $25,000 per year for identical violations; since the 2009 HITECH amendments the tiers run as high as $50,000 per violation, with an annual cap of $1.5 million per provision violated, the top tier applying to willful neglect that is not corrected. If that isn't scary enough, knowingly obtaining or disclosing PHI is also a criminal offense that can carry serious jail time. So it is in everyone's best interest that HIPAA be followed, for the safety of our patients and our careers. It is our role and responsibility to be the safe keepers of our patients' private information.