StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Risk Management Position in Healthcare Designated Record Set HIPAA Privacy Laws - Research Paper Example

Cite this document
Summary
This paper aims to analyze a case study of a doctor who breached the rules of the HIPAA and was sentenced.  The paper outlines a risk management program gives the potential recommendations that can be implemented to avert undue risks and harms. …
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER95.9% of users find it useful
Risk Management Position in Healthcare Designated Record Set HIPAA Privacy Laws
Read Text Preview

Extract of sample "Risk Management Position in Healthcare Designated Record Set HIPAA Privacy Laws"

Risk Management Position Paper in Healthcare Designated Record Set HIPAA Privacy Laws Abstract The Privacy rules and the Health Insurance Portability and Accountability Act (HIPAA) regulate what information regarding the health of an individual can be used and disclosed. Every individual has the right towards privacy. Covered entities and practitioners who do not observe confidentiality of protected health information (PHI)- especially the designated record set (DRS)- are subject to penalties under the HIPAA. This paper analyzes a case study of a doctor who breached the rules of the HIPAA, and was sentenced. The paper outlines a risk management program, gives the potential recommendations that can be implemented to avert undue risks and harms. The paper provides supporting work for the risk management plan as well as the counterarguments to it. In the end, the conclusion establishes the need for a risk management plan. Keywords: HIPAA, risk management, health care, laws Risk Management Position Paper in Healthcare Designated Record Set HIPAA Privacy Laws Introduction The rights of the people seeking health care have been the subject of much debate over the past decades. One of the rights of the patients is to access their health information and to modify it if it is deemed to have any discrepancy. Several legislations have been passed to grant the patients their due rights and to protect the abuse of medical information and health records of the patients. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by President Clinton. The Act has two aspects: it provides confidentiality to the records of the patients and prevents fraud and abuse and it makes sure that insurance and health care is portable. Health information refers to the information, either stored in any form, or oral; it is given to a health care provider and is related to the past, present and future state of health of an individual. The Privacy rules and the Act regulate what information regarding the health of an individual can be used and disclosed. This information is known as the protected health information (PHI), and organizations which are liable to conform to the Privacy rules are called covered entities. The Designated Record Set (DRS) refers to the group of health records that have been maintained by the covered entities, including the medical and billing information of the patients, enrollment, claims adjudication as well as the medical record management systems use for health plans. Its utility is for decision making about individuals. All hospitals, clinics and other health care providers are required to comply with the HIPAA (Abbey, 2008). Failing to do so can have dire consequences for the individuals involved. Every individual has the right towards privacy. They are entitled to disclose the information that they want to reveal, while keeping the rest private. Privacy has been part of the American law since a very long time. However, many heath care practitioners are not aware of the advances and amendments that have taken place in the laws, to incorporate more privacy aspects so that the privacy of the individual is upheld. Many of them are not aware of the repercussions of breaching the legislations. Like all other federal laws, there are provisions that ascertain observance of the legislation through potential penalties to those who violate the Privacy rules (Iyer, Levin, & Shea, 2006). Problem statement The paper explores a similar case where a doctor fails to observe the privacy of the patients and is sentenced to at least four years in prison. The paper analyzes the issue in light of the DRS HIPAA laws, and gives recommendations on how risk management can be implemented in a health care institution to avert any such incidences in the future. The HIPAA epitomizes the statement “Be careful of what you ask for” and this paper takes this statement forward by suggesting a risk management plan (Marcinko, 2005). Position A licensed cardiothoracic surgeon from China became the first one to be sentenced for four months in jail for violating the HIPAA rules. Dr. Huping Zhou was a former employee of the UCLA School of Medicine in 2003. He was working in the US when he received a notice for performance-based reasons on 23 October 2003. This notice was not related to any privacy violations. However, on the evening he received the notice for his dismissal, Dr. Zhou accessed medical records of his supervisor and colleagues. This was not the first only time that he accessed medical records illegally. In the next four weeks, he accessed medical records at three more occasions, with the number of times he accessed records totaling up to a number of 323 according to the FBI. The UCLA patient records included records of many celebrities as well, including Elizabeth Banks, Leonardo DiCaprio, Drew Barrymore and Arnold Schwarzenegger. Charges were filed against him in 2009, and in January 2010, Dr. Zhou pled guilty to four misdemeanors counts of violating the privacy laws of the HIPAA. According to the Attorney defending Dr. Zhou, Zhou was oblivious to the fact that accessing medical records was illegal. However, Dr. Zhou was sentenced for four months and was fined a sum of $2,000 (HDM Breaking News, 2010). Dolan (2010) observes that a vital component of ensuring that a practice is sound and professionally acceptable is having a risk assessment. Stephen Aborn, executive director of Andrews International, a Valencia, California-based investigative and security services provider, asserts that health care providers can not afford to take privacy issues lightly and “no one is 100% bulletproof, but from a liability standpoint, you've taken measures to protect the information”. Thus it follows that a risk management plan needs to be enforced in order to avoid any risks and psychological, financial and economical harms violations of privacy laws can incur. Risk management is strategy development, execution and review. It includes the identification of internal risks, such as business, operational, physical and technology, or external, such as environmental, social and compliance risks (Muller, Jooste, & Bezuidenhout, 2006). A risk assessment program needs to be made that raises the awareness of the practitioners regarding the Privacy laws. Education empowers the practitioners and enables them to use information in a way that does not come into conflict with the rules and regulations of the HIPAA. Health care organizations need to identify compliance gaps to predict information risks. Health care service providers need to regulate the access of patient records by personnel. Access should be limited to authorized staff only, and protected health information should only be disclosed to the people who are immediately involved in the provision of health care. Health care service providers need to identify sensitive date and security rules can be implemented, like passwords, so that leakage of data can not occur. The management and filing of records also needs to observe a protocol so that leakage of confidential data is checked at all levels. Printing of private information should not be done in open, public places; rather, secure lines need to be used. Moreover, only authorized staff needs to be entrusted with the duty of printing, faxing etc. of sensitive data. E-mails should be encrypted, and secure communication channels need to be used. Moreover, health care practitioners need to be encouraged to record data in detail so that there is evidence that privacy laws have been complied with (NextLabs, 2009). The execution of the risk management plan requires the cooperation of the health care personnel and their employees. The staff needs to understand the importance of complying with the HIPAA. Moreover an effective risk management plan requires continuous reevaluation of the program so that compliance gaps are covered regularly. Supporting work When the UCLA found out that Dr. Zhou had been misusing his authority and had accessed medical records illegally, it released a statement regarding the risk management measures that it will take. According to the spokesman, the UCLA gives the privacy and confidentiality of the information of its patients top priority. The UCLA has ensured that prompt termination of access code takes place when employees are dismissed from service. The UCLA cooperated with the US Attorney and abided with the laws of the HIPAA, and made sure that the US Attorney initiatives on risk management are followed. The UCLA has taken many steps to extend the maintenance of the privacy of the patients. It has not only extended the auditing capacities of its information systems. A reevaluation of the clinical information systems was done, and they were improved upon in order to warrantee patient confidentiality and mitigate the risk of breaches of Privacy laws. The UCLA was also prompt to introduce a standard of professional practice that required all students and practitioners to take HIPAA training and a certification module. The security rule of the HIPAA has three main category safeguards: administrative, physical and technical. Technical safeguards are defined as the regulation of access to computer and electronic systems to protect communications transmitting PHI over open networks, where the chances of non-authorized individuals from illegally accessing the information are high (Murphy & Waterfill, 2010). One of the provisions of the technical safeguard policy includes that covered entities should document risk assessment and risk management programs. Counterargument If a weak policy is implemented, it can lead to ad hoc changes in the security and risk management infrastructure of the covered entities, such as in firewalls, proxy etc. Ad hoc decisions do not meet the criteria of the HIPAA and can make the regulation of risk management infrastructure difficult for people who make regular changes, as well as the misuse of PHI by individuals. In light of the technical safeguards of the HIPAA security rule, exception-based risk management can result in a chain of policy exceptions in infrastructure platform and application configurations that are so intangible and complicated that they become cumbersome and difficult to fathom. IT risk management technology can some times make it difficult for security personnel to perform efficiently (Axzo Press & Supremus Group, 2008). Conclusion Thus, in conclusion, compliance with the rules of the HIPAA is of the utmost importance, not only to prevent the organization from litigation, but also to ensure a high standard of professional conduct by the health care practitioners. Risk assessment under the HIPAA requires the identification of all the threats to PHI and patient confidentiality of DRS, and a review of all the technology used for security measures as well as the likely losses if security measures were not implemented (Stephen S. Wu & American Bar Association Section of Science & Technology Law, 2007). A risk management plan needs to be charted and implemented to protect the information of the patients and to raise the awareness amongst professionals regarding the illegal access of medical information. Where risk management is falling short of the standard due to the weaknesses in the security policy, a review of the risk management program is necessary. Risk management cohesion can also be increased by bridging compliance gaps between policy and practice. Reference List Abbey, D. C. (2008). Compliance for Coding, Billing & Reimbursement, 2nd Edition: A Systematic Approach to Developing a Comprehensive Program. New York: CRC Press. Axzo Press, & Supremus Group (2008). Hipaa Training and Certification: Job-Role-Based Compliance + Certblaster & CBT, Instructor's Edition. Supremus Group LLC. Dolan, P. L. (2010). HIPAA violation leads to jail time. Retrieved from http://www.ama -assn.org/amednews/2010/06/07/bisb0607.htm HDM Breaking News (2010). Prison for HIPAA Privacy Violator. Retrieved from http://www.healthdatamanagement.com/news/hipaa_privacy-violation-conviction-breach-40202-1.html Iyer, P. W., Levin, B. J., & Shea, M. A. (2006). Medical legal aspects of medical records. Arizona: Lawyers & Judges Publishing Company. Marcinko, D. E. (2005). Insurance and risk management strategies for physicians and advisors: a strategic approach. Massachusetts: Jones & Bartlett Learning. Muller, M., Jooste, K., & Bezuidenhout, M. (2006). Health Care Service Management. Juta and Company Ltd. Murphy, M., & Waterfill, M. (2010). The New Hipaa Guide For 2010: 2009 ARRA ACT for HIPAA Security and Compliance Law and Hitech Act Your Resource Guide to the NEW Security and Privacy Requi. Indiana: AuthorHouse. NextLabs (2009). HIPAA. Retrieved from http://www.nextlabs.com/html/?q=hipaa Stephen S. Wu, & American Bar Association Section of Science & Technology Law (2007). Guide to HIPAA security and the law. Illinois: American Bar Association. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Risk Management Position in Healthcare Designated Record Set HIPAA Research Paper”, n.d.)
Risk Management Position in Healthcare Designated Record Set HIPAA Research Paper. Retrieved from https://studentshare.org/social-science/1739528-risk-management-position-paper-in-healthcare-designated-record-set-hipaa-privacy-laws
(Risk Management Position in Healthcare Designated Record Set HIPAA Research Paper)
Risk Management Position in Healthcare Designated Record Set HIPAA Research Paper. https://studentshare.org/social-science/1739528-risk-management-position-paper-in-healthcare-designated-record-set-hipaa-privacy-laws.
“Risk Management Position in Healthcare Designated Record Set HIPAA Research Paper”, n.d. https://studentshare.org/social-science/1739528-risk-management-position-paper-in-healthcare-designated-record-set-hipaa-privacy-laws.
  • Cited: 0 times

CHECK THESE SAMPLES OF Risk Management Position in Healthcare Designated Record Set HIPAA Privacy Laws

Privacy and health

Beyond the hipaa privacy Rule: Enhancing Privacy, Improving Health Through Research.... privacy and Health Name Institute Professor Course Date Introduction All the health care providers operating electronically can define health privacy as the practice of establishing national standards for protection of individual's health information and medical records.... hellip; This protection of one's confidential medical reports was declared in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) under the privacy, Security and Breach Notification Rules....
3 Pages (750 words) Research Paper

HIPAA Privacy Standards in April of 2003

Department of Health and Human Services 1). Relatively, the patient has the right to examine and get a copy of their health information that is within a “designated record set” The “designated record set” is the cluster of records used by a covered entity in part or in whole (to make decisions) that includes billing records, plan enrolment, payment, claims and management record of systems (United States Department of Health and Human Services 12).... Yes, there are certain requirements for covered entities to have written privacy policies....
2 Pages (500 words) Essay

U07d2 Laws Balancing Access and Protection

The Practical Guide to hipaa privacy and Security Compliance.... Also, with the growing attention to a clean and green world, most of the medic Running Head: u07d2 laws BALANCING ACCESS AND PROTECTION u07d2 laws Balancing Access and Protection Submitted by: Setara Azizi Number: XXXXXXXXXCapella UniversityTutor's Name:With the changing times and the growing technology, the healthcare industry has also been growing tremendously.... Similar to the many laws that have been developed over the years, the Privacy Rule also works on the need for independence and personal space in terms of the collection and distribution of healthcare information....
2 Pages (500 words) Essay

Regulatory and legislative issues paper

The healthcare law selected for this report is already in effect, and is part of the Health Insurance Portability and Accountability Act (hipaa), which was passed in 1996.... The hipaa is a very large impetus for healthcare, and is divided up into many different aspects, so that… Therefore, this report examines the hipaa Security Rule specifically.... The Security Rule is a key part of hipaa -- federal legislation that was passed into law in August 1996....
4 Pages (1000 words) Essay

HIPAA education

Organization needs to have one hipaa privacy/security officer who will be in charge of implementing HIPAA compliance step by step along with all the forms, documents, policies and procedures.... (Summary of the hipaa privacy)The security training will cover HIPAA national standards protecting individuals personal health information in electronics form and safeguards needed to ensure the integrity, confidentiality of health related information.... SUMMARY OF THE hipaa privacy RULE (2011),online from http://www....
2 Pages (500 words) Term Paper

Important aspects of HIPPA

Effect of the hipaa privacy rule on health research: proceedings of a workshop presented to the National Cancer Policy Forum.... HIPAA is one of the complex federal laws that focus on healthcare sector, the act was one of the responses of the Congress to the healthcare reforms and it affects the whole of healthcare industry.... Impact on privacy of health information of patientsHIPAA is one of the civil rights laws that give patients the right to control use of their information on health; the other important aspect of HIPAA is that it is mandatory....
2 Pages (500 words) Essay

Mobile device policy in healthcare

Breaching of privacy laws especially when one opens PHI application and forgets to close, and accessed by unauthorized persons.... In its broadest definition, PHI refers to any information regarding health status, Mobile Device Policy in healthcare Use of mobile devices and applications is becoming a common place in health care institutions.... It is because of containing such information that PHI deserves treatment and handling with highest possible security to protect privacy....
1 Pages (250 words) Essay

HIPAA Security Policy

The Practical Guide to hipaa privacy and Security Compliance.... Impact of security culture on security compliance in healthcare in the United States of America: A strategic assurance approach.... I would then follow the relevant steps in implementing an efficient privacy rule (Online Tech, 2015).... mportant HIPAA security policy requirementsOne of the most important security policy requirements of HIPAA is the privacy rule....
2 Pages (500 words) Essay
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us