In 1996 Congress enacted HIPAA to protect the privacy and security of protected health information maintained by health care providers, which include health insurance companies, hospitals, doctors, and employers who sponsor self-insured health plans (“Health Insurance Portability and Accountability Act Of 1996 (HIPAA)”, 2011). HIPAA is enforced by the Department of Health and Human Services.
HHS has issued two sets of regulations: the Standards for Privacy of Individually Identifiable Health Information (the ‘privacy rule’) and the Security Standards for Individually Identifiable Health Information (the ‘security rule’). The privacy rule requires entities to implement policies and procedures that ensure their members use and disclose protected health information (PHI) only for permissible purposes, and that patients and the insured have the right to access and amend their PHI.
The security rule requires entities to implement policies and procedures that protect against threats to the confidentiality, integrity, and availability of PHI (“Health Insurance Portability and Accountability Act Of 1996 (HIPAA)”, 2011). HIPAA violations can result in criminal and civil penalties. The Department of Health and Human Services establishes the civil penalty structure for HIPAA violations. Within HHS, the Office of Civil Rights (OCR) enforces the privacy standards, and the Center for Medicare and Medicaid enforces the security rule.
The HHS determines the amount of civil penalty based on the nature and extent of the violation and the harm resulting from the violation. In 2012 a group of ear and eye doctors in Massachusetts reported the theft of an unencrypted personal laptop as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). The laptop contained personal health information of MEEI patients and research subjects. Reporting the theft of a laptop containing electronic PHI is required under the Breach Notification Rule.
During the investigation the OCR indicated that Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, known as MEEI, failed to take the correct steps to comply with the requirements of the Security Rule. They failed to implement security measures sufficient to ensure the confidentiality of electronic PHI. The MEEI patient population is affected most by the violation. By law, the patients who were affected will be notified. Those patients will need to watch what happens with their health information and their personal information. Personal identity, credit history, and health information will need to be carefully watched for inaccurate information or unauthorized alterations. OCR’s investigation indicated that the failure to comply with the security rule requirements had occurred over an extended period of time. MEEI apparently did not have adequate policies and procedures in place relating to the confidentiality of, and access to, electronic PHI.
OCR emphasizes the importance of confidential health information and the special attention that must be paid to safeguarding the information stored or transported on portable devices (Massachusetts Provider Settles HIPAA Case after Investigation, 2012). MEEI must come up with a corrective action plan that must be approved by the OCR, including reviewing, revising, and maintaining policies and procedures to ensure the confidentiality of electronic PHI and policies and procedures that restrict access to electronic PHI.
An independent monitor will be set up to conduct assessments of MEEI semi-annually and report to HHS for a period of three years. There will also be a fine of $1.5 million. The OCR believes the violation was severe and the potential risk for harm was widespread. Administratively, MEEI failed to demonstrate good ethical practices by not ensuring the privacy of protected health information. They also did not educate the staff regarding HIPAA. Legally, MEEI could be at a higher risk for lawsuits related to the breach of confidentiality.
Other ethical issues include the doctors’ medical licenses: not following the correct plan could result in losing their license to practice. More fines could place a financial burden on the facility and cause it to close. The loss of patients for not keeping their information protected is also an issue. Although the article did not include any MEEI comments, the managers should have a clear understanding of what their responsibilities will be: to ensure confidentiality, and to ensure that staff are equally prepared and aware of policies, procedures, and patient privacy.
Their responsibilities lie with the organization, with the patients served by the organization, and with the employees of the organization. All patient information needs to be treated with dignity and respect. It will be the manager’s responsibility to make sure the staff is in compliance with all policies and procedures and with the HIPAA rules and regulations.