Confidentiality

By: Steven Byerly

MHA 690 Health Care Capstone

Professor: Dr. Sherry Grover

May 23, 2012

Breach of confidentiality at UCLA by over 120 employees

• As Fox news reported the California Department of Public Health released a statement stating that over 120 hospital staff inappropriately viewed patient health records between January of 2004 and June of 2006. (www.foxnews.com) The blame falls directly on the hospital administrators for not taking appropriate steps to ensure this type of activity does not occur by adequately training their staff as to what the appropriate uses of patient information is. Since this is a problem with current staff a new training protocol should be implemented to train, retrain, or refresh all staff on HIPAA guidelines in protecting the privacy of patients. New hires will also be required to go through the HIPAA training course as protecting patient information must be a top priority for all health care organizations.

What is considered protected information?

• According to HIPAA protected health information is considered individually indentifiable health information held or disclosed by a covered entity. Patient health information includes: patient’s name; Social Security number or medical record number; specific dates such as a birth, admission, discharge, or death; or any other information that may be used to identify a patient. This may include information about past, present, or future physical and mental conditions; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare. (Cascardo, 2012) A practice must refrain from discussing any aspects of progress notes, court records, domestic violence police reports, mental health documents, etc, with anyone unless the patient has signed a release form in advance.

What is a valid release or authorization form?

• A specific description of the information to be used or disclosed

• The name of the person(s) or organization that will be authorized to release the information

• The name of the person(s) or organization to whom the information is authorized to be released

• A description of the purpose of the use of the disclosure

• A date or even of expiration

• The signature of the individual/patient and date, the form may also be signed by a personal representative but must include the relationship that exist between the two

Authorization must inform the patient

• The right to revoke the authorization

• The potential for redisclosure by persons who receive the information

What constitutes a breach of HIPAA?

• A breach essentially means that there has been an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the patient health information. This breach can cause significant risk of financial, reputational, or other harm to the affected individual.

Typical Security risks include:

• Unauthorized access by employees

• Misuse of authorized access

• Ineffective disposal of patient health information

Minimum Necessary Rule

• It is extremely important that staff remember HIPAA’s minimum necessary requirement rule which states that only the minimum necessary patient health information should be shared to satisfy a particular purpose. If information is not required to satisfy a particular purpose then it must be withheld. It is important for staff to understand that access is allowed only for the function they need to perform such as a pharmacist would only need to access the patient’s history of prescriptions in order to perform their job function.

Conclusion

• Patient privacy and protection under HIPAA is the responsibility of all staff at all times. When patient information is mishandled then the patient as well as the community lose their trust in the organizations ability to provide high quality care while also protecting sensitive patient health information. Following the HIPAA guidelines is of the upmost importance and adherence to these policies is expected of all staff at all time. Failure to do so will result is disciplinary actions for the staff involved.

References

• Cascardo, D. (2012). What to do before the Office of Civil Rights comes knocking: Part 1. Medical Practice Management, May/June, 337-340. Retrieved from ProQuestdatabase.