medical office administration assignment 2

HIPAA CORPORATE COMPLIANCE PLAN Assignment #2 JULY 18, 2015 MEDICAL OFFICE ADMINISTRATION KayLynn Russell

Upload: kaylynn-russell

Post on 16-Aug-2015


Page 1: Medical Office Administration Assignment 2

HIPAA corporate compliance plan

Assignment #2

JULY 18, 2015


HIPAA Background of Privacy and Security Rules

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. HIPAA comprises several rules, all of which the Office for Civil Rights enforces. One of them is the HIPAA Privacy Rule, which took effect in 2003. This rule “protects the privacy of individually identifiable health information” (Services, n.d.). It requires health care providers to (Malone, 2013):

Disclose patient information to the patient within 30 days of the patient requesting it. Providers need a patient’s written consent before disclosing patient information, such as when transferring records from one provider to another. At other times consent is not necessary, such as when the provider suspects child abuse.

Use the minimum necessary rule, under which they may disclose only the smallest amount of a patient’s information needed for the purpose at hand.

Allow patients to request that changes be made to their health record if the patient feels that an error has been made in the chart.

Outline the disclosures of a patient’s PHI.

Employ a privacy officer, who is the point of contact for patients who feel that their privacy has in some way been violated.

The Department of Health and Human Services states that the major goal “of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being” (Summary of the HIPAA privacy rule, n.d.). In other words, the HIPAA Privacy Rule strives to protect patients from fraud, while still providing them with the best care possible.

Another rule that the Office for Civil Rights enforces is the HIPAA Security Rule, which sets the “standards for the security of electronic protected health information” (Services, n.d.). This rule went into effect in 2005 and helps safeguard any electronic patient information within a healthcare facility. There are three parts to this rule: administrative, physical, and technical (Malone, 2013).

Administrative: This part requires providers to outline to patients the privacy practices used in that particular facility; these must be written down and given to patients upon request. It also limits access to a patient’s chart to the minimum number of people (i.e., Ms. Brown is coming in to see Dr. Green. Dr. Brown, who is not treating her, should not access Ms. Brown’s records), and requires facilities to provide proper training on HIPAA and on the handling and care of PHI.

Physical: This part requires facilities to properly erase and dispose of “old computer equipment, or any other electronic system that houses patient information” (Malone, 2013). Password protection must be put in place, along with systems that block any unauthorized access. Patient information should be kept where it is out of sight of other patients and inaccessible to them.

Technical: This part requires that any patient information sent electronically must be encrypted and sent over protected networks.

The Office for Civil Rights states that the “major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care” (Summary of the HIPAA security rule, n.d.).

The main purpose of this manual is to give current and future health care workers ideas on how to protect a patient’s PHI while still giving them the best care available. Outlined below are ten policies that help keep the HIPAA Privacy Rule enforced.

PRIVACY POLICIES

1. Unless written consent has been given by the patient, never leave medical information regarding the patient with another party, even if it is a relative. (Lindh, Pooler, Tamparo, Dahl, & Morris, 2014) EXPLANATION: It is an invasion of the patient’s privacy to leave personal medical information with someone who is not authorized to hear it (in other words, someone for whom the medical office does not have the patient’s written consent).

2. Only speak of a patient with those who are involved in their care, i.e., the doctor who is treating the patient. (Lindh, Pooler, Tamparo, Dahl, & Morris, 2014) EXPLANATION: This reduces the number of people (such as a receptionist) who learn about a patient’s care without needing to.

3. When leaving a message because the patient is not available, leave the telephone number and, if applicable, say that you are returning the patient’s call; never leave any medical information or mention the purpose of the call, and never leave test results. (Lindh, Pooler, Tamparo, Dahl, & Morris, 2014) EXPLANATION: It is a violation of the patient’s right to privacy to leave confidential information (i.e., test results) with someone else, especially someone the patient (or the patient’s representative) does not want to know.

4. Never discuss confidential patient information inside or outside the medical facility, especially if it is not your concern. (Lindh, Pooler, Tamparo, Dahl, & Morris, 2014) EXPLANATION: This is an invasion of a patient’s privacy, and someone else, like another patient in the reception area, can overhear.

5. Always keep medical records away from where patients can easily see or access them, in a locked filing cabinet or drawer. (Lindh, Pooler, Tamparo, Dahl, & Morris, 2014) EXPLANATION: This helps reduce the incidence of identity theft and insurance fraud. Somebody (a patient or otherwise) not authorized to see the records could gather information from them and use it for their own purposes.

6. If placing a patient chart outside the exam room, make sure to face the patient’s name towards the wall. (Judson & Harrison, 2013) EXPLANATION: This maintains the patient’s privacy; other patients passing by the room won’t be able to see who is in the room or any other PHI.

7. When a person claims to have the legal right to make medical decisions for a patient, always ask to see the legal papers and verify the person’s identity. A signed authorization for disclosure is preferred; you can also verify with the patient if they are able. (Judson & Harrison, 2013) EXPLANATION: This protects the patient from potential harm of any kind. It also protects against the possibility of giving confidential information to an unauthorized person not involved in the patient’s care.

8. When requests are made to provide PHI, only provide what is being asked for (i.e., insurance companies only need the portion of a patient’s medical record that concerns the visit being billed). (Judson & Harrison, 2013) EXPLANATION: This is the minimum necessary rule; by following it, only the information that is requested will be given. This protects patient privacy.

9. All computers must be password protected. Employees must have their own personal password and must never share that password. (Malone, 2013) EXPLANATION: This protects against improper use and access by persons not authorized to view sensitive material, thus protecting patient privacy.

10. All patient information that is to be sent electronically must be encrypted and sent only over a protected network. (Malone, 2013) EXPLANATION: This keeps PHI that is sent electronically from being viewed by unauthorized persons.
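Policies 2, 8 and 9 above, together with the administrative safeguard described earlier (Dr. Brown, who is not treating Ms. Brown, should not open her chart), describe two mechanical checks a records system can enforce on every lookup: is the requester on the patient's care team, and which fields does the stated purpose actually need? The following is an added example, not part of this assignment or of any cited textbook. The `PhiStore` class, the purpose-to-field table, the staff ids and the patient data are all constructed for illustration; a real system would load the care team and the minimum-necessary table from the practice's own policy, and the audit trail is what a privacy officer would review when a patient asks who has viewed their record.

```python
# Added example (not the assignment's own material): a minimum-necessary
# access filter with an audit trail for a small medical-office records system.
# Every name, field set and patient value below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# Which chart fields each purpose of use may receive (constructed policy table).
# A field not listed for a purpose is never returned: the minimum necessary rule.
MINIMUM_NECESSARY = {
    "treatment":  {"name", "dob", "allergies", "diagnoses", "visit_notes", "test_results"},
    "billing":    {"name", "dob", "insurance_id", "visit_date", "procedure_codes"},
    "scheduling": {"name", "phone", "visit_date"},
}


@dataclass
class PatientRecord:
    patient_id: str
    care_team: frozenset   # staff ids currently treating this patient
    data: dict             # the full chart


@dataclass
class AuditEntry:
    when: datetime
    user_id: str
    patient_id: str
    purpose: str
    granted: bool
    fields: tuple          # fields actually disclosed (empty when denied)


class PhiAccessDenied(PermissionError):
    """Raised when a lookup fails the care-team or purpose check."""


class PhiStore:
    """Holds charts and records every access attempt, granted or not."""

    def __init__(self):
        self.records = {}
        self.audit_log = []

    def add(self, record):
        self.records[record.patient_id] = record

    def access(self, user_id, patient_id, purpose):
        """Return only the fields permitted for `purpose`, or raise and log a denial."""
        record = self.records[patient_id]
        if purpose not in MINIMUM_NECESSARY:
            granted, disclosed = False, {}
        elif purpose == "treatment" and user_id not in record.care_team:
            # Policy 2 / administrative safeguard: only a treating clinician
            # may open the chart for treatment, regardless of their role.
            granted, disclosed = False, {}
        else:
            allowed = MINIMUM_NECESSARY[purpose]
            granted = True
            disclosed = {k: v for k, v in record.data.items() if k in allowed}
        # Denied attempts are logged too; they are what a privacy officer looks for.
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), user_id,
                                         patient_id, purpose, granted,
                                         tuple(sorted(disclosed))))
        if not granted:
            raise PhiAccessDenied(f"{user_id} may not access {patient_id} for {purpose}")
        return disclosed

    def accesses_for(self, patient_id):
        """Every attempt on one chart, for answering a patient's accounting request."""
        return [e for e in self.audit_log if e.patient_id == patient_id]


def build_sample_store():
    """Constructed sample data mirroring the Ms. Brown / Dr. Green example."""
    store = PhiStore()
    store.add(PatientRecord("P-1001", frozenset({"dr_green"}), {
        "name": "Ms. Brown", "dob": "1970-01-01", "phone": "555-0100",
        "allergies": ["penicillin"], "diagnoses": ["hypertension"],
        "visit_notes": "follow-up in 3 months", "test_results": {"A1c": 5.6},
        "insurance_id": "INS-42", "visit_date": "2015-07-18",
        "procedure_codes": ["99213"],
    }))
    return store


def demo():
    """Treating doctor, billing clerk and a non-treating doctor each try the chart."""
    store = build_sample_store()
    treating = store.access("dr_green", "P-1001", "treatment")
    billing = store.access("billing_clerk", "P-1001", "billing")
    try:
        store.access("dr_brown", "P-1001", "treatment")
        denied = False
    except PhiAccessDenied:
        denied = True
    return treating, billing, denied, store.accesses_for("P-1001")


if __name__ == "__main__":
    treating, billing, denied, trail = demo()
    print("treatment view:", sorted(treating))
    print("billing view:  ", sorted(billing))
    print("dr_brown denied:", denied)
    for entry in trail:
        print(entry.user_id, entry.purpose, "granted" if entry.granted else "DENIED")
```

The billing clerk never sees diagnoses or test results and Dr. Brown's attempt is refused and recorded, so the same function enforces both the care-team restriction and the minimum-necessary filter, and the audit trail is the evidence the office would hand to its privacy officer.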


CONSEQUENCES OF HIPAA VIOLATIONS

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law to help protect patients and their protected health information. By accepting a job in the health care field, we are accepting the responsibility of protecting our patients. Therefore, if we in some way violate (intentionally or unintentionally) the HIPAA regulations, there is a price to pay – and a pretty hefty one at that!

Malone outlines in her textbook, Medical Office Management, the fines and penalties imposed on people who violate HIPAA. The following are the tiers of HIPAA violations (Malone, 2013):

Unintentional violation

This type of violation can cost $100 per violation, with $25,000 as an annual maximum for any repeat violations.

Violation due to reasonable cause, but not due to willful neglect

This type of violation can cost $1,000 per violation, with $100,000 as an annual maximum for any repeat violations.

Violation due to willful neglect, but violation is corrected within the required time period

This type of violation can cost $10,000 per violation, with $250,000 as an annual maximum for any repeat violations.

Violation due to willful neglect that is not corrected within the required amount of time

This type of violation can cost $50,000 per violation, with $1.5 million as an annual maximum for any repeat violations.

The maximum penalty for any type of violation is $50,000 per violation, with $1.5 million as the annual maximum. In addition to the above penalties, any person who violates HIPAA can face the following penalties:

Violation: obtaining or disclosing PHI can result in a $50,000 fine and imprisonment of up to 1 year.

Violation: obtaining PHI under false pretenses, such as claiming to be doing research when one is not, can result in a $100,000 fine and imprisonment of up to 5 years.

Violation: obtaining PHI with the intent to sell or transfer it can result in a $250,000 fine and imprisonment of up to 10 years.

In conclusion, HIPAA is a very large and daunting subject, but it is very important to learn, especially if you are entering the health care field, where patient information is at everybody’s fingertips. I think that people should think very carefully about the penalties before committing any type of violation (intentionally or not). Violating a patient’s privacy can be very damaging to them, whether it be telling an unauthorized family member that the patient has 6 months to live, or using your ability to access patient information for your own personal gain (selling it or using the information to intentionally hurt someone).

Works Cited

Gastroenterology, P. (2013, May 12). Privacy Policy. Retrieved from Portland Gastro: http://www.portlandgastro.com/wp-content/uploads/2009/11/Privacy-Policy-09232013.pdf#page=1&zoom=auto,-99,792

Judson, K., & Harrison, C. (2013). Law & Ethics for the Health Professions 6e. New York: McGraw-Hill.

Lindh, W. Q., Pooler, M. S., Tamparo, C. D., Dahl, B. M., & Morris, J. A. (2014). Delmar's comprehensive medical assisting: administrative and clinical competencies 5e. Clifton Park: Delmar.

Malone, C. (2013). Medical office management. Upper Saddle River: Pearson.

Services, D. o. (n.d.). Health Information Privacy. Retrieved from U.S. Department of health and human services: http://www.hhs.gov/ocr/privacy/index.html

Summary of the HIPAA privacy rule. (n.d.). Retrieved from U.S. department of health and human services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Summary of the HIPAA security rule. (n.d.). Retrieved from U.S. department of health and human services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
