11/14/2013

RESPOND TO ISSUES OF CONFIDENTIALITY


MA 104
This essay examines various elements of the Health Insurance Portability and Accountability
Act, also known as HIPAA. For the purpose of this assignment, it will examine a typical visit to a
doctor's office. The focus will be to identify the organizational, administrative, physical and
technical safeguards that a doctor's office should have in place to protect protected health
information (PHI), and to provide guidance in areas where compliance is needed. In particular, this
essay will focus on electronic PHI (ePHI), given my IT background and the direction in which medical
records are being maintained, although all healthcare information, whether electronic, written or oral,
falls under HIPAA. Protecting the confidentiality of patient information requires a coordinated effort
from all staff members.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in
1996 and, through its Privacy and Security Rules, governs the protection of healthcare information. The
HIPAA regulations apply to covered entities: health care providers who transmit any health information
electronically, health plans (including the Medicare and Medicaid programs) and health care
clearinghouses, as well as their business associates. HIPAA defines a health care provider as a
provider of medical or health services, or any other person or organization who furnishes, bills, or is
paid for health care in the normal course of business. The intention is to protect the individual's
privacy and confidentiality throughout the gathering, transmitting and storing of healthcare
information. The various components of HIPAA cover physical, organizational, administrative and
technical safeguards. Privacy is important and confidentiality is a necessity. Because of the intimate
nature of health data, unauthorized access could be devastating for those whose privacy is violated.
With the adoption of technology and the Internet, health data is increasingly transmitted in digital
form, and maintaining the confidentiality of patient information covers electronic, written and oral
communication.
Upon review of a typical doctor's office visit, one can observe the physical safeguards. The
objective is to limit and control access to all areas where PHI is handled or stored. Facility access
controls could include door locks, electronic access badges and video surveillance. Physical safeguards
also include the placement of monitors relative to foot traffic and to the patient: only the physician
or designated employees should be able to view the computer monitors, so their placement requires
consideration, and privacy screens can further limit unauthorized viewing of information on a screen.
The patient check-in line and bill-paying station should also be separated from the waiting area so
that conversations are not overheard by other waiting patients or visitors.
Technical safeguards are an area that is becoming increasingly important for healthcare
providers to comply with. Technical solutions include access controls that give authorized users only
the minimum necessary information needed to perform their job functions. Assigning each user a unique
user ID, so that activity can be traced to an individual, and enforcing automatic logoff after a set
period of idle time are two further measures toward technical compliance. Another critical provision is
encryption of ePHI both at rest and in transit. The audit controls standard requires hardware, software
or procedural mechanisms to record and examine activity in the systems that contain or use ePHI.
Administrative safeguards require the organization to develop policies and procedures to
prevent, detect, contain and correct security violations in its information systems. Once these
policies and procedures have been adopted, the organization is responsible for applying sanctions to
staff who fail to comply. Training is required for all staff, and a designated security official should
be identified as the party to notify when a security incident is discovered.
Organizational safeguards include contracts with third-party business associates that
incorporate HIPAA compliance obligations. In addition, the practice must document its policies and
procedures, keep them updated, and make them available for staff to review and follow.
During the recent visit to the healthcare facility, staff left the computer logged on when they
left the exam room. This would give the patient access to the database and the opportunity to corrupt
or view information not specific to that individual. In addition to the unattended computer, some
visitors (pharmaceutical representatives, also known as drug reps) were observed walking through the
work areas. The visitor was not escorted and was able to see patient information. Observation during
the visit surfaced only two infractions, both of which were employee-related infractions leading to
non-compliance.
To remediate the two infractions, one would first make sure that an unauthorized user cannot
access the computer in the exam room. This can be accomplished by having the employee lock the
screen upon leaving the station, by implementing a screen saver that requires password re-entry, and
by implementing appropriate access controls. Enforcing an automatic screen lock after three minutes of
idle time would further limit access.
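The technical safeguards described earlier (unique user IDs, automatic logoff, minimum-necessary access and audit controls) and the three-minute idle lock proposed here are only enforceable if someone actually examines the activity records. The following is an added example, written for this essay and not taken from any EHR product or from the original page, of an audit-log review that reports three failures at once: a session that stayed logged on past the idle limit without a lock or logoff (the unattended exam-room computer), a clinician viewing a patient who is not on their schedule (a minimum-necessary violation), and a login under a generic shared account (which defeats the unique-user-ID requirement). The log format, account names, patient IDs and appointment schedule are all constructed for the example.

```python
"""Audit-control review of an EHR access log.

Added example (not from the essay): given a log of who did what on which
workstation, report three kinds of technical-safeguard failure:
  - idle-timeout:  a session stayed open past the idle limit without LOCK/LOGOFF
  - off-schedule:  a clinician touched a record for a patient not on their schedule
  - shared-id:     a login used a generic account, so activity is not traceable
The log format, account names, patient IDs and schedule are all constructed.
"""
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=3)                # automatic-logoff threshold from the essay
SHARED_IDS = {"frontdesk", "examroom", "admin"}  # hypothetical generic accounts
SESSION_END = {"LOCK", "LOGOFF"}
PHI_EVENTS = {"VIEW", "UPDATE"}

# Constructed sample log: timestamp|user_id|workstation|event|patient_id ("-" if none)
SAMPLE_LOG = """\
2013-11-14T09:00:00|jsmith|EXAM1|LOGIN|-
2013-11-14T09:00:10|jsmith|EXAM1|VIEW|P1001
2013-11-14T09:01:00|jsmith|EXAM1|UPDATE|P1001
2013-11-14T09:09:30|jsmith|EXAM1|VIEW|P1042
2013-11-14T09:10:00|jsmith|EXAM1|LOGOFF|-
2013-11-14T09:15:00|frontdesk|FD1|LOGIN|-
2013-11-14T09:15:05|frontdesk|FD1|VIEW|P1001
2013-11-14T09:16:00|frontdesk|FD1|LOCK|-
2013-11-14T09:30:00|rjones|EXAM2|LOGIN|-
2013-11-14T09:30:20|rjones|EXAM2|VIEW|P2000
2013-11-14T09:30:40|rjones|EXAM2|LOGOFF|-
"""

# Hypothetical appointment schedule: the patients each clinician is expected to see.
# Users absent from it (e.g. front desk) are not checked against a schedule here.
SCHEDULE = {"jsmith": {"P1001"}, "rjones": {"P2000"}}


def parse_log(text):
    """Turn the pipe-delimited log into a list of dicts, in file order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ws, event, patient = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": ws,
            "event": event,
            "patient": None if patient == "-" else patient,
        })
    return records


def review(records, schedule, idle_limit=IDLE_LIMIT, shared_ids=SHARED_IDS):
    """Return findings as (kind, user, workstation, detail) tuples in log order."""
    findings = []
    last_seen = {}  # (user, workstation) -> time of the last event in an open session
    for r in records:
        key = (r["user"], r["ws"])
        if r["event"] == "LOGIN":
            if r["user"] in shared_ids:
                findings.append(("shared-id", r["user"], r["ws"],
                                 "generic account; activity cannot be tied to one person"))
            last_seen[key] = r["ts"]
            continue

        prev = last_seen.get(key)
        if prev is None:
            findings.append(("no-session", r["user"], r["ws"],
                             f"{r['event']} with no preceding LOGIN"))
        elif r["ts"] - prev > idle_limit:
            # The gap itself is the problem: the workstation sat logged on and
            # unlocked for longer than the automatic-logoff limit allows.
            findings.append(("idle-timeout", r["user"], r["ws"],
                             f"{r['ts'] - prev} idle before {r['event']}, no LOCK/LOGOFF"))

        if (r["event"] in PHI_EVENTS and r["user"] in schedule
                and r["patient"] not in schedule[r["user"]]):
            findings.append(("off-schedule", r["user"], r["ws"],
                             f"{r['event']} on {r['patient']}, not on today's schedule"))

        if r["event"] in SESSION_END:
            last_seen.pop(key, None)
        else:
            last_seen[key] = r["ts"]
    return findings


if __name__ == "__main__":
    for kind, user, ws, detail in review(parse_log(SAMPLE_LOG), SCHEDULE):
        print(f"{kind:13} {user:10} {ws:6} {detail}")
```

On the constructed log the review reports exactly the exam-room scenario from the visit: jsmith's session on EXAM1 sat idle for eight and a half minutes with no lock, and the next action on it was a view of a patient not on that clinician's schedule, which is what an unattended logged-on workstation makes possible. The front-desk login is flagged separately because a generic account leaves no individual to hold accountable. A real deployment would read the EHR's own audit export and pull the schedule from the practice-management system rather than embedding both.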
Visitor escorts should be enforced at all times. Even with a badge system for visitors, it is
critical that they are not given unsupervised access to areas with PHI. The most important
remediation effort is to train staff on the proper procedures for logging on and off computers and
to strictly enforce a visitor policy.
Failure to comply may result not only in regulatory actions, such as fines, but also in direct
business loss from lawsuits, damage to reputation and the loss of the public's trust. Organizations
that handle personal health information are expected to comply with HIPAA regulations or face stiff
fines. Civil penalties started at $100 per violation, originally capped at $25,000 per year for identical
violations; under the tiered structure introduced by HITECH they reach $50,000 per violation with an
annual cap of $1.5 million for violations of the same provision, and willful neglect is penalized at the
top of that scale. And if that isn't scary enough, knowing misuse of PHI is a criminal offense that can
carry prison time. So it is in everyone's best interest that HIPAA be followed, for the safety of our
patients and our careers. It is our role and responsibility to be the safe keepers of our patients'
private information.