This paper discusses the Health Insurance Portability and Accountability Act (HIPAA): both its privacy and security rules, and the essential elements and systems that must be in place for either rule to succeed. Violating the provisions of this health care act results in fines and/or up to ten years in prison, depending on the violation committed. The main purpose of HIPAA is to ensure that every individual’s health care information is protected, and with it each patient’s health and well-being.
Health Insurance Portability and Accountability Act
People all over the United States are required to share their personal information with physicians and other medical professionals. Fortunately, the health care environment guarantees patient confidentiality for all of their sensitive and health-related information. The United States Department of Health and Human Services (HHS) has developed several acts to ensure that all patients receive the medical confidentiality they deserve. One specific act is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act required HHS to develop regulations that would protect the privacy and security of certain health information. In the end, two separate rules were published: the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information. HIPAA is an important aspect of health care, especially when it comes to the safety of all patients (Andrews, 2010). Because the privacy and security rules of this act are strict, the consequences for violating them are extremely severe.
One of the more important rules of HIPAA is the privacy rule, which “establishes national standards to protect individuals’ medical records and other personal health information” (Summary of The HIPAA Privacy Rule 2003). This rule applies to health plans, health care clearinghouses, and health care providers that perform electronic health care transactions. Under the privacy rule, there are serious limits and safeguards that prevent anyone from sharing a patient’s medical information without proper patient authorization. Another crucial part of this rule is that patients have the legal right to review and examine their health records, as well as the right to request any corrections they consider necessary. This becomes important when a patient finds incorrect information in their file that the medical staff failed to notice, such as a birthdate or blood type. Having a patient review their own file is a common way that mistakes are corrected. To protect and enforce the privacy of patient medical records, several comprehensive programs are required through clinical information systems.
Three main clinical systems were created to protect the privacy of a patient’s medical records. The first, patient care systems, “stores information about a patient’s medical history, diagnoses, and treatment plans” (Glandon & Smaltz, 2008). The organizations that choose to provide this care are also responsible for making sure that each patient’s medical information is available only to those who are authorized to view it. Another clinical system is the public health information system. These systems support disease prevention and surveillance programs. Protecting public health is not a simple task; it requires knowing how to properly add and store health-related information about each individual. Without this system, any leakage of sensitive information could lead to discrimination in employment or insurance eligibility. The final clinical information system, the medical research information system, is responsible for studying patterns of certain diseases in specific populations by using patient records. Studying common patterns is a way to prevent the recurrence of fatal diseases and protect the health of others. Because most patient data is accessible to many investigators, information security measures must be taken to provide the necessary privacy. To establish this aspect of HIPAA, health care companies must assign responsibility for enforcing HIPAA’s guidelines to the proper unit of the health care department. Some companies rely on compliance or dedicated privacy offices to meet these obligations (Glandon & Smaltz, 2008). The fear of having no privacy can lead individuals to avoid treatments or clinical tests because they feel their medical records are not properly protected. This fear puts the health of others in danger and can lead to bigger and more dangerous issues in the future.
The other important aspect of the Health Insurance Portability and Accountability Act is the security rule, which “focuses on administrative, technical and physical safeguards specifically as they relate to electronic protected health information” (Yale University, 2013). With such critical information being stored electronically, the security rule is also responsible for protecting the system against any kind of failure, including unpredictable external events such as a fire or a power outage. These crucial files are usually copied to removable disks so that no files are lost. This type of information can be stored on computer hard drives, memory cards, any kind of removable digital memory media, or any transmission media that can be used to exchange information, such as the internet (HIPAA, 2013). Preventing unauthorized viewing of electronic protected health information (ePHI) can be difficult because of the variety of ways the information is stored. Overall, the major goal of the security rule is to allow the development of new technologies that improve the quality of care while protecting all the sensitive health information that is shared and documented (Summary of The HIPAA Security Rule 2003).
Several measures must be taken to secure all the different types of medical information. A proper security policy should include the following three elements: physical security, technical controls over access, and management policies (Glandon & Smaltz, 2008). These elements should be known by all staff and enforced by management. When it comes to the proper amount of physical security, there is no such thing as having too little or too much. The most common forms of physical security are hardware security and data file security. Hardware security measures defend computers from unauthorized access and from viruses reaching private files (Das, Kant, & Zhang, 2012). These are usually the first security step taken to enforce the security portion of HIPAA across medical records.
Another element that helps secure private files is technical safeguards. These safeguards include measures as simple as a password known only to authorized individuals, or encrypting records so that only the employees of a health care company are able to decrypt them. Creating audit logs is a great way to see who accessed specific patients’ information and when they did so. This gives any supervisor clear knowledge of who accesses what information. The final element that a security policy should provide is the enforcement of all management policies. These could include written company security policies that are available for employees to review at any time. Making sure that all employees are aware of all security policies is important to ensure the safety of all medical records. These policies can be addressed in employee training, which is another important part of any management position. Employee training is where all questions should be answered and all policies should be understood. Employees also need to be informed of the disciplinary actions that will follow if any part of the management policy is broken or disobeyed.
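To make the audit-log safeguard concrete, the following is an added example (not code from the paper or from any cited source) of a minimal ePHI access audit trail with the two questions a supervisor would ask of it: who opened a given patient’s record and when, and which accesses look wrong. It goes slightly beyond the paragraph by also checking each access against a care-team list (the "available only to those who are authorized to view it" requirement from the patient care systems discussion) and against business hours. The patient IDs, user names, roles, timestamps and care-team assignments are constructed sample data, and the `AccessEvent` record layout, the `CARE_TEAM` mapping and the business-hours window are assumptions of this example.

```python
"""Added example: a minimal ePHI access audit log with supervisor checks.

All records below are constructed sample data; the event layout, the care-team
mapping and the business-hours window are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime   # when the record was opened
    user: str             # authenticated user ID
    role: str             # job role at the time of access
    patient_id: str       # which patient record was accessed
    action: str           # e.g. "view" or "update"


# Constructed sample audit trail (not real data).
SAMPLE_LOG: List[AccessEvent] = [
    AccessEvent(datetime(2013, 3, 4, 9, 15), "dr.lee", "physician", "P-1001", "view"),
    AccessEvent(datetime(2013, 3, 4, 9, 40), "nurse.kim", "nurse", "P-1001", "update"),
    AccessEvent(datetime(2013, 3, 4, 23, 5), "billing.ray", "billing", "P-1001", "view"),
    AccessEvent(datetime(2013, 3, 5, 10, 0), "dr.lee", "physician", "P-2002", "view"),
    AccessEvent(datetime(2013, 3, 5, 10, 2), "temp.jo", "intern", "P-2002", "view"),
]

# Constructed care-team assignments: the users with a treatment reason to open
# each record. Anyone else opening it needs a documented justification.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"dr.lee", "nurse.kim"},
    "P-2002": {"dr.lee"},
}


def accesses_to_patient(log: List[AccessEvent], patient_id: str) -> List[Tuple[str, datetime]]:
    """Answer the supervisor's basic question: who opened this record, and when."""
    return [(e.user, e.timestamp) for e in log if e.patient_id == patient_id]


def flag_suspicious(
    log: List[AccessEvent],
    care_team: Dict[str, Set[str]],
    business_start: time = time(7, 0),
    business_end: time = time(19, 0),
) -> List[Tuple[str, str, List[str]]]:
    """Return (user, patient_id, reasons) for every access worth a supervisor's review.

    Two checks are applied: the user is not on the patient's care team, and the
    access happened outside the assumed business-hours window.
    """
    flagged: List[Tuple[str, str, List[str]]] = []
    for e in log:
        reasons: List[str] = []
        if e.user not in care_team.get(e.patient_id, set()):
            reasons.append("not on care team")
        if not (business_start <= e.timestamp.time() < business_end):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((e.user, e.patient_id, reasons))
    return flagged


if __name__ == "__main__":
    for user, when in accesses_to_patient(SAMPLE_LOG, "P-1001"):
        print(f"P-1001 opened by {user} at {when:%Y-%m-%d %H:%M}")
    for user, patient, reasons in flag_suspicious(SAMPLE_LOG, CARE_TEAM):
        print(f"REVIEW: {user} -> {patient}: {'; '.join(reasons)}")
```

Each flagged entry is a prompt for a supervisor to ask for a justification, not a verdict: a billing clerk may have a legitimate reason to open a record after hours, but the log is what makes that conversation possible.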
There are always repercussions for breaking the rules, and HIPAA imposes several consequences on those who disobey it. There is a general penalty “for failure to comply with requirements and standards” (Penalties Under HIPAA, 2013). This is the more common penalty; it requires the person who violated the rules to pay one hundred dollars for each violation, and the total may not exceed $25,000 within a one-year period. The other offense, which covers any “wrongful disclosure of individual identifiable health information” (Penalties Under HIPAA, 2013), carries heavier penalties. It includes situations where an individual shares another individual’s health information with an unauthorized person. Obtaining another individual’s medical information when it is not needed or requested for a specific medical reason is also covered by this offense. At the first level, the violator is fined no more than $50,000 and/or imprisoned for up to one year. If the offense is committed under false pretenses, the violator is fined no more than $100,000 and/or imprisoned for up to five years. The biggest penalty applies if the offense is committed with the intention of selling an individual’s medical record for some advantage. In this case the violator is fined no more than $250,000 and/or imprisoned for no more than ten years. Because the information protected under HIPAA is invaluable and incredibly sensitive, legislators made sure to implement punishments that will hopefully deter potential wrongdoers from breaking the law.
Unfortunately, the severe consequences that the Health Insurance Portability and Accountability Act imposes do not deter everyone. The Health Insurance Portability and Accountability Act is still the most effective act, and it helps to protect the privacy of individually identifiable health information as well as to secure electronic protected health information. The more closely the proper elements of both the privacy and security rules are followed, the more successful HIPAA will be.
Andrews, J. (2010). What Are Some Pros & Cons Of HIPAA. Retrieved from http://www.livestrong.com/article/75368-pros-cons-hipaa/
Das, S., Kant, K., & Zhang, N. (2012). Hardware and Security: Vulnerabilities and Solutions. In Handbook on Securing Cyber-Physical Critical Infrastructure (pp. 305-326). Waltham, MA: Elsevier Inc.
Glandon, G. L., & Smaltz, D. H. (2008). Austin and Boxerman’s Information Systems for Healthcare Management (7th ed.) (pp. 118-127). Chicago: Health Administration Press.
HIPAA. (2013). West Virginia State Privacy Office. Retrieved from http://www.privacy.wv.gov/HIPAA/Pages/default.aspx
Penalties Under HIPAA. (2013). UC Davis Health System: Compliance Program. Retrieved from http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html
Summary of The HIPAA Privacy Rule. (2003). United States Department of Health and Human Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Summary of The HIPAA Security Rule. (2003). United States Department of Health and Human Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Yale University. (2013). Security. Health Insurance Portability and Accountability Act. Retrieved from http://hipaa.yale.edu/security