In the health care business, certain standards and laws have been put in place to protect patients and their personal health information. When a health care facility fails to protect its patients’ confidential information, the US Government may get involved, and the facility may be forced to pay large fines and risk damaging its reputation. The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996. The Act was put into place to improve the efficiency and effectiveness of the health care system. The HIPAA law includes a Privacy Rule and a Security Rule.
Hospitals, doctors, and employees in the medical field are expected to adopt the national standards and to keep patient information confidential. When a hospital or medical employee fails to meet the standards set, lawsuits can follow and the organization can be fined large sums of money for the incident. The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information; it applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The Privacy Rule requires appropriate safeguards to protect personal health information. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records. The Security Rule protects individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA standards.
When a complaint is filed, it is the job of the OCR to investigate. OCR may also conduct compliance reviews to determine whether a health organization is complying with the HIPAA laws. When the OCR accepts a complaint from an individual, it notifies the person and the covered entity named in it. Both parties then submit information about the incident, and the OCR reviews that information to determine whether a violation has occurred. When a violation has been proven, the US Government imposes a fine that it deems appropriate.
When health organizations such as private medical practices, hospitals, and clinics fail to meet the standards described in the HIPAA Act, investigations, bad press, and fines are sure to follow. A number of cases in the past few years have been investigated for HIPAA violations. One of the more recent and highly publicized cases was that of Massachusetts General Hospital (MGH). On March 6, 2009, it was reported that an employee of MGH had removed from the hospital’s premises a folder of documents that included the protected health information (PHI) of approximately one hundred and ninety-two patients.
The employee had removed the folder from the hospital’s medical records room so that she could take her work home and complete some paperwork. The files contained billing encounter forms listing the patients’ names, dates of birth, Social Security numbers, addresses, phone numbers, and medical record numbers; their diagnoses and proposed courses of treatment; and their providers’ names, addresses, and phone numbers.
The folder also contained the practice’s daily office schedule for three days and the medical record numbers of 192 patients. The employee knew she was not permitted to remove this confidential information from the hospital premises; in doing so, she violated the HIPAA law. On March 9, 2009, the employee who had removed the documents was commuting to work on a subway train. According to the complaint that was filed, she took the folder containing the documents out of her bag and placed it on the seat beside her.
The documents were not in an envelope; they were bound only by a rubber band. Upon exiting the train, the MGH employee left the documents behind, and they were never recovered. The incident was later reported to the Office for Civil Rights (OCR) by a patient whom the hospital had informed that his medical records had been lost by an employee who left them on a subway train. The 192 patients involved had been patients of the hospital’s Infectious Disease outpatient practice, which includes HIV/AIDS patients. The fact that the affected patients were potentially AIDS patients made the violation that much more serious. Investigators had to take into account that these people’s medical records had been lost, and that those records contained their phone numbers, addresses, and possibly their places of employment. If the documents had fallen into the wrong hands, the potential for destroying the patients’ lives was very high.
Had a person with malicious intent gotten hold of their information, they could have harassed the patients and spread their personal information around, with devastating consequences. The Office for Civil Rights began its investigation of Massachusetts General following the March 2009 complaint. Because of the potential violations MGH faced, it agreed to pay the United States Government $1,000,000 to settle potential fines. MGH is one of the nation’s largest and oldest hospitals.
The hospital is highly regarded and respected, and many hospitals took notice when the investigation into possible HIPAA security law violations began. In addition to agreeing to pay the United States Government one million dollars, the hospital and the General Hospital Corporation agreed to sign a Resolution Agreement with the United States Department of Health and Human Services (HHS). The agreement required the hospital to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients.
In signing this Resolution Agreement, HHS hoped that other hospitals and clinics throughout the nation would recognize that the OCR is very serious about investigating every claim filed with it. The OCR wants other hospitals to see that if a violation has occurred and a patient’s privacy has been breached, there will be consequences. The OCR wanted to make an example of Massachusetts General Hospital. In addition to the fine and the Resolution Agreement, OCR and HHS asked MGH to enter into a Corrective Action Plan.
HHS wanted not only to hold the hospital and its employees responsible and make an example of them, but also to have the hospital raise the awareness of its employees. The Corrective Action Plan (CAP) required the hospital to develop and implement a comprehensive set of policies and procedures to ensure that patients’ protected health information is safeguarded when removed from the hospital’s premises, and to ensure that employees were trained and informed of the new policies and procedures so that future mistakes could be prevented.
The hospital was also required to have the Director of Internal Audit Services of Partners HealthCare System Inc. serve as an internal monitor who would assess MGH’s compliance with the CAP and render semi-annual reports to HHS for a three-year period. The mistake of one person caused many changes in MGH’s system. It was a costly mistake, but ultimately it has helped the United States Government make hospitals aware that if the standards set are not followed, there will be consequences.
The HIPAA laws are meant to protect patients. Even government officials and the employees of MGH are someone’s patients, and they too would want their privacy respected. Hospitals across the nation, private practices, doctors, and health care facilities should take notice; they need to make sure their employees are trained and informed of the policies and procedures regarding patient privacy and security. Every hospital in the nation should raise its own standards above the ones set for it.
Patients will take notice and be more appreciative and trusting when receiving care. In conclusion, this HIPAA violation could possibly have been prevented had MGH implemented the Corrective Action Plan from the beginning. The hospital should have had a training program that all employees were required to complete before starting work. Had the employee who left the documents on the subway been through a class on HIPAA laws and the correct way of handling PHI, the incident might never have occurred.
Hospitals should hold such a class as part of the hiring process to thoroughly train their employees on this issue. It would serve as a preventive measure and save the hospital from large fines in the future.