As more technology is applied to the running of hospital systems, the risk associated with those technological applications increases as well. The electronic health record is considered one of the most basic but vital systems in a hospital, and a great number of hospitals already have some form of system managing their records. From a regulatory perspective, these records hold a great deal of private information that has to be kept private. The Health Insurance Portability and Accountability Act (HIPAA) was set up to ensure that health facilities remain accountable for how patients and the patient records under their care are handled. Any violations are examined by the Department of Health and Human Services, and a resolution is reached between the two parties. This paper looks at some of the resolutions reached after violations of HIPAA and at the plans healthcare organizations need to put in place to ensure compliance with these information standards at all times.
In July 2020, Lifespan ACE entered into a Resolution Agreement with the Department of Health and Human Services. It is alleged that the facility violated the section of HIPAA relating to the theft of devices. Lifespan had reported the loss of a company laptop that led to unauthorized access to thousands of patient records, exposing the private information of its patients. An investigation by the Office for Civil Rights (OCR) determined that, although the theft itself was outside the facility's control, the facility had not followed the HIPAA guidelines that require health facilities to encrypt their mobile devices so that, even in the event of theft, patient data is not compromised (Department of Health and Human Services, 2020). The OCR determined that Lifespan ACE had breached HIPAA rules.
As a result of this breach of the rules relating to electronic Protected Health Information (ePHI), the health facility was given a financial penalty and had to pay $1,040,000 to the OCR for the privacy breach. The institution also agreed to enhance its device and media controls to ensure that ePHI stored on any of the mobile devices in its care remains safe even in the event of theft or loss of the device (Department of Health and Human Services, 2020). A two-year monitoring period was also prescribed for the organization as part of the penalty imposed.
To ensure that ABC healthcare facility does not suffer from the same issues raised above, a health system improvement plan that is compliant with federal standards needs to be put in place. A 3-month timeline can be given to allow every department to standardize its reporting documents and to train staff adequately on how to report and document issues. Federal initiatives push organizations to adopt certain transaction standards, and standard code sets for those transactions, in order to achieve HIPAA compliance. The latest HIPAA transaction standards that ABC healthcare will be implementing are ASC X12N version 5010 together with NCPDP D.0, which is normally used in pharmacy transactions (CMS, 2016b; Wager, Lee & Glaser, 2017). The timeline will be monitored for compliance with HIPAA standards, after which a second 3-month timeline can be given to allow compliance with the Centers for Medicare and Medicaid Services standards. These standards include the "NCPDP's SCRIPT Standard for e-Prescribing, ASC X12N standard for Health Care Eligibility Benefit and Response, and NCPDP's telecommunications standard" (Wager, Lee & Glaser, 2017). Once these standards are met, ABC healthcare will be in a better position to serve its clients and to collaborate with other relevant institutions much more easily.
An efficient risk analysis strategy for ABC healthcare facility would be one that is proactive rather than reactive. A proactive approach involves looking at the issues as part of a larger healthcare ecosystem rather than simply advocating for patient safety or minimal legal exposure for the facility (NEJM Catalyst, 2018). The components of the proactive risk management strategy shall include education and training of staff on standards and regulations, and procedures for documenting and responding to patient complaints. The strategy will also include a communication plan with clear guidelines on what needs to be done and by whom, to prevent confusion and promote order during emergencies as well as normal operations. A contingency plan shall also be included to cater for events such as pandemics, terror attacks, or long-term power loss, among others. The contingency plan will outline the standards to be followed and the team responsible for implementing them.
The use of ePHI has come a long way and has enabled the healthcare system to grow significantly. Through regulations such as HIPAA, the healthcare authorities are working to ensure that healthcare organizations abide by acceptable standards of operation, thereby ensuring both the safety of patient information and the quality of their outcomes. In the event that an organization breaches these regulations, it can enter into a resolution with the OCR, after which a penalty may be imposed in a bid to encourage better performance in future. This is all done with the interests of the patient in mind, as the government always acts in the public interest.
References
Department of Health and Human Services (2020). Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach. HHS. https://www.hhs.gov/about/news/2020/07/27/lifespan-pays-1040000-ocr-settle-unencrypted-stolen-laptop-breach.html
NEJM Catalyst (2018). What Is Risk Management in Healthcare? Innovations in Care Delivery. https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0197
Wager, K. A., Lee, F. W., & Glaser, J. P. (2017). Health care information systems: A practical approach for health care management (4th ed.). Retrieved from https://www.vitalsource.com