Wednesday, May 22, 2019

Hipaa Violation

Course Project Rough Draft
MGH HIPAA violation case
Jennifer Brummage
Medical Law and Ethics

In the health care business, there are certain standards and laws that have been put in place to protect our patients and their personal health information. When a health care facility fails to protect its patients' confidential information, the US Government may get involved, and facilities may be forced to pay huge sums of money in fines and risk damaging their reputation. The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996. This Act was put into place in order to improve the efficiency and effectiveness of the health care system. The HIPAA law includes a Privacy Rule and a Security Rule. Hospitals, doctors, and employees in the medical field are expected to adopt these standards and aim to keep patient information confidential. When a hospital or medical employee fails to meet the standards set, lawsuits can ensue and they can be fined large sums of money relating to the incident.

The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires appropriate safeguards to protect personal health information. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records.

The Security Rule protects individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA standards.
When a complaint is filed, it is the job of the OCR to investigate. OCR may also conduct compliance reviews to determine if the health organization is in compliance with the HIPAA laws. When the OCR accepts a complaint from an individual, it will notify the person and the covered entity named in it. Then both parties will submit information about the incident. The OCR will review the information to determine whether or not a violation has occurred. When violations have occurred and have been proven, the US Government will impose a fine that it sees as appropriate. When health organizations such as private medical practices, hospitals, and clinics fail to meet the standards described in the HIPAA act, investigations, bad press, and fines are sure to follow.

There have been a number of cases in the past few years that have been investigated for HIPAA violations. One of the more recent and highly publicized cases was that of Massachusetts General Hospital (MGH). On March 6, 2009 it was reported that an employee of MGH had removed from the hospital's premises a folder of documents that included the private healthcare information (PHI) of approximately one hundred and ninety two patients. The employee had removed the folder from the hospital's medical records room so that she could bring her work home with her in order to complete some paperwork.

The files included billing encounter forms that contained the names of the patients, their dates of birth, social security numbers, addresses, phone numbers, medical record numbers, the patients' diagnoses and proposed course of treatment, and their provider and the provider's address and phone numbers. The folder also contained documents that included the practice's daily office schedule for three days and the medical record number for 192 patients.

The employee was aware that she was not permitted to remove this confidential information from the hospital premises.
In doing so, she violated the HIPAA law. On March 9, 2009, the employee who removed the documents from the hospital was commuting to work on a subway train. According to the complaint that was filed, the employee had removed the folder containing the documents from her bag and placed it on the seat beside her. The documents were not in an envelope and they were bound only by a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train. The documents were never recovered.

This incident was later reported to the Office for Civil Rights (OCR) by a patient who was informed by the hospital that his medical records had been lost by an employee who left them on a subway train. The one hundred and ninety two patients involved had been patients of the hospital's Infectious Disease outpatient practice, which includes HIV/AIDS patients. The fact that the patients involved in this case were potentially AIDS patients made the violation that much more serious. Investigators had to take into account that these people had their medical records lost, and in those records were their phone numbers and addresses and perhaps their place of employment. If these documents fell into the wrong hands, the potential for destroying the patients' lives was very high. Had a person with malicious intent gotten hold of their information, they could have harassed the patients and possibly spread their personal information around, which could have had devastating consequences.

The Office for Civil Rights began its investigation of Massachusetts General following the March 2009 complaint. Because of the potential violations that MGH faced, it agreed to pay the United States Government $1,000,000 to settle potential fines. MGH is one of the nation's largest and oldest hospitals. The hospital is highly regarded and respected, and many hospitals took note when the investigation into possible HIPAA security law violations began.
In addition to agreeing to pay the United States Government one million dollars, the hospital and the General Hospital Corporation agreed to sign a Resolution Agreement with the United States Department of Health and Human Services (HHS). The agreement required that the hospital develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. In signing this resolution agreement, HHS hoped that other hospitals and clinics throughout the nation would recognize that the OCR is very serious about investigating every claim that is filed with it. The OCR wants other hospitals to see that if a violation has occurred and a patient's privacy has been violated, there will be consequences. The OCR wanted to make an example out of Massachusetts General Hospital.

In addition to the fines and the signing of the resolution agreement, OCR and HHS asked MGH to enter into a Corrective Action Plan. HHS wanted the hospital and its employees not only to be held responsible and made an example of; it also wanted the hospital to raise the awareness of its employees. The Corrective Action Plan (CAP) was designed to develop and implement a comprehensive set of policies and procedures that ensure the patients' private health information is protected when removed from the hospital's premises. It was to ensure that the employees were trained and informed of the new policies and procedures so that future mistakes could be prevented. The hospital was also required to have the Director of Internal Audit Services of Partners HealthCare System Inc. serve as an internal monitor who will conduct assessments of MGH's compliance with the CAP and render semi-annual reports to the HHS for a 3 year period.
It was the mistake of one person that caused so many changes in MGH's system. It was a costly mistake, but ultimately it has helped the United States Government make hospitals aware that if the standards set are not followed then there will be consequences. The HIPAA laws that are set in place are meant to protect patients. Even the US Government and the employees of MGH are someone's patients, and they would also want their privacy respected. Hospitals across the nation, private practices, doctors and healthcare facilities should take notice; they need to make sure their employees are trained and informed of the policies and procedures regarding patients' privacy and security. Every hospital in the nation should raise its own standards so that they are above the ones set for it. Patients will take notice and be appreciative and more trusting when receiving care.

In conclusion, this HIPAA violation could have possibly been prevented had MGH implemented the Action Plan in the beginning. The hospital should have had a program that all employees were required to take prior to starting work with the hospital. Had the employee who left the documents on the subway been through a class on HIPAA laws and the correct way of handling PHI, maybe the incident never would have occurred. Hospitals should hold a class as part of the hiring process to thoroughly train their employees on this issue. It could be used as a preventive measure and save the hospital from large fines in the future.

References
* FierceHealthcare.com, HIPAA violations. Feb 25 2011 (54198)
* HHS.gov. News Release MGH HIPAA violation. Feb 24 2011
* US Department of Health and Human Services. HIPAA Law, July 19, 2011
* Zigmond J, Modern Healthcare, ISSN 0160-7480, 2011 Feb 28 Vol. 41 (9), pp. 13
* http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
