Protecting patient privacy in health care is more than a moral obligation; it is the law. The law requires health care facilities and providers to have measures in place to safeguard against a security breach of all patients’ protected health information. Health care organizations and providers have to face the fact that violations of protected health care information happen; knowing how to minimize the chances for violations and breaches in security is key. This paper will review a security breach scenario from St. John’s Hospital (University of Phoenix) and address how companies should respond in the event of a security breach, necessary staff training, and implementation of a successful management plan.

The Scenario
St. John’s Hospital had sound policies and procedures in place to protect confidential client information and served as a model for other institutions within their area. In one area of the hospital, the IS department, which has restricted access, printouts have been discarded without being shredded. Employees of the IS department, who were working late, witnessed cleaning staff reading these printouts.

The Problem
A health care facility or provider that submits claims electronically is subject to HIPAA. HIPAA’s federal privacy regulations protect patient medical records and other identifiable health information created or received by a health care entity (Coons, JD, 2001). Discarding printouts that contain protected or confidential information in a manner that leaves the information open to viewing constitutes a potential violation of the HIPAA regulations set by federal law. The employees of the cleaning staff who are reading the information in the reports represent a breach in security.
This is based on the fact that they have no need to see, use, or have access to this information. The nature of their role and responsibilities, to complete their tasks, is not centered around the use of this information; therefore the company is responsible for any misuse of the PHI contained in these reports. A security breach is an impermissible use or disclosure of protected information under the Privacy Rule that compromises the security or privacy of protected health information (PHI) (U.S. Department of Health & Human Services, n.d.). In order for St. John’s Hospital to know the extent of the security breach, St. John’s needs to perform a risk assessment, taking into consideration the following factors set forth by the U.S. Department of Health & Human Services.
1. The type of PHI involved, including patient identifiers.
2. The unauthorized employee or person who used the PHI.
3. Was the PHI acquired or taken out of the facility, or was it only viewed?
4. Was the risk to the PHI mitigated and, if so, how?
For the purpose of this paper, the risk assessment identified a security breach.

Responding to the breach
In the scenario, management has a moral and legal obligation to respond to the security breach and ensure that it does not happen again, understanding “healthcare information security and privacy is a major ethical and legal issue. In particular, the moral principle of personal autonomy suggests that individuals have the right to control all matters related to their own body, including their personal health information. This directly translates into public expectations and legal requirements that health care providers shall secure the privacy and confidentiality of patients’ health records” (Kamoun, 2014). At first consideration, one may think all St. John’s needs is to shred the reports, and the problem is solved. A shredder is a good place for management to start; however, it is not all that the organization must consider. St. John’s Hospital needs to perform a risk assessment as identified in “The Problem” section of this paper.
The organization also needs to review the policies and procedures and to develop and provide updated employee education on HIPAA, security breaches, and what to do if a violation occurs. The organization and department managers should also re-introduce the organization’s code of ethics, identifying the employee’s moral and legal responsibilities. The manager must also have a clear, comprehensive management plan to ensure continued PHI security. Managing threats to PHI is more difficult today than in the past. Understanding where these threats come from is the first step in being able to prevent a breach through implementing policies and processes for mitigation. Three of the main risks that contribute to a security breach of PHI are lost or stolen computers and equipment, internal misuse of data both intentional and unintentional (as in our scenario), and threats from computer and IT system hackers (Paster, 2013).

Education and Training
St. John’s IT department manager should start with educating their staff in what to do if they see a breach in security with PHI. HIPAA security standards require policies and procedures that govern the receipt and removal of electronic data both internally and externally (Coons, JD, 2001). All employees of the organization need to be educated on HIPAA; they all have a moral and legal responsibility to know and understand what constitutes PHI and what a security breach is. It is the responsibility of the senior leaders and department managers to have or develop policies and procedures that prevent, detect, contain, and correct any security violation within the organization (Coons, JD, 2001). Employees need to be educated on what their moral and legal responsibility is when they see a potential for or an actual violation of PHI. The organization needs to be clear and consistent with the processes and policies of discipline of employees who violate HIPAA. This should be part of the mandatory yearly education required of all employees.
Every manager needs to have a plan for maintaining or updating policies and procedures as regulations and the health care industry change. Managers are responsible for maintaining mandatory employee education on a routine basis; this should include new employee orientation, changes to policies and procedures, changes to HIPAA and other federal regulations, and how to deal with data safeguards and security breaches. Another important part of a manager’s responsibilities should include a walkthrough of the department, looking for possible areas where PHI could potentially be vulnerable to others who have no reason to see it. This will ensure no PHI is exposed to employees, vendors or customers that do not have a need to use or see the information.
The management plan must also contain a process to address security incidents to use in future prevention planning (Coons, JD, 2001). One important process to include is the breach notification requirements, where the organization is required to notify affected individuals of such a breach and, dependent on the number of persons affected, there may need to be media announcements and a notice to the Secretary through HHS at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. It is also important to note that covered entities are required to comply with specific administrative requirements by providing proof of written policies and procedures regarding breach notifications and employee training.
Managing threats to PHI is more difficult today than in the past. Understanding where these threats come from is the first step in being able to prevent a breach through implementing policies and processes for mitigation. At the core of HIPAA are patient privacy and the protection of PHI. Health care facilities and providers need to have measures in place to safeguard against a security breach of any patient’s protected health information. Organizations are required to have specific policies and procedures in place to ensure a security breach does not happen. Even as organizations like St. John’s have policies and procedures in place to minimize the potential for a security breach, security breaches occur. Providing employees with the necessary training and education, in addition to having a solid management plan, will help to minimize a breach. The management plan needs to be all-encompassing to cover routine monitoring and education.
If St. John’s Hospital had sound policies and procedures in place to protect confidential client information and served as a model for other institutions within their area, it is safe to say that the focus needs to be placed on education of employees, in particular what their responsibility is when they witness a breach in security of PHI. Organizations should also have a code of ethical conduct that identifies the expectation of all employees, vendors, suppliers and contracted personnel in making the protection of HIPAA and PHI their top priority, understanding how even an action as innocent as a discussion of a patient in non-private areas puts PHI at risk. Organizations that make security of PHI the responsibility of everyone vs. one department or area are more likely to successfully minimize the risk or potential of a security breach; this is what all health care organizations and providers should strive for.
Coons, JD, L. R. (2001, May). Security Breaches: Tips for Assessing and Limiting Your Risks. The Journal of Medical Practice Management, 3(1), 385-388.

Kamoun, F. (2014, January). Human and Organizational Factors of Healthcare Data Breaches: The Swiss Cheese Model of Data Breach Causation and Prevention. International Journal of Healthcare Information Systems and Informatics, 9(1), 42.

Paster, M. (2013, July). Avoiding health data breaches: A comprehensive security plan. Retrieved from http://healthitsecurity.com/2013/07/24/avoiding-health-data-breaches-a-comprehensive-security-plan/

Rhodes, MBA, RHIA, CHPS, CPHIMS, FHIMA, H. (n.d.). Developing Breach Notification Policies and Procedures: An Overview of Mitigation and Response Planning. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673

U.S. Department of Health & Human Services. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/