Administrative Ethics Paper
HCS335
April 17th, 2011

Administrative Ethics Paper

Organizations today are constantly under watch because of the Health Insurance Portability and Accountability Act (HIPAA). An organization must take specific measures to protect an individual's private health information. As technology advances, that protection has become increasingly difficult, and covering all the bases and guidelines set forth by HIPAA requires sustained effort. A major concern of the federal government is any intended or unintended breach of HIPAA regulations. Along with HIPAA came the creation of the Privacy Rule.
The Privacy Rule, according to Mir (2011), "restricts the use and disclosure of health information except by the individual, persons granted access by the individual, or as authorized and required by the privacy rule" (p. 11, para. 2). In 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. The reach of HIPAA was growing quickly, and that growth was completed with the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the ARRA. This expansion covers not only health care providers and health care organizations but also those organizations' business associates.
Everyone within an organization is responsible for protecting health information, and the Office for Civil Rights (OCR) has no hesitation in enforcing these guidelines, especially if a breach of information occurs and the organization does not report it (Boerner, 2009).

Issue and impact

A breach of any kind of patient information can be costly to the individual and to the entire organization. A breach is a devastating event for all parties involved, especially for the individual whose privacy has been violated. Misuse of a patient's information can damage that patient's life and can even become deadly.
Individuals steal medical information and use it for their own purposes, corrupting the patient's medical record. A corrupted record can lead to wrong diagnoses and the administration of wrong medications, which can be detrimental to the patient's health. The issue does not affect only the patient; it also affects the organization, which evidently lacks the provisions necessary to protect a patient's information. If the organization suffers a breach of patient information, the affected individuals must be notified without unreasonable delay, and the breach must be reported to the OCR. A breach of patient information undermines an organization's trust and reputation within the community.
The article by Angela K. Dinh, "Breach Notification Rule: Where Are We?", explains the ramifications of a breach and the damage a breach can cause.

Facts

The highly respected Ponemon Institute provides research data regarding patient privacy and data security. The institute's latest research states that more than 69% of health care organizations do not regard protecting patient information as a main priority. To bring this issue into reality, the OCR reported that as of November 2010 the information of more than five million patients had been affected by breaches.
Of the more than 190 reported incidents, approximately 185 resulted from theft, loss, or unauthorized access. These figures are staggering: the financial impact for one organization alone exceeded two million dollars, and the Ponemon Institute estimates the financial liability across all United States hospitals at approximately $12 billion (Dinh, 2011). To comprehend the implications of the OCR's fines, a health care organization must understand the importance of the patient's right to protected health information and the ramifications of a breach.
Recently the OCR penalized two prestigious health care organizations: Massachusetts General Hospital paid a settlement of one million dollars, and Cignet Health of Maryland received a civil money penalty of $4.3 million. The financial costs do not stop at the penalty. The organization must bear the cost of putting corrective actions in place, and the loss of trust within the community is financially damaging for years to come (Means, 2011). Health care organizations must recognize the three events that can bring about an audit by the OCR.
The first is any breach, or a complaint of a breach. The second is a complaint of a privacy violation made by an employee or a patient. The third is the organization filing an application for its economic stimulus payments. The organization must then provide proof that it is compliant with all HIPAA regulations and that staff education on all policies and procedures is up to date. If any of these three red flags goes up, the OCR will investigate and audit the organization for compliance (Posa & Terry, 2011).

Ethical and legal issues
An organization plays a role in society as an honorable facility whose purpose is to heal, to protect, and to cause no harm. A breach can be extremely harmful to both the patient and the organization. Any breach of confidentiality is both an ethical and a legal issue. The organization is trusted with a patient's information and is obliged to protect it. Protected Health Information (PHI) may be released only within the limits the Privacy Rule sets. If an organization does suffer a breach of any patient's confidential information, it has opened the door for the OCR to come in and perform an audit.
If the organization is found responsible for a breach, the fines can be severe and financially debilitating.

Managerial responsibilities

Managers are responsible for promoting the organization's mission. Ensuring that staff training is appropriate and that every staff member understands all HIPAA rules and regulations can be difficult. Provisions and guidelines require that all staff be educated and tested yearly on HIPAA guidelines. Signed documentation from every staff member is necessary to confirm that each individual understands and acknowledges HIPAA regulations and the consequences of violating them.
Because confidentiality is central to the organization's integrity, managers must see that staff follow the rules and regulations set forth by the federal government. Fines for any kind of breach are hefty and could be financially debilitating to any organization. Managers need to make sure that new employees undergo background checks and sign confidentiality agreements. A security plan must be in place, and activity should be monitored frequently. Limiting access keeps employees from viewing personal information that is not necessary for their specific job duties.
Managers need to require that all workstations be locked and cleared of patient information when unattended. A compliance officer should be available, with a secure voice mailbox, so that staff can report any non-compliance issue, including a breach of security. This officer, together with an ethics committee, is to investigate any alleged instance thoroughly and report to all involved without delay if a breach has occurred (Posa & Terry, 2011). Another way for management to uphold the guidelines and protect the organization and its consumers from a breach of information is to conduct a risk analysis.
A risk analysis helps the organization recognize the threats to, the vulnerabilities of, and the controls over both internal and external systems. Figure 1 (see Illustrations) shows examples of the categories of controls that provide protection against an attack on an organization. Deterrent controls reduce the likelihood of a deliberate attack. Preventive controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Corrective controls reduce the effect of an attack once it has occurred. Detective controls discover attacks and trigger the preventive and corrective controls that stop them.
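The limited-access, monitoring, and control ideas above can be made concrete in code. The following Python program is an added illustration for this paper, not code from the paper or from any of its cited sources. It enforces a "minimum necessary" rule (a preventive control: each role may see only certain PHI fields, and only for patients the user is assigned to), records every access attempt in an audit trail, scans that trail for users with repeated denials (a detective control), and suspends the flagged users (a corrective control). The roles, permitted fields, patient records, and user names are constructed, hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Which PHI fields each role may see. Hypothetical policy constructed for this
# example; a real one comes from the organization's minimum-necessary analysis.
ROLE_FIELDS = {
    "physician": frozenset({"name", "dob", "diagnosis", "medications"}),
    "billing": frozenset({"name", "dob", "insurance_id"}),
    "front_desk": frozenset({"name", "dob"}),
    "suspended": frozenset(),  # corrective state: no access at all
}

# Constructed sample records for fictional patients.
PATIENTS = {
    "P001": {"name": "A. Example", "dob": "1970-01-01", "diagnosis": "asthma",
             "medications": "albuterol", "insurance_id": "INS-001"},
    "P002": {"name": "B. Example", "dob": "1985-05-05", "diagnosis": "hypertension",
             "medications": "lisinopril", "insurance_id": "INS-002"},
}


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str]  # patients this user has a work reason to see


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    fields: Tuple[str, ...]
    allowed: bool
    reason: str


class PhiStore:
    """PHI repository with preventive access checks and a complete audit trail."""

    def __init__(self, patients: Dict[str, Dict[str, str]]):
        self._patients = patients
        self.audit: List[AuditEvent] = []

    def read(self, user: User, patient_id: str, fields) -> Dict[str, str]:
        """Return only the requested fields, and only if role and assignment permit."""
        requested = frozenset(fields)
        permitted = ROLE_FIELDS.get(user.role, frozenset())
        if patient_id not in self._patients:
            allowed, reason = False, "unknown patient"
        elif patient_id not in user.assigned_patients:
            allowed, reason = False, "no assignment to patient"
        elif not requested <= permitted:
            extra = ",".join(sorted(requested - permitted))
            allowed, reason = False, f"fields outside role: {extra}"
        else:
            allowed, reason = True, "ok"
        # Every attempt, allowed or denied, is logged: detection needs the denials.
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user.user_id, patient_id,
                                     tuple(sorted(requested)), allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        record = self._patients[patient_id]
        return {f: record[f] for f in sorted(requested)}


def users_with_repeated_denials(audit: List[AuditEvent], threshold: int = 2) -> List[str]:
    """Detective control: users whose denied attempts reach the threshold."""
    counts: Dict[str, int] = {}
    for event in audit:
        if not event.allowed:
            counts[event.user_id] = counts.get(event.user_id, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def suspend(users: List[User], flagged: List[str]) -> List[str]:
    """Corrective control: suspend flagged users pending compliance-officer review."""
    for user in users:
        if user.user_id in flagged:
            user.role = "suspended"
    return [u.user_id for u in users if u.role == "suspended"]


def run_demo():
    """A physician reads an assigned patient; a front-desk clerk probes records."""
    store = PhiStore(PATIENTS)
    doctor = User("dr_smith", "physician", frozenset({"P001"}))
    clerk = User("clerk_jones", "front_desk", frozenset({"P001"}))
    allowed = store.read(doctor, "P001", ["name", "diagnosis"])
    denied = []
    for pid, flds in [("P001", ["diagnosis"]), ("P002", ["name"]), ("P002", ["dob"])]:
        try:
            store.read(clerk, pid, flds)
        except PermissionError as exc:
            denied.append(str(exc))
    flagged = users_with_repeated_denials(store.audit)
    suspended = suspend([doctor, clerk], flagged)
    return allowed, denied, flagged, suspended


if __name__ == "__main__":
    print(run_demo())
```

The detective check here is deliberately simple (a count of denials per user); in practice the compliance officer would also review allowed accesses, for example a user reading far more records than peers in the same role, since a breach by an insider with legitimate access leaves no denials at all.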
Supporting the proposed solution

An organization needs to understand its limitations when protecting the information of its consumers. Without this understanding and without prevention, it is left open to enormous fines and to a threat to its standing in the community. Trust is essential: a community must be able to trust an organization, or the organization will fail both itself and the community. The OCR is watching and is ready to investigate every alleged complaint of a breach. An organization must be ready to show that it has sound provisions, policies, and procedures in place that protect both itself and the consumer.
This will also protect the integrity and the financial future of the organization.

Conclusion

An organization must have preventive policies and procedures in place to protect itself from any breach of consumer information. Managers must uphold these guidelines and enforce them to protect the honor and reliability of the organization. Staff must be honest and follow these guidelines. Any unlawful or unintentional breach of privacy must be reported immediately for investigation by both the compliance officer and the ethics committee.
Failing to report any suspicion of a breach of privacy, no matter how small, could bring about an OCR audit and can be financially damaging to any organization.

Illustrations

Figure 1. Simple rational model. Online image. Retrieved from http://www.security-risk-analysis.com/introduction.htm

References

Boerner, C. M. (2009). Breach Notification, New Regulations, and HIPAA Privacy and Security. Journal of Health Care Compliance, 11(6), 25-69. Retrieved from EBSCOhost.
C & A Security Risk Analysis Group. (2003). Introduction to risk analysis. Retrieved from http://www.security-risk-analysis.com/introduction.html
Dinh, A. K. (2011). Breach Notification Rule: Where Are We? Journal of Health Care Compliance, 13(2), 43-73. Retrieved from EBSCOhost.
Means, C. (2011, April 5). Five insights on what OCR privacy fines mean for providers. HITECH Watch. Retrieved from http://www.hitechwatch.com/story/five-insights-what-ocr-privacy-fines-mean-providers
Mir, S. S. (2011). HIPAA Privacy Rule: Maintaining the Confidentiality of Medical Records, Part I. Journal of Health Care Compliance, 13(2), 5-14. Retrieved from EBSCOhost.
Posa, R., & Terry, M. (2011). What does a HIPAA audit look like? Podiatry Management, 30(2), 87-92. Retrieved from EBSCOhost.