Introduction
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and is implemented and enforced by the Department of Health and Human Services (HHS) (Mercuri, 2004, p. 25). The tenets of the rule, the rights and protections of the individual, are not new and have existed since antiquity; what was new was the emergence of electronic health records (Mercuri, 2004, p. 25; Vivian, 2009; McLeod, 2007; Moskop et al., 2006). Accordingly, HIPAA has undergone several revisions, the most recent of which enacted and enforced the self-reporting (breach notification) portion of the rules. As Vivian (2009) notes, “[…] the HHS issued the HITECH Breach Notification Guidance. Provisions of this Guidance [on August 29, 2009 to further protect individuals, their privacy and the contents of their patient records]”. Institutions must therefore take more precautions to assure patient privacy, safeguard patient information and notify anyone whose information was intentionally or unintentionally breached (Vivian, 2009). Because HIPAA violations carry stiff penalties, fines ranging from $100 to $250,000 and possible imprisonment, and because HIPAA compliance is tied to hospital accreditation, violations and intentional or unintentional data breaches pose serious threats to all involved (McLeod, 2007; Vivian, 2009; Mercuri, 2004, p. 36; ALLOFE Solutions, 2011).
Yet the loss of trust may prove the most detrimental, because patients can choose to leave the hospital or institution and to opt out of HIPAA electronic reporting (Mercuri, 2004, pp. 26-27). Under the latter, only masked information would remain, devoid of any sensitive or identifying details (Mercuri, 2004, pp. 25-26). This defeats the purpose of HIPAA and the reasons for which it was developed, enacted, implemented and enforced (Moskop et al., 2006, pp. 53-54).
The following case makes this clear. Most HIPAA violations are foreseeable and preventable, and therefore require specific plans engaging the Information Technology department, Human Resources, the database administrators and all other departments and personnel within insurance and healthcare institutions (Mercuri, 2004, p. 26). Failure to train, educate, certify and maintain information security in both the physical and the virtual realm can and does result in costly breaches (ALLOFE, 2011; Vivian, 2009; Mercuri, 2004, pp. 26-27).
Security Breach Case
The administration at St. John’s Hospital takes pride in its sound policies and procedures for the protection of confidential client information; in fact, it serves as a model for other institutions in the area. However, printouts discarded in the restricted-access Information Services (IS) department are not shredded. This violates HIPAA policy and leaves patients open to potential breaches. Worse, personnel working late have on numerous occasions observed the cleaning staff in the restricted IS area reading the discarded printouts.
This scenario illuminates numerous HIPAA violations, the potential for breaches, and intentional acts that increase the severity of the violations and thereby create the possibility of self-reported HIPAA violations (Vivian, 2009; Moskop et al., 2006, p. 54). Although the dividing lines between HIPAA violations, potential privacy breaches, data or information security failures and intent are murky, this incident necessitates action (Vivian, 2009).
Rationale for Actions
Snooping and Breaches
This case is not so different from that of Kaiser Permanente’s Bellflower hospital; rather, it reflects many of the same actions (Vivian, 2009). Bellflower Hospital failed to keep its employees from snooping in “the medical records of Nadya Suleman, the mother who set off a media frenzy after giving birth to octuplets in January 2009.” Yet this security breach, the result of personnel snooping and/or record discovery, was only one of several cases at the hospital (Vivian, 2009). HHS revealed that it had discovered five more security breaches in eighteen months and obtained a settlement of $100,000 (Vivian, 2009). The Bellflower hospital was additionally fined $250,000 (Vivian, 2009).
Yet the real costs of those HIPAA violations and breaches are unknown. In the case of electronic data, life-or-death consequences for the patient may be a click away (Mercuri, 2004, p. 27; Moskop et al., 2006, pp. 53-54). One can therefore posit that Bellflower Hospital had to implement mandatory training and/or disciplinary action and had to submit its information policies and HIPAA compliance plans to the hospital board, the accreditation board, Kaiser Permanente and HHS (Vivian, 2009; McLeod, 2007; ALLOFE Solutions, 2011). It also had to notify the persons whose information was breached, as HIPAA requires (Vivian, 2009).
Identity theft
The potential abuse of discarded printouts, and of documents left in the memory of copiers, fax machines and computers, also poses real risks (Mercuri, 2004, pp. 26-27). Mercuri (2004) describes a situation in which an unidentified visitor to a rehabilitation clinic entered the facility to steal discarded patient printouts for the personal information they contained, including patients’ identities and social security numbers, and in which personnel from a medical institution took discarded printouts home and engaged in willful identity theft (Mercuri, 2004, p. 27). Encryption can protect the electronic copies of such records, including those retained in device memory, but it does nothing for a sheet of paper once it has been printed; the point here is to show how harmful discarded printouts can be (Mercuri, 2004, p. 27; Vivian, 2009). Even in protected areas, failure to shred and properly dispose of printed documents, and failure to encrypt the electronic records behind them, violates HIPAA and its best practices (Vivian, 2009; Mercuri, 2004, p. 27).
Obviously, these violations should have been self-reported (Vivian, 2009). Had they been, fines and/or other penalties would have been imposed (Vivian, 2009; Mercuri, 2004, p. 25; Moskop et al., 2006), and other compliance measures and reports would have been required to maintain accreditation (McLeod, 2007). These two scenarios demonstrate how simple baskets of discarded printouts can and do create the need for self-reported HIPAA breaches and violations, the potential for costly settlements and the loss of public trust. All of these harm the patients, the institutions charged with such breaches and violations, and the cooperation HHS needs to achieve the goals for which HIPAA was developed.
St. John’s Hospital-Potential Courses of Action
Because the St. John’s scenario does not describe any previous actions, HIPAA training requirements or institutional procedures, it is difficult to know whether any action was taken (McLeod, 2007; Vivian, 2009; ALLOFE Solutions, 2011). If the personnel working late who observed the cleaning staff in the restricted area submitted reports, even anonymously, to the IS administrator, then the IS manager is culpable for not acting (Vivian, 2009). If the staff who observed the behavior failed to report it, or failed to remind the cleaning staff that their actions were serious HIPAA violations, then they are also blameworthy (Vivian, 2009). If Human Resources received reports and did nothing, then it, too, is culpable (Vivian, 2009).
The personnel working in the restricted IS area where the discarded printouts were not shredded are responsible for intentional HIPAA breaches, which are serious (Vivian, 2009; Businesswire, 2004) and may result in fines, imprisonment and/or loss of employment (Vivian, 2009; Moskop et al., 2006). The culpability of the cleaning staff depends on whether they had been trained. HIPAA’s Privacy Rule requires covered entities to train all members of their workforce, a term that includes persons whose on-site conduct is under the entity’s direct control whether or not the entity pays them, so cleaning staff assigned to a restricted records area fall within that requirement. Whether St. John’s Hospital actually delivered that training is not stated in the scenario, so the cleaning personnel’s intent and/or culpability are somewhat unclear (Vivian, 2009).
Regardless, this discovery mandates self-reporting. Since a breach is defined as “the unauthorized acquisition, access, use, or disclosure of patient health information (PHI)” (Vivian, 2009), a breach has arguably occurred at St. John’s Hospital. Unless the information had been “[…] rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology and methodology specified in the HHS Guidance” (Vivian, 2009), the incident is reportable. The discarded printouts were readable and were not de-identified in any way; they were therefore unsecured PHI, usable, readable and decipherable by the cleaning staff, and the cleaning staff’s reading of them constituted unauthorized use by unauthorized persons. Worse, the nature and scope of the breach and of any misuse are unknown.
Chain of Command and Responsibilities
The IS department/Information Management supervisor should be notified, since she/he is accountable for the practices in the department (Businesswire, 2004; O’Carroll, 2003, p. 122). HIPAA also requires a covered entity to designate a privacy official and a security official, and the breach should reach those officials as well if the IS manager does not hold those roles. This IS/IT manager should have undergone extensive HIPAA training and/or certification (ALLOFE Solutions, 2011; Vivian, 2009), as well as extensive training in encryption and security software. Most likely, this person is responsible for implementing the IT security procedures covering backups, software and firewall updates and all access levels, including access to the secure IS areas and to the unsecured ones.
The IS department personnel would have undergone HIPAA training and/or certification as well, and should have been required to attend classes covering the 2009 HIPAA self-reporting provisions and any other updates. These personnel should also have been required to complete an online HIPAA class and test every six months. The same would be true for anyone in St. John’s Hospital working with patient records (O’Carroll, 2003; Businesswire, 2004; ALLOFE Solutions, 2011; McLeod, 2007).
All other institutional personnel should have been trained in HIPAA protocols and procedures when they were hired and at the various stages of the HIPAA implementation and revision process (Mercuri, 2004, p. 26), and should have to recertify, retrain and/or retest every year. This group includes the cleaning personnel in this scenario, though one could reasonably argue that cleaning personnel assigned to restricted areas such as the IS department should receive more training and undergo retraining and retesting every six months.
Human Resources, those charged with hospital or patient communications and relations, and those charged with accreditation would most likely follow the same HIPAA training, certification and test-and-retest protocols as IS personnel and all other staff working with patient records.
Policies and Procedures
If these training procedures, tests and/or certification schedules were maintained, Human Resources would keep the related records, monitor compliance and help develop, implement and enforce the related policies. Failure to obtain a required level of training or to pass a retest would result in actions such as written warnings and suspensions. Failure to comply with HIPAA practices through unintentional acts would result in disciplinary action as articulated in the IS and Human Resources policies (Vivian, 2009; McLeod, 2007). These disciplinary actions could range from verbal warnings to suspension and/or dismissal if the act results in abuse. This mirrors the tiered penalty structure HHS applies (Vivian, 2009): distinguished from one another by the level of intent, the abuse or potential for abuse, and the severity of the breach(es) and violation(s), disciplinary actions within the hospital should mirror those of HHS.
Reporting Breaches
Breaches like those in the St. John’s Hospital scenario should have been reported to the IS manager, who is charged with the department and with HIPAA compliance. This manager would in turn have to report the breach and violation to the Human Resources department for disciplinary purposes, to the hospital administrator, to those charged with hospital and patient relations, and to HHS. Failure to report could itself constitute a graver violation under the 2009 HIPAA revision, since these documents were never made unreadable or unusable (Vivian, 2009).
The hospital may well be fined in this case, may be required to provide evidence of further staff training and of IS and HIPAA compliance measures implemented to prevent or limit further breaches, and might even be required to submit such reports to its accreditation boards as well as to HHS (Mercuri, 2004, p. 26). The patients whose records were potentially misused would also have to be notified as stipulated by the breach notification provisions of HIPAA (Vivian, 2009); under those provisions, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, a breach affecting 500 or more individuals must be reported to HHS at the same time, and prominent media outlets must be notified when 500 or more residents of a state are affected. The hospital relations/patient relations personnel would be charged with this. The notification would most likely require legal guidance and the involvement of the Hospital Board and administration. Identifying the affected patients would require concerted effort and time, because the practice has been an ongoing one: the scope cannot be inferred from a single incident, and any printout discarded in the IS area during the period in which the cleaning staff had access must be assumed to have been exposed.
Conclusion
The breach disclosed in the St. John’s Hospital case was avoidable. Without question, the IS department in which it occurred had been trained in HIPAA. It should have deployed encryption software for its electronic records and devices, such as that offered by PGP Corporation, now part of Symantec (Mercuri, 2004, p. 28; Businesswire, 2004; Symantec Corporation, 2011). Encryption, however, protects data at rest and in transit; it cannot protect a paper printout, which is plaintext the moment it leaves the printer. For printed output the safeguards are physical: print only what the job requires, keep printouts inside the restricted area, and shred them on a fixed schedule that the IS department manager verifies and enforces, disciplining those who fail to comply. All discarded printouts, whether or not the underlying records were encrypted, should have been shredded. The failure to do so created the conditions for self-reporting to HHS and patient notification, because a readable printout is by definition unsecured PHI under the HHS Guidance (Vivian, 2009).
For this reason, the IS personnel in the restricted department should receive suspensions; it is unknown whether they previously received written or verbal warnings. The cleaning staff should be interviewed by Human Resources and the IS manager to determine the extent of the breach and the level of intent and/or abuse, because HHS will require this (Vivian, 2009). Disciplinary action should also be taken.
The IS manager should have to undergo further training or retraining (ALLOFE Solutions, 2011; Mercuri, 2004) and might be suspended or fined. The IS manager will also be charged with satisfying the HHS HIPAA compliance requirements, maintaining data and information security protocols, and revising the existing HIPAA practices and policies to meet the HHS guidelines, as well as with the installation of encryption software on all mobile and computing devices, the necessary staff training, and the secure disposal of printed documents. Finally, the IS manager, together with the hospital administrator, Human Resources and hospital relations, will have to draft a notification letter and an apology to the affected patients.