This assignment aims to improve one's understanding of the American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act (HIPAA) and the breach notification rule.
All of these acts bear directly on the security and privacy of Protected Health Information (PHI) (Murphy and Waterfill 19). This project explains what a breach is and which situations are excluded from the definition. It then gives an overview of the breach notification rule and discusses the steps a covered entity takes when reporting a breach of PHI affecting more than 500 individuals and one affecting fewer than 500. Finally, it discusses how to protect PHI from breach.
Breach and its exceptions
A breach is the unauthorized acquisition, access, use or disclosure of protected health information in a way that compromises the security or privacy of that information, except where the unauthorized person who received it would not reasonably have been able to retain it (Klosek 17). The definition excludes several situations that are nonetheless relevant to the security and privacy of PHI.
The first exclusion covers the unintentional acquisition of, or access to, PHI by a workforce member or a person acting under the authority of a covered entity (Klosek 23), provided it happens in good faith and within the scope of that person's employment or authority. The second exception covers the inadvertent disclosure of PHI by a person authorized to access it at a facility operated by a covered entity (Klosek 28).
The definition of breach does not prescribe a response to this situation. The third exception concerns information disclosed at a facility owned by a covered entity that is then revealed to another individual (Klosek 32). Again, the definition does not identify the appropriate response to this situation.
An overview of the breach notification rule
The United States Department of Health and Human Services (DHHS) developed a set of rules on the privacy of health data (Murphy and Waterfill 23). The rules require healthcare providers, health plans and other covered entities to notify individuals when a breach of their health data occurs. They implement requirements contained in the HITECH Act (Murphy and Waterfill 31). The Secretary of DHHS receives notification of a breach of protected health information affecting more than 500 persons.
Breaches affecting fewer than 500 persons are reported to the Secretary of DHHS annually (Murphy and Waterfill 34). The rules also require business associates of covered entities to report to the covered entity any breaches connected with them. The rules were developed after consideration of public comments on an April 2009 request for information and consultation with the Federal Trade Commission (Murphy and Waterfill 38).
Steps a covered entity must take following a breach
When a breach of unsecured PHI occurs, a covered entity must notify all affected individuals (Green and Bowie 20). If a business associate discovers the breach, it must alert the covered entity and identify the individuals whose data may have been breached. The act requires notifications to be delivered without unreasonable delay and within sixty calendar days (Green and Bowie 24).
Notification may be delayed if its delivery would impede an investigation or pose a risk to national security. Notification of a breach of unsecured PHI is delivered through several methods. Written notice goes to the affected individuals, or to their next of kin if an individual is deceased. Notification by telephone applies in urgent cases where imminent misuse of the data is anticipated (Green and Bowie 29).
If the breach affects more than 500 persons, notice is also given through prominent media outlets serving the area where it occurred. The Secretary of DHHS is notified of breaches affecting more than 500 persons as soon as the breach is discovered, while breaches affecting fewer than 500 persons are reported annually (Green and Bowie 34). For breaches affecting more than 500 individuals, the Secretary also posts the breach on the DHHS website, which serves as a further notification method.
The requirements a covered entity must meet when reporting a breach affecting more than 500 persons and one affecting fewer than 500 persons are similar. A covered entity should meet the following requirements when reporting a breach of PHI:
- The covered entity should identify the best method of reporting the breach. This depends on the nature and urgency of the breach discovered.
- In the report, the covered entity should specify the category of individuals affected.
- The report should indicate whether it is an initial report or an addendum to a previous notification.
- The report should give the name of the covered entity, its contact details and its location. The covered entity will be a health plan, healthcare provider or healthcare clearinghouse.
- If the breach relates to a business associate, the report should also give the associate's name, contact details and location.
- The report should describe the breach in detail: the date of the breach, the date it was discovered, the estimated number of persons affected, the location of the breached data, the PHI involved, any safeguards in place before the breach, and a concise description of the incident (Green and Bowie 47).
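As an added example not drawn from the cited sources, the following helper applies the obligations described above: it checks that a report carries the fields listed and works out the notification channels and deadline from the discovery date and the number of individuals affected. Field names are assumed, and the large-breach branch uses the regulation's threshold of 500 or more affected individuals.

```python
from datetime import date, timedelta

# Constructed triage helper; not code from any of the sources cited in this essay.
# Assumes the rule's 60-calendar-day window for individual notice and a threshold of
# 500 or more affected individuals for the "large breach" obligations.
LARGE_BREACH_THRESHOLD = 500
INDIVIDUAL_NOTICE_WINDOW_DAYS = 60

# Fields the report to the Secretary of DHHS must carry (field names are assumed).
REQUIRED_FIELDS = (
    "covered_entity_name", "covered_entity_type", "contact", "location",
    "initial_or_addendum", "affected_category", "breach_date", "discovery_date",
    "affected_count", "data_location", "phi_involved", "safeguards_before", "description",
)
COVERED_ENTITY_TYPES = {"health plan", "healthcare provider", "healthcare clearinghouse"}
BUSINESS_ASSOCIATE_FIELDS = ("ba_name", "ba_contact", "ba_location")


def validate_report(report: dict) -> list:
    """Return a list of problems; an empty list means the report is complete."""
    problems = ["missing field: " + f for f in REQUIRED_FIELDS if f not in report]
    if report.get("covered_entity_type") not in COVERED_ENTITY_TYPES:
        problems.append("covered_entity_type must be a health plan, provider or clearinghouse")
    if report.get("business_associate_involved"):
        # When a business associate is involved, its name, contact and location are required too.
        problems += ["missing field: " + f for f in BUSINESS_ASSOCIATE_FIELDS if f not in report]
    return problems


def notification_plan(discovery: date, affected: int,
                      imminent_misuse: bool = False, investigation_hold: bool = False) -> dict:
    """Work out who must be told, how and by when, from the discovery date and head count."""
    large = affected >= LARGE_BREACH_THRESHOLD
    plan = {
        "individual_notice_deadline": discovery + timedelta(days=INDIVIDUAL_NOTICE_WINDOW_DAYS),
        # Written notice always; telephone in addition when misuse of the data is imminent.
        "individual_channels": ["written notice"] + (["telephone"] if imminent_misuse else []),
        # Media notice in the affected area and prompt DHHS notice apply only to large breaches.
        "media_notice_required": large,
        "hhs_notice": "on discovery" if large else "annual report",
        "hhs_website_posting": large,
    }
    if investigation_hold:
        # A delay to protect an investigation or national security pauses the clock.
        plan["individual_notice_deadline"] = None
        plan["note"] = "notice delayed; recompute the deadline when the hold is lifted"
    return plan
```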
How to protect PHI from breach
A number of strategies improve the security and privacy of PHI. One is conducting security risk assessments to establish possible threats and the factors that leave PHI vulnerable (Halpert 23). The aim of such assessments is to determine when, by whom and by what means PHI could be breached.
Another strategy is implementing all of the principal procedures, technologies and legal provisions for PHI protection (Halpert 34). Legal provisions on PHI protection are often poorly implemented, which encourages violators; routine inspection of healthcare facilities improves implementation.
Effective employee training improves staff knowledge of the best protective measures and of the expected response in case a breach is discovered (Halpert 40). Training should cover all employees and individuals attached to a covered entity, since all of them have access to information. A further strategy is developing a PHI breach response plan (Halpert 47). This strategy rests on the assumption that a breach can occur at any time and in an unexpected manner, requiring a quick and well thought-out response.
The plan should assign clear duties and tasks to every employee in the event of a breach. Protecting health information is extremely important, especially for the ethical conduct of medical practitioners. A patient should give consent to a doctor, or any other person holding their health information, before it is disclosed to third parties.
Green, M., and Bowie, M. Essentials of Health Information Management: Principles and Practices. New York: Cengage Learning, 2010. Print.
Halpert, Ben. Auditing Cloud Computing: A Security and Privacy Guide. New York: John Wiley & Sons, 2011. Print.
Klosek, Jacqueline. Protecting Your Health Privacy: A Citizen’s Guide to Safeguarding the Security of Your Medical Information. New York: ABC-CLIO, 2010. Print.
Murphy, M., and Waterfill, M. The New HIPAA Guide for 2010: 2009 ARRA Act for HIPAA Security and Compliance Law and HITECH Act: Your Resource Guide to the New Security and Privacy Requirements. New York: Author House, 2010. Print.