Violating laws meant to ensure that patients’ information is not disclosed to the wider public is a very serious matter. This is because patients’ health information is very delicate and should be handled with utmost discretion. Ethical values have been formulated to ensure that the patients’ interests are given consideration to avoid harming these patients in one way or another.
When a patient’s information is disclosed to an unauthorized third party, the law comes into play and legal action is taken against the offender. This paper discusses a recent administrative ethical issue with the aim of applying the governing law to the issue.
The article titled “Healthcare Provider to Pay $1.5M HIPAA Fine” (2012) gives a scenario of a potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This potential violation was noted by the U.S. Department of Health and Human Services (HHS) after Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) reported a break-in and the loss of “an unencrypted laptop with electronic protected health information (ePHI) of MEEI patients and research subjects”. In other words, MEEI failed to comply with the privacy standards and thereby put ePHI at risk (Healthcare Provider to Pay $1.5M HIPAA Fine, 2012).
This kind of incident may gravely affect MEEI because the patients and research subjects may sue the institution if word of the exposure reaches them. This is because, according to the HIPAA Security Rule, MEEI breached the established ethical and legal requirements for the protection of health-related information that could be used to harm the individuals involved.
The population most affected by this violation of the law is the patients and research subjects whose unencrypted information was contained in the stolen laptop. The thieves’ intentions are not known; they may have intended to harm one of the clients. In addition, clients would develop a negative attitude towards MEEI, and it could lose patients and research subjects.
Information on these individuals is very important in public health practice and research because it is meant to help in the identification, monitoring and response to particular morbidities, mortalities and disabilities in given populations (Thacker, 2003). The impact of this incident on the patients and research subjects would mean that they would not be willing to participate in future research by the institution for fear of a recurrence of a similar incident.
The solution of paying a fine of $1.5M came about after the Office for Civil Rights (OCR) under the Department of Health and Human Services gave its position on the whole issue after evaluating the report submitted by MEEI about the theft. According to the OCR, MEEI did not comply with the ethical principle that advocates for the protection of individuals’ privacy and respect for individuals’ dignity.
This is because it failed to store patients’ and research subjects’ information in encrypted form. The fact that the laptop contained patients’ and research subjects’ information that had not been encoded in a manner that could not be understood by unauthorized persons justifies this.
Therefore, anyone accessing the stolen laptop was able to view this information thus publicly exposing the clinical details of the concerned individuals. According to the ethical principle on privacy, individual identifiable health information should be protected from unauthorized persons.
In the case mentioned in the referred article, this does not seem to have been the case, since the information had been stored in plain, unencrypted form. This shows that the ethical principle of privacy and confidentiality was not observed (U. S. Department of Health & Human Services, 2012a).
MEEI failed to ensure that security was well maintained in the organization in accordance with the HIPAA Security Rule. Therefore, there was a breach of this law, which sets the standards that govern the security of ePHI. MEEI failed to meet the requirements that seek to protect the privacy and security of identifiable health information.
MEEI had deliberately ignored the essentials of the HIPAA Security Rule, because negligence was found to have occurred over a relatively long period of time. This indicates a disregard for the law, which warrants a highly punitive response.
Management responsibilities are vital in ensuring that the HIPAA Privacy and Security Rules are attained and maintained. The management team at MEEI should have complied with the HIPAA Privacy and Security Rules with regard to certain elements that need to be kept in check. One responsibility is that management ought to have made a thorough risk analysis of the confidentiality of the information contained in the laptop (a portable device).
According to the HIPAA Security Rule, the administration is meant to conduct a risk analysis as part of the security management process. Risk analysis is related to disaster preparedness and mitigation, hence the need to evaluate the possibility of putting ePHI at risk (U. S. Department of Health & Human Services, 2012b).
The security management process entails various steps, and one step may affect subsequent steps. Because it failed to perform a thorough risk analysis, MEEI was not able to implement effective security measures aimed at protecting the ePHI contained in its portable devices.
Therefore, a second management role that follows from the first is the implementation of effective security measures meant to safeguard created, maintained and transmitted ePHI stored on portable devices. One such measure is to store ePHI in files that are not easily recognizable and that require a password to open. The third management responsibility that was overlooked is developing, or delegating someone to develop and implement, policies and procedures that restrict access to ePHI.
These are meant to ensure that access to ePHI is permitted only to authorized health personnel. One such policy would be to ensure that ePHI is encrypted so that it can be read only by authorized health professionals, whose main aim is to promote justice and beneficence for the patients and research subjects.
The final management responsibility with reference to the case in question is the adoption and implementation of policies and procedures that govern security to ensure a timely response. These policies are meant to address any issue related to security through periodic assessments of the security system against the HIPAA Security Rule.
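The safeguard described above for ePHI on portable devices (records stored so that only authorized staff can read them, and so that whoever holds a stolen laptop sees nothing usable) can be made concrete with an added example. The following Go program is not from the article and is not MEEI’s own code: it derives a key from a passphrase with PBKDF2-HMAC-SHA256 (written inline so only the standard library is needed) and seals each record with AES-256-GCM, so that a wrong passphrase or any tampering with the stored file is rejected rather than yielding garbage. The passphrase, iteration count and sample record are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Parameters are assumptions for this example, not values from the article.
const (
	saltLen    = 16      // random salt stored with each record
	nonceLen   = 12      // AES-GCM standard nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // PBKDF2 work factor; slows passphrase guessing
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), implemented inline.
// It turns a human passphrase plus a random salt into a fixed-length key.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for blockIdx := uint32(1); len(out) < dkLen; blockIdx++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blockIdx)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// gcmFor builds the AES-256-GCM cipher for a passphrase and salt.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one ePHI record. Stored layout: salt || nonce || ciphertext+tag.
// Without the passphrase, the holder of the file sees only this opaque blob.
func EncryptRecord(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	// The salt is bound as associated data, so headers cannot be swapped between files.
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// DecryptRecord reverses EncryptRecord. A wrong passphrase or any modification
// of the blob fails the GCM tag check and returns an error.
func DecryptRecord(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, sealed := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, salt)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123 | Doe, J. | 1970-01-01 | dx: glaucoma, OD")
	pass := "laptop passphrase (assumed)"
	blob, err := EncryptRecord(pass, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible in stored file: %v\n", bytes.Contains(blob, record))
	back, err := DecryptRecord(pass, blob)
	fmt.Printf("correct passphrase: %q err=%v\n", back, err)
	_, err = DecryptRecord("guess", blob)
	fmt.Printf("wrong passphrase: err=%v\n", err)
}
```

Two design choices matter here: authenticated encryption (GCM) means a modified or mis-keyed file is detected rather than silently decrypted to nonsense, and the per-record salt plus iteration count means a thief who copies the file cannot cheaply test passphrase guesses offline. The example protects individual files; device-level full-disk encryption, which the article’s case turned on, applies the same principle to the whole laptop.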
Non-compliance with the Privacy and Security Rules calls for legal action to administer and enforce the standards under these rules. Therefore, the violation of the HIPAA Privacy and Security Rules identified by the Department of Health and Human Services OCR was resolved through the payment of $1.5M by MEEI. In addition, the organization made a commitment to improve its policies and procedures to ensure that the HIPAA Privacy and Security Rules are achieved and well maintained.
In today’s world, where nearly everything is electronic, information is stored on computers. Protection of that information is therefore very important, especially in the case of portable devices, since they are likely to be used by various persons. In a health setting, the privacy and confidentiality of patients’ information is very important to avoid inflicting harm or injury on them. Therefore, abiding by the HIPAA Privacy and Security Rules is not an option but a mandatory requirement.
References
Healthcare Provider to Pay $1.5M HIPAA Fine. (2012). Campus Safety Magazine. Web.
Thacker, S. B. (2003). HIPAA Privacy Rule and Public Health: Guidance from CDC and the U. S. Department of Health and Human Services. Web.
U. S. Department of Health & Human Services. (2012a). Summary of the HIPAA Privacy Rule. Web.
U. S. Department of Health & Human Services. (2012b). Summary of the HIPAA Security Rule. Web.