HIPAA Privacy Rule Violation In Patient’s Health Information Disclosure
Overview of HIPAA Privacy Rule
Question 1
Jane coder’s handling of Brenda’s treatment and records has raised legal issues. Her actions violated and breached the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards of the Privacy Rule state that the use and disclosure of an individual’s health information, called protected health information, is subject to privacy protection. The vital purpose of the Privacy Rule is to assure individuals that their health information is properly protected (McGraw, 2013). At the same time, the Privacy Rule provides that the flow of health information is carried out in a proper way, which promotes higher-quality healthcare, thereby fostering the protection of public health information and the wellbeing of the patient. The Privacy Rule sets out how the information may be used and at the same time protects the privacy of people who seek healthcare. Because the healthcare marketplace is diverse, the rule has been designed to be comprehensive as well as flexible, so that it covers the uses and disclosures that need to be addressed (Luxton, Kayl & Mishkind, 2012).
The HIPAA Privacy Rule has a basic principle: it defines the circumstances that limit the use and disclosure of health information. HIPAA protects a patient’s health information, and it covers the entities to which the information is disclosed. Thus, an entity that uses the health information can disclose it only under two circumstances (Wu, Ahn & Hu, 2012). First, the information can be disclosed only when the Privacy Rule permits the disclosure. Second, it can be disclosed when the individual who is the subject of the information authorizes its use in writing. A covered entity can disclose the information only on two different occasions. First, it is disclosed to an individual only when a request for access is processed. Second, it is disclosed when an authority is conducting an investigation or an enforcement action. Thus, from the above, it can be concluded that Jane coder’s disclosure of Brenda’s treatment and records is a legal violation (Greene, 2012).
Medical malpractice for failure to warn is the legal issue regarding Brenda’s OB/GYN and her preterm labor and delivery of a premature baby. This certainly raises an issue for Arbutus Hospital and the OB/GYN department. In this scenario, it is important to mention that the anti-retroviral drug prescribed by the OB/GYN, though safe for the general population, has complications for mothers who take it during pregnancy. The OB/GYN was unaware of the issue of birth defects and also ignored the EHR alerts warning of birth defects. The OB/GYN also did not discuss the potential side effects of the drug prescribed to Brenda. Legal proceedings can be brought against both the OB/GYN and Arbutus Hospital (Pradarelli, Campbell & Dimick, 2015).
Breach of HIPAA Privacy Rule by Medical Coder
This means that even though the OB/GYN department had the idea that the drug had the potential to cause injury to Brenda, the OB/GYN failed to warn Brenda or report this information to her. Thus, in this scenario, Brenda can sue the OB/GYN and the other associated health professionals for failing to warn her of the significant health issues associated with the medication. Such cases are known as failure-to-warn cases, and they are highly technical. To bring a case successfully against the OB/GYN, it must be shown that the outcome was one of the known risks of the procedure. It must also be shown that the risk was not insignificant and that the doctor failed to warn against it. Even if there is a breach of the duty of care, a claim cannot be established if the patient is unable to provide evidence of his or her suffering or loss.
The billing office submitted the medical records to Medicaid, which is the insurer of Brenda’s health coverage until Brenda is enrolled in the employer-sponsored health plan. The billing officer was under pressure from upper financial management. Thus, the billing officer ensured that the codes were submitted with the best interest of the hospital in mind. The billing officer entered some extra codes so that the hospital would not incur any loss and would continue to treat under the purview of Medicaid (Centers for Medicare & Medicaid Services (CMS), 2012). This is a violation of vicarious liability, and the scenario shows that it was a deliberate act to which the principles of liability are applicable, although the billing officer was under pressure from the upper authorities of the hospital (Baicker et al., 2013).
Question 2
The case study presents an ethical issue: a situation in which a person is required to choose one of two alternatives, each evaluated as wrong (unethical) or right (ethical). Ethics includes dilemmas such as what type of decision this is (bad or good); the language of wrong and right; responsibilities and rights; and how to have a good life (Peters, 2015).
The facts presented in the case study include the following:
- Kendra Brown is a registered health information technician and also the assistant director of health information services at Memorial Hospital.
- Sue Davidson, the facility risk manager, went with Dr. Philip Russel to Kendra’s office with a request covering all the patients who had gastric bypass surgery performed by Dr. Lester Brown in the past 2 years.
- Kendra, however, reminds Sue of a departmental policy which states that study requests can only be made for 24 hours. It is important to mention that Sue and Kendra have been close friends and have worked at Memorial Hospital for 15 years.
- Sue and Dr. Russel state the urgency of the matter: a patient has died after the surgery and the family is trying to file a lawsuit against the hospital. Sue also states that there have been previous incidents in which patients of Dr. Brown died after surgery.
- It is also important to highlight that Kendra’s mother is scheduled to have gastric bypass surgery performed by Dr. Brown, and this made Kendra run through the list.
- Later, Kendra found complications in the records: they indicated that the patients who had gastric bypass surgery performed by Dr. Brown faced issues related to readmission to hospital and other medical complications. Kendra even found that 24 of the 78 patients had died due to complications of the procedure. After finding this data, Kendra felt the need to warn her mother about the surgery, and she also felt that her mother must consult another surgeon from the same hospital.
- After all this, Kendra called her mother and told her what she had found in the data. Sue, however, overheard the conversation between Kendra and her mother. Sue confronted Kendra about the content of the discussion with her mother.
The stakeholders in this situation include Kendra Brown, Kendra Brown’s mother, the Memorial Hospital authorities, Sue Davidson, and Dr. Lester Brown.
The values at stake need to be described at the individual level. Kendra Brown is the Director of the Health Information Services, and she will face an ethical issue because she shared confidential information with her mother. Kendra’s mother now knows certain confidential information, including that having the surgery performed by Dr. Brown might jeopardize her life. The reputation of the Memorial Hospital authorities is at stake because Kendra’s mother can share the same information with other people. Sue Davidson also does not have the authority to check the patient records, and it takes 24 hours; Kendra said that the departmental policy requires 24 hours.
Protecting Patient Health Information
The options available to evaluate the stakeholders include ethical principles and organizational policies. These options can be used as guiding principles to evaluate the performance and conduct of the various stakeholders associated with the case study. They can be taken into account because the stakeholders, in one way or another, violated the ethical principles and the organizational policies.
The alternatives, or what else could have been done, include the following. First, when Kendra came to know about the complications and the death of the majority of the patients who had gastric bypass surgery performed by Dr. Brown, she felt the need to call her mother and share this information. An important aspect here is that Kendra knew her mother was going to have gastric bypass surgery performed by Dr. Brown, which made her feel that complications might arise for her mother as well. It might jeopardize her mother’s life, and this made Kendra think in a biased way. The information Kendra shared with her mother could have been shared in a different way. Kendra could have shared her concern by informing her mother that she could have her gastric bypass surgery performed by another doctor because Dr. Brown would be unable to conduct the surgery and would be unavailable that day, all other surgeries having already been cancelled (Crossan, Mazutis & Seijts, 2013).
The decisions made by Kendra can be justified by the fact that when she came to know about the complications in each and every case that Dr. Brown operated on, she believed that there was an urgency. This urgency is justified considering that 24 of the 78 patients died after the surgery due to complications.
The decision made in step 5 can be implemented ethically by interacting effectively and sharing the information in a way that does not hamper the image of Memorial Hospital or of Dr. Brown. The implementation will include a general procedure of communication and molding the information so that the real motive can be conveyed easily.
The outcome of the decision can be evaluated ethically. First, it is important to note that the decision made in step 5 is based on ethical grounds and will not jeopardize the image of Memorial Hospital.
These issues can be prevented from recurring by taking a wide range of measures. First, one of the biggest measures is to train the employees who handle confidential data that revealing it will lead to ethical violations. It is important to mention that ethical violations are rampant if the laws that prohibit such actions are not stringent. Stringent laws also require stringent implementation and enforcement. Second, the organizational policies need to be revamped so that they include provisions on ethical violations and legal violations pertaining to data sharing and data access (Craft, 2013).
References
Baicker, K., Taubman, S. L., Allen, H. L., Bernstein, M., Gruber, J. H., Newhouse, J. P., … & Finkelstein, A. N. (2013). The Oregon experiment—effects of Medicaid on clinical outcomes. New England Journal of Medicine, 368(18), 1713-1722.
Centers for Medicare & Medicaid Services (CMS), HHS. (2012). Medicare and Medicaid programs; electronic health record incentive program–stage 2. Final rule. Federal Register, 77(171), 53967.
Craft, J. L. (2013). A review of the empirical ethical decision-making literature: 2004–2011. Journal of Business Ethics, 117(2), 221-259.
Crossan, M., Mazutis, D., & Seijts, G. (2013). In search of virtue: The role of virtues, values and character strengths in ethical decision making. Journal of Business Ethics, 113(4), 567-581.
Greene, A. H. (2012). HIPAA compliance for clinician texting. Journal of AHIMA, 83(4), 34-36.
Luxton, D. D., Kayl, R. A., & Mishkind, M. C. (2012). mHealth data security: The need for HIPAA-compliant standardization. Telemedicine and e-Health, 18(4), 284-288.
McGraw, D. (2013). Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. Journal of the American Medical Informatics Association, 20(1), 29-34.
Peters, R. S. (2015). Ethics and Education (Routledge Revivals). Routledge.
Pradarelli, J. C., Campbell, D. A., & Dimick, J. B. (2015). Hospital credentialing and privileging of surgeons: a potential safety blind spot. JAMA, 313(13), 1313-1314.
Wu, R., Ahn, G. J., & Hu, H. (2012). Towards HIPAA-compliant healthcare systems. In Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium (pp. 593-602). ACM.