HIPAA: Protecting Patient Privacy in Healthcare Settings - Essay Sample

Paper Type:  Essay
Pages:  4
Wordcount:  1055 Words
Date:  2023-04-05


The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law designed to govern the handling of patients' information and records during treatment by a doctor, nurse, therapist, or any other health professional. The first resolution agreement concerns employees, specifically nurses, at UCLAHS who were reported for repeatedly viewing electronically protected patient information without the respective patients' consent. UCLAHS agreed to pay $865,000 to settle the alleged HIPAA violations (Centers for Disease Control and Prevention, 1997). To prevent a recurrence, the Office for Civil Rights (OCR) proposed a corrective plan, and UCLAHS was instructed to implement the relevant privacy and security strategies, policies, and procedures for training its employees. The training targeted employees who accessed electronically protected data. UCLAHS was also required to sanction and report offenders and to set up a standard monitor to assess compliance for three years.


The second resolution agreement concerns Massachusetts General Hospital, which failed to put in place appropriate measures and strategies to protect the personal health information (PHI) of about 192 patients. Patients suffering from chronic and other critical illnesses such as HIV/AIDS alleged that Mass General Hospital had exposed their PHI, intentionally on occasion, because of weak security and privacy measures. OCR confirmed the allegation through its own investigation, which found that Mass General Hospital lacked privacy and security technologies for protecting PHI. As a result, a fee of $1,000,000 was imposed on the hospital for the HIPAA violation. As a corrective plan, OCR advised hospital officials to introduce data protection security measures and to train employees on the procedures and policies for using them (Centers for Disease Control and Prevention, 1997).

The third resolution agreement was entered into by Rite Aid Corporation, which agreed to pay $1 million for HIPAA violations. The drug store was convicted of failing to abide by the privacy rules stipulated by OCR and the Federal Trade Commission Act. PHI belonging to individuals taking drugs was found in industrial trash, and the corporation was charged over its poor disposal practices. Rite Aid agreed to a corrective plan suggested by OCR and the FTC to improve the policies and strategies governing how it safeguarded PHI (Centers for Disease Control and Prevention, 1997). Closely related to this, the fourth resolution agreement concerns CVS Pharmacy, which also failed to dispose of patients' drug labels and prescriptions correctly in accordance with HIPAA. A fee of $2.25 million was paid for the violation, and the corporation agreed to a corrective plan to implement adequate policies in its pharmacies so that the disposal process does not violate the OCR rules.

The last resolution agreement is between HHS and Providence. Providence Health Care failed to properly store electronic patient data, as shown by the loss of numerous laptops in 2005 and 2006. The backup media holding patient data could not be retrieved, which confirmed to HHS that Providence did not have the privacy and security software needed to protect the media and allow for easy retrieval of data.

Evaluation of the Resolution Agreements

The cases are closely interrelated: they all involve health care facilities; there is a loss of patient PHI in every case; each involves a fee and an additional corrective plan agreement; and OCR is the common regulatory body, along with the FTC in a few scenarios. However, they also differ in some respects. The first two cases involve an online loss of patient information, while the third and fourth involve a physical loss of information caused by poor disposal of drug labels and prescriptions. The last case differs from the rest in that there was a loss of hardware (laptops) containing individual patients' PHI, while in the other cases only data was lost (Centers for Disease Control and Prevention, 2003). Also, not all of the cases involve the Privacy Rule: the last case was purely a Security Rule matter, because there is no evidence that someone accessed the information, only that there were no backup criteria. Based on the analysis of these cases, I was positively motivated by the actions of OCR, which works tirelessly to impose strict violation fees to resolve the violations made. In addition, the corrective plans helped the health care facilities to have second thoughts about their violations by putting in place immediate measures to improve the security and privacy of PHI.

Possible Recourse After HIPAA Violation

Is it possible for a patient to sue a health care organization for violating HIPAA rules? The answer is no. A patient cannot seek damages even after realizing that HIPAA has been violated and severe harm caused. The key reason is that HIPAA does not give patients a private cause of action.

Meanwhile, patients can express their dissatisfaction by taking appropriate legal action against health care providers to seek compensation for violations of state laws (Centers for Disease Control and Prevention, 2003). It may also be too expensive to file a HIPAA case when there is no guarantee of winning. As a result, patients can only file complaints about HIPAA violations with the federal government, through bodies such as OCR and the FTC, which are mandated to handle patients' complaints and to conduct ongoing investigations to ensure that the rules and standards are adhered to.


Centers for Disease Control and Prevention (CDC). (1997). Cardiac valvulopathy associated with exposure to fenfluramine or dexfenfluramine: US Department of Health and Human Services interim public health recommendations, November 1997. MMWR: Morbidity and mortality weekly report, 46(45), 1061. Retrieved from https://www.ncbi.nlm.nih.gov/pubmed/9385873

Centers for Disease Control and Prevention. (2003). HIPAA privacy rule and public health. Guidance from CDC and the US Department of Health and Human Services. MMWR: Morbidity and mortality weekly report, 52(Suppl. 1), 1-17. Retrieved from https://www.safetylit.org/citations/index.php?fuseaction=citations.viewdetails&citationIds[]=citjournalarticle_5738_12

Cite this page

HIPAA: Protecting Patient Privacy in Healthcare Settings - Essay Sample. (2023, Apr 05). Retrieved from https://proessays.net/essays/hipaa-protecting-patient-privacy-in-healthcare-settings-essay-sample
