Introduction
The Standards for Privacy of Individually Identifiable Health Information, commonly called the HIPAA Privacy Rule, established national standards for protecting certain health information. The United States Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (HHS, 2018). The rule restricts how 'covered entities' (health plans, health care clearinghouses and health care providers that transmit health information electronically) may use and disclose an individual's protected health information, and it gives patients rights over that information, backed by enforcement, breach notification and the related Security Rule (Rodrigues et al., 2013). The case study describes a breach of this kind: an obstetrics nurse disclosed the identity of a 15-year-old girl who had been admitted to the hospital for severe labor. The nurse later contacted her superiors to resign from her duties and admitted what she had done. She was aware that by disclosing the identity of the young pregnant patient she had violated the privacy protections required by HIPAA. This assignment discusses the specific requirements for investigating the incident, determines whether the incident is in fact a breach of privacy, examines whether the hospital's stance on the incident complies with the HIPAA rules, and finally presents my position on the situation as the organization's privacy officer.
This assignment aligns the case study with HIPAA law in order to understand how a health care privacy breach arises and what actions need to be taken.
Investigation process for a breach
The HIPAA Breach Notification Rule defines a process that a covered entity must follow when an impermissible use or disclosure of protected health information occurs. Every such incident must be investigated, because disclosing a patient's identity or health information can expose the patient to serious harm. A covered entity learns of a possible breach from the workforce member involved, from a complaint, or from the patient whose information was disclosed; in this case the nurse reported her own disclosure. Under the rule, an impermissible disclosure is presumed to be a breach unless the covered entity documents a risk assessment showing a low probability that the information has been compromised, so the risk assessment is required rather than optional (Wang & Huang, 2013). The assessment weighs four factors. The first is the nature and extent of the information disclosed, including the types of identifiers involved and the likelihood that the person can be re-identified. The second is the unauthorized person who received the information, since a recipient who knows the patient makes the disclosure far more serious. The third is whether the information was actually acquired or viewed by that person; this matters because a recipient who has actually taken in the information can damage the patient's standing in her community. The fourth is the extent to which the risk to the protected information has been mitigated, for example by obtaining assurances that it will not be further used or disclosed (Rodrigues et al., 2013).
In the case study, the 15-year-old girl whose identity was disclosed did not know that her privacy had been breached. She had hidden her pregnancy from her family, even though her mother and aunt are both nurses at the hospital, so the hospital had a clear duty to protect her privacy. By the obstetrics (OB) nurse's own statement, she disclosed the patient's identity to her daughter, who recognized the girl. The first step is therefore to take a written statement from the OB nurse setting out the reason for and circumstances of the disclosure (Wang & Huang, 2013). The patient must then be notified of the breach of her personal information in plain language. The notice should contain a brief description of what happened, including the date of the breach and the date it was discovered; the types of information disclosed; the steps the patient can take to protect herself; a brief description of what the hospital is doing to investigate, mitigate harm and prevent a recurrence; and the contact information of the privacy officer. Because the patient is a minor, the hospital must determine under applicable state law whether a parent is her personal representative for pregnancy-related care; the breach notice itself must not become a further disclosure of her pregnancy to family members she chose not to tell. The final step is to report the breach to HHS. A breach affecting fewer than 500 individuals is logged and reported to HHS no later than 60 days after the end of the calendar year in which it was discovered, while a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and in any case within 60 days of discovery (HHS, 2018). These steps make up the investigation of the breach.
Whether the incident is a breach under HIPAA
Under HIPAA, protected health information includes medical records, laboratory reports and hospital bills, because these documents carry the patient's name and other identifiers; disclosing them to someone not authorized to receive them is contrary to the rule. The rule also makes clear that an unintentional disclosure is not excused simply because it was unintentional, whether or not it ends up harming the patient. The hospital, as the covered entity, must investigate the disclosure and carry out the risk assessment to establish how serious it is (American Society of Health-System Pharmacists, 2012). The Privacy Rule distinguishes a 'use', which is the handling of information inside the covered entity, from a 'disclosure', which is its release to anyone outside the entity; the nurse's action is a disclosure. The breach evaluation and risk assessment rest on four factors: the nature and extent of the information involved, the unauthorized person who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. Beyond these factors, the hospital should assess the impact of the breach on the patient in social, mental and physical terms, and HHS may investigate the incident on its own account if a complaint is filed (Trinckes, 2012).
The case shows the OB nurse unintentionally breaching a core rule of nursing ethics by disclosing the name of the young pregnant girl to her daughter. The action was unintentional, but the patient's information reached an unauthorized person, the nurse's own family member. From there it spread through the community, so although the patient wanted to hide her pregnancy even from her family, the nurse's action revealed it to everyone around her. On risk analysis, the disclosure was unintentional, but its extent was sufficient to identify the patient. It involved an unauthorized person, the nurse's daughter, who knew the patient and could recognize her from the information given. Taken together, these facts show that, unintentional as it was, the nurse violated HIPAA by revealing the patient's identity. The incident is therefore a genuine breach of protected health information under HIPAA (Trinckes, 2012).
The differences and similarities between the hospital’s stance and HIPAA
Maintaining the privacy and confidentiality of patient records is an essential part of patient care, and it is the hospital's responsibility to comply with the HIPAA rules administered by HHS. Several kinds of agreements and relationships can be established among health care entities to make compliance more manageable: the affiliated covered entity designation, the data use agreement, the trading partner agreement, the chain of trust agreement and the business associate agreement (El Emam, 2013). HIPAA's primary goal is the confidentiality, integrity and availability of protected health information, both inside and outside the organization. A chain of trust agreement is set up by the organization itself when it hands patient data to its health information technology function or a partner to store in a database for later use. HIPAA does not prevent such arrangements; sharing data for the treatment and benefit of the patient is permitted, provided the required safeguards and agreements are in place (American Society of Health-System Pharmacists, 2012).
As head of the privacy protection department, I know the organization's policy on patient data protection and how it aligns with the HIPAA rules. Once the nurse admitted her fault, the investigation, risk assessment and impact assessment of the breach were carried out. The risk assessment covered whether the disclosure was intentional or unintentional, whether the information was acquired, the person to whom the details were disclosed, the impact of the disclosure of the patient's identity, and so on. All of these steps mirror the HIPAA notification and investigation requirements. The hospital's policy, however, adds one more factor: the experience and standing of the employee involved within the organization (Malin, El Emam & O'Keefe, 2013). The hospital's position is that when a veteran employee breaches a hospital or HIPAA policy and the effect on the patient is minimal, the employee should be given another chance to stay in the organization. HIPAA, by contrast, treats intentional and unintentional impermissible disclosures alike as breaches, and requires the covered entity to maintain and apply a sanctions policy for workforce members who violate it; HHS remains free to investigate the covered entity and impose civil penalties regardless of how the hospital treats the employee. These are the similarities and differences between the hospital's stance and the HIPAA rules regarding the incident and the suspension of the OB nurse (El Emam, 2013).
Immediate action or not
Under HIPAA, enforcement rests with the HHS Office for Civil Rights, which investigates complaints and may impose civil money penalties on the covered entity, while the Department of Justice prosecutes criminal violations by individuals. Civil penalties are tiered by culpability, from violations the entity did not know about and could not reasonably have known about up to wilful neglect. Criminal penalties apply to a person who knowingly obtains or discloses individually identifiable health information: up to a $50,000 fine and one year of imprisonment for a knowing violation; up to $100,000 and five years where the offense is committed under false pretenses; and up to $250,000 and ten years where the information is obtained or disclosed with intent to sell it, for commercial advantage, personal gain or malicious harm (HIPAA, 2018).
In this case, the OB nurse who disclosed the identity of the 15-year-old pregnant girl to her daughter was not mindful of the HIPAA rules at the time and violated them unintentionally. The impact of her action was nonetheless severe: although the patient wanted to hide her condition even from her family, the entire community learned of it. The nurse's unintentional action therefore undermined the patient's autonomy and violated HIPAA. On the other hand, this was the nurse's first violation and she reported her fault herself. As the hospital's privacy officer, I will notify the patient of the HIPAA violation and await her response (HHS, 2018). I will also carry out the risk assessment of the violation; until it is complete, the nurse will be placed on administrative leave. The final action against her will be based on the impact of the violation and will comply with the HIPAA rules. Dismissing the nurse immediately is not my choice: she is an honest employee of the organization, which is why this complicated patient was assigned to her care in the first place. She will therefore not be dismissed immediately, and management will wait for the risk assessment results before deciding on further action.
Conclusion
Protecting patients' autonomy and privacy is the first and most important priority of any health care facility. In the United States, HHS implements the Health Insurance Portability and Accountability Act of 1996 through the Privacy, Security and Breach Notification Rules. These rules have been revised several times, notably by the HITECH Act of 2009, which added the breach notification requirements that now apply to health care facilities throughout the country. In this assignment, acting as privacy officer, I had to assess an incident and determine whether it violated HIPAA. A nurse unintentionally violated HIPAA by disclosing a patient's identity to her daughter, which harmed the patient because the whole community learned of her condition. I determined that the act was a HIPAA violation and examined it against the hospital's own rules and regulations. I then described the similarities and differences between the hospital's stance and the HIPAA rules. Finally, I explained my decision to place the nurse on administrative leave rather than dismiss her immediately, with reasoning grounded in the HIPAA enforcement provisions.
References
American Society of Health-System Pharmacists. (2012). ASHP statement on use of social media by pharmacy professionals: developed through the ASHP pharmacy student forum and the ASHP section of pharmacy informatics and technology and approved by the ASHP Board of Directors on April 13, 2012, and by the ASHP House of Delegates on June 10, 2012. American Journal of Health-System Pharmacy, 69(23), 2095-2097. https://www.ajhp.org/content/69/23/2095.short?sso-checked=true
El Emam, K. (Ed.). (2013). Risky Business: Sharing Health Data while Protecting Privacy, 1st Edn, pp. 124-234, Trafford Publishing. https://books.google.co.in/books?hl=en&lr=&id=D91RR3dDlr0C&oi=fnd&pg=PR5&dq=HIPAA+rules+&ots=PqpeEnsWdj&sig=LZsTp_XVHtiE2TRlda0IM_id684
HHS. (2018). Summary of the HIPAA Privacy Rule. HHS.gov. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HIPAA (2018). Reality of HIPAA Violations and Enforcement – HIPAA.com. HIPAA.com. Retrieved from https://www.hipaa.com/the-reality-of-hipaa-violations-and-enforcement/
Malin, B. A., El Emam, K., & O'Keefe, C. M. (2013). Biomedical data privacy: problems, perspectives, and recent advances. Journal of the American Medical Informatics Association, 20(1), 2-6. https://academic.oup.com/jamia/article/20/1/2/2909264
Rodrigues, J. J., De La Torre, I., Fernández, G., & López-Coronado, M. (2013). Analysis of the security and privacy requirements of cloud-based electronic health records systems. Journal of Medical Internet Research, 15(8). https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3757992/
Trinckes Jr, J. J. (2012). The definitive guide to complying with the HIPAA/HITECH privacy and security rules, 1st Edn, pp. 35-57, CRC Press. https://books.google.co.in/books?hl=en&lr=&id=QIDkVW7SN80C&oi=fnd&pg=PP1&dq=HIPAA+rules+violation+&ots=BVYAHxUHD3&sig=nHampcNoeKqjKvQIiMtexDp2ahY#v=onepage&q=HIPAA%20rules%20violation&f=false
Wang, C. J., & Huang, D. J. (2013). The HIPAA conundrum in the era of mobile health and communications. JAMA, 310(11), 1121-1122. https://jamanetwork.com/journals/jama/article-abstract/1732507?redirect=true