QUESTION
Legal & Regulatory Issues in Health Information
Selected Topic
HIPAA privacy and security rules. Audience: all healthcare organizational employees
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information. It gives patients more control over their health information. It sets boundaries on the use and release of health records.
Why is HIPAA important to privacy and security? Because it establishes information security standards that all healthcare organizations must adhere to. HIPAA compliance ensures covered entities understand and take steps to prevent the risks that could compromise patient data.
So, in summary, what is the purpose of HIPAA?
- To improve efficiency in the healthcare industry
- To improve the portability of health insurance
- To protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.
Training Manual Assignment
Every organization has the responsibility for training employees to ensure that they do their jobs properly, effectively and have the knowledge they need to operate in the work environment and company culture. Training programs are resources that strengthen employees and develop employee skills needed to fulfill their obligation to the organization successfully. Healthcare organization training programs present learning and development opportunities in areas like compliance and risk management, ethics, HIPAA, malpractice, social intelligence, teamwork and team building, interpersonal skills, computer ethics, and diversity and inclusion. For this assignment students are expected to develop a training manual to guide employees in one of the areas mentioned in the assignment instructions. Your training manual should also include an outline of the materials included and a timeline detailing when the training will be provided.
Week 2: Course Project Topic Submission (40 points)
Select a topic from the list below or present a topic of your own to your professor for approval.
Your professor will approve topics following assignment submission.
Training Topics:
- Organizational compliance with privacy and confidentiality regulations. Audience: all organizational employees
- Legal and ethical implications of medical abandonment for clinical staff and organization. Audience: clinical staff (physicians and nurses)
- Role of advance directives in treatment and end-of-life healthcare decisions. Audience: clinical staff (physicians and nurses)
- HIPAA privacy and security rules. Audience: all healthcare organizational employees
- Informed consent in emergency situations. Audience: emergency room staff (clinical and administrative)
- Minimizing malpractice cases with proper medical record documentation. Audience: clinical staff (physicians and nurses)
- Legal and ethical considerations in the implementation and maintenance of an electronic medical record. Audience: HIM and IT departments
Submit your topic with a brief explanation of the topic. Do research and begin writing the training manual.
Week 5: Course Project Outline Submission (40 points)
Begin working on your training manual. You are responsible for ensuring academic integrity and citing all references in APA format.
Research the specific legislation (state and/or federal) that is clearly related to the topic and audience.
Conduct other professional and academic research and apply course readings, as needed.
See the DeVry Library – Professional References document located in the Course Project – Training Manual folder in the course Files.
Based on your research findings, scope, and depth of the intended manual, determine what key areas you plan to discuss in your training.
Identify how your training manual could be used in conjunction with a risk management program in healthcare.
Develop and submit the training manual outline, detailing the items that will be covered in your training manual.
Utilize the Course Project Outline template (https://devryu.instructure.com/courses/84450/files/12841230?wrap=1) (https://devryu.instructure.com/courses/84450/files/12841230/download?download_frd=1), also located in the Course Project – Training Manual folder in the course Files.
Week 8: Final Training Manual Submission (120 points)
Submit the training manual.
Requirements
Content
Although the Course Project Training Manual will be written as an academic paper in Microsoft Word, it is really a training manual for the identified audience. The intent is that students can present this training manual to a potential employer for interview purposes upon graduation.
While creating your training manual be sure to include internal and external forces impacting your topic. For example, specific state and/or federal statutes, accreditation standards, regulations, risk management, organizational policies and procedures, and other applicable legal processes.
The original content must:
(1) be supplemented with specific legislation (state and/or federal statute, regulation and/or legal guidance) that is clearly related to the selected topic and audience, and
(2) incorporate a minimum of four professional references. Keep in mind that paid or politically motivated legal sources are not authorized for the purpose of this assignment.
Example References:
- A state or federal governmental source to support specified legislation (must be .gov if using internet source) – Required
- The current course textbook
- A peer-reviewed journal from DeVry’s online library databases
- Scholarly or professional source such as AHIMA, HIMSS, etc.
Formatting
The training manual must be five to seven full pages in length (excluding title and reference pages), double-spaced, in third person, and formatted according to APA guidelines. Please see DeVry’s research, writing, and APA resources in the Student Resources section for further guidance.
At minimum, the following content must be included and written in third person.
Title page: Include the title of the paper, the author, the university name, a running head, and page numbers.
Table of contents: List the main heading sections of the paper and the pages where they are located.
Introduction: Introduce the topic or issue to your audience, give overview of the training, and describe what the manual entails. The introduction also previews the main ideas and the order in which they are covered and establishes a tone of the document.
Training objectives: Explain to the audience the objectives and outcomes of the training and why it is required.
Training schedule: Identify the individual responsible for conducting the training and any required professional credentials they must hold. List who must attend the training by job role/title and when they must attend (new hire, annual, as required (identify when it is required)).
Body (using proper APA headings): The body will encompass the actual training and must start off with an introduction and overview of the legislative, regulatory, or legal foundation (authority) for the training, including citation to all HIM, legal, and ethical sources. It may include original graphics, flow charts, and so on to illustrate content and resources that the employee would need to be compliant with the topic. Break out the main ideas using applicable APA headings when the topic has changed. State the main ideas, highlight major points in each idea, provide evidence, and include the information you found during your research and investigation. Identify how your training manual could be used within a Risk Management program.
Conclusion: The conclusion should synthesize rather than introduce new material or repeat the main ideas verbatim unless there is a rephrasing of the thesis. The conclusion should recap what the audience is to gain from the training.
APA reference page: Use the citation format as specified in the Syllabus, which is APA. All resources cited in the body of the paper must be included on the reference page.
Additional Requirements
Other requirements include the following, with additional guidance outlined in the DeVry Library APA Resources (http://library.devry.edu/apa.html).
All margins in APA format are one inch.
It must be written in third person using academic language from the perspective of a health information management professional.
It must be double-spaced, with 12-point font, and must include page numbers and applicable APA headings to delineate major and/or required topics.
A minimum of four references is required as noted above (anonymous authors, blogs, and paid sites or web pages are not acceptable), listed on an appropriately formatted APA reference page.
All DeVry University policies are in effect including the Academic Integrity policy.
All content must be original for this course and each student. The resources should not dominate the content and be no more than 20% of the overall project. Turnitin may be used to identify the percentage of originality in each student’s submissions.
Any questions about this assignment may be discussed in the Course Q & A Forum. A course project template in APA 7 format (APA 7th Edition Course Project) may also help with starting the Week 8 course project training manual.
ANSWER
Legal & Regulatory Issues in Health Information: HIPAA Privacy and Security Rules
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 and fully implemented in 2003. Since then, the Act has had a significant impact on healthcare organizations. The complexity of the regulations contained in HIPAA makes training a much-needed step for a healthcare organization seeking to improve the delivery of care. These regulations are contained in the Act’s five titles, and training on them aims to familiarize the members of a healthcare organization with the privacy and security protections the law provides for patients’ medical records. Among the core functions of HIPAA is to provide rules on the disclosure and sharing of protected health information (PHI). The HIPAA Security Rule complements the Privacy Rule, and covered entities must implement physical, administrative, and technical safeguards to protect the privacy of PHI.
According to the U.S. Department of Health and Human Services (HHS), HIPAA required the HHS Secretary to develop regulations that protect the privacy and security of certain health information. Therefore, the regulatory authority for these rules is HHS, headed by the Secretary, and the audience for this training is all employees of healthcare organizations. This training manual will address specific areas in the HIPAA rules, most especially PHI, and how physical, administrative, and technical efforts can contribute to the protection of PHI’s privacy.
Administrative Safeguards
A. Policies and Procedures
Administrative safeguards refer to efforts by the organization in creating and updating policies and procedures that help employees learn and train sufficiently to protect PHI security. The administrative measures will:
- Train employees on their access rights
- Cover the legal aspects involved in handling PHI
- Explain the sanction policies in place for the discipline of employees who violate the HIPAA provisions
At the same time, these efforts will enlighten the employees and the whole organization regarding information access internally in the workstations, law enforcement, and other legal bodies. The information types contained in the access policies include health records, transactions, and other processes done within the organization.
B. Release of Information
Case scenario: You are in the Release of Information (ROI) section of the hospital, and you are notified that a subpoena has been issued to the hospital with regard to Mr. X’s information. The clerk has told you that the issued subpoena does not have clear information on why they need to access Mr. X’s records. At the same time, the subpoena has been issued by an attorney who has not disclosed the cause for the said action. In this case, you must tread carefully because of the HIPAA privacy and security rules. Therefore, there are important steps you will have to follow to ensure you do not compromise the confidentiality of Mr. X, who might not be aware of the situation. Furthermore, you do not know for sure if Mr. X was a patient in the hospital. At this point, it calls for the review of the HIPAA provisions regarding the release of information.
Most healthcare organizations understand that the patient’s privacy is paramount, lest they face legal battles with the patients and long-term professional scuffle. Therefore, it is their responsibility to ensure that the employees are aware of the HIPAA privacy and security rules. In the case scenario, you have a role to involve the organization in responding to the issued subpoena. First, you have to consider factors relating to who issued the subpoena. Usually, the judge, an attorney, or a court clerk can issue a subpoena by signing it. These are different from a court order and have to be handled differently.
If your organization is a HIPAA-covered provider, you may disclose information to the party issuing the subpoena if the notification requirements of the Privacy Rule are met. However, before responding, you must notify the subject of the information, i.e., Mr. X, about the request for their information. The notification gives the person a chance to either object or respond in another manner. Additionally, as an organization, you have to seek a qualified protective order from the court.
C. HIPAA Versus Family Members, Personal Representatives, and Power of Attorney
HIPAA does not restrict covered entities from sharing or discussing PHI with family members and other involved persons, nor does it require covered entities to give written permission to do so. However, providers need to ask for written consent from patients. If the patient is of sound mind and has the capacity, the health care organization needs to ask them for permission to discuss their health information with others.
A Deceased Person
A deceased person’s PHI needs to be shared with the surviving family members as recognized by the HIPAA privacy rule. At the same time, PHI used for treatment purposes and other circumstances that require authorized disclosure can be shared with the family members.
Children
When it comes to children and their parents, the Privacy Rule will allow a parent to view their children’s medical records if they are minors. In this case, parents act as their children’s personal representatives, consistent with state law or other applicable law. However, there are exceptions under the HIPAA Privacy Rule that exempt the parent from being a personal representative. For instance:
- If the child is in charge of consenting to their care, the parent’s consent is not needed under the applicable state law or any other relevant law.
- When the court appoints a person to be in charge of the child’s care or gives direction as a law body, the parent is also exempted from the personal representative role.
- If the parent agrees to a confidential relationship between the provider and the minor, they cease to be the child’s personal representative.
The Power of Attorney
A power of attorney does not change anything in the Privacy Rule regarding how an individual grants another person the power to influence health care decisions. State law will continue to apply because the intent of the personal representative provisions is to complement, and not change, existing practice regarding healthcare powers. The powers of attorney that do not apply in healthcare are those that serve a function other than health care. These exclusions include a power of attorney to close on real estate, which does not give authority to exercise individual rights under the HIPAA Privacy Rule.
Technical Efforts to Safeguard PHI’s Privacy
A. Encryption and Access Keys
Physical efforts complement technical safeguards because both restrict access. The security established to ensure technical safeguarding of privacy refers to controlled access to computer systems to protect PHI transmitted electronically. Therefore, technical safeguards determine who has the authority to access patient medical records and how they access these records.
Passwords
Because PHI requires safeguarding when it is transferred to another location, encryption is required to ensure the information is not tampered with. The major privacy concern for many organizations is the loss of information or access by unauthorized personnel. Encryption renders the information unreadable until an access key or password is supplied, so it can be used to protect all devices. Therefore, encryption can serve as a second layer of technical safeguards after authorized access to computer systems. However, a third-party program that locks an e-mail text is more powerful than a password.
B. E-Mail Transmission
As a general rule for most healthcare organizations, free and public web e-mail services should not be used to transmit PHI as they are not secure enough. Moore and Frye (2019) recommend cloud-based platforms with a HIPAA-compliant server for sending e-mails. However, these platforms do not control what happens to the e-mail once it leaves the cloud server for the recipient’s mailbox.
Example 1
Ensure that e-mail attachments and any information shared through these cloud-based platforms do not contain PHI. Instead, use electronic health record systems to access information. Otherwise, patient portals can relay any PHI needed.
Example 2
There are extra steps in safeguarding e-mail information by verification and issuing disclaimers for use. The sender is expected to verify who the e-mail is addressed to as the intended recipient, put in correct spellings, and ensure that the e-mail content is compliant with HIPAA privacy and security rules. When the e-mail has clinically relevant information, you, as the sender, should have a printed copy of the same and attach it to the patient’s medical records.
Example 3
Because of the sensitive nature of the information provided in the e-mail, it is advisable to add a disclaimer whenever you send an e-mail. For example, you could include a warning to the recipient not to read the contents of the e-mail if they are not the intended recipient, and also notify them of the presence of PHI. Moreover, you could warn that unauthorized use, copying, disclosure, distribution, or acting on the directions of the e-mail when you are not the intended user is prohibited and has legal consequences. As an extra step, ensure that you ask the recipient to confirm by telephone or return e-mail that they have received the e-mail, or to raise any concerns with it.
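The three examples above (no PHI in attachments sent through web platforms, sender-side verification of the recipient, and a disclaimer on every message) can be turned into a pre-send policy check. The following Python script is an added illustration and is not part of the original manual: the list of public web-mail domains, the PHI indicator patterns, the disclaimer phrase and the two sample messages are all constructed for the example, and a real deployment would take them from organizational policy.

```python
"""Pre-send policy check for outbound e-mail that may carry PHI (added example)."""
import re
from dataclasses import dataclass, field

# Constructed list of free/public web-mail domains that policy forbids for PHI.
PUBLIC_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed PHI indicators: an SSN-shaped number, a medical record number
# label, and a date-of-birth label. Real detectors use richer dictionaries.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

# Phrase the confidentiality disclaimer must contain (constructed policy value).
REQUIRED_DISCLAIMER = "intended recipient"


@dataclass
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> text content
    recipient_verified: bool = False  # sender confirmed the address by phone/return mail


def find_phi(text):
    """Return the sorted names of PHI indicators found in `text`."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def check_outbound(mail):
    """Return a list of policy findings; an empty list means the mail may be sent."""
    findings = []
    domain = mail.recipient.rsplit("@", 1)[-1].lower()
    body_phi = find_phi(mail.body)
    attach_phi = {name: find_phi(text) for name, text in mail.attachments.items()}
    any_phi = bool(body_phi) or any(attach_phi.values())

    # Rule 1: PHI must not travel to free/public web-mail services.
    if any_phi and domain in PUBLIC_WEBMAIL_DOMAINS:
        findings.append(f"public-webmail-domain:{domain}")
    # Rule 2 (Example 1): attachments must not contain PHI; use the EHR or portal.
    for name, hits in attach_phi.items():
        if hits:
            findings.append(f"phi-in-attachment:{name}:{','.join(hits)}")
    # Rule 3 (Example 3): every message carries the confidentiality disclaimer.
    if REQUIRED_DISCLAIMER not in mail.body.lower():
        findings.append("missing-disclaimer")
    # Rule 4 (Example 2): the sender verified the recipient before sending PHI.
    if any_phi and not mail.recipient_verified:
        findings.append("recipient-not-verified")
    return findings


# Constructed sample messages for demonstration.
COMPLIANT = OutboundMail(
    sender="him@hospital.example", recipient="dr.smith@hospital.example",
    subject="Follow-up",
    body="Patient MRN: 123456 follow-up scheduled. This message is confidential; "
         "if you are not the intended recipient, do not read, copy or distribute it.",
    recipient_verified=True)

NONCOMPLIANT = OutboundMail(
    sender="him@hospital.example", recipient="someone@gmail.com",
    subject="records", body="see attached",
    attachments={"labs.txt": "DOB: 04/12/1980 SSN 123-45-6789"})

if __name__ == "__main__":
    for mail in (COMPLIANT, NONCOMPLIANT):
        print(mail.recipient, "->", check_outbound(mail) or "OK to send")
```

Run on the constructed samples, the first message passes and the second is stopped with four findings: a public web-mail recipient, PHI inside the attachment, no disclaimer, and an unverified recipient. The check deliberately returns every finding rather than the first one, so the sender sees everything that has to change before the message can leave.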
Procedures, Software, and Equipment
As a concern for security breaches occurring worldwide in corporate environments, it is critical to implement procedures, software, and equipment meant to protect PHI from any compromise or unauthorized access.
Backing Up
In backing up, organizations should seek to incorporate encryption and decryption, even in restoring and transmitting patient information electronically.
Destroying PHI
To maximize privacy and security, organizations should seek to destroy PHI when it is no longer needed for a specific function, following pre-established policies and procedures. However, destroying these documents should be done carefully to ensure they are not readable or decipherable, through methods such as shredding, pulping, and burning. For records stored electronically, overwriting with non-sensitive data is acceptable. At the same time, degaussing and incinerating can help get rid of the files. The U.S. Department of Health and Human Services recommends that healthcare organizations choose appropriate and practical methods to protect PHI technically.
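The "overwriting with non-sensitive data" step for electronic records is shown below as an added Python example; it is not code from the original manual. The sample record it destroys is constructed inline. The verification it performs only shows that the file's current blocks no longer hold the record; on SSDs and on journaling or copy-on-write file systems the old data may survive an in-place overwrite, which is why the preferred control for electronic PHI is encryption at rest with destruction of the key, and why physical destruction remains on the list above.

```python
"""Overwrite a file in place, verify, then delete it (added example)."""
import os
import tempfile


def overwrite_and_delete(path, passes=2):
    """Overwrite every byte of `path`, fsync after each pass, verify, unlink.

    Returns a dict with the byte count, the number of passes, whether the
    read-back after the final pass contained only zeros, and whether the
    file still exists (it should not)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            fh.seek(0)
            # Random data on the early passes, zeros on the last pass.
            fill = os.urandom(size) if i < passes - 1 else b"\x00" * size
            fh.write(fill)
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite through the page cache
        fh.seek(0)
        after = fh.read()
    overwritten = after == b"\x00" * size
    os.remove(path)
    return {
        "bytes": size,
        "passes": passes,
        "overwritten": overwritten,
        "exists": os.path.exists(path),
    }


# Constructed sample record; the values are placeholders, not real PHI.
SAMPLE_RECORD = b"MRN: 123456\nName: J. Doe\nDOB: 04/12/1980\nDx: follow-up\n"


def demo():
    """Write the constructed record to a temp file and destroy it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "record.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    result = overwrite_and_delete(path, passes=3)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The function reads the size first rather than the content, so it never needs to hold the record in memory, and it fsyncs after each pass so the overwrite is actually sent to the storage device before the next pass starts. The returned dict is what a disposal log entry would record: how much was destroyed, how, and that the verification passed.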
Physical Efforts to Safeguard PHI’s Privacy
The safeguard procedures in this category address the physical settings in which PHI must be protected, such as a location, file, building, or secured area.
A. General Access Badges
The facility must ensure that access is managed by putting measures in place like authorized and monitored access and termination of access for individuals no longer part of the organization. By limiting physical access, Moore and Frye (2019) agree that it will limit the chances of a privacy breach to other important parts of the organization.
B. Materials Moving in and Out of the Organization
Materials moved into and out of the facility, like copiers and electrocardiogram machines, should undergo supervision before they are moved. The organization needs to have access badges for all employees and personnel handling any material within the facility. Access badges are also important as they have the same nature as passwords and need safeguarding from breaches. Otherwise, secure and restricted areas will likely be compromised within a healthcare organization, thereby threatening PHI and possible legal consequences.
C. Isolation and Data Backups
According to Andriole (2014), isolation of computer devices and data backups are the most crucial steps towards ensuring physical safeguards of PHI’s privacy. Nonetheless, giving direct access to authorized personnel only, maintaining copies of information, laying down emergency contingency protocols, and disposing of devices properly also contribute to the physical measures against violating PHI’s privacy (Andriole, 2014).
Physicians are positioned to protect their patients from any form of harm, and that extends to safeguarding their health information in all possible ways. This is a joint function of both practitioners and other stakeholders, who might be subject to the aftermath of any breach of patient health records confidentiality. Therefore, it is advisable to lay physical guidelines regarding handling materials with information, access to records storage rooms, and exchange of physical information between physicians regarding patients.
Conclusion
HIPAA provides a methodological risk analysis tool to guide covered entities and their business associates in identifying and understanding risks to privacy and security of Protected Health Information physically, technically, and administratively. Additionally, HIPAA helps healthcare organizations identify gaps in their HIPAA compliance and analyze the nature and seriousness of these risks and gaps to healthcare, especially in privacy matters (Kels, 2020). Therefore, the HIPAA Privacy and Security Rules can work in conjunction with risk management programs in healthcare to ensure that any perceived risks are managed in time and prevent healthcare privacy crises (Blanke and McGrady, 2016).
The security rule contained in the risk management programs is significant in the HIPAA Privacy Rule as it protects a subset of the information contained in the latter rule. The Security Rule also protects individually identifiable health information created, received, and maintained or transmitted electronically by the hospital as a covered entity. In the Security Rule, this information is known as the e-PHI or electronically protected health information (Kels, 2020). When the physical, technical, and administrative safeguards are done collaboratively, they ensure there is security and privacy of the physical and electronic PHI.
In summary, this training manual will help the whole organization understand the three safeguards, i.e., physical, technical, and administrative safeguards against a possible breach of PHI. At the same time, the organization will understand how HIPAA’s privacy and security rules can work in conjunction with risk management programs to ensure compliance, safety, and assurance of patient information protection and avoidance of future compromise.
References
Andriole, K. P. (2014). Security of Electronic Medical Information and Patient Privacy: What you Need to Know. Journal of the American College of Radiology, 11(12), 1212-1216.
Blanke, S. J., & McGrady, E. (2016). When it Comes to Securing patient health information from Breaches, your Best Medicine is a Dose of Prevention: A Cybersecurity Risk Assessment Checklist. Journal of Healthcare Risk Management, 36(1), 14-24. https://doi.org/10.1002/jhrm.21230
Kels, C. G. (2020). HIPAA in the Era of Data Sharing. JAMA, 323(5), 476-477. https://doi.org/10.1001/jama.2019.19645
Moore, W., & Frye, S. (2019). Review of HIPAA, Part 1: History, Protected Health Information, and Privacy and Security Rules. Journal of Nuclear Medicine Technology, 47(4), 269-272. https://doi.org/10.2967/jnmt.119.227819
U.S. Department of Health and Human Services. (2020). Court Orders and Subpoenas. https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html
