Prompt and Action Plan: Privacy and Confidentiality


Compliance Violations

There were several compliance violations in the case, but three of them were particularly significant. The first violation concerned a USB drive being left unattended in the IT department and exposed to the view of other people through an open door. Such a situation demonstrates a breach of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires covered entities to implement physical safeguards, including device and media controls, for any electronic device that may contain electronic protected health information (ePHI). Essentially, an unauthorized person could have stolen the USB drive and gained access to patients' information.

Another situation described in the case involved patients' vital signs logs once again being left for everyone to see in the staff break room. This, too, constitutes a HIPAA violation. Strictly speaking, the Security Rule applies only to ePHI, so paper logs fall under the Privacy Rule's requirement that covered entities maintain reasonable safeguards for all protected health information; the obligation is the same, namely that PHI must not be left where it can be read by anyone who should not have access to it. Finally, the third situation concerned the same USB drive being left unattended for a prolonged period of time. HIPAA requires that all electronic devices and media holding ePHI be stored in secure locations (Pozgar, 2019). Yet, in the current case, the door to the room with the USB drive was open, and there was a chance it could be accessed by an unauthorized person.

Regulatory Stakeholders

The Joint Commission is the primary body responsible for conducting assessments and granting accreditation to ABC Health Systems (AHS). The Joint Commission evaluates healthcare organizations to ensure that they comply with the standards required for providing medical services under Medicare and Medicaid. Although the Joint Commission has no authority to assess hospitals' compliance with HIPAA, it has its own requirements which reflect the law's provisions. For instance, according to the Joint Commission standards, hospitals must maintain the security and integrity of protected health information in the absence of staff by using locking mechanisms ("Medical," 2020).

Failure on the part of AHS to comply with these standards may cost it its accreditation and, with it, its ability to participate in Medicare and Medicaid. The Office for Civil Rights (OCR) of the Department of Health and Human Services is the main government body responsible for enforcing HIPAA compliance ("HIPAA," n.d.). The agency also allows individuals to file complaints against hospitals if they believe that their HIPAA rights have been violated. Moreover, individuals can complain to the state Board of Medicine. As a result, hospitals may face penalties if they breach the HIPAA rules.

Patient and Provider Rights

As stated earlier, the aforementioned violations concern failure to comply with the HIPAA standards. According to the law, providers have to ensure that patients' medical records are stored in a secure location where they cannot be accessed by any unauthorized individual. HIPAA clearly states that covered entities have to implement administrative, physical, and technical safeguards to prevent electronic records from being compromised. Hospitals are responsible for storing all sensitive information out of sight of people without official access to it and for installing mechanisms such as locked file cabinets and ID cards ("Policy," n.d.). Patients have a right to file a complaint against entities and individuals who fail to deliver on the responsibilities outlined in the law.

Patients also have a right to access their personal records, to request amendments to them, to receive a notice of privacy practices describing how the hospital may use and disclose their health information, and to request an accounting of the disclosures the hospital has made. Patients have responsibilities as well, since they have to provide accurate information on their health status, insurance, address, and telephone number. Under HIPAA, hospitals may face civil fines for violations, and individuals who knowingly obtain or disclose protected health information may be held criminally liable.

Compliance and Risk Management Factors of the Medical Records

Organizations which provide medical services have to implement mechanisms and safeguards capable of maintaining the security and integrity of medical records and protected health information. The issues common to the three situations include free access to areas which should be inaccessible to unauthorized people. Additionally, an electronic device which could potentially store protected information was left unattended.

Finally, patients' medical records were also left without proper monitoring and not locked in a cabinet. All of these situations constitute risk management challenges, since each involves considerable exposure of sensitive information to the threat of access by a person without any authorization. Thus, the organization ultimately failed to comply with the regulations and did not deliver an appropriate level of security on its premises. At any moment, a person with malicious intent could easily have accessed the patients' information and left unnoticed. It is clear that the organization must first conduct a risk assessment to identify the vulnerabilities in its infrastructure and protection mechanisms, and then implement measures to reduce those risks to an acceptable level.

Plan of Action

1. Conduct a risk analysis. Any organization subject to HIPAA has to conduct a risk analysis to identify all vulnerable areas concerning protected health information.
2. Provide training. Staff members have to be familiar with their HIPAA responsibilities and liabilities and must be instructed on the proper conduct when handling patients' records.
3. Introduce physical safeguards. The hospital has to implement special procedures and mechanisms, such as electronic ID cards, which limit unauthorized access to areas that contain protected health information.
4. Encrypt all devices. Every portable device and removable medium that can hold ePHI, such as USB drives and laptops, has to be encrypted at rest.
5. Appoint a risk manager. A risk manager will be responsible for overseeing the implementation of appropriate security measures.

The plan of action for the organization has to include five major steps which will allow it to ensure successful protection of patients' information. The organization must conduct routine risk analyses to have a clear understanding of its vulnerabilities (Vanderpool, 2019). The procedure must involve investigations of complaints made by both employees and patients, as well as inspections of the areas particularly vulnerable to violations. The person in charge of risk management has to keep a record of all conducted inspections and report to the hospital's top management. Additionally, all employees have to receive instructions on how they should handle protected information.

Every staff member has to understand which premises they cannot access and how they must use patients' protected health information. Physical safeguards, including ID cards, have to be introduced to restrict access to certain areas (Shay, 2017). Badge-controlled doors which automatically deny entry to anyone whose ID is not authorized for that area are an effective way to prevent the kind of unattended-room exposure seen in this case, provided that doors are not propped open and access logs are reviewed. The organization also has to encrypt all devices such as USB drives and laptops; an encrypted drive that is lost or stolen does not expose its contents, and under HHS breach notification guidance data encrypted according to that guidance is not treated as unsecured PHI. Finally, the organization must appoint a risk manager responsible for the implementation of the action plan.


References

HIPAA enforcement. (n.d.). Health Information Privacy. Web.

Medical record – security. (2020). The Joint Commission. Web.

Policy & guidelines for physical security. (n.d.). Yale University. Web.

Pozgar, G. (2019). Legal aspects of health care administration (13th ed.). Jones & Bartlett Learning.

Shay, D. (2017). The HIPAA security rule: Are you in compliance? Family Practice Management, 24(2), 5–9.

Vanderpool, D. (2019). HIPAA compliance: A common sense approach. Innovations in Clinical Neuroscience, 16, 38–41.
