Healthcare Informatics and Technology
The purpose of this research is to analyze the use of information technology resources and assess their applicability to the United General Hospital. Specifically, the report aims to devise policy statements that address issues related to patients’ healthcare records and align them with HIPAA regulations. The areas requiring updated policy statements are the privacy, security, and disclosure of PHI records, the handling of these records, and their disposal, access, and control. The paper also assesses the risks that are likely to occur when dealing with PHI and identifies the specific areas requiring training, so that employees and staff are conversant with HIPAA rules and regulations and aware of the duties they must perform within the organization to guarantee the integrity and confidentiality of the PHI systems.
Policy Manual Introduction
Patient data, or the health record, is one of the most sensitive types of information and must be protected and secured in a stable system to prevent any loss or leak. Patient record protection is therefore necessary and important to the organization because it helps to maintain the security, confidentiality, and privacy of patients’ health information. Patient health information is of great importance and should not be disclosed to third parties. Maintaining confidentiality, privacy, and security of information helps the organization preserve its dignity and win public trust and loyalty. Protection of patients’ health records also promotes fundamental values within the institution, including personal independence in making personal decisions, respect, dignity, and worth, both for patients as human beings and as participants in the hospital system. Protection of patients’ health information is a legal requirement under federal and state rules and regulations. Rules, regulations, guidelines, and standards for the protection of patients’ health records are provided in the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) Omnibus rule in 2013. Patients must be guaranteed the safety of the personal health information they provide to health professionals. When they are not guaranteed the confidentiality of their information, they have the right to withhold critical information, which could compromise the safety, quality, and outcome of their healthcare experience. Consequently, analyzing the risks that arise from failing to properly protect patients’ health information, and focusing on the legal requirements for protecting such records, is essential for understanding the need for training that informs individuals of the requirements for patients’ data protection. It also gives insight into the development of patients’ health policy and promotes its further understanding.
Apart from being prone to compromise, the United General Hospital’s PHI systems face the following risks and ethical issues of concern.
Inaccurate Patient Information
Inaccurate information increases the liability of clinicians and the organization as a whole, because patient care decisions are made on the basis of the accuracy of patients’ information. There are various causes of inaccurate patient information. Patients’ information records need to be updated regularly to ensure that the system is always current (Taitsman, Grimm, and Agrawal 2013). During transfer, data may be lost or destroyed, resulting in inaccurate information about the patient (Wager, Lee, and Glaser 2017). Another cause of inaccuracy is identity theft within organizations, where patients’ health records are manipulated by changing the victim’s data in the system. As a result, insurance companies could be billed and charged for medical services that were not provided to the actual policyholders. Additionally, the treatment of the actual policyholder could be guided by inaccurate information that was provided neither by the health service provider nor by the patients themselves.
Unauthorized Access to Information
Patients’ health information records should be private and confidential. The systems, whether paper or electronic, should be free of unauthorized access to prevent breaches of the privacy and confidentiality of information (Taitsman, Grimm, and Agrawal 2013). Unauthorized access to information may result in massive data loss and erroneous entries that have significant implications not only for patients’ privacy but also for the organization’s overall privacy and integrity. Unauthorized access compromises the privacy of patients because their data and personal health information are made public or opened to other parties without their consent, which is against the law regarding the privacy and confidentiality of patients’ information (Hoadley et al. 2012). Unauthorized access affects both the electronic health record system and the paper one.
Potential Malpractice Liability
Patients’ health information records are prone to malpractice, especially if they are not well protected. A paper system of patients’ health records can be easily accessed by anybody, especially if the records are not well kept, since no password is required for access, thus subjecting the organization to potential liability arising from such malpractices (Hoadley et al. 2012). The same applies to the electronic health records system. Such liabilities include data loss or destruction, inaccurate data entry, and errors that occur while data are being transitioned from a paper system to an electronic one.
Measures of Reducing Risks
The United General Hospital can avoid the above risks by devising a real-time way of updating its systems to ensure that accurate information is entered into them. To improve the security of the electronic system, the United General Hospital can install firewalls, intrusion detection software, and strong antivirus software to protect the confidentiality of information and prevent malicious damage (Rezaeibagha, Win, and Susilo 2015). The hospital can also adopt strong, specifically developed policies and procedures geared toward maintaining the safety and integrity of the system. Such policies would limit the number of people with authority to access the system and make it clear that employees who have this authority must not share their password or ID with any other party.
Additionally, the United General Hospital can conduct random and regular system audits to determine compliance with hospital standards and HIPAA provisions. The hospital should make use of audit trails to monitor system activity and identify potential intrusions in order to ensure the integrity and confidentiality of the system. The hospital should also focus on providing training to the clinicians and ensuring their constant engagement, as they are the people who will be interacting with the system (Wager, Lee, and Glaser 2017). Training will also equip them with relevant knowledge that will help them use the system effectively, thus reducing the chances of making errors.
United General Hospital Access and Disclosure of PHI Policy Statement in Compliance with HIPAA
The following policies, procedures, and provisions are the guiding parameters for the transfer, release, provision of access to, or exposure of any form of patients’ health information to any party that is not an employee of United General Hospital.
- PHI is accessible only to a limited number of employees, as required by HIPAA: those who work directly for the United General Hospital, with their access limited to their job description, or who require such access to perform their duties. Such employees do not have the authority to access the PHI of their family members or relatives (McDavid, 2013). If they wish to access and copy the PHI of their relatives, they have to seek relevant authorization from their seniors. Access to personal PHI must follow the relevant procedures and guidelines.
- An authorization satisfying all HIPAA requirements may permit the disclosure of PHI for any purpose. However, all uses and disclosures must be consistent with the terms and conditions of such authorization.
- PHI may be disclosed without the patient’s consent, but only for the legal and public policy purposes established by HIPAA. Such disclosures remain subject to the United General Hospital’s PHI use and disclosure requirements and procedures. Situations that permit disclosure include law enforcement investigations, judicial proceedings, public health activities, limited research, specialized government functions, and eye or tissue donations.
- PHI disclosure within the United General Hospital is subject to the minimum necessary standards for the accomplishment of the intended purpose of disclosure as guided by HIPAA.
- With the assurance from business associates about their commitment to maintaining the security of the information obtained, the United General Hospital may disclose PHI. However, in such instances, privacy officers must be contacted to give authorization, after determining the credibility of the contract.
- The United General Hospital may release de-identified information in compliance with HIPAA requirements. However, this can happen only after the hospital ascertains that the risk involved in sharing such information is minimal and that the information will not be combined with other information to re-identify the patient. This can be ensured by having an expert conduct a review and advise accordingly.
- Unless otherwise stated, PHI may not be removed from the United General Hospital premises. If, under special circumstances, a third party is required to transport such PHI, the vendor must be licensed by the state to carry out such courier services and must be legally bound in case of a breach of the service agreement.
Training Areas for Accessing and Disclosing Information
According to HIPAA, not everyone should be trained on accessing and disclosing information, and the training should be designed so that employees are able to carry out their duties. Therefore, employees within the same organization may be trained differently. The United General Hospital will focus the training of its employees on the following topics in relation to access and disclosure of information (Reddy and Aggerwal 2015). They include, but are not limited to:
- identification of PHI;
- knowledge of the minimum necessary rules;
- the rules and conditions as to when, where, and how PHI can be disclosed;
- the significance of and need for the confidentiality of PHI;
- the importance of trust and integrity, especially for those who have the authority and right to access PHI;
- the rights of patients and their authorization to access PHI;
- business associates’ obligations when seeking access to PHI.
Additionally, everyone must be trained on the consequences of not complying with HIPAA rules, regulations, and compliance standards.
Alignment with the Regulatory Requirement
HIPAA Regulations and Requirements
Covered entities are required to implement relevant and appropriate administrative, technical, and physical safeguards to protect and guarantee the privacy of PHI. This means that the hospital must have relevant rules and regulations in place that are aligned with HIPAA requirements. The implemented rules should guarantee the safety of patients’ information and regulate the disposal of such PHI (Koontz, 2015). The United General Hospital’s problem was that it had inadequate rules and regulations for the handling of PHI and its subsequent disposal.
HIPAA rules and regulations require that privacy be binding for all forms of PHI, both electronic and paper. The regulations extend to provisions on the disposal of such information. PHI may be disposed of after a given period of time, and even as the information is being disposed of, the rules and regulations governing such disposal must be followed. According to McDavid (2013), under HIPAA provisions employees must also receive relevant training on the rules governing the disposal of such information. Since HIPAA rules do not provide specific guidelines on the disposal and handling of such information, the organization itself should provide these rules and regulations. In doing so, the organization will have to consider the risks that could arise from the mishandling of patients’ information. Special attention should be given to information that may lead to identity theft, such as patients’ names, social security numbers, driver’s license numbers, and debit or credit card information.
HIPAA rules provide guidance on the disposal of PHI paper records, which may be disposed of by burning, shredding, pulping, or otherwise destroying the records so that the PHI cannot be read or reconstructed. PHI cannot be disposed of in a dumpsite or at any other point that the public or any other unauthorized person could access. However, PHI may be disposed of in a locked dumpsite that can only be accessed by authorized persons. HIPAA regulations allow covered organizations to engage a business associate to dispose of records on their behalf (McDavid, 2013). Nonetheless, such vendors must enter into a contractual agreement with the organization, and the organization disposing of PHI must keep the records in a secured area until they are picked up by the vendor.
Areas Breaching the HIPAA Regulations
The United General Hospital failed to meet all the stated provisions by not having an adequate policy addressing PHI handling and disposal. There is a need to update the hospital’s existing rules and align them with HIPAA regulations to reduce the risks associated with such sensitive information (Alqahtani, 2017). The United General Hospital failed to dispose of PHI properly, which is a violation of HIPAA provisions, and it was therefore liable for risks that could occur due to improper disposal methods.
The hospital did not have appropriate disposal and handling policies, and it was not strict about who should access the PHI, which is against HIPAA regulations. The hospital also lacked an appropriate disposal mechanism, as it did not shred or otherwise destroy paper PHI, meaning that the sensitive information remained readable, which is also against HIPAA regulations (McDavid, 2013). The hospital also failed to hire a business associate to dispose of the records on its behalf and neglected its duty of maintaining the security, privacy, and confidentiality of PHI.
Policy Statements in Relation to Handling and Disposing of Patients’ Information Records
In addition to maintaining the privacy, confidentiality, and safety of PHI, the following provisions ensure that the handling and disposal of patients’ health information, whether maintained in electronic or paper form, are conducted in a manner that is safe and consistent with HIPAA provisions.
Procedures for Discarding Paper Materials
- The United General Hospital will have containers that are lockable and secure to use for collecting the materials that are supposed to be discarded.
- The lockable containers will be strategically placed so that authorized users will have easy access to them.
- All materials to be disposed of that contain PHI and any other sensitive information will be placed in lockable containers awaiting disposal.
- No other materials other than those containing PHI and other types of sensitive information will be placed in the lockable containers.
- The discarded materials in the lockable containers will only be handled by authorized personnel.
- The materials discarded in the container will be emptied at regular intervals. However, in case the containers are filled before the emptying period, security personnel and the privacy officer will coordinate the emptying process.
- If material is placed in a lockable container by mistake, security personnel will be notified so that arrangements can be made for its removal.
Procedures Guiding Discarding of Electronic Materials Containing PHI
- When computers or any other magnetic storage media are taken for repair or service, the storage components holding PHI must be removed by a person authorized to handle them before the items are moved.
- Unless adequate information security standards are determined and guaranteed by authorized IT experts, PHI will not be stored on any portable device or media, such as laptops, desktops, computer storage media, and hard drives.
- Destruction and disposal of the materials containing PHI contents will be handled only by authorized privacy officers.
- It is the obligation of the United General Hospital to review these policies and procedures from time to time to keep them relevant and in line with HIPAA regulations.
- Finally, the United General Hospital’s coalition partner has the individual responsibility of making the necessary internal arrangements to implement the policy and ensure full compliance and accountability.
Training of the workforce on the ways and means of disposal of information is one of the key HIPAA requirements. However, HIPAA does not provide specifications regarding who should be trained and in what areas it should be done. It is the responsibility of the organization to determine which employees to train and in what areas, depending on its needs. The United General Hospital will train its employees on the ways and means of disposing of PHI. Specifically, they will be trained on the requirements and regulations as provided by HIPAA. The employees to be trained are those that are directly involved in the disposal of PHI materials. Training will also be offered to those responsible for the supervision of the disposal process and to the volunteers who wish to be involved in the material handling and disposal. Areas to focus on are the discarding procedures where the materials are awaiting destruction. They will also be trained and enlightened on the policies guiding the disposal process.
Management should be in a position to devise the right mechanism to govern access to electronic PHI. Such a mechanism should have emergency access enabled. It should restrict access, granting it only to the limited set of employees who deal directly with PHI and to privileged entities (Taitsman, Grimm, and Agrawal 2013). Additionally, the mechanism should support various types of access control, including, but not limited to, unrestricted access control, mandatory access control, time-of-day access control, classification access control, and subject-object separation access control.
Management should make it clear that access to the PHI system is granted only to people who have been authorized to have direct access to it. When issued a password to the system, no worker should share that password with others, in order to prevent malicious damage, erroneous entries, and any other form of tampering with the data (Rezaeibagha, Win, and Susilo 2015). Management should therefore place more emphasis on the importance of maintaining a high level of privacy regarding patients’ health information.
Management and employees are individually and collectively responsible for maintaining the security and privacy of PHI records. They should engage in a process of creating an organizational culture that respects and values the patients’ right to privacy, shaping an environment that will facilitate the maintenance of the privacy of PHI (Koontz, 2015). The organizational culture must also pay attention to the access and control measures that have been put in place by the management.
Policy Statement for Role-Based Security Access to Patients’ Records
The employees play different roles in the organization, meaning that there is a need for access to PHI records for varying reasons. The amount and level of access to PHI records is limited to the extent that will enable the workers to perform their duties effectively.
- Employees will have unique usernames and passwords, assigned according to their roles, which will be used to grant them access to patients’ records.
- The usernames will be used to segregate users by their roles, and they will determine the extent to which they can have access to PHI.
- The password should be created in compliance with HIPAA requirements; a strong password should contain uppercase and lowercase letters, and numbers, be at least eight characters in length, and have some special characters.
- Passwords and usernames will not be shared among the employees, and each employee will be responsible for maintaining the security of their passwords, as they are private and confidential.
- When an employee is logged in to the records and is escorting a patient or another member of the hospital, the logged-in window must not be left visible or shared, so that other employees and patients present cannot gain access to it.
- Access to certain programs and software is limited to a few employees who have been authorized. It is important because it will reduce the chances of malware entry and possible damage to the system.
- For users who change their responsibilities, access privileges will be changed accordingly. For those who terminate their employment with the hospital or otherwise retire from the employment, access will be terminated with immediate effect.
- The assigning of usernames and passwords will be centralized and will be determined by the system administrator who will be in charge of resetting the employees’ passwords in case users forget them or their usernames.
Setting Security Levels for Accessing Patients’ Records
Setting high security levels for accessing patients’ records is paramount for maintaining the optimal security and safety of the system. Different organizations use various methods of setting the security levels that govern access to patients’ records.
The first important element is creating unique usernames and passwords, which are given to those limited employees who have the privilege to access the system. Usernames and passwords ensure that the system can only be accessed by people who have been given the authority to do so by the organization (Gonzalez et al. 2012).
Another method is limiting the number of times a password can be attempted. HIPAA states that a good system should allow a maximum of five password attempts. This serves to prevent malicious password-guessing access to the system. If the number of attempts exceeds five, the administrator is notified of attempted malicious access to the system (Gonzalez et al. 2012). HIPAA requires that organizations have security and privacy officers; in most cases, however, organizations prefer to have one officer performing both duties. Additionally, it is important to have a system with an email alert capability, set up so that the owners of information are notified of any attempted change to data made without their consent or awareness. Finally, organizations can adopt a web-based access management solution, which facilitates the implementation of role-based access control. According to Laureate Education (2016), a web-based access system supports the system within the intranet, portals, and extranet, monitors the exchange infrastructure, and protects the servers and directories, among other files.
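The role-based access policy statements and the five-attempt limit described above, as an added example that is not the hospital’s or the paper’s own code: a small Python model of centrally administered, role-based access to patients’ records. The role names, their permissions, and the administrator-alert callback are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # lockout threshold from the policy above

# Constructed example roles; a real deployment would take these from policy.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical"},
    "nurse": {"read_clinical"},
    "billing": {"read_billing"},
}


def password_meets_policy(password: str) -> bool:
    """Upper- and lowercase letters, a digit, a special character, at least eight characters."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


@dataclass
class User:
    role: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    active: bool = True


class AccessControl:
    """Centralised account administration, as the policy assigns to the system administrator."""

    def __init__(self, notify_admin):
        self.users = {}                 # username -> User
        self.notify_admin = notify_admin  # callback, e.g. an email alert (assumed)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so stored credentials are never plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create_user(self, username: str, role: str, password: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self.users[username] = User(role, salt, self._hash(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or not user.active or user.locked:
            return False
        if hmac.compare_digest(self._hash(password, user.salt), user.pw_hash):
            user.failed_attempts = 0
            return True
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:  # lock and alert the administrator
            user.locked = True
            self.notify_admin(f"{username}: {user.failed_attempts} failed logins, account locked")
        return False

    def is_permitted(self, username: str, action: str) -> bool:
        user = self.users.get(username)
        if user is None or not user.active or user.locked:
            return False
        return action in ROLE_PERMISSIONS[user.role]  # role decides the extent of access

    def change_role(self, username: str, new_role: str) -> None:
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        self.users[username].role = new_role  # privileges follow the new responsibilities

    def reset_password(self, username: str, new_password: str) -> None:
        # Administrator-initiated reset; also clears a lockout.
        if not password_meets_policy(new_password):
            raise ValueError("password does not meet the complexity policy")
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = self._hash(new_password, user.salt)
        user.failed_attempts, user.locked = 0, False

    def terminate(self, username: str) -> None:
        self.users[username].active = False  # access ends with immediate effect
```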
Information technology has become one of the key adoptions in the health industry over the past decades. Most organizations have transitioned from a paper system to an electronic one, which requires proper management to maintain the privacy, security, and confidentiality of patients’ information. Patients’ information is vital and sensitive, as it is used for making key decisions. HIPAA provides relevant rules and regulations that guide organizations in handling their PHI. HIPAA additionally provides rules on procedures for implementing PHI privacy and security policies, as well as guidance on full compliance. United General Hospital is no exception. The policy statements applicable to the United General Hospital in this case are policies on access to and disclosure of PHI, handling and disposal of the PHI that the organization has kept for too long, and finally the policies on role-based access control of patients’ records. United General Hospital should adopt the recommended policy statements in the specified areas to ensure full compliance and address most of the issues that were not initially addressed, thus achieving the security of its PHI system.