What are the privacy requirements under HIPAA? Explain why confidentiality of health information has been a controversial public policy issue. Give a real-world example. How can health information be better protected? Research and present two real-life strategies that have been successfully implemented within the last five years.
© BrainMass Inc. brainmass.com June 3, 2020, 9:20 pm
Privacy and HIPAA:
High-profile security failures have made privacy protection a top-of-mind issue for many organizations. In some cases, hackers have gained access to online networks and systems. They have stolen personal customer names, addresses, passwords and credit card information. The financial costs of such breaches are often significant, and cost companies tens of thousands to millions. The damage to a company's credibility, trustworthiness, brand and its reputation often costs far more. When we think of cyber risk we tend to think of security breaches, but when we look at it through a privacy lens, the range of risks broadens significantly (Ernst & Young, 2012).
What are the privacy requirements under HIPAA?:
The Privacy Rule:
The Privacy Rule was intended to protect the privacy of all individually identifiable health information in the hands of covered entities, whether or not the information is or has been in electronic form. The rule stipulates the first "set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care" (HIPAA, 65 Fed. Reg. at 82464).
The Privacy standards:
- Give patients new rights to access their medical records, restrict access by others, request changes, and to learn how they have been accessed
- Restrict most disclosures of protected health information to the minimum needed for healthcare treatment and business operations
- Provide that all patients are formally notified of covered entities' privacy practices
- Enable patients to decide if they will authorize disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations
- Establish new criminal and civil sanctions for improper use or disclosure of PHI
- Establish new requirements for access to records by researchers and others
- Establish business associate agreements with business partners that safeguard their use and disclosure of PHI.
- Implement a comprehensive compliance program, including but not limited to:
  - Conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements
  - Reviewing functions and activities of the organization's business partners to determine where Business Associate Agreements are required
  - Developing and implementing enterprise-wide privacy policies and procedures to implement the Rule
  - Assigning a Privacy officer who will administer the organizational privacy program and enforce compliance
  - Training all members of the workforce on HIPAA and organizational privacy policies
  - Updating systems to ensure they provide adequate protection of patient data (HIPAA Primer)
Explain why confidentiality of health information has been a controversial public policy issue:
More and more, breaches keep occurring. In health care in particular, breaches are a huge challenge because there are so many ways patients could be impacted. The biggest risk involves ...
The solution discusses privacy requirements in healthcare administration.