Legal, Ethical & Social Issues


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Preface that internal investigation identified employee/ neighbor accessed individual PHI via EMR outside of what is necessary to perform job.
  • Update your dates. This is intended to give you ideas for tool selection.
  • At 2130 Bob Evans Jr arrived in Medical Records department requesting his father’s records for personal transport to his father’s new physician. While the son was away, another staff member asked for a copy of the authorization form to be placed into the record. The error was noted at this point. The son was not happy, but staff explained the procedure to them and assured him that the records would be delivered to the new physician before he was able to complete his journey.
  • As a covered entity we have policies and procedures to address all of these issues. We have reviewed some of the steps that we have already taken in compliance with our process.
  • HIPAA security: review administrative, technical and physical safeguards implemented. Review original risk assessment, analysis and decisions regarding addressable standards to see if we still meet test of reasonable and appropriate measures. Are there things that should change that would help prevent this type of situation in the future? ( HIV test sealed electronically for security)
  • Legal, Ethical & Social Issues

    1. 1. Case Study #2 Presented by: Peter Gilbert , Derrick Hawkins, Cheri Krampert, Natalie Schwartz MD
    2. 2. Summary of Situation <ul><li>Hospital has received complaint about disclosure of PHI from family member </li></ul><ul><li>Immediate Response: </li></ul><ul><ul><li>Engage Chief Privacy/Security Officer, Patient Advocate and Risk Management </li></ul></ul><ul><ul><li>Determine if family member is legally the patient personal representative </li></ul></ul><ul><ul><li>Inform family member that organization has Policies and Procedures regarding use and disclosure of PHI </li></ul></ul><ul><ul><li>Initiate formal complaint process </li></ul></ul><ul><ul><li>Initiate internal investigation </li></ul></ul>
    3. 3. Internal Risk Identification <ul><li>Outside ED physician request for PHI </li></ul><ul><li>Blue Cross/ Blue Shield request for PHI </li></ul><ul><li>Team member access to PHI </li></ul><ul><li>Family member request for medical records </li></ul><ul><li>Family member request for clinical trial data </li></ul>
    4. 4. Outside ED Physician Request <ul><li>ED Physician calls and requests fax of medical information </li></ul><ul><li>Request comes from covered entity for patient treatment </li></ul><ul><li>Procedures followed: </li></ul><ul><ul><li>Requested that release request be faxed from hospital with secure number identified for receipt of record </li></ul></ul><ul><ul><li>Minimal necessary information faxed </li></ul></ul><ul><ul><li>HIPAA compliant exchange of treatment information with covered entity </li></ul></ul>
    5. 5. Blue Cross/Blue Shield request <ul><li>BC/BS requests additional medical information to review denial </li></ul><ul><li>Request comes from covered entity for payment </li></ul><ul><li>Procedures followed: </li></ul><ul><ul><li>Followed established procedure for release of information to BC/BS </li></ul></ul><ul><ul><li>Minimal necessary information faxed to secure fax </li></ul></ul><ul><ul><li>HIPAA compliant exchange of payment information with covered entity </li></ul></ul>
    6. 6. Team Member access to PHI <ul><li>Hospital employee “snoops” into a former employee’s and neighbor’s medical record and shares HIV positive status at a neighborhood block party </li></ul><ul><li>HIPAA violation: </li></ul><ul><ul><li>Deliberate and wrongful disclosure of PHI </li></ul></ul><ul><li>State Legal issue: </li></ul><ul><ul><li>Information disclosed has additional protections under state law </li></ul></ul><ul><li>Business impact </li></ul>
    7. 7. Team Member Access to PHI <ul><li>Follow Security Incident Procedure </li></ul><ul><li>Run Audit trail </li></ul><ul><li>Interviews </li></ul><ul><li>Assess current security safeguards </li></ul><ul><li>1) Administrative </li></ul><ul><li>2) Technical </li></ul><ul><li>3) Physical </li></ul><ul><li>Document all steps used and all findings carefully and accurately and file in HIPAA records, not in patient chart </li></ul><ul><li>Review last HIPAA training dates and staff signatures </li></ul><ul><li>Review dates of last random dept audit trail and findings </li></ul><ul><li>Review employee’s current job responsibilities and access to PHI </li></ul><ul><li>Suspend employee’s PHI access (e.g. password) until completion of investigation </li></ul><ul><li>If employee is found to have violated the Privacy Rule, she will be subject to the most stringent hospital </li></ul><ul><li>disciplinary action, in accordance with its written P&P, up to and including termination </li></ul><ul><li>Due to: </li></ul><ul><li>Severity of organizational exposure ,and </li></ul><ul><li>The involvement of PHI covered under “special protections”. </li></ul><ul><li>The employee will also assume personal liability- both civil and criminal penalties </li></ul><ul><li>Examine hospital’s current compliance policies, corporate compliance training, auditing programs, and ongoing monitoring for changes that need to be made </li></ul><ul><li>Review the process of compliance oversight in hospital departments and need for changes </li></ul><ul><li>Foster an institutional culture promoting legal and ethical behaviors </li></ul><ul><li>Post HIPAA FAQ’s on Intranet/ newsletters </li></ul><ul><li>Monthly department meetings to review P&P’s </li></ul><ul><li>Provide a written response to the patient documenting in detail what the violation was and what information was revealed </li></ul><ul><li>If aggrieved party notifies the Office of Civil Rights, report details of investigation, if requested, by federal, state, and/or local agencies. </li></ul>Chief Privacy Officer IT Department Human Resources Department Director Supervisor Patient Advocate Risk Management Chief Privacy Officer Risk Management Patient Advocate Local Govt. agencies Chief Privacy Officer Risk Management Patient Advocate Department Director Supervisor Human Resources Department Director Supervisor Risk Management Government agencies Chief Privacy Officer Department Director IT Department Risk Management Investigation Incidence Response/ Disclosure Mitigation Corrective Sanctions Corrective Action Plans Processes:
    8. 8. Family member Request for PHI <ul><li>Bob Evans Jr. requesting his father’s records to take to his father’s new doctor </li></ul><ul><ul><li>Records Clerk initially agreed to provide PHI to son </li></ul></ul><ul><ul><li>Another staff member noted that proper legal authorization was not provided by the son </li></ul></ul><ul><ul><li>Staff contacted the new doctor, received a formal request and transferred the minimum data that was required. </li></ul></ul>
    9. 9. Family member Request for PHI <ul><li>Error was noted before PHI was provided to the son </li></ul><ul><li>Multiple checks and verifications prevented an improper disclosure of PHI </li></ul><ul><li>Medical Records Staff Management will address proper procedures with all staff at next staff meeting </li></ul><ul><li>Privacy Officer was notified of near miss </li></ul>
    10. 10. Clinical Trial Request <ul><li>Patients son requested records from clinical trial </li></ul><ul><li>Response: </li></ul><ul><ul><li>Engage Chief Privacy Officer and IRB engaged in immediate investigation to detect and contain the issue </li></ul></ul><ul><li>Investigation yields following information: </li></ul><ul><ul><li>Independent consultant discussed preliminary results of trial </li></ul></ul><ul><ul><li>Violation of the authorized use of information </li></ul></ul><ul><ul><li>BAA with consultant in place </li></ul></ul><ul><ul><li>Other participant identities were not disclosed </li></ul></ul>
    11. 11. Clinical Trial Request <ul><li>Contain: </li></ul><ul><ul><li>Contractor terminated due to BAA violation </li></ul></ul><ul><li>Correct: </li></ul><ul><ul><li>Update HIPAA training to emphasize privacy as it relates to clinical research </li></ul></ul><ul><ul><li>IRB and Chief Privacy Officer to review all current research and clinical trials for compliance to </li></ul></ul><ul><ul><ul><li>Research Use/ Disclosure without Authorization </li></ul></ul></ul><ul><ul><ul><li>Research Use/ Disclosure with Authorization </li></ul></ul></ul>
    12. 12. Event Summary <ul><li>Breach of Patient Privacy </li></ul><ul><ul><li>Inappropriate access of PHI by employee </li></ul></ul><ul><ul><li>Wrongful Disclosure of PHI by employee </li></ul></ul><ul><ul><li>Disclosure of confidential HIV related information </li></ul></ul><ul><ul><li>Breach of Business Associate agreement </li></ul></ul><ul><ul><li>Failure to protect the privacy of subjects and maintain confidentiality of research data </li></ul></ul>
    13. 13. Next Steps <ul><li>Review Security Policies </li></ul><ul><ul><li>Pros: Risk of Fewer Violations </li></ul></ul><ul><ul><li>Cons: Cost to Implement Changes </li></ul></ul><ul><li>HIPAA Refresher Training </li></ul><ul><ul><li>Pros: Raise Awareness </li></ul></ul><ul><ul><li>Cons: Cost </li></ul></ul><ul><li>CEO to Formally Apologize to Victims </li></ul><ul><ul><li>Pros: May diffuse issue </li></ul></ul><ul><ul><li>Cons: Liability </li></ul></ul><ul><li>Engage Public Relations </li></ul><ul><ul><li>Pros: Formulate Public Relations Plan </li></ul></ul><ul><ul><li>Con: Negative Publicity </li></ul></ul>
    14. 14. Questions