Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Legal, Ethical & Social Issues

802 views

Published on

Published in: Technology, Business
  • Be the first to comment

Legal, Ethical & Social Issues

  1. 1. Case Study #2 Presented by: Peter Gilbert , Derrick Hawkins, Cheri Krampert, Natalie Schwartz MD
  2. 2. Summary of Situation <ul><li>Hospital has received complaint about disclosure of PHI from family member </li></ul><ul><li>Immediate Response: </li></ul><ul><ul><li>Engage Chief Privacy/Security Officer, Patient Advocate and Risk Management </li></ul></ul><ul><ul><li>Determine if family member is legally the patient personal representative </li></ul></ul><ul><ul><li>Inform family member that organization has Policies and Procedures regarding use and disclosure of PHI </li></ul></ul><ul><ul><li>Initiate formal complaint process </li></ul></ul><ul><ul><li>Initiate internal investigation </li></ul></ul>
  3. 3. Internal Risk Identification <ul><li>Outside ED physician request for PHI </li></ul><ul><li>Blue Cross/ Blue Shield request for PHI </li></ul><ul><li>Team member access to PHI </li></ul><ul><li>Family member request for medical records </li></ul><ul><li>Family member request for clinical trial data </li></ul>
  4. 4. Outside ED Physician Request <ul><li>ED Physician calls and requests fax of medical information </li></ul><ul><li>Request comes from covered entity for patient treatment </li></ul><ul><li>Procedures followed: </li></ul><ul><ul><li>Requested that release request be faxed from hospital with secure number identified for receipt of record </li></ul></ul><ul><ul><li>Minimal necessary information faxed </li></ul></ul><ul><ul><li>HIPAA compliant exchange of treatment information with covered entity </li></ul></ul>
  5. 5. Blue Cross/Blue Shield request <ul><li>BC/BS requests additional medical information to review denial </li></ul><ul><li>Request comes from covered entity for payment </li></ul><ul><li>Procedures followed: </li></ul><ul><ul><li>Followed established procedure for release of information to BC/BS </li></ul></ul><ul><ul><li>Minimal necessary information faxed to secure fax </li></ul></ul><ul><ul><li>HIPAA compliant exchange of payment information with covered entity </li></ul></ul>
  6. 6. Team Member access to PHI <ul><li>Hospital employee “snoops” into a former employee’s and neighbor’s medical record and shares HIV positive status at a neighborhood block party </li></ul><ul><li>HIPAA violation: </li></ul><ul><ul><li>Deliberate and wrongful disclosure of PHI </li></ul></ul><ul><li>State Legal issue: </li></ul><ul><ul><li>Information disclosed has additional protections under state law </li></ul></ul><ul><li>Business impact </li></ul>
  7. 7. Team Member Access to PHI <ul><li>Follow Security Incident Procedure </li></ul><ul><li>Run Audit trail </li></ul><ul><li>Interviews </li></ul><ul><li>Assess current security safeguards </li></ul><ul><li>1) Administrative </li></ul><ul><li>2) Technical </li></ul><ul><li>3) Physical </li></ul><ul><li>Document all steps used and all findings carefully and accurately and file in HIPAA records, not in patient chart </li></ul><ul><li>Review last HIPAA training dates and staff signatures </li></ul><ul><li>Review dates of last random dept audit trail and findings </li></ul><ul><li>Review employee’s current job responsibilities and access to PHI </li></ul><ul><li>Suspend employee’s PHI access (e.g. password) until completion of investigation </li></ul><ul><li>If employee is found to have violated the Privacy Rule, she will be subject to the most stringent hospital </li></ul><ul><li>disciplinary action, in accordance with its written P&P, up to and including termination </li></ul><ul><li>Due to: </li></ul><ul><li>Severity of organizational exposure ,and </li></ul><ul><li>The involvement of PHI covered under “special protections”. </li></ul><ul><li>The employee will also assume personal liability- both civil and criminal penalties </li></ul><ul><li>Examine hospital’s current compliance policies, corporate compliance training, auditing programs, and ongoing monitoring for changes that need to be made </li></ul><ul><li>Review the process of compliance oversight in hospital departments and need for changes </li></ul><ul><li>Foster an institutional culture promoting legal and ethical behaviors </li></ul><ul><li>Post HIPAA FAQ’s on Intranet/ newsletters </li></ul><ul><li>Monthly department meetings to review P&P’s </li></ul><ul><li>Provide a written response to the patient documenting in detail what the violation was and what information was revealed </li></ul><ul><li>If aggrieved party notifies the Office of Civil Rights, report details of investigation, if requested, by federal, state, and/or local agencies. </li></ul>Chief Privacy Officer IT Department Human Resources Department Director Supervisor Patient Advocate Risk Management Chief Privacy Officer Risk Management Patient Advocate Local Govt. agencies Chief Privacy Officer Risk Management Patient Advocate Department Director Supervisor Human Resources Department Director Supervisor Risk Management Government agencies Chief Privacy Officer Department Director IT Department Risk Management Investigation Incidence Response/ Disclosure Mitigation Corrective Sanctions Corrective Action Plans Processes:
  8. 8. Family member Request for PHI <ul><li>Bob Evans Jr. requesting his father’s records to take to his father’s new doctor </li></ul><ul><ul><li>Records Clerk initially agreed to provide PHI to son </li></ul></ul><ul><ul><li>Another staff member noted that proper legal authorization was not provided by the son </li></ul></ul><ul><ul><li>Staff contacted the new doctor, received a formal request and transferred the minimum data that was required. </li></ul></ul>
  9. 9. Family member Request for PHI <ul><li>Error was noted before PHI was provided to the son </li></ul><ul><li>Multiple checks and verifications prevented an improper disclosure of PHI </li></ul><ul><li>Medical Records Staff Management will address proper procedures with all staff at next staff meeting </li></ul><ul><li>Privacy Officer was notified of near miss </li></ul>
  10. 10. Clinical Trial Request <ul><li>Patients son requested records from clinical trial </li></ul><ul><li>Response: </li></ul><ul><ul><li>Engage Chief Privacy Officer and IRB engaged in immediate investigation to detect and contain the issue </li></ul></ul><ul><li>Investigation yields following information: </li></ul><ul><ul><li>Independent consultant discussed preliminary results of trial </li></ul></ul><ul><ul><li>Violation of the authorized use of information </li></ul></ul><ul><ul><li>BAA with consultant in place </li></ul></ul><ul><ul><li>Other participant identities were not disclosed </li></ul></ul>
  11. 11. Clinical Trial Request <ul><li>Contain: </li></ul><ul><ul><li>Contractor terminated due to BAA violation </li></ul></ul><ul><li>Correct: </li></ul><ul><ul><li>Update HIPAA training to emphasize privacy as it relates to clinical research </li></ul></ul><ul><ul><li>IRB and Chief Privacy Officer to review all current research and clinical trials for compliance to </li></ul></ul><ul><ul><ul><li>Research Use/ Disclosure without Authorization </li></ul></ul></ul><ul><ul><ul><li>Research Use/ Disclosure with Authorization </li></ul></ul></ul>
  12. 12. Event Summary <ul><li>Breach of Patient Privacy </li></ul><ul><ul><li>Inappropriate access of PHI by employee </li></ul></ul><ul><ul><li>Wrongful Disclosure of PHI by employee </li></ul></ul><ul><ul><li>Disclosure of confidential HIV related information </li></ul></ul><ul><ul><li>Breach of Business Associate agreement </li></ul></ul><ul><ul><li>Failure to protect the privacy of subjects and maintain confidentiality of research data </li></ul></ul>
  13. 13. Next Steps <ul><li>Review Security Policies </li></ul><ul><ul><li>Pros: Risk of Fewer Violations </li></ul></ul><ul><ul><li>Cons: Cost to Implement Changes </li></ul></ul><ul><li>HIPAA Refresher Training </li></ul><ul><ul><li>Pros: Raise Awareness </li></ul></ul><ul><ul><li>Cons: Cost </li></ul></ul><ul><li>CEO to Formally Apologize to Victims </li></ul><ul><ul><li>Pros: May diffuse issue </li></ul></ul><ul><ul><li>Cons: Liability </li></ul></ul><ul><li>Engage Public Relations </li></ul><ul><ul><li>Pros: Formulate Public Relations Plan </li></ul></ul><ul><ul><li>Con: Negative Publicity </li></ul></ul>
  14. 14. Questions

×