Question I 1. What do you want to review, and why, to begin your assessment of the organization's compliance with HIPAA regarding the use and disclosure of PHI for research? My initial review would begin with conducting a risk assessment involving these areas: a. Patient HIPAA agreements – I would review the organization's patient HIPAA information release forms to ensure that the forms follow the laws and regulations provided by HHS. Covered entities must comply with the HIPAA rules' requirements protecting the privacy and security of patients' health information and must provide patients with rights regarding access to their healthcare records. b. EHR agreements – A covered entity or business associate must comply with the applicable
Physical safeguards are the implementation of policies and procedures to limit physical access to an entity's electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed; Disposal and Media Re-Use are among the areas that must be addressed. Technical safeguards include the implementation of policies and procedures for electronic information systems that maintain electronic protected health information, to allow access only to those persons or software programs that have been granted access rights. Requirements include unique user identification and emergency access procedures, among other recommended areas for compliance. I would seek out and review these policies to ensure the organization is compliant. Noncompliance in this area could be detrimental both for the organization and for the patients it serves. If PHI is breached at the organization and there is no established procedure that ensures immediate corrective action, HHS could impose hefty fines, patients may have to be notified, and they could file complaints as well. c. Annual Compliance Programs – Annual or more frequent compliance reviews are essential to ensure that employees understand the organization's requirements to stay compliant with the state and federal guidelines governing healthcare operations. Every compliance program should
HIPAA privacy rules are complicated and extensive, and set forth guidelines to be followed by health care providers, by other covered entities such as insurance carriers, and by consumers. HIPAA is very specific in its requirements regarding the release of information, but is not as specific when it comes to the manner in which training and policies are developed and delivered within the health care industry. This paper will discuss how HIPAA affects a patient's access to their medical records, and how and under what circumstances personal health information can be released to other entities for purposes
Health care organizations generally volunteer to seek accreditation from the Joint Commission by allowing expert surveyors to evaluate their facility. The surveyors form a multi-disciplinary team that spends an average of two days inspecting a health care facility. The purpose of the inspection is to evaluate a health care facility's standards, staff, regulations, policies and procedures, quality improvement, and performance measurement. The Joint Commission surveyors generally look to see whether the organization's governing board takes part in ensuring that the facility has a safety and quality assurance program in place.
Under the HIPAA compliance audit program, if a healthcare organization has attested and is later audited and found not to be compliant with HIPAA, the organization could face penalties, including giving back the meaningful use incentive money. Goedert (2013) provided the following ways to ensure compliance: conduct mock audits; make sure all data within the organization is encrypted, computer access is logged, network security gaps have been filled, and policies and regulations have been updated and expanded; and, most importantly, ensure that all staff complete annual HIPAA training courses with emphasis on privacy and security.
All healthcare providers, health organizations, and government health plans that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations of the HIPAA
Developing, implementing, and monitoring Business Associate Agreements to ensure that privacy concerns, responsibilities, and requirements are addressed
What provisions apply? When patients go to the Emergency Room, the patient registration staff always comes in and makes sure all patient demographics are correct, along with the insurance information. After everything is verified, the patient signs a HIPAA privacy authorization form, on which you decide whether you want to disclose your personal records. When I sign, I usually initial 3 parts of the form and sign at the bottom. I think it is great that we sign every time, because it protects you, and nobody wants their medical records disclosed to the general public.
Most offices and outpatient services have a team that the physician is unable to monitor at all times. For example, in a pharmacy setting there are pharmacists, pharmacy technicians, and at times clerks. The majority of the time the clerks have the most patient contact, while the pharmacists are unable to monitor them at all times to make sure protected health information is not spread. In the HIPAA rules, covered entities include health plans, health care clearinghouses, and health care professionals who electronically transmit any health information in connection with transactions for which HHS has adopted standards (Tomes, 2007). In writing, those who are liable for violations are, first, those providers who bill electronically, as they are covered entities. Directors or officers can commit violations by selling individually identifiable health information to a drug company for marketing purposes. They can also be charged if the director or officer aided a covered entity's commission of a HIPAA criminal act, and lastly they can be heavily prosecuted if they commit identity theft utilizing patients' protected health information (Tomes,
The HIPAA Rules require that when a HIPAA covered entity (a provider, a plan, or a clearinghouse) or a business associate of a covered entity uses or discloses PHI, or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." (Duane Morris LLP, 2013) Under the HIPAA Rules, covered entities and business associates are required to identify which workforce members need access to what kind of PHI to carry out their job functions. In addition, under the HIPAA Rules, covered entities and business associates are required to establish protocols that define the minimum necessary amount of PHI for routine uses, disclosures and requests, and how to apply the minimum necessary standard with respect to non-routine uses, disclosures and requests. Minimum necessary violations should be investigated and, if appropriate, reported according to the new breach notification rules. Business associates may be directly liable for minimum necessary standard violations. Covered entities may be liable for their business associates' minimum necessary standard violations.
Personal health information includes a patient's name, address, birthdate and social security number. It also includes a person's health or mental status, whether past, present or future. HIPAA gives people the right to have access to their medical records. It also states that people have the right to either give or deny consent for their information being shared or released. All health care facilities, insurance companies, pharmacies, and vision and dental offices must adhere to the HIPAA guidelines. Though patients have a right to have their information kept confidential, their information may be shared when necessary for treatment, billing, and protecting the public health, and if the law requires disclosure. Penalties are set in place for violations of the HIPAA laws ("HIPAA summary,"
Compliance 360 has identified a number of areas in which it can help healthcare organizations improve the audit process for Joint Commission audits. The program intuitively links contractors to regulations as evidence of compliance and monitors risk trends to
The hospital accounting department will also be off limits except to those personnel who are authorized. Extra vigilance must be placed on all medical record rooms, since the hospital still has paper medical records. All medical staff will receive training so that they understand the importance of HIPAA. This policy will guarantee that we have controls in place with regard to accessing patient information and that staff access is monitored.
On February 20, 2003, the HIPAA Security Rule was published by the Department of Health and Human Services (HHS). Entities with small health plans were given over three years to comply with the Security Rule, while the larger entities had two years from the publication's original date to comply. The HIPAA Security Rule is the same as it has been since its implementation more than 10 years ago. On January 25, 2013, the act was amended by the Omnibus Rule to add the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Security Rule defines all of the administrative, physical, and technical safeguards that must be incorporated into an organization's HIPAA security compliance plan. The HIPAA Security Rule's standards are grouped into five categories: three safeguard categories (administrative, physical, and technical safeguards), along with organizational standards and, finally, policies, procedures, and documentation requirements.
To release or not to release: that is the question in today's healthcare. Being a patient and going to a doctor's appointment has really changed compared with how it was years ago. Most of us as patients know that we have a right to our own health information, but how is this beneficial to us as patients and to healthcare providers? As healthcare becomes increasingly complex, what are the ways to enforce these policies and rules? HIPAA rules and standards will need to be the same in each state so that interoperability is achieved properly, but will we really be able to accomplish this? This paper will discuss these aspects and ways to overcome the obstacles that are occurring.
Monitoring HIPAA compliance by ensuring proper release of information by way of proper forms given to patients and ensuring an understanding of legal rights.
3.) Under HIPAA, covered entities (healthcare providers, health plans and healthcare clearinghouses) must comply with the privacy rules. A covered entity may develop its own privacy rules to accommodate its own needs for protected health information (PHI) management, but it must comply with the HIPAA guidelines. It is the responsibility of the entity to put in place a privacy official to oversee the policies and procedures and to be on hand and available for contact in reference to the privacy rule. A patient should be given a privacy notice at his/her health facility stating how their PHI is being used and with whom it will be shared. The covered entity should include in the notice its duty to assure the patient's privacy, as well as how and whom to contact if there is a complaint or the patient feels that their rights have been violated. As of 2009, the Office of Civil Rights (OCR) handles complaints that are made about the privacy policies, procedures and practices of HIPAA covered entities.