Question

HMO Revises Process to Obtain Valid Authorizations Covered Entity: Health Plans / HMOs Issue: Impermissible Uses and Disclosures; Authorizations A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the disclosed information. The group shall examine the case and write a case study analysis addressing the following:

Recommendations (10 points) Determine and discuss specific strategies for preventing such HIPAA violations in the future. What should be done and who should do it to make sure that such violations do not recur?

Answer 1

Privacy breaches in health care occur due to carelessness or employees not understanding the HIPAA rules. The main strategy is to train the employees about HIPAA and have regular refresher session to ensure that the rules are followed. The following are the strategies followed to prevent HIPAA violations.
• Never disclose passwords: Every employee is given an unique password to login and assess sensitive information. This should not be shared or written down anywhere and kept privately. The employer should keep a check that these passwords are not shared with other employees.
• Never leave documents unattended: The portable devices and documents should not be left unattended. If found so financial penalties should be issued. Even if the health care employees are busy they should not leave paper documents in areas where it can be viewed by unauthorised individuals, patients or by other health care workers. This can be prevented by warning the employees who are not taking sufficient care with the patient files.
• Do not share patient information by texting: Text messages are easy way and quick access to communicate. Only through approved such as a secure health care text messaging platform the employees can communicate about the health information.
• Don’t throw patient documents in trash: The documents of the patients should be kept secured and disposed off securely when no longer needed. The documents should not be thrown off in regular trash cans. It should be discarded securely.
• Don’t access patient records unwantedly: The records of the patients should not be viewed by the healthcare providers without any reasons. It should be accessed it if the patient needs treatment, payment and follow up care. If the medical records are accessed without authorisation the result will be termination or criminal penalties.
• Report HIPAA violations: If you see an employee violating the HIPAA rules it is very important to report and take action so that it can prevent similar incidents from occurring in the future. First report it to the organization if no action is taken then report it to the compliance officer.