HMO Revises Process to Obtain Valid Authorizations
Covered Entity: Health Plans / HMOs
Issue: Impermissible Uses and Disclosures; Authorizations

A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the disclosed information.

The group shall examine the case and write a case study analysis addressing the following:
Recommendations (10 points) Determine and discuss specific strategies for preventing such HIPAA violations in the future. What should be done and who should do it to make sure that such violations do not recur?
Privacy breaches in health care occur due to carelessness or
employees not understanding the HIPAA rules. The main strategy is
to train the employees about HIPAA and have regular refresher
sessions to ensure that the rules are followed. The following are
the strategies followed to prevent HIPAA violations.
• Never disclose passwords: Every employee is given a unique
password to log in and access sensitive information. This should not
be shared or written down anywhere and should be kept private. The employer
should keep a check that these passwords are not shared with other
employees.
• Never leave documents unattended: Portable devices and
documents should not be left unattended. If they are found so, financial
penalties should be issued. Even if the health care employees are
busy, they should not leave paper documents in areas where they can be
viewed by unauthorised individuals, patients or other health
care workers. This can be prevented by warning the employees who
are not taking sufficient care with the patient files.
• Do not share patient information by texting: Text messages are
an easy and quick way to communicate. Only through an approved
channel, such as a secure health care text messaging platform, can the
employees communicate about the health information.
• Don’t throw patient documents in the trash: The documents of the
patients should be kept secure and disposed of securely when no
longer needed. The documents should not be thrown in regular
trash cans. They should be discarded securely.
• Don’t access patient records unwantedly: The records of the
patients should not be viewed by the healthcare providers without
any reason. They should be accessed if the patient needs
treatment, payment and follow-up care. If the medical records are
accessed without authorisation, the result will be termination or
criminal penalties.
• Report HIPAA violations: If you see an employee violating the
HIPAA rules, it is very important to report it and take action so that
similar incidents can be prevented from occurring in the future.
First report it to the organization; if no action is taken, then
report it to the compliance officer.