This is an essay Julie LeQuire (co-founder of LEVELEARNING) wrote not too long ago for a course:
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect the privacy of protected health information and to ensure standards for its secure transmission. While the necessity exists to protect and secure a patient’s protected health information, the legal reality is that liability claims are expensive, can harm the reputation of a provider, and can negatively influence the provider’s eligibility for government programs such as Medicare. The Patient Protection and Affordable Care Act of 2010 has introduced significant change to the regulatory environment for healthcare providers. One notable change brought about by the acts is that Medicare and Medicaid now require providers to establish and implement a compliance program as a condition of their enrollment in the program. The baby boomer population is now a large part of the Medicare program, which makes Medicare a large consideration for providers who will be depending on Medicare programs and Medicare eligibility for payment of services.
LEVELEARNING is committed to offering educational materials that assist in learning the vital points of compliance in the healthcare setting. A well-informed employee is an asset in understanding the legislation and rules that pertain to the privacy and security of protected health information. Liability and costly mistakes can be avoided with compliant procedures and current knowledge of the laws.
Among the considerations that deal with fraud and adequate documentation of services, the privacy and security of protected health information is paramount in a required compliance program. It is clear that healthcare providers have the obligation to implement a compliance program and to train employees on a continual basis so that they stay aware of the ongoing changes in compliance regulations for Medicare and all third-party payers.
The U.S. Department of Health and Human Services revealed on February 22, 2011, that it had imposed a civil money penalty of $3 million on Cignet Health in Maryland due to violations of the HIPAA Privacy Rule. The charge stemmed from the refusal of the insurance company to honor forty-one patients’ requests to access their medical records. The HIPAA Privacy Rule states that a covered entity must provide a patient with a copy of their medical record, if requested, within 60 days of the request. This example serves as a warning that adherence to compliance requirements can help avoid expensive liability claims.
Another example of misuse of protected health information occurred at the UCLA Health System in Los Angeles in July of 2011. The Department of Health and Human Services Office for Civil Rights revealed that violations occurred when two celebrity patients were admitted for care. The charges arose because employees accessed the protected health information of the celebrity patients through their electronic health records without permission or a reason to access the private information. Georgina Verdugo, the Director of the Office for Civil Rights, was quoted as stating, “Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider. Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.” The monetary fine amounted to $865,000 for the UCLA Health System, and a strict corrective compliance plan was mandated.
Innocent mistakes can also lead to disastrous consequences if the healthcare employee is not aware of, or properly trained in, privacy rules and regulations. A data breach at the Stanford Hospital and Clinics that affected 20,000 patients resulted in a $20 million lawsuit. The breach occurred when a billing company that was contracted as a business associate posted a spreadsheet of emergency room patients to a student website that offered homework assistance. The spreadsheet was intended to explain how to convert data into a bar graph. Regrettably, the spreadsheet contained patient names, account numbers, diagnosis codes, and admission and discharge dates. The spreadsheet remained on the site for eleven months until a patient discovered the disclosure of private information. To remain compliant, it is vital that not only internal employees but also the contracted companies that handle protected health information be apprised of compliance regulations.
Compliance is a reality that demands continuing education and awareness. An educated and compliant employee is a very valuable asset in the healthcare arena.