Question

Scenario: You are the Chief Executive Officer [CEO] of a health services organization. This organization has inpatient and outpatient facilities, home healthcare services, and other services that meet your patient population’s needs. It also has a world-renowned AIDS treatment center. The organization has always enjoyed an excellent reputation and its quality of care is known to be excellent. Unfortunately, your organization has recently been featured in every media vehicle known to man. The reason: Someone downloaded the names of 4,000 HIV+ patients seen in your HIV clinic and posted the list on the Internet. The Board of Trustees is furious and wants to fire you. You have been able to convince them that they need to keep you as CEO to fix this major crisis. You hire a computer security consultant who comes into your organization, disguised as a nurse manager. After three days, she comes to you with the following report.

• Nurses log in to the computer system with their passwords and then walk away, leaving the system open and running.

• Dr. Jones leaves his password taped to his PC on a piece of paper.

• Fax machines and printers are in open rooms without locks.

• One password can access the entire database in the hospital including human resources.

• There are no programs reminding staff to change their passwords on a regular basis.

• She pretended to forget her password and other nurses gave her their password.

• She requested sensitive patient files and staff provided her with the files without question.

You must address the following:

• A brief assessment of the problems that your organization faces from a ‘big picture’ health care management point of view. This should be a high-level overview of the category/categories of problems that your organization currently faces. (1-page maximum)

• An overview of key laws, regulations, and guidelines that are relevant to the scenario. Be sure to support your assessment with examples of why you believe each law, regulation, and/or guideline is relevant. (1-page maximum)

• The identification of 2 similar situations that have occurred within the health care industry in recent years. A brief explanation of how the identified organizations handled the crisis and an assessment of whether this approach would work for your organization. (1-page maximum)

• An explanation of how your organization could best handle this crisis. (1-page maximum)

RUBRIC: Sources, Management issues, Legal issues, Two situations, Recommended actions.

Solutions

Expert Solution

Assessment of problems

  • Lack of confidentiality to patients and health care team.

Respecting patients’ confidentiality and privacy is considered a patient right. Confidentiality is the key virtue for trust building in the physician-patient relationship. While the law considers confidentiality absolute except in legal situations, despite efforts to maintain confidentiality, breaching it is sometimes unavoidable but not necessarily unethical. There is no unified Iranian ethical guideline that defines clear approaches to patient confidentiality in the clinical setting.

Confidentiality has a drastic impact on their trust. Patients may conceal some information from the physician and are less likely to refer to the physician for treatment or follow-up, especially those who become familiar with privacy concerns through new technologies including mobile apps and internet sharing. To keep all medical data confidential, it is necessary to identify the scope of the problem.

  • Insufficient law and lack of regulations

Insufficient law and lack of regulations have left ethical challenges of management unsolved. There is not only no regulation but also no clarification of the circumstances in which confidentiality is not absolute.

Some ethicists turn to the patient’s benefit, while others consider the risk imposed on the third party, in their decision-making and in solving the dilemma. [Data sharing for the sake of the patient’s benefit is acceptable; sometimes it is permitted without the patient’s consent.]

  • Do not follow ethics

The other main problem in our health system is the secure processing of electronic health records. While the patient’s information is documented as electronic documents, all health care providers may have access to the records by using their own password; however, if they forget theirs, they can use others’ passwords. There is no policy defining the level of password strength and no tracking system to control who has access to patients’ information.

  • Problems with physician patient relationship

There is no clear boundary and framework for keeping confidentiality, which necessitates its clarification through an appropriate national policy. Because of this necessity, and also because many patients are not aware of their rights, most of the time physicians do not observe the importance of maintaining confidentiality. In addition, many physicians and hospital staff are not aware of their duty to provide confidential services.

  • Lack of health information privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

  • Lack of security in data system

Security helps keep health records safe from unauthorized use. When someone hacks into a computer system, there is a breach of security (and also, potentially, a breach of confidentiality). No security measure, however, can prevent invasion of privacy by those who have authority to access the record (Gostin, 1995).

  • Lack of knowledge in operating health system among health members

Solving problems and making optimal decisions in healthcare is heavily dependent on access to knowledge. ... A well-organized and effective strategy for knowledge management in healthcare can help organizations achieve these goals. In this case, members have no knowledge of operating the health system.

  • Insufficient organisation management team

Teamwork and collaboration are especially essential to care of patients in a decentralized health system with many levels of health workers. ... Teams can also work together to develop health promotion for diverse communities and instill disease prevention behaviors amongst patients.

Key laws, regulations and guidelines to be followed

1. Safeguarding Privacy and Ensuring Quality Care

Health Information Technology for Economic and Clinical Health Act (HITECH) promotes standardized electronic health records (EHR). The act was implemented in 2009 to address the privacy and security concerns of patient data, EHR files and how they’re shared. HITECH strengthens the enforcement of HIPAA’s protected patient information rules, requiring the Department of Health and Human Services Office for Civil Rights to conduct periodic provider audits and stiffening penalties for breaches of information, meaning a provider or facility found noncompliant can face a fine of up to $1.5 million.

2. Fighting Fraud and Abuse

3. Protecting Healthcare Workers and the Public

The Occupational Safety and Health Administration (OSHA), created by the Occupational Safety and Health Act of 1970, within the U.S. Department of Labor sets and enforces workplace safety standards. This includes a multistep compliance process for protecting healthcare workers, covering everything from the handling of x-ray machines to protocols dealing with infectious agents and diseases in accordance with prevention control guidelines set by the Centers for Disease Control and Prevention (CDC).

4. Staying On Top of Regulations

In a fluid regulatory landscape, healthcare compliance will only grow more complex, and the need for qualified professionals to lead organizations through the regulatory minefield will grow more intense. Experience in public policy, law, loss prevention, and strategic management, coupled with an agile workstyle and innovative mindset, are some of the valuable knowledge bases, and skill sets expected in the role. A master’s degree in healthcare management, particularly with a focus on healthcare compliance, can help to provide the needed expertise and credentials for tomorrow’s successful compliance leaders.

Electronic Policy Libraries

Most healthcare organizations have replaced paper policy and procedure manuals with electronic policy libraries available on the organization’s intranet, which greatly enhances access. To optimize the usefulness of electronic libraries:

  • Provide indices by policy name, subject, and sponsoring domain (administration, nursing, pharmacy, etc.)
  • Incorporate “word search” functionality in order to facilitate searches for pertinent policies irrespective of their issuing domains. Without such a search function, staff may have difficulty locating the policy they are seeking.
  • Do not prohibit access to policies of one domain to personnel in other domains. There may be legitimate reasons why persons in other departments may need to refer to those documents.
  • Immediately remove a policy that has been officially retired or replaced from the “active” database and transfer it in the designated archives.
  • Create an electronic archive for storing “retired” or prior versions of policies. This will facilitate access in response to legal discovery requests. Check with your corporate compliance office regarding organizational document retention policies.

Examples of similar situations in recent years

1. AMCA Data Breach: 25 Million Patients, Investigations Ongoing

In early May, an 8-K filing with the Securities and Exchange Commission revealed billing services vendor American Medical Collection Agency was hacked for eight months between August 1, 2018 and March 30, 2019.

Since the breach was revealed, at least six covered entities have come forward to report their patient data was compromised by the hack. However, the majority of the impacted providers are still continuing to investigate the scope of the breach, so the total amount of affected patients will be unclear into the foreseeable future.

So far, up to 12 million patients from Quest Diagnostics were affected. The hacked system included a trove of personal and financial data from the lab testing giant, including Social Security numbers and medical information.

Up to 7.7 million LabCorp patients were also potentially impacted, as well as 422,000 patients of BioReference. Recently, two more covered entities have been added to the tally: Penobscot Community Health Center in Maine with 13,000 affected patients, and Clinical Pathology Laboratories with 2.2 million patients.

And just this week a sixth provider, Austin Pathology Associates, reported at least 46,500 of its patients were impacted by the event. Shortly after, seven more covered entities reported they too were impacted: Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX.

In total, more than 774,640 patients have been added to the breach by these covered entities (Natera did not disclose how many of its patients were impacted), bringing the total number of impacted patients to more than 25 million.

AMCA’s parent company has since filed bankruptcy, while the billing services vendor, Quest and LabCorp are facing numerous investigations and lawsuits.

2. Dominion National: 2.96 Million Patients

Insurer Dominion National reported a nine-year hack on its servers, which potentially breached the data of 2.96 million patients.

An internal alert revealed unauthorized access on its systems, which prompted an investigation. Officials said they found the unauthorized access began as early as August 25, 2010, nearly nine years before the breach was discovered in April 2019.

The servers contained enrollment and demographic information of current and former members of Dominion National’s vision plan, and data of individuals’ dental and vision benefits. Data of plan producers and health providers were also compromised.

How to handle these situations

1. Create thorough policies and confidentiality agreements

Drawing up all encompassing and wide-ranging confidentiality agreements or policies means that everybody on your medical team knows exactly what is expected of them in every eventuality. It must be read from cover to cover by every staff member and signed. It can also be regularly shared with patients to demonstrate that your organisation upholds strict confidentiality procedures.

2. Provide regular training

People adhere best to policies and practices when they fully understand why they are in place. Holding regular training sessions for all your staff members, from administrators to doctors and nurses, helps to reinforce how essential confidentiality requirements are, and provides a refresh of staff duties and expectations.

For best results, make these training times fun and a good opportunity to learn while getting to know colleagues. Taking a creative approach to the topic and introducing games can also help the information be more engaging whilst also being a positive experience for your staff.

3. Make sure all information is stored on secure systems

As the standard of healthcare improves and populations expand, the amount of patient data being stored has increased astronomically. As a result, many practices and clinics may face challenges in correctly storing this information, both in terms of where huge data quantities can be saved and making the information easily accessible. Alongside these systematic difficulties, it is essential that the highest level of security and digital protection is used when storing patient data. Purchasing platforms or using cloud providers that ensure your data is safe is the best way to look after this.

Furthermore, it is important that only strictly necessary personnel have access to this data. Levels of password protection that control access are also worth considering and investing in.

4. No mobile phones

An easy way to eliminate possible threats to patient confidentiality is to strictly limit or remove mobile phones from patient areas. This ensures that no one could either maliciously or accidentally record or photograph private records or information. According to research by Imperial College Healthcare NHS Trust in London, 65% of doctors used SMS to communicate with colleagues about a patient, opening up concerns about privacy.

This can sometimes be a difficult rule to enforce given the proliferation of digital devices. However, regularly reminding staff and patients why it is in their best interests can help to reduce any resistance.

5. Think about printing

Once all your technical solutions and security are in place, it can be tempting to think you have everything sorted. However, printed materials that contain key patient information are often overlooked. Labels, forms and printed notes can easily be misplaced, or even stolen, if they are in a busy area. Having streamlined, easy-to-use and secure printing systems is well worth investing in.

Brother’s print solutions for healthcare provide Cerner certified print solutions. They can link seamlessly with secure cloud storage, PDF and can provide password protected printing.

