Question

Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety

After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s gender, a description of patient’s medical condition, and numerous quotes from the hospital about such unusual sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy Rule’s standard for such actions. The investigation also indicated that the disclosures did not meet the Rule’s de-identification standard and therefore were not permissible without the individual’s authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.

What is the significance of the issue?

In addition to the actions taken in the case study, what else could the entity do to improve its processes so that the situation does not happen again?

Answer 1

The significance of the issue is that the hospital failed to comply with the HIPAA Security and Privacy rules such as breach of confidential information of the patients and non-compliance to the standards. OCR (Office for Civil Rights) is an agency within the U.S Health Department which is responsible to enforce the privacy rules and standards set by HIPAA (Health Insurance Portability and Accountability Act- to protect patient’s data). The best way the OCR needs to do is to investigate the complaints that were filed with them.

In addition, to the actions taken in the case study, the additional steps the entity need to do is to improve its processes so that the situation does not happen again are:

- Effective implementation of change management- It is not sufficient if the entity drafts policies, educates, and trains employees however it is important that they are implemented (put in action) effectively.

- Monitoring and Evaluation- This is the control phase wherein the implemented policies are monitored for further evaluation. If there is still a gap in non-compliance, then the entity needs to redraft the policies for accuracy in compliance.

Thus, it is pertinent to say that policy implementation and monitoring make the entity efficient in compliance with the standards.

Note- If you like the answer, please provide an up-vote as it would be quite encouraging for me. Thank you.