With the advent of technology in health care systems, it is now more crucial than ever to pay attention to how patients' protected health information (PHI) is handled. Even though many processes have been automated, it is equally essential to ensure the safety of PHI when paperwork is used in any operation. Health care systems are now a target for attackers; hence, stakeholders need to look into the existing loopholes that could lead to the exposure of patients' protected health information. This starts with how triage is handled and extends to the way documents are disposed of, discussions of PHI in public, the protection of machines in clinics, and many other practices. Consequently, there should be set policies to help guide the privacy of PHI.
The Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA legislation, established in 1966, sets standards for protecting sensitive patient health information as it flows from one practitioner to another and addresses the limitations of health insurance coverage. The HIPAA Privacy Rule specifies what data are protected, who is covered, and how health information may be used. The HIPAA Security Rule, on the other hand, provides a standard for the protection of health information transferred electronically.
The impact HIPAA has had over the years can be said to be both positive and negative. Prior to the establishment of HIPAA, there was no national legislation that dealt with the protection of patient data. It brought about the need for clear legislation on the security of patient health information. Although it was implemented long after its establishment, it set a precedent for other laws that were to be enacted much later. HIPAA also gave patients more rights in accessing their health records. This access allows for transparency and helps patients choose to be more involved in their care. Patients also felt the impact HIPAA had on insurance. It set the pace for limiting the effect of pre-existing conditions on people seeking health insurance: an insurance company could not take pre-existing conditions into consideration when offering insurance for about six months. There was a significant increase in patients' knowledge of their rights, which led to more clinics having to protect patient information or risk being sued.
With HIPAA came an overabundance of caution (Raths, 2017), as many misinterpretations revealed misunderstandings of the protection HIPAA provides. In the beginning, it was seen as a set of guidelines with a complex framework governing the disclosure of protected health information (Cohen & Mello, 2018). The way HIPAA is structured, there seems to be an assumption about where health information comes from. Sources such as e-commerce sites, insurance companies, and gyms do not appear to fall under the legislation, making it seem as if the law is meant to restrain medical practitioners. The legislation has also led to medical practitioners being too cautious about sharing patient information; hence patients find that their next doctor does not have enough information on their health history.
The Title II Administrative Simplification Act
The Title II Administrative Simplification Act is a part of the general HIPAA legislation that aims to reduce fraud by developing national standards for electronic healthcare transactions. The Act also provides for national identifiers for employers, providers, and health insurers (Edemekong et al., 2021). The Title II Act outlines what it considers to be offenses and the penalties set for those offenses. It is an important Act because it provides an outline for ensuring that fraud does not take place in healthcare transactions.
This Act set a standard that protected medical practitioners from giving away patient health information to the wrong entities. The police or any other person with power could not misuse their authority to access PHI, as they had to have a court order, a warrant, or a subpoena. It also states that whoever hands over the information must try to disclose as little information as possible. It also helped govern how biometrics are used and how biometric information is secured (Jayanthilladevi, Sangeetha & Balamurugan, 2020). The Act provided a right for individuals to access their PHI and even to correct the information.
Data Breach Case
Montefiore Medical Center in New York is an academic medical center that also acts as a teaching hospital. It announced that it had discovered that two of its staff had accessed medical records without authorization. One of them had done this for five months in 2020, while the other, between January 2018 and July 2020, managed to obtain the medical records of approximately 4,000 patients. The type of information accessed was quite sensitive, as it included the last three digits of social security numbers, first names, last names, emails, and dates of birth. The employees were identified because logs from Montefiore's FairWarning software showed that there had been unauthorized access.
The sections of HIPAA compliance that dictate the security rules were violated. They require staff to have set roles in the system that limit who accesses what. There should be more sensitization of the rest of the staff about the repercussions of this breach, plus a $100,000 fine, even though there was no stated evidence that the data were used for financial fraud. The structure in place at Montefiore Medical Center that determines user roles in the system should also be updated so that only specific people can view certain sensitive information. The system administrator should also check Montefiore's FairWarning software more often so that a breach can be detected early.
As we have seen, the general HIPAA legislation and the Title II Administrative Simplification Act have had a positive impact on the health care system and have changed the public's perspective on how the privacy of patient information is treated. Although the legislation did not envision some of the adverse effects it has had, this only shows that there are gaps to be filled in the policies set to protect PHI. A better job should be done of educating the public about compliance with the legislation and letting them contribute to making it better.
As an example, the University of Florida Student Health Care Center would be at risk of facing the same breach that Montefiore Medical Center faced. To avoid such a breach, the physical security of hard-copy medical records and files should be taken seriously. They should be kept under lock and key, and only authorized personnel should be able to unlock the store, using biometrics. Different access rights should also be set up for different profiles on the system. Intrusion prevention and detection systems should be configured to log each user's activity on the systems, even something as basic as printing. Case studies should be used to educate staff about the importance of HIPAA compliance. The education should not be presented in a way that instills fear, as that causes misinterpretation; it should instead focus on knowledge acquisition and comprehension.
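The Montefiore case above was caught only because access logs were reviewed; the recommendation to log every user's activity and restrict rights by profile is of little use unless someone (or something) actually looks for chart access that has no care relationship behind it. The following is an added illustration, not code from the essay or from FairWarning, of that review step: it runs over a constructed audit log, where user names, roles, patient ids and the assignment table are all assumed, and flags both individual accesses outside a user's assignments and users who open many unassigned charts in a single day.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, modelled on the kind of record an EHR access
# monitor keeps: who opened which patient chart, and when. All values are made up.
AUDIT_LOG = [
    # (user, role, patient_id, ISO timestamp)
    ("nurse01", "nurse", "P1001", "2020-03-02T09:10:00"),
    ("nurse01", "nurse", "P1002", "2020-03-02T09:40:00"),
    ("clerk07", "billing", "P1001", "2020-03-02T10:05:00"),
    ("clerk07", "billing", "P2201", "2020-03-02T10:06:00"),
    ("clerk07", "billing", "P2202", "2020-03-02T10:06:30"),
    ("clerk07", "billing", "P2203", "2020-03-02T10:07:00"),
    ("clerk07", "billing", "P2204", "2020-03-03T11:00:00"),
    ("dr_lee", "physician", "P1001", "2020-03-03T12:00:00"),
]

# Hypothetical treatment relationships: which charts each user is assigned to.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P1001"},
    "dr_lee": {"P1001", "P1003"},
}

# Roles allowed to open a chart without an explicit assignment (e.g. on-call).
ROLES_WITH_BROAD_ACCESS = {"physician"}

def find_suspicious_access(log, assignments, max_unassigned_per_day=2):
    """Return (unassigned, snooping): every access outside the user's
    assignments, and (user, day, count) tuples where the number of distinct
    unassigned charts opened in one day exceeds the threshold."""
    unassigned = []
    per_user_day = defaultdict(set)  # (user, date) -> unassigned patient ids
    for user, role, patient, ts in log:
        if role in ROLES_WITH_BROAD_ACCESS:
            continue
        if patient not in assignments.get(user, set()):
            day = datetime.fromisoformat(ts).date()
            unassigned.append((user, patient, ts))
            per_user_day[(user, day)].add(patient)
    snooping = sorted(
        (user, str(day), len(patients))
        for (user, day), patients in per_user_day.items()
        if len(patients) > max_unassigned_per_day
    )
    return unassigned, snooping

if __name__ == "__main__":
    for finding in find_suspicious_access(AUDIT_LOG, ASSIGNMENTS):
        print(finding)
```

In the constructed data, clerk07 opens three charts outside its billing assignments on one day and is reported, while the physician's unassigned access is tolerated by role; a real deployment would tune the threshold and the broad-access roles to the clinic's workflows.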
Cohen, I., & Mello, M. (2018). HIPAA and Protecting Health Information in the 21st Century. JAMA, 320(3), 231.
Edemekong, P., Annamaraju, P., & Haydel, M. (2021). Health Insurance Portability and Accountability Act. StatPearls.
Jayanthilladevi, A., Sangeetha, K., & Balamurugan, E. (2020). Healthcare Biometrics Security and Regulations: Biometrics Data Security and Regulations Governing PHI and HIPAA Act for Patient Privacy. 2020 International Conference On Emerging Smart Computing And Informatics (ESCI).
Raths, D. (2017). Comply with patient medical record requests: providers must confer with federal HIPAA guidance as well as state laws. Behavioral Healthcare Executive, 37(1), 48-51.