Confidentiality in Health Care
The Health Information Portability Accountability Act was enacted to prevent patients’ private health information from being disclosed without authorization. The Health Information Portability Accountability Act has different sections which define what covered entities are and explain what minimum necessity is in relation to patients’ private health information. This paper also discusses what the penalties may be for different types of private health information breaches under the Health Information Technology for Economic and Clinical Health Act.
The Health Information Portability Accountability Act (HIPAA) Privacy Rule, which applies to covered entities, defines covered entities as health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with transactions (Miller and Schlatter, 2011). These transactions concern billing and payment for services or insurance coverage. Covered entities can be institutions, organizations, or persons. The Privacy Rule only applies to covered entities, so many organizations that use, collect, access, and disclose identifiable health information will not have to comply with the Privacy Rule if they do not meet the definition of a covered entity. The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is based on current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. This HIPAA provision requires a covered entity to develop and implement policies and procedures that are appropriate for the organization. The covered entity’s policies and procedures must identify the persons or classes of persons within the organization who need access to the information to carry out their job duties, the types of protected health information needed, and the conditions for such access (Miller and Schlatter, 2011). As part of the American Recovery and Reinvestment Act, Congress established the Health Information Technology for Economic and Clinical Health (HITECH) Act to broaden and increase the HIPAA scope of protecting the privacy and security of personal health information. HITECH requires a covered entity and business associate to notify appropriate parties regarding the breach of unsecured private health information.
Anyone who violates these provisions is subject to increased civil and criminal penalties. The Department of Justice is responsible for enforcing criminal penalties, while the Department of Health and Human Services’ Office of Civil Rights is responsible for enforcing civil penalties. HITECH has a three-tier civil monetary penalty structure with fines ranging from $100 to $1,500,000 depending on whether the violation was unknown, whether there was just cause for the violation, or whether the violation was due to willful neglect (Davis, 2009). As for the criminal penalties, a person is guilty if they knowingly and wrongfully disclose private health information; such persons can be fined, imprisoned, or both. A breach of private health information is defined as the acquisition, access, use, or disclosure of unsecured private health information, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual (Davis, 2009). In the article “Nurse Pleads Guilty to HIPAA Violations,” a licensed practical nurse from Arkansas accessed a patient’s private health information and then shared that information with her husband, who called the patient and told the patient he intended to use the information against the patient in a legal proceeding. The nurse was fired from her job and both were indicted on federal...