MGH HIPAA violation case
Medical Law and Ethics
In the health care business, there are certain standards and laws that have been put in place to protect our patients and their personal health information. When a health care facility fails to protect their patient’s confidential information, the US Government may get involved and facilities may be forced to pay huge sums of money in fines, and risk damaging their reputation. The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996. This Act was put into place in order to improve the efficiency and effectiveness of the health care system. The HIPAA law includes a Privacy rule and a Security Rule. Hospitals, Doctors, and employees in the medical field are expected to adopt the national standards and aim to keep patient information confidential. When a hospital or medical employee fails to meet the standards set, lawsuits can ensue and they can be fined large sums of money relating to the incident. The Privacy Rule establishes national standards to protect individual’s medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy rule requires appropriate safeguards to protect personal health information. The rule also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records. The Security protects individual’s electronic personal health information that is created, received, used or maintained by a covered entity. The Security rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Office for Civil rights (OCR) is responsible for enforcing the HIPAA standards. When a complaint is filed, it is the job of the OCR to investigate. OCR may also conduct compliance reviews to determine if the health organization is in compliance with the HIPAA laws. When the OCR accepts a complaint from an individual, they will notify the person and the covered entity named in it. Then both parties will submit information about the incident. The OCR will review the information to determine whether or not a violation has occurred. When violations have occurred and have been proven, the US Government will impose a fine that they see appropriate. When Health organizations such a private medical practices, hospitals, and clinics fail to meet the standards described in the HIPAA act, investigations, bad press, and fines are surely to follow. There have been a number of cases in the past few years that have been investigated for HIPAA violations. One of the more recent and highly publicized cases was that of Massachusetts General Hospital (MGH). On March 6, 2009 is was reported that an employee of MGH had removed from the hospitals premises a folder of documents that included the private healthcare information (PHI) of approximately one hundred and ninety two patients. The employee had removed the folder from the hospital’s medical records room, so that she could bring her work home with her in order to complete some paperwork. The information that was included in these files were documents that had billing encounter forms that contained the names of the patients, their date of birth, social security numbers, addresses, phone numbers, medical record number, the patients diagnoses and proposed course of treatment, their provider and the providers address and phone numbers. The folder also contained documents that included the practices daily office schedule for three days and the medical record number for 192 patients. The employee was aware that she was not permitted to remove this confidential information from the hospital premises. In doing...