week 3 disc 2


Prior to beginning work on this discussion, review the details on the Health Information Privacy: The HIPAA Privacy Rule webpage. By Day 1 of Week 1, your instructor will divide the class into two groups for this discussion. Group 1 will address Option 1 and respond to those in Group 2; Group 2 will address Option 2 and respond to those in Group 1.

Option 1: Case Study: Electronic Health Records

An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule.

· Research the privacy rule and examine the section of the rule that addresses this violation.

· Imagine that you are an information management coordinator at this facility; analyze the possible actions that you would take to resolve this conflict using the most current version of the law. Remember, you are addressing this from a research perspective.

Things to respond to

Hello Class,

I was given Option 2 for this week's discussion.

The privacy rule shows that, due to sending out protected information, we failed to have proper data safeguards. Having proper safeguards can limit the release of protected health information, and it is necessary to have administrative, technical and physical safeguards. Having safeguards can help keep covered entities in compliance and should be able to catch errors that are both intentional and unintentional. When these safeguards are not in place, a covered entity can be held liable and could face fines and other penalties.

The first action to take as a privacy and security officer would be to notify the participant of the mistake and offer to pay for any social security freeze and credit watch. Most times this can be left to the side until the participant finds out, and the credit could also be hurt, so the sooner the patient is notified the better. Next would be to check the system error and why the error happens, and then fix the error. This may also require looking at the software and, if possible, updating it or possibly getting a new system. And then create a new policy to start checking all letters and mailers as a way to double-check the system. This may have to include hiring new staff to ensure this doesn't happen again, as once is too many times already. The last thing that would need to be added is an audit to make sure compliance is being followed. Overall, this should prevent any future release of patient information, and the audit should catch any more errors to fix.

2. Hello Class,

I was assigned to option 2. Due to a programming error, a social security number has been disclosed to research participants. Although it is an accident and not intentional, it violates HIPAA as there is an exposure of PHI. This privacy rule would fall under the section of data safeguards as it is a technical error. An organization should have a data safeguard to avoid any exposure of PHI. Although the case study does not discuss much about this error, this can fall under the section of mitigation and workforce training and management. I find that a technical error can involve human error, as maybe the social security number was accidentally selected as one of the things to be shared with the research participants.

As a privacy and security officer, I would initially contact the legal and compliance department to notify them of this issue and discuss further matters on what to do next. I would then investigate the incident to see how the PHI was exposed and who was involved. The next step is to notify all the individuals who were affected by this incident. This would need to be handled as a high priority. The individuals that were involved may need to provide proper training again or may need to face the consequences depending on the organization's policies.