Health Data Management and Violating HIPAA in a Hospital Setting

Statement of Facts

In the field of health, the Health Insurance Portability and Accountability Act (HIPAA) is the legislation that governs patients’ health data management. HIPAA has two broad purposes: to facilitate the transferability of employee health insurance benefits between public and private sector jobs and to safeguard the sanctity and privacy of individual protected health information. Because Congress procrastinated and did not enact enabling privacy legislation by August 1999, the Department of Health and Human Services went on to create and implement privacy regulations pursuant to HIPAA. After the required comment period, these regulations became law on April 14, 2001, with an effective date of April 23, 2003.

The Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information, which refers to any information related to the condition of the patient, treatment, or billing that reasonably identifies the patient. Information is individually identifiable if it explicitly identifies the patient by name, identifier, address, social security number, phone number, or similar information, or if the content provides some information that permits reasonable deduction of the patient’s identity (U.S. Department of Health & Human Services, 2007). Health information legislation and regulations such as HIPAA typically protect information that connects patient identification with other health information. Healthcare organizations must therefore protect the privacy and security of individually identifiable health information to comply with the law.

Patient privacy is a seminal issue in clinical health care delivery. Similarly, no issue in health care clinical management carries with it such profound legal and ethical issues as patient health care information management and the safeguarding of private patient information. The potential adverse consequences of an impermissible breach of patient privacy for the patient, the patient’s family and significant others, providers, and the health care clinic and organization make its safeguarding a critically important management issue. The federal HIPAA Privacy and Security Rules, applicable to a broad range of health care providers and organizations, make patient information privacy management more manageable, although also administratively burdensome (McWay & Rhia, 2010).

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and mandated administrative simplification regulations that govern privacy, security, and electronic transactions standards for healthcare information. HIPAA also protects health insurance coverage for workers and their families when they change or lose their jobs. HIPAA regulations require that all areas in which patient information is handled be analyzed to determine the potential for breaches of patient privacy and information security. According to McWay & Rhia (2010), providers and entities covered by HIPAA must exercise reasonable caution under all circumstances to disclose only the minimum necessary amount of PHI so as to comply with their legal duties owed to patients and others. HIPAA addresses confidentiality by requiring covered entities by law to maintain the privacy of individuals’ information. Authorizations for disclosure of patient information are required by law under HIPAA. Effective April 14, 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gave an individual the right to “have a covered entity that is a healthcare provider amend (or correct) protected health information (PHI) with reference to him or her in designated record sets…for as long as the covered entity maintains the information.” The covered entity can deny the request for amendment or correction if the entry did not originate from the covered entity, is not part of the designated record set, or is accurate and complete.

The Privacy Rules do several important things for patients. They afford them greater autonomy over private health data. They also set strict limits on how individual health information is gathered, stored, and released by health care providers and organizations, holding covered providers and health care organizations legally accountable for impermissible breaches of patient privacy. Informed consent, albeit not necessarily in writing, is a prerequisite for the use or dissemination of PHI for purposes of Treatment, Payment, or Operations (TPO). Health care systems, plans, providers, and clearinghouses that conduct financial transactions electronically must be committed to compliance with the letter and spirit of HIPAA in receiving, processing, storing, transmitting, and otherwise handling PHI.

HIPAA’s privacy standards represent the first comprehensive federal guidelines for protection of PHI. Supplemental guidance and protections are found in state and local case law, statutes, and administrative rules and regulations. Protection extends to any individually identifiable health information, maintained or transmitted in any medium, held by any covered entity or business associate of a covered entity. Covered entities must also obtain adequate contractual assurances from business associates that the latter will appropriately safeguard patient PHI that comes to them. Examples of activities that may be conducted by business associates include benefit management, billing, claims processing, data analysis, quality improvement management, practice management, and utilization review. If a business associate is found to have violated HIPAA, the covered entity must first attempt to “cure” (correct) the breach (violation) of contract and, if unsuccessful, terminate the contract with the noncompliant business associate and report the matter to the Secretary of the Department of Health and Human Services for possible administrative action.

Each employee, contractor, and consultant is a fiduciary, owing a personal duty to patients to take all reasonable steps pursuant to HIPAA to safeguard their PHI. All employees and other providers must receive HIPAA training during initial orientation and periodically thereafter to update their knowledge of HIPAA. Providers and entities covered by HIPAA must exercise reasonable caution under all circumstances to disclose only the minimum necessary amount of PHI so as to comply with their legal duties owed to patients and others.

On the first visit to any covered provider, all patients must be made aware of the facility’s HIPAA privacy policy. Direct care providers must issue a Patient Notice of Privacy Practices to all patients at first contact and make a good-faith attempt to obtain their written acknowledgment of receipt of the document. In addition, providers must post their entire patient notice of privacy practices in their facility in a prominent location for patients to see.

Normally, a covered entity may use and disclose a patient’s PHI for purposes of treatment, payment for services, and internal health care operations of the business without the patient’s authorization or consent. These disclosures are referred to as routine uses.

Regarding patient informed consent for routine uses of PHI, providers are required only to make a good-faith effort to obtain informed consent for treatment, payment, and health care operations. Patients have the right to request restrictions on the use or disclosure of their PHI. However, covered entities are not required to agree to such restrictions. There are three general classifications of PHI disclosures under HIPAA: permissive and mandatory (both without patient authorization or consent), and authorized. Permissive disclosures include those necessary for TPO. This includes, among other possibilities, communication between and among treatment team members, determination of coverage of health services, and peer/utilization review activities (Scott & Petrosino, 2008). Required disclosures are those made pursuant to legal mandates, such as a court order or state reporting statutes for suspected abuse; communicable diseases, including sexually transmitted diseases; and gunshot wounds. Authorized disclosures encompass broad disclosure authority pursuant to valid written and signed patient authorization.

Regarding minors’ PHI, the Privacy Rule generally allows a parent to have access to the medical records about his or her child as the minor’s personal representative, when such access is not inconsistent with state or other laws. According to the Privacy Rule, there are three situations in which the parent would not be the personal representative of a minor. These exclusions are: (1) situations where the minor is the individual who consents to care and the consent of a parent is not required under state law or any other applicable law, for example when the minor is emancipated; (2) situations where the minor obtains health care at the direction of a court or of a person appointed by a court; and (3) circumstances where, and to the extent that, the minor’s parent agrees that the minor and the health care provider may have a confidential relationship. Nonetheless, even in such exceptional situations, the parent may have access to the minor’s health records related to that health care where state or any other applicable law requires or permits such parental access.

Standard operating procedures pursuant to HIPAA’s Privacy Rules

  1. Staff will not allow patient records to be placed or to remain in open (public) view.
  2. Staff will not discuss patient protected health information (PHI) within hearing range of third parties not involved in the patient’s care.
  3. Patients and other non-employees/contractors/ consultants are not permitted access to the patient’s records room.
  4. Except where authorized, permitted, or required by law, PHI disclosures require HIPAA-compliant written patient/client authorizations and written requests by requestors for information.
  5. Patient records may not be removed from the health facility, except for transit to and from secure storage, or otherwise as authorized, permitted, or required by law.
  6. Written requests by patients for their health records will be expeditiously honored.
  7. Patient records may be placed in chart holders for clinic providers, provided that appropriate and reasonable actions are taken to protect the patient’s privacy. These may include limiting access to patient care areas and escorting non-employees in the area, ensuring that the areas are supervised, and placing patient/client charts in chart holders with the front cover facing the wall rather than leaving a patient’s PHI visible to anyone.
  8. Providers may leave phone messages for patients on their answering machines. The information divulged on the answering machine must be kept to the basic minimum, such as the clinic name and number and any other information necessary to confirm an appointment, asking the individual to call back.
  9. The clinic is required to give notice of its privacy policy to every individual receiving treatment on the date of first service delivery and to obtain the patient’s written acknowledgment of receipt.
  10. The clinic also must post its entire policy in the facility in a clear and prominent location where individuals are likely to see it.

Being seen in a waiting room and hearing one’s name called constitute incidental disclosures that do not violate HIPAA. According to the Department of Health and Human Services, a sign-in sheet may not, however, list diagnoses. Providers may also transmit patient health records to other providers without patient authorization or consent if the new providers are treating the patients for the same conditions as the sending providers. This includes transfer of an entire patient health record (including documentation created by other providers) if reasonably necessary for treatment.

Providers are not normally required to document a disclosure history unless patient authorization is required for disclosure; however, it would be prudent risk management to create and maintain such a history. What is required is that covered providers and entities exercise reasonable caution under all circumstances to disclose only the minimal necessary amount of PHI to comply with their legal duties owed to patients and others.

However, the HIPAA Privacy Rule does not cover entities that are workers’ compensation insurers, employers, or administrative agencies, except to the extent that they might otherwise be covered entities (U.S. Department of Health & Human Services, 2007). Such entities require access to the health data of persons who have been injured during working hours or employees who suffer from an illness that is presumed to be work-related, so as to process and settle claims as well as to coordinate care under workers’ compensation systems. As a rule, such health-related data is obtained from healthcare institutions which are under the Privacy Rule. The Privacy Rule acknowledges the legitimate need of insurers and other bodies involved in workers’ compensation systems to have access to individuals’ health data as authorized by state or other law. As a result of the considerable flexibility of HIPAA, the Privacy Rule allows for disclosures of health information for workers’ compensation purposes in several ways.

  1. Disclosures without individual authorization. The Privacy Rule allows covered entities to disclose PHI to insurers, employers, state administrators, and any other individuals or entities involved in workers’ compensation schemes without prior authorization by the individual. This encompasses programs instituted by other legislation such as the Black Lung Benefits Act, the Energy Employees’ Occupational Illness Compensation Program Act, the Longshore and Harbor Workers’ Compensation Act, and the Federal Employees’ Compensation Act.
  2. Disclosures with individual authorization. In addition, covered entities may disclose PHI to workers’ compensation insurers and others involved in workers’ compensation systems where the individual has given authorization for the release of his or her health information to the entity. The individual’s authorization must specify the elements and meet the requirements stipulated at 45 CFR 164.508.
  3. Minimum Necessary. Consistent with the main theme of HIPAA’s Privacy Rule, covered entities are required to reasonably limit the amount of PHI disclosed under 45 CFR 164.512(l) to the minimum necessary to accomplish the workers’ compensation purpose. Under this requirement, PHI may be disclosed for such purposes to the full extent authorized by state or any other law. Additionally, covered entities are required to reasonably limit the amount of PHI disclosed for compensation purposes to the minimum necessary. Entities are permitted to disclose the amount and types of protected health information that are needed to obtain payment for health care provided to an ill or injured employee.

HIPAA-related patient complaints should first be directed to an organization’s HIPAA privacy officer. A grievance can also be filed with the Office of Civil Rights, U.S. Department of Health and Human Services. An alleged PHI violator is prohibited from taking retaliatory action against a complainant. Potential sanctions for HIPAA Privacy Rule violations include civil and criminal penalties. Civil penalties of between $100 and $25,000 per violation are enforced by the Office of Civil Rights, Department of Health and Human Services. Criminal sanctions of 1 to 10 years’ imprisonment and $50,000 to $250,000 fines are enforced by the Department of Justice.

Protecting confidential health information is everyone’s job. Organizations in the health care industry hold some of the most personal and private information about an individual. Medical information can provide an understanding of what kind of lifestyle an individual has led, how long he or she is likely to live, and what ails and aches he or she currently suffers. It is in the best interest of health organizations to protect the privacy of their confidential information, and through HIPAA it is a legal requirement. The Health Insurance Portability and Accountability Act provides the legal framework for the handling of health data, ensuring that patient privacy is handled with the utmost care and patient information is treated with the utmost confidentiality.

References

Hunt, K. (2004). Cancer Registry Management: Principles & Practice (Revised ed.). United States of America: Kendall Hunt.

McWay, D., & Rhia, J. D. (2010). Legal and Ethical Aspects of Health Information Management (3rd ed.). Clifton Park, NY: Cengage.

Scott, R. W., & Petrosino, C. L. (2008). Physical Therapy Management. St. Louis, Missouri: Mosby, Inc.

U.S. Department of Health & Human Services. (2007, August 13). Understanding Health Information Privacy. Retrieved April 2015, from U.S. Department of Health & Human Services.