Protecting Patient Data

 


Part I: Policy Manual Introduction (1–2 pages)

United General’s hospital administrator reviews the hospital’s policy manual and discovers that it inadequately addresses the area of patient records. The hospital administrator tasks you with reviewing the hospital policy manual and reporting on the thoroughness of its coverage of patient records. After a review of the policy manual, you report that the coverage of patient records is sparse and outdated. The hospital administrator then asks you to update the policy manual.

The policy manual introduction should include:

  • An update to the manual’s introduction to include more depth in the area of patient records. As you write this section, describe the purpose of patient record protection and its importance to the organization.
  • An explanation of the legal requirements for protecting patient health records.

Part II: Risk Assessment (3–5 pages)


Because Pete compromised Winnie’s patient records, the hospital administrator tasks you with identifying other potential risks that the hospital and the primary care physicians may need to address to protect patient records.

Your risk assessment should:

  • Identify risks to both electronic and paper patient records, and recommend remedies United General can put in place to protect the records from compromise.
  • Create policy statements that comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations addressing access to and disclosure of electronic and paper patient records.
  • Describe relevant training topics that will educate the staff on accessing and disclosing patient records.

Part III: Alignment with Regulatory Requirements (3–5 pages)

Winnie’s lawsuit refers to United General’s violation of patient record protection and privacy regulations as the prime cause of the problem. This has now opened United General to governmental inquiries as well as to federal lawsuits.

Write a 3–5 page APA style paper addressing the following:

  • Review the requirements of the HIPAA regulations and identify areas in the case study that breached HIPAA regulations, remembering your analysis of the hospital’s policy manual—the policies applicable to patient record handling and disposal require an update to align with HIPAA regulations.
  • Create policy statements that align with HIPAA regulations that address patient health care record handling and disposal.
  • Describe relevant training topics for staff in order to educate them on the handling and disposal of patient records.

Part IV: Managerial Oversight (3–4 pages)

During Pete’s exit interview he states that he did not receive managerial direction or training in regard to accessing computer systems and online patient records. The hospital administrator reviews the management training manual and finds that the area detailing instructions that management needs to give to staff is sparse. The hospital administrator asks that you write a section of the management training manual to provide clear instructions for management oversight in the area of handling and accessing patient records. As part of managerial oversight of hospital staff, access to patient records should be restricted and only available to appropriate staff members. For instance, in this case study, Pete should not have had access to Winnie’s patient record.

This section of the management training manual should:

  • Include clear instructions for management oversight in the area of handling and accessing patient records.
  • Include policy statements for role-based security level access to patient records.
  • Describe methods to set security levels for accessing patient records to support the policy statements.

Note: The paper should be 10–16 pages, not including the title and reference pages. Your Assignment must be written in standard edited English. Be sure to support your work with 4–6 specific citations from this week’s Learning Resources and additional scholarly sources as appropriate. Refer to the Essential Guide to APA Style for Walden Students to ensure that your in-text citations and reference list are correct. Your Assignment should show effective application of triangulation of content and resources to show your conclusion and recommendations. 

Running head: PATIENT DATA

Protecting Patient Data

Walden University

Since the inception of record-keeping, medical records have held a place in society: the collection of medical data from each individual patient is essential not only for tracking the progression of a condition but also as a general record of a patient's overall health. Accordingly, a patient file generally contains hospital summaries (admission, discharge, and follow-up care), radiological images, consultation reports, a list of medications, allergy information, physical examination findings, and similar documents. However, certain material, such as correspondence between lawyers, physicians, and medical indemnity providers, is excluded under current law and should not be treated as part of the patient's medical record (Ken, 2009). Patient records therefore contain a significant amount of sensitive information that must be safeguarded, and proper safety and security measures are essential to patient care.

Because the compilation, storage, and retrieval of information is such an important part of patient care, it is essential to provide proper safeguards against unauthorized access, such as locked steel cabinets for facilities still using paper records and strong encryption for those using electronic medical records. With the enactment of newer laws and the compliance requirements of meaningful use, the value of a safe and secure medical record system should not be overlooked. A comprehensive record-keeping system that is secure and meets the needs of patients, physicians, other health care providers, insurance billers, and other third parties is therefore of the utmost importance. After analysis of United General's policy manual, the changes proposed below would form a comprehensive update capable of meeting these requirements:

· Records should be kept in a secure electronic format that is legible, easily understood, written with American Medical Association approved acronyms and abbreviations, and readily transmissible from one organization to another.

· The medical record, at a minimum, must contain a thorough history, physical examination findings, tests and procedures performed on the patient along with their results, any consultations, the assessment and plan, medication history, and any other medically relevant information that allows comprehensive compilation of patient-specific medical data.

· The medical record should include all discussions of any proposed procedures and treatment options, along with the risk-benefit analysis, in order to demonstrate clearly that all options were presented to the patient and that the patient chose without prejudice or coercion.

· The medical record must safeguard, by encryption, any written consent issued by and to the patient for any medical treatment, including but not limited to surgical and medical procedures.

· The medical record should document patient compliance and non-compliance of any type, including but not limited to refusal of consent to testing, medical or surgical procedures, vaccination, and medication. Any refusal against medical advice MUST be documented.

· All telephone conversations in which medical information is discussed shall, to the extent permitted by law, be monitored and/or recorded for quality and training purposes to ensure adequate record keeping.

· All information pertaining to allergies (food or medicinal) or any other conditions that demand special attention or could bring harm to a patient shall be documented in the medical record.

· The medical record should incorporate the details of any clinical opinion reached by the medical practitioners. The record should also be comprehensive with respect to follow-up recommendations, and compliance with them should be monitored.

· The medical record system should provide nightly reconciliation of the data entered during the day, with automatic in-session saving of information being typed or uploaded so that no pertinent data is lost. As an additional security provision, the system should be tested monthly for security vulnerabilities and should have backup access in the event of a primary system failure.

· The medical record system shall employ security controls that not only limit unauthorized access but also alert, in real time, on unauthorized access attempts against patient records and secure areas of a building, in order to reduce any potential loss of secure information.

While the proposed list above is not comprehensive, it does serve as a starting point for restructuring United General's commitment not only to safeguarding medical information but also to HIPAA compliance. According to Thakkar and Davis (2009), safe and secure health records provide a legally recognized form of record keeping that tracks decision making in patient care and improves quality and safety by holding patient information in a centralized source. Thus, the points below help identify the importance and purpose of proper medical record keeping while remaining in compliance with HIPAA:

· HIPAA sets the national standard that protects and respects the privacy of individuals with regard to how and when their medical information is accessed.

· HIPAA compliance in safeguarding a patient's health information is achieved by limiting, within reason, unnecessary sharing and use of information and by using accessed information only for its specific intended purpose(s).

· Business associate agreements will be established with service providers who perform tasks on behalf of the hospital, so that they operate in a secure manner and patient information is not disclosed to anyone not authorized to possess it.

· Develop and implement a training program that teaches staff not only to safeguard patient information but also to support continuous monitoring of who accesses patient information and how it is used.

· Establish protocols that detect possible systemic breaches. In addition, develop a step-wise approach for gathering the information needed to notify a patient of a data breach.

· Electronic medical records improve the level of involvement a patient has in their medical decisions. Active involvement in decision making allows patients to track and manage their health care needs while keeping their ultimate goals in view.

· A medical record provides a complete legal and business account that documents all facts of medical care, even when multiple providers are involved. This documentation gives patients peace of mind because it enables them to keep track of their medical care.

· Electronic medical records allow the dissemination of information, especially in emergency situations, at a moment's notice, ensuring that the patient receives the best care possible.

· Digital records reduce administrative cost because clinical documents are organized in a digital format that makes searching for information relatively easy. In addition, a digital format increases efficiency, especially for prescription refills, scheduling and automatic reminders, and referrals.

· Electronic records support comprehensive family-centered care by giving caregivers the ability to track, update, and interpret information, especially where most family members see the same physician (Kaelber & Pan, 2008).

While the collection, storage, and retrieval of patient information is essential for both physician and patient, ensuring that only those with proper authority have access, and that the information is stored securely, is of great concern. Based on the situation that occurred at United General Hospital, several risks, along with proposed remedies to prevent compromise of medical records, are suggested below. Most of these suggestions apply to both electronic and paper records; however, electronic records are the main focus, since federal law and the meaningful use requirements push providers toward an electronic format.

· Both paper and electronic formats are subject to unauthorized access and present a liability for the physician and medical care facility, so it is important to safeguard the information. Electronic medical records are subject to intentional or unintentional destruction or loss, inappropriate data entry or corrections, and transcription errors. To remedy this, a master access list must be kept consistently up to date so that those with proper access retain it and those who lose those privileges no longer have access; this list should be tied to each individual's identification credential. In addition, strong encryption of stored records keeps files safe from anyone who obtains them without the key.

· Paper records are somewhat easier to access without authorization than electronic records. In addition, they are subject to being lost, stolen, damaged, and easily altered, since all it takes is access and a pen to change information. Paper record keeping is also very inefficient: it requires dedicated storage space and a constant consumption of paper. The inefficiency of gathering, storing, and retrieving data gives this method a very high labor cost, because a team must spend a significant amount of time ensuring that proper protocol is followed. Since this method is being phased out to comply with newer federal requirements, the focus has shifted to making electronic records the safe mainstay option for all medical facilities.

· While electronic medical records have the potential to interfere with patient interaction, and thus with establishing a solid and trustworthy bond, several steps can be taken to ensure the patient does not feel neglected. One can interview the patient, write down relevant facts on paper or memorize them, and then complete the comprehensive electronic record after the visit.

· Unauthorized access to both electronic and paper medical records is of great concern; however, as mentioned previously, the more barriers put in place, such as strong encryption for digital formats and locked steel cabinets for paper documents, the more difficult it becomes for someone to steal information they are not privileged to see.

Based on the information provided, one can easily deduce that security should be of the utmost concern when dealing with the sensitive information found in a patient's medical record. A private practice or medical facility should always adhere to standards that not only prevent unauthorized access to medical records but also ensure that the hospital is diligent in training its staff not to disseminate information, whether to a close family friend, a relative, or a complete stranger. Privacy and security should be a top priority alongside patient care. Thus, hospital policies that comply with and mirror the Health Insurance Portability and Accountability Act are set out below:

· The development of policies and procedures that dictate proper storage and security methods, and onsite and offsite retrieval methods, for medical records, for those who are authorized to retrieve them.

· Maintaining an up-to-date access list, reviewed weekly, to ensure that those who are active within the hospital system have access to the material needed to do their jobs effectively, while deactivating those who no longer have a relationship with the hospital.

· Proper labeling of files and related information to ensure proper storage and retrieval of records while preventing unauthorized access.

· The development and implementation of automatic backups that enable authorized users to focus on their work with the peace of mind of knowing that information is not only being saved automatically but also backed up in the event of a total primary system failure.

· Ensuring that third-party vendors consistently meet all protocols for the safety and proper management of information, through quarterly meetings at which concerns can be voiced and suggestions made.

· Creating a dedicated unit that ensures the needs of the organization, such as policies and procedures, are being met, while addressing requests to modify components of the electronic medical record to add or upgrade encryption capability, increase available storage, and further analyze metadata to extract vital information (Wafa, 2010).

Training is invaluable: it allows staff to gain skills in which they are not yet proficient, and reminds experienced staff to keep current with any changes so that they remain in compliance with policies and procedures. Thus, the following topics serve to inform staff on the proper methods of accessing and disclosing patient information:

· Information security and confidentiality should be at the forefront of patient care, especially where a patient's medical record is involved. Improved security measures decrease what the hospital needs to spend (by reducing the cost of possible litigation) while ensuring healthier outcomes and increasing patient trust in the organization's ability to keep records safe. Increased patient trust allows for increased compliance, and thus a more cohesive approach to informed decisions about the specifics of medical care. In addition, it is important to create mock simulations that demonstrate what impact data breaches could have on the organization and its patients, since breaches could tarnish the reputation of the medical organization and have lasting emotional and financial impacts on the patient. According to the U.S. Department of Health and Human Services (n.d.), a poorly performing organization that lacks proper safety protocols exacerbates the vulnerability of its information, leaving it exposed to cyber attacks that could maliciously use information and destroy both the patient's and the hospital's reputation.

· Compliance with HIPAA statutes serves to protect not only the well-being of the patient but also all of the information collected from them. Medical practitioners have a responsibility to safeguard patients' sensitive information and to provide the highest quality of medical care. At a minimum, demographic information and information about past, present, or future physical or mental health should be safeguarded, along with medication history.

· All personnel who provide medical care must not only adhere to HIPAA but also comply with any changes that arise, to ensure that the safety and quality of patient care is never compromised. As such, all providers should understand the standard financial and administrative procedures that could affect patient care and ensure that everything is being done to safeguard patient information.

A lawsuit involving a former patient of United General enables us to analyze the level of oversight when it came to patient confidentiality and security. A violation of patient privacy occurred when information was not only accessed but also distributed in a manner inconsistent with hospital protocol and HIPAA compliance. United General failed to comply with the regulations protecting the privacy and security of health information, thus violating the rules set forth by HIPAA. This is a serious violation that has opened United General to governmental inquiries as well as to federal lawsuits. On that basis, some areas that breached HIPAA compliance are analyzed below:

· Collection, use, and disclosure of patient information: Under the HIPAA Privacy Rule, a covered entity may use or disclose protected health information without the patient's written authorization only for treatment, payment, and health care operations and for the other exceptions the rule enumerates; any other use or disclosure requires the patient's authorization, and every use or disclosure must be limited to the minimum necessary for its purpose. In this case study, Pete should not have had access to Winnie's record at all, and the subsequent distribution of her information falls under none of these permitted purposes.

· Security: Medical records, whether paper or electronic, shall reside in a safe and secure environment where proper safeguards have been put in place to ensure integrity and confidentiality. Accordingly, medical providers should be vigilant and conduct monthly or quarterly assessments of access to sensitive information, as well as ongoing training using scenarios that illustrate the responsibilities one has when accessing medical records. In addition, protocols should be modified to ensure that all medical professionals understand that medical records are to be accessed only for a legitimate purpose, and that reasonable steps must be taken to protect them from theft, loss, and unauthorized disclosure and use.

· Storage: A patient record, whether digital or paper, should be stored in a secure manner that prevents theft, unauthorized access, and intentional or unintentional destruction or modification of information. Care should always be taken to ensure that a backup is available in the event of a catastrophic failure of resources.

The HIPAA analysis above is not an all-encompassing review that exposes every area needing attention; however, it does provide a solid foundation for addressing the essential areas of weakness. It is therefore in United General's best interest to develop policies that mirror those established by HIPAA in order to educate medical providers on the importance of handling and disposing of patient health care records:

· Access to a patient's medical record by the patient is to be granted only to the patient who requests it, or to a person the patient has appointed in writing to act on their behalf. Patients may inspect their records free of charge but may be charged a reasonable, cost-based fee for copies, in compliance with state, local, and federal law. All information shall be kept confidential unless disclosure is authorized by the patient or by state, local, or federal law.

· All information must be entered in a legible manner consistent with American Medical Association standards for detail and acronyms. Information must be easily deciphered when presented to other health care professionals, so that there is uniformity of "language" in coordinating the medical care that best serves the patient's interests.

· Patient medical records shall be accessed only by those with a specific purpose and the proper credentials to coordinate the patient's care. Those who access information must take great care that it is not easily seen or accessed by others. Every access to a patient record shall be documented, so that proper accountability is maintained for those in possession of sensitive information. The patient has the ability to consent to or deny the release of information.

· Safeguarding information shall always be of the highest concern, not only in the best interest of the patient but also of the medical organization. Secure medical information not only gives the patient peace of mind but also allows the medical provider and facility to provide the best quality of care without compromising safety and value.

· All information shall be strongly encrypted against attempted breach; however, encryption does not prevent misuse by a user who is authorized to decrypt, so if a breach does occur a full investigation, relying on the access audit trail, shall ensue. The patient must be notified and given a full briefing that includes the type of information that was taken along with the steps being taken to rectify the situation.

Based on the information presented, it is imperative that medical personnel be trained on the proper protocols to ensure that each person is HIPAA compliant. Thus, several topics must be covered to educate them on the handling and disposal of patient records, including:

· Types of protected information: HIPAA treats virtually all facets of patient information as sensitive and requires diligence when accessing it. Identifiable information such as race, sex, demographics, and diagnosis must be safeguarded. Patient information ceases to be classified as "protected" only where public safety or other exceptions defined by law apply.

· Who must comply with HIPAA regulations: Everyone who delivers medical care, whether directly or indirectly involved, is bound by HIPAA regulations. Accordingly, health care workers who perform financial and administrative functions are held to the same standards as those providing care.

· Importance of the safety and security of patient information: The security of patient information is directly related to quality of care. Secured patient information leads to better outcomes and more satisfied patients, which enables the health care facility to provide more services and to be a provider trusted with all facets of patient care.

Employees who are uninformed because they lack proper training, or because the training manual lacks proper protocols, have not been treated fairly, because they are misinformed. Blame therefore falls not only on the employee but also on the facility, which should have ensured that employees received the necessary information and fully understood what it entails. It is imperative that United General address the sparse areas of the manual to update it and convey its intended message. The points below serve to initiate management oversight of handling and accessing patient records:

· First, establish the organizational mission and values while ensuring that each person understands that a collaborative effort is needed to be compliant. Emphasis should be placed on the imperative nature of safety and security for patient information. Management should also provide ongoing training outlining changes, along with potential revisions the organization may implement, as a supplement to a holistic approach to privacy and security.

· Second, properly and officially document all findings to ensure that a record exists to validate any claims that may arise. Documentation allows both employer and employee to understand what is required of each, and the moment one party fails to hold up its end of the agreement, that event should be documented.

· Third, analyze existing security measures in order to understand and predict potential pitfalls where an employee may lack understanding. The integrity and availability of policy information must be presented to the employee in a manner that leaves no reasonable doubt about what steps should be taken to abide by hospital policy and by HIPAA.

· Fourth, develop an action plan on behalf of the employee that involves risk analysis of different scenarios, with the appropriate action selected based on the identified risk. The action plan should take HIPAA policies into account, with enough flexibility to let personnel focus on the highest-priority threats and vulnerabilities.

· Fifth, establish firm policies regarding the meaningful use of information accessed for direct patient care. Policies should dictate that access is strictly limited to the care of patients in whose treatment the employee is directly involved.

· Sixth, establish ongoing monitoring of information access, with quarterly updates to ensure all employees are up to date and equipped with the tools necessary to perform their jobs correctly. Auditing serves as an assessment tool and as legal documentation of who did what, when, where, and why.

The suggestions above serve as a foundation for addressing the inadequacies in oversight in the United General handbook. United General should have a role-based security protocol that grants users access to the specific aspects of patient care they need while restricting the other parts of the medical record. According to Rupp (2016), role-based security allows parameters to be set automatically to limit or grant specific privileges to sensitive information. In this case United General would benefit from establishing role-based access to patient records. The following would serve as preliminary measures to establish it:

· Encryption of all sensitive data, which may be decrypted only by verified personnel.

· Color-coded IDs showing the level of access a specific medical provider has.

· Strong alphanumeric passwords combined with multi-factor authentication for access to patient records; passwords should be changed promptly on any suspicion of compromise rather than relying on quarterly or annual rotation alone.

· Routine security audits, including simulated access attempts by unauthorized users, to drive further development of security protocols.

· Implementation of backups to ensure access in the event of primary system failure.

The security measures presented above will aid the medical facility in both the development and the implementation of role-based security access. Security level access can then be further refined by department, by job position, and lastly by a ranking that maps the type of care being provided to the specific access necessary to complete the desired tasks. In sum, the information presented throughout has elucidated many points and provided examples of how policies can be developed for the types of situations that can and will be encountered.
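As an added example (not code from the original paper, from Rupp, or from any United General system), the Python program below implements the role-based access described in this section together with the per-access documentation and real-time alerting called for earlier in the manual. The roles, record sections, permission matrix, department names and all user and patient identifiers are hypothetical. The constructed scenario denies one access for each of the three reasons the manual gives (a role with no business reading records, a user with no care relationship to the patient, and an account the weekly access review has deactivated), and grants one emergency override that is flagged for management review.

```python
"""Role-based, relationship-aware access control for patient records, with an
audit trail and real-time alerting on denied or overridden access.
Added example (Python standard library only); not code from the original
paper or any United General system. Roles, sections, permissions,
departments and user/patient identifiers are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Role(Enum):
    PHYSICIAN = "physician"
    NURSE = "nurse"
    BILLING = "billing"
    IT_SUPPORT = "it_support"   # administers the system, never reads records

class Section(Enum):
    DEMOGRAPHICS = "demographics"
    CLINICAL = "clinical"
    BILLING = "billing"

# Security level per role: the record sections a job function may read.
ROLE_PERMISSIONS = {
    Role.PHYSICIAN: {Section.DEMOGRAPHICS, Section.CLINICAL, Section.BILLING},
    Role.NURSE: {Section.DEMOGRAPHICS, Section.CLINICAL},
    Role.BILLING: {Section.DEMOGRAPHICS, Section.BILLING},
    Role.IT_SUPPORT: set(),
}

@dataclass(frozen=True)
class Staff:
    user_id: str
    role: Role
    department: str
    active: bool = True  # cleared by the weekly access-list review

@dataclass
class PatientRecord:
    patient_id: str
    care_team: set  # user_ids with a treatment or billing relationship

@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    reason: str

class RecordAccessControl:
    def __init__(self):
        self.audit_log = []   # every decision, allowed or not
        self.alerts = []      # denials and overrides, for real-time review

    def decide(self, staff, record, section):
        if not staff.active:
            return False, "account inactive"
        if section not in ROLE_PERMISSIONS[staff.role]:
            return False, f"role {staff.role.value} may not read {section.value}"
        if staff.user_id not in record.care_team:
            # Minimum necessary: a valid role alone is not enough; the user
            # must be involved in this patient's care or billing.
            return False, "no care or billing relationship with this patient"
        return True, "permitted"

    def access(self, staff, record, section, break_glass=False):
        allowed, reason = self.decide(staff, record, section)
        if (not allowed and break_glass and staff.active
                and section in ROLE_PERMISSIONS[staff.role]):
            # Emergency override for a clinician not yet on the care team:
            # granted, but always logged and alerted for management review.
            allowed, reason = True, "break-the-glass override"
        event = AuditEvent(datetime.now(timezone.utc).isoformat(),
                           staff.user_id, record.patient_id, section.value,
                           allowed, reason)
        self.audit_log.append(event)
        if not allowed or break_glass:
            self.alerts.append(event)
        return allowed

def run_scenario():
    """Constructed scenario: one record, five hypothetical staff accounts."""
    acl = RecordAccessControl()
    record = PatientRecord("patient-1001", care_team={"attending_md", "billing_clerk"})
    attending = Staff("attending_md", Role.PHYSICIAN, "Cardiology")
    other_nurse = Staff("floor_nurse", Role.NURSE, "Oncology")
    er_doc = Staff("er_md", Role.PHYSICIAN, "Emergency")
    tech = Staff("support_tech", Role.IT_SUPPORT, "IT")
    former = Staff("former_nurse", Role.NURSE, "Cardiology", active=False)
    acl.access(attending, record, Section.CLINICAL)        # allowed
    acl.access(other_nurse, record, Section.CLINICAL)      # denied: not on care team
    acl.access(tech, record, Section.DEMOGRAPHICS)         # denied: role has no access
    acl.access(former, record, Section.CLINICAL)           # denied: inactive account
    acl.access(er_doc, record, Section.CLINICAL, break_glass=True)  # allowed, flagged
    return acl
```

Running `run_scenario()` yields an audit log of five events and four alerts. The care-team check is what enforces the minimum-necessary principle: a valid role alone would have let the oncology nurse read a cardiology patient's chart. The break-the-glass path is deliberately narrow, never bypassing the role matrix or an inactive account, and every use of it lands in the alert queue for the periodic audit described under the sixth oversight point.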

References:

Kaelber, D., & Pan, E. C. (2008). The value of personal health record (PHR) systems. AMIA Annual Symposium Proceedings, 343–347.

Ken, T. (2009). Patient privacy: The new threats. Physicians Practice Journal, 19(3).

Rupp, S. (2016). Keys to maintaining the security of a practice's EHR data. Electronic Health Reporter. Retrieved January 27, 2017, from http://electronichealthreporter.com/role-based-access-control-audit-trails-password-protection-encryption-consent-keys-maintaining-security-practices-ehr-data/

Thakkar, M., & Davis, D. C. (2009). Health information technology: Benefits of EHR and HIE: Risks, barriers, and benefits of EHR systems. Retrieved January 27, 2017, from http://www.kumc.edu/health-informatics/hispc/for-consumerspatients/risks-and-benefits-of-electronic-health-records.html

Wafa, T. (2010). How the lack of prescriptive technical granularity in HIPAA has compromised patient privacy. Northern Illinois University Law Review, 30(3).
