Privacy and security is significant for any institution operating under offices because of clients, which prompts for the need of protecting the flowing information. In the context of a hospital, there is need for protecting the client's information in order to assure them of their privacy and security. Privacy is always important when attending to the clients since it provides an environment where the latter can open up to their doctors. Privacy refers to what the protected; information about the patient and the determination of the personalities permitted to use while security refer to the way of safeguarding the information through ensuring privacy to information (Rodrigues, 2010). The patients also need security because of the inevitability of serene environment for their recovery. Even though St. John's hospital presents good strategies in terms of their sound policies, this is not enough in ensuring confidentiality in the information of the clients. The cleaning staff, referred to as the subordinate staff, still have access to the discarded printout meant for keeping the information about the clients. Considering that the cleaning staff have already accessed the information, there is need for appropriate action towards them besides an action by the IS administrator.
Response to the situation
The cleaning staff have not done wrong in this situation since the source of whole challenge is from the management. Avoiding the utility of the paper shredder is one of the major cause of the circumstance facing the company (Rodrigues, 2010). The hospital does not use paper shredder on the documents, which contain vital information about the clients. This explains why the cleaning staff have an easier access to the information. Paper shredder is important for any institution who would like to keep vital secret about their organization otherwise it would expose their weakness. This applies the same to the information provided by the clients. The use of paper shredder on the already used document is essential for the hospitals since it assures security of the information provided by the client. This hospital needs the use of paper shredder to that the employees do not leak any information, about the client, to the third party. The machine shreds the document into small pieces making the written words unreadable.
The state of the organization shows that it has not been complying with the guidance provided by HIPAA privacy rules. There is need for proper management that assures of protection for the patient's information. The management has not put proper strategies that look into the state of the flowing information. HIPAA presents a set of rules that guides the management in the context of ensuring privacy and security for the patients. The hospital has the challenge of presenting privacy and security of the patient hence the best response would be complying to the HIPAA Privacy Rules. The HIPAA lists standards within which the hospital can relate with the patients while ensuring their privacy and security. The rules provides determines the information type that needs protection and the situations in which disclosure may be inevitable. The HIPAA privacy rules also defines when an individual can have right of controlling the use of his personal information (Rodrigues, 2010). This rule is often important to PHI because of their universality in application since the hospital can use it any situation including electronic, paper and oral. This privacy rule is applicable in the situation of the hospital because the latter need a better way of ensuring privacy and security for their patients.
Type of training
Training forms one of the essential factors in the process of seeking for a solution to the challenge facing the institution. It refers to the process of providing acclimatizing the hospital'semployees to a newly introduced strategy. The most basic training will involve caring for the clients. The employees should be aware of the ways in which they should be caring for the clients to ensure that they understand the message type given by the latter. Caring for the clients forms the basis of training as it provides the foundation for which all the training will occur. Caring for the client goes together with minding about their privacy and security; hence, it would be important to train the employees on how to care for their subjects. Training provides assurance for meeting the objective of any laid down strategy since it makes every individual within the premises enlightened.
Considering the situation of the company, I would consider offering training on better ethics of how to relate to the patients. This would involve training the employeeson the best way of relating to the clients considering that the clients always have different attitudes. I would train them on how discern the information needed for disclosure and those that should remain private. The employeeswould also need to understand the best ways storing information, which the client may be considering as confidential. There is also a need for being knowledgeable about when to share client's information. This training is important, especially when considering the need of complying with the HPA privacy rules (Nass et al., 2009). The training would make it easy for the employeesto work within the provision of the privacy rules.
A training on how to keep private the information presented by the client is also important to ensure that there is no disclosure. The employees at the hospital need to consider the use of the electronic devices in ensuring the privacy of client's information. Computers are important device as they present a safety filing system where the individual can keep information about client for easy retrieval (Harman & AHIMA, 2006). The employee would only need to assign a password to the computer to ensure that third parties cannot access the information.
Implementing the management plans
Use of paper shredders and other electronic devices
There is need for paper shredders in every office inside the institution. Apart from putting the paper-shredding machine in every office, I would consider training the employees on using the paper shredders. I would advise them to shred the papers on the exit of the patients to ensure that no party have access to the information. Anyindividual, who would fail to do so, would be a subject to punishment by the administration. Putting the paper shredders in every office besides advising the employees to use them would be important in avoiding unnecessary leakage of information to the other individuals. Installing proper computer facilities will also help in implementing the management plans. I would advise the employees to secure their transmission mechanism such as email. For instance, the use of unencrypted email would not comply with HIPAA since it presents possibility for the leakage of the information to third party. Consequently, the implementation process would involve developing safe and secure method of electronically storing and transmitting mandatory public health reporting (HRSA, 2013).
Compliance to the HIPAA
The compliance to the HIPAA privacy rules is important in the implementation of the management plan. There is need to make the employees aware of all the HIPAA rules ensuring that all their actions are within the provision of the privacy rules. The HIPAA informs the employees on the situations when they can expose information about a client and when they ought to keep the information private. The table below shows the description of patient's data privacy and protection:
WHEN YOU CAN, MUST, AND CANNOT SHARE PHI
Without Written Patient Permission
Only With Written Patient Permission
With the patient
For treatment, payment, and health care operations purposes
When the patient agrees to share PHI
In the case of incidental use or disclosure
In the public interest
For a limited dataset (which includes PHI but direct identifiers of individuals and their relatives, household members, and employers have been removed) for the purposes of evaluation, public health, or health care operations
With the patient (or their personal representatives) when they request access to, or an accounting of, disclosures of their PHI
With HHS when it is undertaking a compliance investigation or review or enforcement action
Any other PHI with any other entity
Exceptions to this include:
Business associates under a business associate contract
Personal health information that has been de-identified so that it cannot link back to the patient
All other instances in which you plan to use or disclose PHI for reasons other than treatment, payment, health care operations, or activities otherwise permitted or required by the Privacy Rule
The above plan shows that the employee can only disclose patient's PHI in case an individual would like to access the information for other treatment purposes. However, the HPPA also shows that the employee should disclose less than 30% of the patient's information in case of the treatment purposes. The employee should not disclose information about the status of the client, in case of HIV / AIDS to save the image held by the latter. The employee should also avoid informing the client about releasing their PHI since…