
Nursing Research HIPAA Proposal Patient Privacy Protection

Last reviewed: February 21, 2012

Nursing Research HIPAA Proposal

Patient privacy protection is a cornerstone of any patient bill of rights and is a major goal of any nurse or medical professional. Without privacy, the basis of trust necessary to facilitate patient healing simply cannot occur. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) increasingly dominates the nursing landscape. Safeguarding private patient information is not just important. It is the law. HIPAA provides federal protection for personal health information that is held by the affected organizations (and their contractors) and gives patients a wide spectrum of rights related to that information. Such organizations include health care providers (doctors, nurses, etc.), health plans (insurance, HMOs, etc.), health care clearinghouses (entities that process nonstandard information) or student records at universities. An organization is required to know if it is an entity covered by HIPAA in order to comply with the law. Once the records are no longer needed, their appropriate and secure disposal is the responsibility of the health care provider or other applicable entity in the health care chain. Any unauthorized disclosure of the patient information is that entity's responsibility.

Comprehensive HIPAA training is essential to proactively following the law and effectively preserving patient privacy rights. Such training needs to be regular and standardized to make sure that it adheres to HIPAA standards. Every organization is responsible for making sure that its training program is up to date with information about the latest HIPAA updates and regulations. Any training program should include information about the significance of patient privacy and the grave implications of violating the law, both in terms of penalties and in terms of the impact upon the patient. In this arena, it is important for the health care provider to know who is authorized to have access to the sensitive patient information, whether it be the patient's friends, family members, or others designated by the patient as involved in their care.

Privacy preservation is to be expected not just in the storage and transport of the information, but also in its disclosure. Additionally, HIPAA is a system that specifies set methods of administrative, physical and technical safeguards for the affected organizations to use in order to facilitate the potentially conflicting goals of confidentiality, availability and integrity of Electronic Medical Records (EMR). EMR is becoming more technical, with mandatory training for medical personnel in equipment, in safeguarding EMRs and in the complications of outsourcing EMR management to contractors. Security risks can also apply to Electronic Health Information transferred from Peer-to-Peer (P2P) file sharing applications. The Federal Trade Commission (FTC) has written a guide to P2P security issues to guide businesses which collect and store sensitive patient information. The FTC also covers the safeguarding of Electronic Protected Health Information on digital copier machines.

While all of the above responsibilities may seem impossible to carry out, in the following study, the author provides a possible pragmatic solution that allows leeway in certain situations with regard to HIPAA observance and enforcement by health care providers and related entities. When such violations do not result in actual harm, punishments might be a bit lighter than outright suspension or firing. In this way, a balance can be struck between protecting patient privacy and being overly zealous in enforcement of HIPAA.

B. Problem Identification

We have all been around the water cooler, the lunch room, the rest room, the hallway, the smoking area, or even online at work and enjoyed hearing some salacious gossip about a fellow employee, friend or family member. While the information is about us or coworkers, it is not a problem. However, when that juicy gossip includes guarded patient information, it becomes literally a federal case in the form of a HIPAA violation.

Certainly, most doctors or nurses can remember talking over a serious patient issue in a relaxed setting and getting helpful advice. However, we have also probably heard nasty and vindictive comments about patients and their health problems. This is particularly the case if they are a difficult patient or if they have given the nurse, doctor, or orderly a hard time in the process. This is a risk with all hospital employees from the cook to the CEO, especially in the case of inexperienced new employees or student hospital interns.

This problem was recognized and analyzed in the October 2010 issue of the journal Academic Medicine, which published a study analyzing data from 65 participant medical students to study unprofessional activity online. While the study was about the online activities of medical students, it reflects upon other medical personnel as well, particularly since many of these students will soon be in the health care workforce. As the journal notes, U.S. medical schools have alarmingly reported cases of unprofessional online content by their medical students. The 65 medical students took part in a qualitative study that explored medical students' online posting activities in medical school.

While they say they avoided HIPAA violations (the study did not mention if it tested their HIPAA knowledge level) or illegal activities, students disagreed as to what constituted inappropriate postings. In this author's opinion, this could prove problematic when there are gray areas that require a person's best judgment. They felt that their postings were guided by common sense and that the schools were too intrusive into their privacy (ibid., 71). Certainly, such cavalier attitudes about private information online may change as the person changes and grows as a professional. However, they might not. This is a concern for hospitals as EMRs become more and more the rule in the health care environment.

Solution Description

Perhaps before this author describes what they feel is an appropriate solution to such a problem (or other casual workplace violations of HIPAA), we should discuss two probable nonsolution situations. While HIPAA violations should always be taken seriously and patient information should always be safeguarded, some enforcement may be too zealous and actually counterproductive. In a 2010 legal case, a former UCLA Health System employee was the first person in the United States to be sentenced to federal prison for violating HIPAA, after pleading guilty to accessing and reading confidential medical records of supervisors and high-profile celebrities. According to the U.S. District attorney, he did not sell or use the information in any other way ("Californian sentenced to," 2010). Certainly, this may be too extreme. Perhaps the former employee should be fined, sued or in some other way punished. However, prison time does seem a bit much.

A similar situation dealt with in the Notre Dame Law Review suggests what may be a more pragmatic solution, especially if there is no profit or the disclosure of patient information does not go too far. In September 2007, actor George Clooney and a female passenger were injured in a motorcycle accident. During the hospital stay, curious nurses and staff peeked into the patient medical records with no medical reason, resulting in 27 nurses and staff being suspended for one month without pay. Clooney expressed dismay at the severity of the punishment. After all, as the author states, was the hospital served by being without the services of 27 curious, but otherwise harmless employees for an entire month? (Brill, 2007, 2105).

As the journal author points out, the disclosure was harmless, but many are not. What is problematic is that there is no private cause of action or an individual remedy provided by HIPAA. If the violation is severe enough, it is up to the Department of Health and Human Services (HHS) to enforce a criminal conviction or for a hospital to discipline an employee (ibid., 2106).

While a hospital cannot fix HIPAA (this is up to Congress), it could show some leeway in the enforcement of the statute, especially if the patient does not want to proceed with disciplinary action or the incident did not result in actual harm. In this way, the act could be pragmatically enforced. Perhaps the patients themselves could be brought into the enforcement question by querying them or giving them options that they could choose from as to the employee's disposition. In this way, enforcement could have a sobering effect upon violators of HIPAA and preserve patient privacy while not being so draconian that it has a chilling effect upon patient care or a negative impact either way upon a health care institution's or its employees' professional reputations.

C. Research Support

As noted above, HIPAA has become a huge issue in the arena of EMR in all areas of medicine, including evidence-based nursing. Other areas of nursing have been touched as well. We will need to review some of the scholarly literature to view the parameters of this issue prior to proposing solutions. The new Obama administration's healthcare policies have a direct impact upon HIPAA in general and Act compliance in particular. The American Recovery and Reinvestment Act of 2009 also incorporates rule changes that privacy advocates and lawmakers have been seeking. For instance, patients may request an audit trail showing all electronic disclosures of information and may ask that they be notified of any unauthorized disclosure/use. Protection extends to personally controlled electronic health data, contractors that work on behalf of health care providers, health plans and health care clearinghouses. The Act requires that individually identifiable health information that is transmitted or physically transported outside a health care unit be encrypted or rendered scrambled for unauthorized individuals. There are extra penalties for violations involving the sale of individual patient information or its unauthorized use for marketing/fundraising, and the Act strengthens enforcement and oversight (Manchikanti & Hirsch, 2009, 299).

A HIPAA violation is everyone's nightmare. Institutional reaction to and punishment of the principals involved is critical. Under HIPAA, the Secretary of the Department of Health and Human Services (HHS) has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary cannot impose civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended) ("Hipaa violations and," 2011).

Outsourcing in healthcare complicates information relation and retrieval. While HIPAA makes no distinction between a U.S. business and one based in a foreign country, advocates urge that consumers at least be told that patient record services are being outsourced overseas ("Are your electronic," 2011). This leads into the HIPAA issues with regard to EMR that figure so largely in the new legislation. Such technologies include electronic records, cell phone text encrypting, wireless networks and RFID technology (Kerr, 2009, 315-317).

Outside of the area of EMR, there are other issues regarding the ability of the head nurse to assign staffing for the personnel on their floor, including CNAs under their control. Interpretations of Health Insurance Portability and Accountability Act (HIPAA) regulations can affect the use of clinical protocols by restricting the CNAs' access to the resident chart, even though they carry out many patient interventions under the direction of the nursing staff (Colon-Emeric, et al., 2007, 1408). Indeed, it has even affected nursing research. In one article published in the Journal of the American Dental Association, a longitudinal study regarding dental nurses ended up de-identifying patient data collected before the advent of HIPAA in order to make sure that sensitive patient data was protected, even though those patients were no longer part of the study due to death or due to their family choosing another nursing home for their care (Levy, Radcliff, Williams & Hutt, 2009, 57). In another study, which surveyed stroke survivors, HIPAA problems were headed off by having the participants sign a HIPAA waiver so that the strictures of the law did not restrict the study (Ostwald, Davis, Hersch, Kelley & Godwin, 2010, 175). In a study published in the Journal of Nursing Administration, a HIPAA waiver was also used in recruiting patients for study as human subjects, in order to follow the interpretation of HIPAA, 2010, 44).

However, HIPAA is not just the province of research into experiential nursing, but also a cornerstone of patient rights. As mentioned above, protecting the security of patient rights is essential to understanding and proactively following HIPAA. This is a critical problem in nurse reporting, both on paper and in electronic format via EMRs. With EMRs, and in an era where much of this information will be going out over the World Wide Web with Web 2.0, this is certainly a critical issue.

The Journal of Rehabilitation Nursing emphasizes the need for nurse reports to be HIPAA compliant. For this reason, the authors Law and Amato call for an information sheet on HIPAA to be included in all hospital manuals, including nurse reporting manuals, so that nurses and the CNAs are sensitized to the law's stipulations with regard to hospital documents and reports (Laws & Amato, 2010, 73).

An article in the Journal of the American College of Nurse-Midwives treats making email systems and EMRs compliant with HIPAA as critical. As Phillippi and Buxton point out, besides making sure that the email systems are compliant, all copies of emails and instant messages dealing with the client's case need to be in the patient's file. This would include any non-secure correspondence as well. Hospital emails should be used only for patient files or hospital business for this reason. Additionally, in the area of EMRs, to promote compliance with the law, it would seem to be critical to remind the person generating patient records or nursing reports as EMRs that practice makes perfect, or that repetition of the HIPAA mandates is what is necessary. The beauty of the electronic medium is that of copy and paste. A set of HIPAA guidelines can be included with every report made as an EMR (Phillippi & Buxton, 2010, 472-475).

One area that HIPAA has a huge impact upon is large databases and registries with large membership lists of people who have access to the data. Without a doubt, the needs of research need to be balanced against patient rights as set out in HIPAA. The online Journal of the American Pain Society notes the potential conflict that exists between the creation of large representative, de-identified electronic databases. In order to address such concerns, the journal talks about a project by the American Society of Regional Anaesthesia to develop an Acute Postoperative Pain (AcutePOP) database in 2006. The project's goal was to create a national Internet-based and HIPAA-compliant database for tracking the APS patients. In the ongoing project, participation is open to all individuals and institutions in the nation. APS is working on issues such as the consensus on data elements and developing software for the HIPAA-compliant project (Zaslansky, Chapman & Meissner, 2009).

The Departments of Labor in the various states are acknowledging and trying to deal with the challenges of HIPAA in the area of EMRs. In the online journal Wyoming Labor Force, Senior Economist Douglas W. Leonard writes an extensive article about EMR and HIPAA's impact upon the state's labor pool as federal funds to support health information technology are pumped into the state. It also notes the perils of large Internet databases in the era of Web 2.0 and HIPAA. Leonard makes an interesting observation which should be obvious but bears repeating: those who own the database will be responsible for HIPAA compliance (Leonard, 2010, 9).

Section D: Implementation Plan

As noted in the problem description, in the age of EMRs, records are proliferating with huge implications for increased access to patient records that conflicts with HIPAA strictures. However, separating, suspending, or otherwise disciplining large numbers of employees could wreak havoc with hospital and nursing operations. Therefore, a third option between neglect and overzealous compliance is necessary. A lot of the solution is in the prevention, hence this project's emphasis upon that approach.

1. Overall Plan

Since many HIPAA violations do not represent patient harm, an employee should not simply be warned. However, overpunishment of too many employees at one time could negatively affect hospital operations. Therefore, in this project, a mandatory fifteen-minute retraining with a series of HIPAA videos and a quiz will be used. In this proposed solution, the employee information video and quiz will be tried on 100 employees whose scores would be tabulated to gauge the effectiveness of the retraining. The solution uses the occasion of the HIPAA violation as a training opportunity. If it works, it could be employed by the nurse educator with the nurse manager's approval for permanent employment as a training device.

Cite This Paper
PaperDue. (2012). Nursing Research HIPAA Proposal Patient Privacy Protection. PaperDue. https://www.paperdue.com/essay/nursing-research-hipaa-proposal-patient-78132
