Healthcare Security Issues, Term Paper Example

Healthcare security issues, particularly because of the increasing dependence of the industry on computers and the influence and importance of the HIPAA laws, are of more importance than ever.  This paper deals with issues from several hypothetical situations that deal with healthcare security, the liability of healthcare organizations, and possible consequences of confidentiality of HIPAA breaches.

Scenario 1

In this case, it is likely that Kaiser Permanente would share at least some of the culpability for this breach.  In a somewhat similar case, a healthcare organization named South Shore Hospital was successfully sued under the Massachusetts Consumer Protection Act and HIPAA when they shipped computer disks with PHI to a third-party company who would erase and sell them, but failed to tell the company that there was PHI on the disks or to check to begin with that the company was able to handle the disks properly (Margrave, 2012, p.1).  In this case, like the scenario here, there was shared failures on the part of both companies, but the healthcare company in question does have an obligation to investigate third party contractors for their fitness to carry out business obligations in regards to the handling of patient information.

A breach like this could definitely have a dampening effect on patient confidence in this healthcare system, and in this day and age, with people so skittish about privacy and identity theft issues, this could be a very serious problem.  There are, however, ways in which confidence can be re-established. One good example is that of the Johns Hopkins Hospital, who recently had a breach issue with one of their clinical psychiatric staff who made recordings of patients without their knowledge or consent: in response, Johns Hopkins offered patients “free, face-to-face, professional counseling services that focus on crisis response, stabilization, and referrals for longer term treatment if needed” (Ouellville, 2013, p.1).  The hospital responded quickly and emphatically to the breach issue and the article goes on to note that “how the hospital is handling patient responses may affect data breach management in similar cases going forward” (Ouellville, 2013, p. 2).

Scenario 2

Due to the sensitive and potentially very expensive nature of breaches, it would certainly behoove a company to do background checks on employees who work with PHI, especially if that employee has something egregious in his record like child molestation. Anne Mehnke, an RN at the Mayo Clinic, writing about employees who access patient PHI for personal reasons, addresses this issue forthrightly.  She reiterates that patient PHI should be accessed on a “need to know” basis only and if such information for anything other than treatment is required, then written consent should be obtained from the patient first.  Mehnke notes that in a recent case at the Mayo Clinic of  a nurse accessing patient information for personal reasons – and confronting the patient about it – the nurse was suspended pending an investigation by Human Resources, the Nurse Administrator and the legal department, and eventually terminated because of the breach (Mehnke, 2013, p.48).  Any organization wanting to avoid liability should take the “need to know” basis for accessing PHI very seriously indeed.

In the Mehnke article, she mentions that in the case of the breach at the Mayo Clinic, the incident was turned into a teaching situation for the staff so that it would not happen again (Mehnke, 2013, p. 48).  This, too, would be a good idea to include in new employee training and yearly continuing education to make sure that all employees are well aware of breach issues. Under HIPAA’s Security Rule, organizations are obligated to hire a security officer to manage potential breach issues, keep a record of staff who log in to access PHI, and also conduct risk analysis to detect vulnerability in their system (McGraw Hill Higher Education, 2011, p. 231).   All of these measures would have been good in this case to help prevent the incident in this scenario from occurring.

Scenario 3

The vulnerability of university-based healthcare systems has been a major area of concern for those in the industry.  David Shaw, the chief information security officer for Purdue University, explains why computer hacking is such a potential issue in this particular environment: “a university environment is different from a corporation or a government agency, because of the kind of openness and free flow of information you’re trying to promote. The researchers want to collaborate with others, inside and outside the university, and to share their discoveries” (Perez-Pena, 2013, p.1).  In the same article, when talking about how universities are under increasing attempts at cyber-attacks, Bill Mellon of the University of Wisconsin notes that “We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system (Perez-Pena, 2013, p. 2).

There have been a number of instances of lawsuits in dealing with a breach in university medical systems.  Leon Rodriguez, director of the Health and Human Services Office for Civil Rights, notes that “We have reached record settlements against companies who violated privacy laws and sent a message to everyone that privacy violations will not be tolerated” (iHealthbeat, 2013, p.1).  Only recently, for instance, the HHS Office made public a resolution agreement with Idaho State University because its Family Medical Clinic exposed the PHI of nearly 17,500 patients; the office sited that the university did not a conduct a risk analysis on its security measures, did not put adequate measures in place to protect PHI and did not regularly review records of computer activity to see if PHI had been compromised.  (Ovellelle, 2013, p.1).

Conclusion

From these scenarios, it is easy to see that protecting patient health information is an extremely important one for all healthcare providers, no matter what the setting.  Failure to adequate protect such information cannot only lead to costly law suits, but it can hurt the organization’s reputation and lead to bad public relations and a loss of patient confidence in the healthcare system that is trying to help them.  In an age when we are increasing dependent on technology in nearly all branches of our economy, and becoming increasingly technology-dependent in healthcare, it is more urgent than ever that security and protection of health information be given the highest possible priority.

References

“Health Industry Vulnerable to Hackers, Experts Say”.  (2013). iHealthbeat Website. Web. 14 April 2014.

“Legal and Ethical Issues in Medical Practice, Including HIPAA”. (2012). McGraw-Hill Higher Education Website. Web. 14 April 2014.

Margrave, B. (2012). “Massachusetts Hospital to Pay $750,000 to Settle Data Breach Case”. Health IT News Website. Web. 14 April 2014.

Mehnke, A. (2013). “Managing a Breach in Patient Confidentiality”. Nursing Critical Care. 5(4) 48

Ovellelle, P. (2013). “Johns Hopkins Privacy Breach Update: Patient Counselling”.  American Telemedicine Association.  Web. 14 April 2014.

Ovellelle, P. (2013). “HHS Fines Idaho State University $400,000 for Health Data Breach”. Health IT Security Website. Web. 14 April 2014.

Perez-Pena, R. (2013). “Universities Face a Rising Barrage of Cyber Attacks”. New York Times Online. Web. 14 April 2014.