MED INFO 407 Legal, Ethical, and Social Issues Group 4 Joseph Adams, Raymond Dawson, Beena Joy, Noreen Phelan

MED INFO 407 Legal, Ethical, and Social Issues

Group 4 Joseph Adams, Raymond Dawson, Beena Joy, Noreen Phelan

Compliance Issues

• Case Summary: Your hospital received a call from a hospital ED physician in St. Louis early yesterday. A former hospital employee named Bob Evans, who was treated at your hospital last year, was just in a car accident, and they want his medical information faxed down there right away. An employee of your hospital, Jane Jones, who has access to EPIC or the electronic medical record files, took the call and recognized the patient’s name as that of a former neighbor who had moved to St. Louis several months ago. Out of curiosity, Ms. Jones looked up her former neighbor’s medical records located in EPIC and, after learning that he is HIV positive, shared that information at a neighborhood block party last night.

Also yesterday, a representative from Blue Cross/Blue Shield called and wanted additional medical treatment information to review a denial of one of Mr. Evans’ insurance claims from his last admit at your hospital.

Last evening, Bob Evans Jr. came to your hospital to pick up other old medical records/x-rays/test results for his father that were requested by his St. Louis physician, because he planned to drive down to see his father today. While he was waiting for those records, he mentioned that his father was a patient “in some kind of a clinical trial” at your hospital and that he would like to have those records, too. He was taken down to the clinical informatics department at the hospital and introduced to the informaticist, an independent consultant hired for this 2-year research project, who is aggregating data, including Bob Sr.’s data, into a spreadsheet, and they had a long talk about the preliminary results of the clinical trial.

Then this morning, Bob Jr. arrived at the hospital CEO’s door demanding to know why the hospital is spreading rumors around the neighborhood that his father is HIV positive. The CEO wants to talk to you about this situation and what to do about it.

Board Overview / Agenda

• Compliance Assessment:
  • Recent activities resulted in a breach of patient level data
  • Systemic event not limited to a single department. Issues traced back to these departments with oversight and management responsibilities
    • Human Resources
    • Medical Records
    • Claims and Admissions
    • Business Associates and Contracts
  • Involved sensitive data
  • Business and Legal risks to the hospital
  • Potential public relations risk
• Department Reports / Assessment
• Action Plans
• Questions

Human Resources

Business Risks

What is the hospital’s policy on disclosure of PHI? Does it meet the requirements of the Privacy Rule?

• Improper access & use of PHI by employee. Assess computer access security measures. Immediate action plan should be implemented to minimize damage.

• Disruption of operations and associated costs of dealing with a data breach or improper use of PHI. Dismissal of Ms. Jones – could result in EEOC activity, hiring and training replacement employees.

• Lost brand equity. Hospital reputation & profits decline – decrease in hospital inpatient and outpatient admissions due to lack of confidence/trust from negative PR. Growing problem of identity theft by hospital employees.

• Assess hospital culture regarding privacy and confidentiality. Start at the top with the CEO. Is there an atmosphere of lax compliance?

Human Resources

Legal Risks

Non-compliance with HIPAA brings risks of FINES, JAIL & LAWSUITS that can impact either individuals or corporate entities.

• HITECH (ARRA) - New rules give the AG in every state the authority to bring a civil action on behalf of a state resident against any person violating HIPAA in a federal District Court.

• “HIPAA derivative litigation”. Defamation lawsuits brought against hospitals by patients for breach of confidentiality. Hospitals incur costs in time and money when defending against these painful legal hassles.

• A complaint filed with the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), resulting in an investigation of the CE.

• HIV status is protected under the Americans with Disabilities Act. Individual states may have more stringent confidentiality laws and penalties for violations, e.g., Wisconsin Law 252.15(5).

Human Resources

Ethical Issues
• Public’s trust suffers – negative attention by media for the improper use of PHI.
• Betraying patient’s confidence. If Ms. Jones is a licensed staff member, she may have violated her profession’s ethics. Hospital can report her conduct to the appropriate licensing authority. Also put her under peer review.

Social Issues
• Stigma of HIV diagnosis still exists. Disclosure can be psychologically and financially devastating, especially to well-known public figures.
• HIV+ individuals can be subjected to prejudice and social alienation.
• Discrimination due to presumed or positive HIV status still exists today.
• Lack of trust leads to patients being less likely to share all health information with physicians.

Human Resources

Resolutions
• Organizations must become proactive in their compliance efforts and understand that “voluntary compliance” is no longer the state of the regulatory environment.
• Implement strong 2-factor authentication of users and access controls, with audit logs to detect and document deviations from internal policies. Send a red flag to IT security. Add state-of-the-art physical and technical safeguards, and encryption of data at rest and in transit.
• Random audits + annual privacy and security audits of all systems and products.
• Train and re-educate hospital workforce about privacy, minimum necessary requirements and confidentiality of patient information.
• Independent privacy certification needed for hospitals and companies that deal in PHI. Similar to a Good Housekeeping seal of approval. Increases consumer confidence.
• Develop a “Risk management matrix” to identify system vulnerabilities and the potential impact of a successful breach of confidentiality.
• The minimum necessary information needed to do one’s job. Ensure privacy and security while ensuring access to the right data, at the right time and place.

Human Resources

Cons
• The endeavor to become HIPAA compliant will be expensive in time and money in adding security measures to protect PHI.
• Educating employees will require additional staff, which increases labor costs.
• Adding firewalls and buying new healthcare software management tools to monitor computer access by staff will also increase hospital operational costs.

Pros
• An ounce of prevention will be worth far more than a pound of cure.
• Avoid potential litigation and prosecution. The best defense is to have a comprehensive compliance program that is actively monitored and enforced.
• Increases consumer confidence. Hospitals/covered entities are in competition with each other for patient care business.

Claims/Admissions

Business Issues
• Claim from Bob Evans’ last admit is already denied. How would further treatment information alter the result in favor of Blue Cross/Blue Shield?
• Has BC/BS reopened the claim for possible payment to Mr. Evans?

Legal Issues
• If BC/BS uses past information to deny current claims, they could be violating the Portability provisions in HIPAA Title I.
• BC/BS is a Covered Entity and is entitled to access PHI, but has the “minimum necessary” PHI already been disclosed?

Ethical Issues
• We, as our patients’ advocates, must do what we can to protect our patients’ PHI, especially if it will be used against them.
• We also need to be fair and unbiased in our submission of data for insurance claims.

Social Issues
• If we divulge additional medical treatment information to insurance companies without checking if the “minimum necessary standard” has already been met, we risk violating our patients’ trust in us.

Claims/Admissions

Pros and cons
• Pro for BC/BS – giving additional PHI treatment information regarding the past denied claim gives BC/BS a greater base of data for future claims.
• Con for Mr. Evans – BC/BS could use that information to make a judgment on the current hospitalization.
• Pro for Mr. Evans – Further treatment information could reverse the denied claim.

Resolution to include actionable items
• We have determined that the “minimum necessary” PHI information was not initially divulged, and we will forward the requested information.

Contracts Administration

Business Issues
• Contract violation (contractor / hospital)
• Violation of BA / DUA agreement (contractor / hospital)
• Violation of confidentiality agreement
• Incident response and notifications
• Public Relations
• Clinical trial outcomes jeopardized (scientific validation)

Legal Issues
• Potential loss of hospital intellectual property
• Violation of State and Federal privacy laws
• Violation of HIPAA Privacy Rule
• IRB and/or Privacy Board guidance compromised
• Violation of human subject protection regulations
• Failure to take and/or enforce reasonable safeguards and “CIA” concepts
• Potential defamation issues
• Disclosure of sensitive information without approval

Contracts Administration

Ethical Issues
• Inappropriate actions by the Informaticist resulted in data breach
• Inappropriate discussion regarding patient level data and information
• Inappropriate discussion regarding the clinical trial and outcomes
• Discussing patient level data and intellectual property of the hospital is inappropriate

Social Issues
• AIDS / HIV
• Censorship
• Civil Rights
• Family Relations
• Medical Ethics (Code of Ethics)
• Outsourcing
• Right of Privacy
• Sex Education/Behavioral Issues (Assuming HIV contracted through those events)
• Potential for discrimination
• Truth

http://socialissues.wiseto.com/AZIndex/

Contracts Administration

Resolution to include actionable items
• Tighten security and compliance to avoid future issues
• Retrain personnel and document training
• Conduct a Root Cause Analysis and implement CAR/PARs
• Conduct a system wide Risk Assessment (Using FISMA or NIST Criteria)
• Implement a Compliance Program and Leadership
• Develop a project team to address identified vulnerabilities
  • Review the 21 “required” and “addressable” items defined under the administrative safeguards
  • Prioritize and/or address severity of the risks
  • HR, IS, Compliance, Administration, and Clinical teams should be represented

Pros and cons
• Failure to resolve issue will result in increased scrutiny and bad PR
• Failure to address and/or resolve issues will result in increased sanctions
• Failure to implement an action plan will result in fines and possible imprisonment
• Transparency will demonstrate ownership

Medical Records

Business Issues
• Were organizational procedures for the release of protected health information followed?
• Was a signed authorization for the release of medical information obtained?
• If no authorization was provided, was the patient’s son the legal representative, and therefore appropriate identification verified?
• Was reasonable notice given to staff to prepare appropriate copies that provide the minimum amount of information necessary to provide care?

Legal Issues
• Noncompliance with State and Federal statutes and regulations
• Was unauthorized release of PHI immediately reported to Corporate Compliance / Privacy Officer and documented appropriately?

Ethical Issues
• Noncompliance with American Health Information Management Association (AHIMA) guidelines

Social Issues
• Our community of patients entrust their care and confidentiality to us
• Breaches of privacy discourage patients from openly disclosing essential health concerns or even seeking care

Medical Records

Resolution to include actionable items
• Privacy Officer investigation of the unauthorized release of PHI
• Is there a systemic issue with policies and procedures for handling PHI?
  • Make necessary modifications to the practices by adding addendums to current policies
  • Notify all staff members of policy changes through internal memorandum
• Is there a personnel issue?
  • Disciplinary actions for violations of practice policies
    • (determine the severity of the punishment based on the severity of the unauthorized release)
      • 1st offense – verbal reprimand / counseling
      • 2nd offense – written reprimand
      • 3rd offense – suspension of duties without pay
      • 4th offense – termination (1)
  • Documentation of perpetrator(s) and actions taken
  • Routine privacy training and signed confidentiality agreements
• Both?
  • Misinterpretation of policies and procedures may require policy modifications and education efforts

Pros and cons
• Pro – Due diligence in follow-up, practice policies, and personnel compliance
• Con – Uncertain / subjective punishment respective to offense severity

1 http://www.nwgahealth.com/hipaa/privacy.htm

Mitigating Risk – Action Plan

• Goal is to establish a cohesive compliance plan

[Diagram labels: Compliance, Medical Records, Contracts Admin., Human Resources, Admissions]

Mitigating Risk – Action Plan

• Sample list of actions the hospital will implement to mitigate risk

Event | Owner | Violation | Risk | Action
HIPAA Response Team | Operations, HR | HIPAA | Corporate | Establish Team with Goals
HIPAA Compliance Team | Operations, HR | HIPAA | Corporate | Quarterly training; Annual re-training
Privacy Breach | Operations | HIPAA | Financial | System-wide education
Rogue Employee | HR, Contracts Admin. | Legal | Financial, image | Access control audits; Tighter agreements
Rogue Contractor | HR, Contracts Admin. | Legal | Financial, image, loss of contracts | Tighter agreements
Incident Response | Operations, Communications | HIPAA | PR, image | Implement protocol
Lack of safeguards | Operations | HIPAA, Legal | Financial, image, loss of contracts | Access control plan; Role assignments; System audits; System-wide education

Coverage Zones

Questions?