Health Insurance Portability and Accountability Act Compliance

The Kennedy-Kassebaum Plan and HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) originates in the Kennedy-Kassebaum plan, which was presented to Congress as a means of enhancing healthcare. The law was passed in 1996, but it was not fully implemented until 2003. Liginlal (2015) identified two features of HIPAA. The first is the portability component, which guarantees that consumers can keep their health coverage when they switch employers. The second is the accountability component, which guarantees the security and privacy of patient information. Additionally, it establishes accepted standards for the electronic transfer of administrative and financial information pertaining to patient health data. The act also required healthcare institutions to provide the resources needed to educate their staff for full compliance.


The Privacy Rule


The Privacy Rule concentrates on the individual's right to direct how personal information is used. Protected Health Information (PHI) includes details of a patient's mental and physical condition, the healthcare provided, and the payments for those services (Drolet et al., 2017). The rule covers PHI in electronic, oral, and paper formats. However, the rule does not protect information held by an entity that is not covered. In addition, a client has the right to: receive a notice of privacy practices that explains the scenarios in which PHI could be disclosed without his or her consent, request a copy of the PHI, ask for corrections in case of incomplete or inaccurate data, and receive an accounting of the disclosures made over the preceding six-year period.


The Rule and Covered Entities


The Rule applies to the organizations and persons that transmit health data electronically. According to Boyle and Mack (2017), the covered entities are health plans, health care providers, and health care clearinghouses. Health plans pay for medical costs. Health care clearinghouses process billing transactions, while providers are the professionals and facilities that deliver treatment. If a covered organization carries out functions other than health care, it can choose to designate only its health care component as covered, thereby becoming a hybrid entity.


Exceptions and Permitted Disclosures


The Privacy Rule offers exceptions under which PHI may be disclosed. The regulation generally requires the individual's consent for disclosure, but a covered entity may use and share PHI for treatment, payment, and health care operations without it. Other circumstances in which disclosure is permitted without consent include health oversight activities, requests for use in judicial proceedings, research, sharing data with a business associate, and disclosures to law enforcement officials. Nevertheless, each permitted disclosure has to satisfy the conditions set for it, to avoid unlawful sharing of data.


The Security Rule


The Security Rule ensures the confidentiality, integrity, and availability of client data stored electronically (Boyle & Mack, 2017). Hence it calls for technical, physical, and administrative safeguards. Technical safeguards are automated mechanisms for data protection and access control, such as encryption of data in transit. Physical safeguards focus on guarding systems, equipment, and electronic data against viruses, natural hazards, and unauthorized access. Administrative safeguards refer to the organizational security measures put in place, such as assigning security responsibility to a designated individual and training the team on security principles and company procedures.


Methods for Total Compliance


First, focus on the development and implementation of privacy policies. Following the Privacy Rule, companies should create and document privacy and security procedures. These procedures act as a guide for handling patients' data and avoiding any breach. For instance, organizational email should be encrypted, since protected health information sent by unencrypted mail may reach an unintended recipient. Similarly, storing patient data on cell phones should be discouraged, and phone use on the premises kept to a minimum.


Another method is workforce training and risk assessment. Employees of covered entities should learn about the permitted uses and disclosures of PHI, since they are the people who deal with patients. Hence, organizations should conduct refresher meetings whenever new policies are introduced (Agris & Spandorfer, 2016). Risk assessment helps with the identification of vulnerabilities. Employees conversant with HIPAA speed up the analysis since they already know the systems. The purpose of risk assessment is to verify the integrity and confidentiality of the PHI. If any issue comes up from the assessment, it is essential that the policies are revised to minimize it.


Implementing a feedback channel is a crucial way of achieving compliance. Healthcare organizations should establish a mechanism through which staff and patients can report situations that necessitated a workaround. A workaround is an indication of faulty practices or processes. Therefore, management will initiate an investigation into the procedures and look for ways to address them. Moreover, managers are answerable for the development, implementation, review, and revision of policies.


Penalties


As stated by Boyle and Mack (2017), a HIPAA violation occurs when a covered entity fails to comply with the Privacy Rule or the Security Rule, or experiences a breach. The act may be purposeful or accidental. Studies show that many of the violations are cases of negligence, such as an incomplete risk assessment. Depending on the severity of the act, the OCR metes out the suitable penalty.


The first category is violation through ignorance: the individual or company failed to adhere to a rule because they did not know about it and could not reasonably have been expected to know. In this case, the fine ranges from one hundred to fifty thousand dollars per violation. The second category is a violation with reasonable cause: if one does not observe the rules for solid reasons and without negligence, the penalty ranges from one thousand to fifty thousand dollars for every violation (Liginlal, 2015). The third classification refers to violations through willful neglect that the organization corrects in time. The penalty is ten thousand to fifty thousand dollars per violation. Lastly, willful neglect without correction attracts a fine of at least fifty thousand dollars. Interestingly, all the categories share a standard annual maximum of one point five million dollars for repeated violations of the same provision within a year.


Conclusion


Drolet et al. (2017) state that patients entrust their medical experts with their personal information. It is, therefore, the practitioner's mandate to safeguard that data. HIPAA provides a framework directing medical centers on how to protect the data, especially electronic records. Patients, on the other hand, get better treatment from any doctor in a covered entity, since the doctor can access their disease history. In addition, people save the money they would otherwise spend on another insurance cover when they land a new job. However, the penalties are very high; although this helps compliance, it may not attract investment.

References


Agris, J. L., & Spandorfer, J. M. (2016). HIPAA compliance and training: A perfect storm for professionalism education? The Journal of Law, Medicine & Ethics, 44(4), 652-656.


Boyle, L. M., & Mack, D. M. (2017). HIPAA: A guide to health care privacy and security law. Wolters Kluwer.


Drolet, B. C., Marwaha, J. S., Hyatt, B., Blazar, P. E., & Lifchez, S. D. (2017). Electronic communication of protected health information: Privacy, security, and HIPAA compliance. The Journal of Hand Surgery, 42(6), 411-416.


Liginlal, D. (2015). HIPAA and human error: The role of enhanced situation awareness in protecting health information. In Medical Data Privacy Handbook (pp. 679-696). Springer International Publishing.
