Professional Regulations and Criminal Liabilities Pearl Street HCS/430 Joann Wilcox February 13, 2011 Consumer concerns have increased over the past few years because of the dramatic changes in health care information and its’ delivery (Benfield, Ashkanazi, Rozensky 2006). Each day patients put their physical health and trust in the hands of health care providers. Unfortunately, there have been times when the treatment provided, whether accidental or intentional, has caused harm to the patient. Patients who have experienced injury have the right to lodge a complaint against that provider.
Included in the possible reasons for civil complaints is the sharing of personal information, negligence, or assault. These injuries are considered civil wrongs and are covered under Tort Law. In recent years, with the advances in technology, patient privacy has become imperative. In order to protect patient privacy the Health Insurance Portability and Accountability Act of 1996 was enacted, and is part of the Department of Health and Human Services, regulated by the Office of Civil Rights. Health care providers must take care to protect the privacy of their patients at all times.
HIPAA regulations provide a guideline to help protect not only the patient, but also employees, from divulgence of their personal information to non-involved third parties. Providers of health care should be acquainted with the rules and regulations that guide HIPAA and the subsequent violations. Information is necessary to provide adequate and correct patient care. The guidelines to protect patient privacy should be followed but are open for interpretation. Providers should be steered by professional principals and ethics (Lo, Dornbrand, Dubler 2005).
Health care providers must understand the difference between privacy and confidentiality. Privacy is the right of individuals to keep personal information restricted. Patients decide who has access to their information. Confidentiality is how medical personnel deal with information once it has been disclosed. Patients’ believe that their health care providers will protect their privacy and use any personal information in an ethical manner (Ives, E, Millar, S. 2005). When providers of care breach that trust, atients may take action in the form of a formal complaint to the Department of Health and Human Services. When patients discover that their personal information has been unnecessarily shared, they may file a complaint against the physician, staff, or facility. To file a complaint, patients must follow the guidelines set by the local, state, or federal government. The process for a civil complaint to HIPAA begins with a written complaint, and can be in the form of a letter, fax or e-mail. Letters sent via mail or fax must be sent to the Office of Civil Rights regional offices.
According to the Health and Human Services Department this form must include the name of the health care provider or facility, a description of the violation and be submitted in a timely manner, usually but not limited to 180 days. Supporting documentation, such as notarized witness statements should be included. The claim is then reviewed and a decision made whether the health care provider has violated the patients’ privacy. There are both civil and criminal penalties associated with disclosure of patient information.
The Office for Civil Rights (OCR), a division of the Department of Health and Human Services, is responsible for investigating claims of privacy violations. According to the OCR, the guidelines for investigation include the timing of the allegation, if it took place after the rules for privacy protection took place, or after Aril 14, 2003 for privacy and after April 20, 2005 for security. A complaint must be filed against a facility or individual who is required, by law, to observe the Privacy and Security Rule such as a health plan or health care provider that electronically submits claims.
Businesses exempt from these Rules would be life insurance companies, employers, schools, or child protective service agencies, law enforcement or municipalities. The complaint must also violate the rules of privacy and security, so a claim could not be made against a facility submitting information for the purpose of payment for services. If a person suspects a violation has occurred, a claim must be submitted within 180 days of the suspected violation, unless extenuating circumstances are involved. The process of evaluation begins when the information is received by the OCR..
Once a claim is received, essential information is obtained and an evaluation made about the timeliness of the claim. Jurisdiction must be decided and if the claim does not fall under the OCR, a referral is made to the correct agency. The claimant must be notified of the receipt of the claim in 10 days. The Resolution Manual for the OCR then outlines the procedures to complete the claim process. Included in that process is the determination of urgency, notification to the facility or health care provider of the claim, and an acceptance letter and consent form are sent to the claimant.
Investigation of the claim continues and requires several steps. Case planning, communication with the health providers involved, obtaining and following through with information requests, evidence collection, and interviews are included in this process. Determination of the next step is dependent on the previous findings. The case can then be resolved or referred to the Department of Justice for criminal prosecution. If the complaint is a civil matter, the Office of Civil Rights will continue with an investigation. Evidence gathering can involve interviews, review of the submitted documents and visits to the facility or provider in question.
If OCR decides that a complaint is valid, the parties involved will be notified. An attempt is made to come to a resolution of the issue. The provider can then voluntarily comply with the OCR decision, which can include corrective action or some other agreement. The Office of Civil Rights then files formal findings. In a civil case, in which it is determined that the violation was an unknown breach of patient confidential information, the minimum fine, according to Health and Human Services, is 100 dollars per violation, and can increase to 25. 000 dollars per calendar year.
The maximum is a fine of 50,000 dollars for each violation and can be repeated up to 1. 5 million dollars per calendar year. The OCR then monitors the compliance of the resolution to establish that the corrective measures have been implemented. Non-compliance to the recommendations of the OCR can lead to suspension of Federal financial aid or referral to the Department of Justice for further action. Not only can providers be held accountable for their actions to OCR, but also according to Occupational Health Management, they may also face disciplinary sanctions from state government licensing boards and professional associations.
The Department Of Justice becomes involved in violations of HIPAA when the infringement is deemed an offense where the provider was aware of the breach of confidentiality. HIPAA is a federal law. As with any federal law, violations of HIPAA are considered a felony. If convicted, according to the DOJ, a provider may be fined a minimum of 50,000 dollars and one year in prison for knowingly violates a persons’ privacy rights or the maximum amount of 250,000 dollars and up to 10 years in prison, if the purpose is to use information for identity theft that results in personal gain.
Federal violations are felonies and carry all the consequences of a felony conviction. Conclusion Health care providers, facilities and support staff must always be aware of the responsibility their job entails. The patient has entrusted them to diagnose, treat and educate them about their health issues. This trust includes protection of the patients’ privacy rights. Providers of health care must share some of this confidential information with certain third party entities. The inadvertent or deliberate disclosure of patient information can lead to legal ramifications.
The patient health record is a tool for care. Emerging regulations to protect that record permits the patient to be the acknowledged owner of that information (Ives, Millar, 2005). Health professionals have an ethical duty to protect that information. When that trust is breached, patients have options. The Office of Civil Rights, working as an agency of the Department of Health and Human Services, handles civil complaints against providers that may have violated patient privacy.
The role of the OCR is to determine if a violation has occurred, establish a resolution, ensure compliance, or refer to the Department of Justice for criminal prosecution. Protecting the rights and privacy of information has been a long-standing ethical responsibility of health care providers. As we move forward, more advances in technology will require adherence to privacy rules and regulations that protect the privacy of the patients treated. References Benefield, H. Ashkanazi, G.
Rozensky, R. (2006) Communication and records: hipaa Issues when working in a health care setting Professional Psychology; Research and Practice 37(3) 273-277 DOI 10. 1037/0735-7028. 37. 3. 273 Department of Health and Human Services (2011) What the OCR considers during intake & review Retrieved from www. hhs. gov Feb. 09, 2011 Department of Health and Human Services (20110) Enforcement process Retrieved from www. hhs. gov Feb. 09, 2011
Department of Health and Human Services (2011) How to file a complaint Retrieved From www. hhs. gov Feb. 09, 2011 Ives, E. Millar, S. (2005) Caring for patients while respecting their privacy: renewing our commitment Online Journal of Nursing Vol. 10(2) Retrieved from EBSCOHost Feb. 10,2011 Lo, B. Dornbrand, L, Dublar, N. (2005) HIPAA and patient care: the role for professional judgment Journal of the American Medical Association 14(1) 1766- 1771 Retrieved from www. jama. ama Feb. 09,2011