Some companies and organizations are required to follow the HIPAA Privacy Rule, and others are not. Health plans, most health care providers and health care clearinghouses have to follow the HIPAA Privacy Rule, but life insurers, employers, and many schools and school districts are a few examples of organizations that do not. In one example, a health care worker from UCLA was caught violating the HIPAA Privacy Rule.
This former researcher accessed his superior's and coworkers' medical records, and during three other periods over the following four weeks this person also accessed UCLA patient records, many of them involving celebrities (http://search.proquest.com). Employers fall into the category of organizations that do not have to follow the HIPAA Privacy Rule. “The Privacy Rule does not prevent your supervisor, human resources worker or others from asking you for a doctor’s note or other information about your health if your employer needs the information to administer sick leave, workers’ compensation, wellness programs or health insurance.
Nevertheless, if your employer were to ask your health care provider directly for information about you, your provider cannot give out the information in response without your authorization. Also, covered health care providers must have your authorization to disclose the information to your employer, unless other laws have required them to disclose it. Usually, the Privacy Rule applies to disclosures made by your health care provider, not to the questions of your employer” (www.hhs.gov).
Public health is another area the HIPAA Privacy Rule addresses. “Protecting public health, including through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities, often requires access to or the reporting of the protected health information of individuals.
The Privacy Rule recognizes the genuine need for public health authorities and certain others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals. Therefore, the Privacy Rule allows covered entities to disclose protected health information without authorization for specified public health purposes. Researchers in the medical and health-related fields rely on access to sources of health information, from medical records to disease registries, hospital discharge records and government compilations of vital and health statistics.
This information is used to identify, monitor and respond to disease, death and disability among populations (www.hhs.gov). The Privacy Rule recognizes that researchers have a legitimate need to use, access and disclose health information to carry out a range of health research protocols and projects (www.hhs.gov). Emergency preparedness and recovery planners may also seek protected health information to ensure that, in an emergency, individuals can receive the assistance or care that they need.
There are ways to violate the HIPAA Privacy Rule other than accessing medical records; one example is not disposing of labeled pill bottles properly. In one case, Rite Aid, one of the nation’s largest drug store chains, violated the HIPAA Privacy Rule by not properly disposing of prescriptions and labeled pill bottles that contained individuals’ identifiable information. Instead, Rite Aid companies were disposing of them in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States.
The Rite Aid Corporation agreed to pay $1 million to settle violations of the HIPAA Privacy Rule; it also had to agree to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information (http://search.proquest.com). Another kind of violation under the HIPAA Privacy Rule is not disclosing a patient’s medical record at their request.
The U.S. Department of Health and Human Services imposed a civil money penalty of $4.3 million on Cignet Health for failing to release 41 patients’ medical records when requested, thereby violating their rights (http://search.proquest.com.ezproxy.rasmussen.edu). The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 days and no later than 60 days of the patient’s request.
The civil money penalty equaled $1.3 million for violating patients’ rights; the other $3 million came from not cooperating with the Office of Civil Rights. In conclusion, it is highly recommended to know which organizations have to follow the HIPAA Privacy Rule and which ones do not. It is also good to know the different violations there are under the HIPAA Privacy Rule. Who would have thought that disposing of prescriptions and labeled pill bottles would be a privacy violation? It seems like a simple and innocent mistake made by a company, but it is a huge privacy violation.
As just about everyone knows, accessing medical records without authorization is another massive privacy violation, but now you know there are certain people who are able to access your information without authorization and the reasons why. In order to protect public health, to protect your individual health, and for research purposes, some people have to have access to medical records without authorization. I believe that in order to try and protect patients’ medical records and privacy, more action should be in place when disciplining a violator.
I don’t believe it should be dependent on the circumstances or the severity of the crime, but the penalty for violators should all be the same to start with, with no exceptions. For example, a first-time offender for any kind of Privacy Rule violation, big or small, including being a witness to or having knowledge of someone violating the Privacy Rule and not reporting it, should get 1 year in federal prison, with no exceptions. Then maybe people will think twice and take the law more seriously before illegally accessing a patient’s medical record and invading their privacy.
Other things that could help protect patients’ medical records and their privacy could be a different kind of software; maybe a passcode for specific employees only, in order to enter into any kind of file. Anytime something is clicked on, a passcode could be brought up; that way they can track things better when someone is illegally viewing a patient’s file. I think that would be more time consuming, but the only people to blame are the persons breaking the law.