In this case study, I am acting as a CEO. The situation at hand involves a breach of information on HIV-positive patients who have been seen in our facilities. My job is on the line unless I act expeditiously to resolve the situation. I hired a computer security consultant, working undercover as a nurse manager within the organization, to determine how the violations of HIPAA (Health Insurance Portability and Accountability Act) regulations could have occurred: the records of 4,000 patients were leaked to the public through newspapers, magazines, and the Internet. Her findings were troubling. Staff left workstations unattended while logged in; passwords were shared, rarely changed, and often written where they could be seen; fax machines and printers were accessible to anyone walking by; staff could reach the system remotely, even from home; and sensitive patient files were easy to open.
Two Major Issues
The two major issues identified in this situation are the violation of HIPAA regulations and an outdated management information system (MIS). HIPAA is a US law that sets privacy standards to protect patients' medical records and other health information held by health plans, doctors, hospitals, and other health care providers. Under it, the Department of Health and Human Services issued the Privacy Rule, which gives patients access to their medical records and more control over how their personal health information is used and disclosed. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes (HHS.gov 2011). The second issue is the outdated MIS. This system must reliably protect patients' records. Access needs to be limited to the staff who need it, passwords must be rotated on a fixed schedule (every 90 days, as proposed below), and staff members must respect the system by not sharing passwords and by logging off whenever they leave their stations for any reason.
My first task would be to hold a meeting with the managers of all departments to discuss the rollout of the updated system and to distribute written policies on password sharing, leaving passwords visible, and leaving logged-in stations unattended. I will go over HIPAA standards with all staff again. Those who shared passwords will be terminated for violating company policy and disregarding HIPAA regulations; I would inform each of them in a one-on-one meeting. Another quick fix would be to change the layout of the office so that printers and fax machines sit where only authorized staff can reach them. The staff here need to understand the seriousness of this situation and act immediately to secure their jobs and to protect our patients' privacy.
With the new system rolled out, remote access from home would be disabled. The MIS would be more reliable in keeping patient information safe. With staff no longer sharing passwords and required to change them every 90 days, every access to a patient record can be attributed to one person, and our system can provide the security necessary to protect the rights of patients as federal law requires.
U.S. Department of Health and Human Services. (n.d.). Retrieved September 29, 2011, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html