The Aftermath of HIPAA Violations and the Costs on U.S. Healthcare Organizations

Divakaran Liginlal
Copyright: © 2015 | Pages: 14
DOI: 10.4018/978-1-4666-5888-2.ch543

Abstract

The Health Insurance Portability and Accountability Act (HIPAA) imposes huge burdens on U.S. healthcare organizations in added overhead costs for compliance, as many research studies have documented. This chapter examines the additional high costs healthcare organizations in the U.S.A. incur in the aftermath of a privacy breach. Our study is based on a simple model of the information flow in a typical healthcare organization that must operate under the various policy formulation guidelines of the HIPAA legislation. We first analyze the documented examples of HIPAA enforcement actions by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services. We then examine the specific value of Rasmussen's model of human behavior in identifying the causes of human errors that lead to HIPAA breaches. We conclude the chapter with an overview of cost mitigation strategies and important recommendations for healthcare managers.
Chapter Preview

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for healthcare organizations in the U.S.A. to protect individuals’ medical records (U.S. Department of Health & Human Services, 2013a). The Health Information Technology for Economic and Clinical Health (HITECH) Act, on the other hand, seeks to accelerate the universal adoption of electronic health records, widens the scope of the privacy and security protections available under HIPAA, and mandates stricter enforcement. Enforcement of HIPAA is the responsibility of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Mercuri (2004) describes the HIPAA legislation as a “HIPAA-potamus” that imposes huge burdens on U.S. healthcare organizations in added overhead costs for compliance. Recent enforcement actions by the OCR (U.S. Department of Health & Human Services, 2013b) highlight other significant costs that arise after a breach, such as the cost of implementing remedial measures and of penalties. In this chapter, we analyze the costs to healthcare organizations in the U.S.A. in the aftermath of such breaches, examine the causes of the breaches based on Rasmussen’s SRK model of human behavior (Rasmussen, 1983), and propose cost mitigation strategies.

The HIPAA Privacy Rule defines “individually identifiable health information” as information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to an individual and the associated payment information, and other information that specifically identifies the individual. A covered entity, under HIPAA, is defined as a healthcare provider, a health plan, a clearinghouse, or any healthcare provider who transmits health information in electronic form in connection with transactions. Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, is referred to as protected health information (PHI).

In routine organizational work, the Privacy Rule is implemented as policies and recommended practices. Table 1 summarizes five important policy formulation guidelines. Their key objective is to ensure that individuals retain control over their PHI. For instance, a covered entity must obtain an individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations. A covered entity must make reasonable efforts to request, use, and disclose only the minimum amount of PHI needed to accomplish the intended purpose. Further, patients have the right to examine and obtain a copy of their health records and to request corrections.

Table 1. Important policy formulation guidelines of the Privacy Rule

Policy Guideline | Key Objective of the Policy
Communication Policy | Establish standards for the electronic transmission of health-related information and implement controls to protect the security and privacy of PHI.
De-identification Policy | De-identify PHI before sharing the information by removing identifying information such as names, addresses, and Social Security numbers.
Medical Records Policy | Establish guidelines for handling medical records, such as requiring employees to retrieve and use only the information they need for legitimate purposes, and specify the roles and responsibilities of employees who need access to PHI.
Administration Policy | Appoint a privacy officer who establishes and implements privacy policies and enforces a contract with business associates related to sharing PHI.
Safeguards Policy | Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Key Terms in this Chapter

Covered Entity: A healthcare provider, a health plan, a clearinghouse, or any healthcare provider who transmits health information in electronic form in connection with transactions (Source: HIPAA Privacy Rule).

Slip: A failure in the process of executing a task; slips are the errors associated with skill-based processes (Reason, 1990).

Mistake: A failure in planning or problem solving; mistakes are the errors associated with rule- and knowledge-based processes (Reason, 1990).

HIPAA Privacy Breach: Any acquisition, access, use, or disclosure of PHI in a manner that is not permitted by the HIPAA Privacy Rule, provided that it poses a significant risk of financial, reputational, or other harm to the individual (Source: HIPAA Privacy Rule).

Skill-Based Process: A process that involves the application of a set of stored patterns of preprogrammed sequences without conscious monitoring or much thinking (Rasmussen, 1983).

Individually Identifiable Health Information: Information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to an individual and the associated payment information, and other information that specifically identifies the individual (Source: HIPAA Privacy Rule).

Rule-Based Process: A process that applies to familiar situations and is governed by the application of a set of explicit rules or heuristics (Rasmussen, 1983).

Knowledge-Based Process: A process that applies to new situations and requires a thought process directed by interpreted knowledge, involving reasoning and planning to arrive at a solution (Rasmussen, 1983).

Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral (Source: HIPAA Privacy Rule).
