The Privacy Rule has provided a set of standards recognized nationally, that work to ensure that certain information related to health care is protected. The department of human services and health in the United States of America has issued a rule for privacy to ensure the implementation of HIPAA; the insurance portability and the Accountability Act. This rule was implemented in the year 1996. The rule addresses the protection of the individual information on matters of health. The rule also covers the standards of the individual rights of privacy, to control and understand the way their information on health is being addressed.
This privacy rule was formed with a goal of ensuring that the information on the health of an individual is purely protected, and at the same time not restricting the flow of information regarding health to the authorized personnel, in order to enhance the high quality health care, and the protection of the public with regards to well being and health. The rule was formed in such a way that, it balances between the information needed by the health personnel, and as well as protecting the privacy of such an information (Armstrong, 2005).
After the implementation of this rule in the year 1996, New Hampshire hospital and other health care units have undergone a series of changes, concerning the protection of the individual health information in the United States of America, and other parts of the world where the same rule applies. For the case where someone may access the health care information records of a colleague without permission, it is highly punishable after the implementation of this rule in the year 1996. Unlike the previous years before the implementation HIPAA, the identifiable information on the health of an individual, is highly protected by the health care associations. This information includes the individual mental health conditions for present, past or future times, health care provision to an individual or the payment of an individual regarding the provision of his or her health, for past, present or future.
Due to the implementation of HIPAA, the health organizations and the management allow the use of the de-identified health information, as provided by the rule. De-identified information is the facts the content of which is not enough, to identify the related individual. For the information to be de-identified, specific identifiers of the individual are removed from the information before they are used. Such specific identifiers may include names and address among others.
As it is provided by the HIPAA, the health care units and facilities, for instance New Hampshire has changed drastically as far as the information disclosure of an individual is concerned. The management may disclose the information of an individual, but only fewer than two facts. The information may be disclosed to the individual or the personal representative of that individual only under the special request to access, or accounting of revelation of their secured information related to health, and the relevant party when undertaking enforcement action, review or the investigation.
The New Hampshire hospital has gained it credibility, in terms of the services that they offer to their patients. This has been brought about by the maintenance of high standards of individual’s information protection, after the enactment of health insurance portability accountability act. The hospital management currently keeps the patients’ records in a secure place to avoid access to individual private information by other parties. Protected health information can only be disclosed to the person who is the subject matter of that particular information.
The management of the New Hampshire hospital has initiated changes in the records department, to make sure that there is no risk of the incidental disclosure or the use of private information related to health of an individual. If the health information of an individual is disclosed incidentally, it is permitted by the privacy rule, so long as the entity covered had taken the necessary safeguard requirements, to make sure that the information shared was limited enough, for one to know the directly associated individual. This may be done by removal of the individual names and replacing them with other secret codes, which someone cannot easily identify.
In the case where the disclosure of the information is to the patient’s interest, covered entities like the New Hampshire hospitals utilize the facility directories. A health care provider covered by the rule may rely on the permission of the individual private information, to list the name of religious affiliation and location in the directory. This information, for example, the religious affiliation may be disclosed to the clergy. While inquiring for the patient’s religious affiliation, members of the clergy are not required to inquire the individual by name.
Many health care entities, for example, the New Hampshire hospital have changed tremendously in the way they are protecting the individual’s private health information. The management does not allow the disclosure of such individual information, before the permission of the individual authorization. This rule applies especially when the information is not for the purposes of treatment, health care operations or payments. Individual information disclosure for the purposes of treatment is not conditioned by the covered entity, but this rule only applies on the limited circumstances (Baumer, 2000).
As it is provided by the rule, health care facilities have changed to provide only minimum information required. Disclosure of the unnecessary information that is not important for the use in the treatment is prohibited by the law.
Prior to the implementation of the health insurance portable accountability act, many health care facilities including West Allis Memorial Hospital Wisconsin, did not keep the privacy of the individuals information, as it is noticed in the case of jury in Waukesha. The emergency medical technician in Wisconsin disclosed the private information of an overdose individual, to the patient co-worker. However, after the implementation of the HIPAA rules in the year 1996, the disclosure of the individual private information ceased, because the hospital, was covered with the same rule.
West Allis Memorial Hospital management trains its employees on a daily basis, to make sure that they continue to comply with the rules of HIPAA. This training takes some time of the work, which health care providers would otherwise be doing in the hospital. The management of the hospital believes that, regular training of employees on the provisions of HIPAA will make them comply with the rules, especially the rule that is concerned with the protection of the health information of individuals (Lawson, 2003).
Ten years after the implementation of the HIPAA, there has been a considerable change in West Allis Memorial Hospital, concerning the privacy of the patient’s private data. The hospital management has provided security controls, on the access of the individual data or information. Computers in various departments are locked with passwords to limit access by the unauthorized personnel.
West Allis Memorial Hospital being a covered entity, the management has provided notice of practices that are private. These notices provide information to the employees of the hospital, on the disclosure and the use of the individual protected individual information. These notices are copies of HIPAA, which provide the duties of the covered entities, in ensuring the protection of the individual private information.
West Allis Memorial Hospital management has set aside communication channels that individuals may receive confidential information. The hospital has a designated number, which the provider may use to communicate with the individual. The hospital also is using the technique of shredding the documents, which contain individual private health data. The management has ensured the lock and key, in areas where the patient records are kept to ensure security on such medical records.
According to Armstrong (2005), West Allis Memorial Hospital as a covered entity has established and put into practice procedure policies, for request or routine recurring procedures for information disclosure. These procedures limit the disclosure of the private individual information. This provides the minimum disclosure, necessary to attain the reason for the disclosure. The review of breach disclosure by the individual is not required.
St. Dominic-Jackson Memorial Hospital in Mississippi, a proactive breach prevention strategy has dramatically reduced privacy violations involving nosy healthcare workers. The key to St. Dominic's breach prevention strategy is a combination of technology, employee training and a dose of fear.
HIPAA has led to the simple provision of the insurance services, by the hospital administration. This act provides for the department of health and other human services association, to implement the national standards for the electronic provision of the health care services.
Apart from the provision of portability of health insurance to the employee of America as it was initially meant for, HIPAA has gone further to provide the implication of the administrative functions. This is seen through the provision of standardized formats for a particular transaction transmission and provision of security for information by enhancing the security signatures (Ness, 2007).
Although the physicians felt that the implementation of the rule acts as a barrier to the acquisition of the necessary information for patient treatment, they have rated various organizations, putting into practice more regulation necessities, better at shielding the solitude of individual patient records, than organizations that have not put themselves under the cover of health insurance portability accountability act.
In order to fully establish the extent to which the organizational changes occurred in the two hospitals mentioned in this discourse after the application of the HIPAA standards, a diagnostic model will be applied here as well as the SWOT analysis. The diagnostic model applied will be the 7S model and it has been discussed in the ensuing paragraphs.
This model was originally stipulated by employees of an American consulting company called Mc Kinsey and have since then spread to become a preferred diagnostic model of organizational change in many and diverse companies all over the world. The following relational diagram gives a quick glimpse of the 7S model.
The 7S model is subdivided into two incorporated elements: the hard part or hard models and the soft models.
The hard models are matters which the specific organization has direct control over. These are strategy, structure and systems. The strategy element aims at using the vision and the mission of the firm to make the objectives become clearer. The structure element defines how the firm or organization are structured management wise and also outlines the kind of hierarchical order is present in the firm or company. The final element in the hard models part, systems outline all the informal methods of operation, both formal as well as informal and gives the procedures and communication channels.
The soft elements are composed of the other four; styles, shared values, skills and staff. The style element outlines the management and leadership cluster points of the firm or organization. The shared values give the various standards, values and other ethical practices within the company where the vision, corporate culture and identity are identified as being among the key elements.
The 7S model is applied in organizations as a benchmark for tracing performance problems in organizations and subsequently offer diversified mannerisms to change or resolve these problems. A point of observation is that all these values of the 7S model are intertwined. They work hand in hand for maximum effectiveness. Once a typical performance problem present in the organization is identified, several of the aforementioned elements in this model could be utilized together to achieve a comprehensive solution to these issues. The model resolves these issues by having a comparison of the present situation of a company with the future and desired situation. Then it applies either one or a combination of the elements mentioned above to assist the transit from the present situation to the future desired one. The model gives a clear outline of the two situations and also shows the inconsistencies and possible hiccups that may prevent that from happening and adjusts the model accordingly to make sure the desired goals are achieved.
Since both of these organizations have been faced with the accusation of breach of the confidential clauses according to the HIPAA standards, organizational change in both of these companies must be inclined towards ensuring that the confidentiality of information and records of the patients’ are preserved in future. With the application of the 7S model and elements in the model, the current situation of the two hospitals can be established as not being so desirable. The situation can be identified as having a huge leak or setup in the preservation and usage of information pertaining to the clients and patients in the hospitals.
The desired future position could be established as being one where the preservation and confidentiality of the records pertaining to the conditions of the patients admitted at the hospital could be guaranteed. This would employ a number of the 7S model elements as depicted below; the shared value is the preservation and confidentiality of the patients’ records in these hospitals. The system of the hospital needs to be altered to be flexible enough to incorporate these changes and if the system is altered, the structure has to be altered also. Relocations or reassignments could be conducted to bring the staffs that have the necessary skills to work in the records department. This will eventually result into the total overhaul of the management style of the hospital with a new management set up being incorporated that recognizes the need for preservation of information.
In this case at New Hampshire hospital where a psychiatrist at the hospital was accused of ‘snooping’ over confidential records of a patient by making constant perusals of the case and was fined $1,000, the 7S model could be used here prevent such happenings from occurring in the future. The current situation when the case was discovered and fined could be described as having been undesirable. However, it is evident that there was a lapse of checks and balances on the access of private and confidential information in the hospital. The fact that the psychiatrist was capable of accessing the data of the patient repeatedly without being noticed points to some flaws in the management of the hospital. The 7S model elements that could be applied here to avert such cases in the future are Staff, Skills, Style and shared values. The staffs need to have a shared value of understanding the importance of preserving patients’ information. Once they do, management could alter their style a bit by being flexible enough to offer the employees training to give them the necessary skills to make sure that their staff does not misuse the patients’ information. This is what has been done after the case and in compliance to the HIPAA standards.
In this hospital, the act of one nurse to disclose information about patient to a third party, for whatever reasons whatsoever was highly unprofessional. The staffs are supposed to be bound by oath not to disclose information regarding a particular patient to an outside party. When the nurses shared this information to a counterpart, for sentimental reasons, she violated this code of confidentiality and hence the case and the fine of $3,000.
To correct this mishap using the 7S model and elements, the staff should be given constant training on the importance of confidentiality of patients’ records. They should be made to understand and adopt the shared value of preserving information of the patients at all times. This is a strategy the management should utilize often so that the employees are kept up to their toes.
A strengths, weaknesses, opportunities and threats (SWOT) analysis is conducted here briefly in both hospitals’ organizational change cases to evaluate their stands, adaptability and ability to weather challenges in the future.
SWOT analysis of New Hampshire hospital organizational changes
A number of strong points could be identified here as follows:
The utilization of a de-identified system of preserving patients’ records. Here, specific identifiers of an individual are removed. These are names and addresses of the patient. They are replaced by a specific code not known to outsiders.
When information about a patient is to be disclosed, it is done so to the patient or the personal representative of that patient only under the special request to access, or accounting of revelation of their secured information related to health, and the relevant party when undertaking enforcement action, review or the investigation
In the case where the disclosure of the information is to the patient’s interest, only covered and authorized entities like the New Hampshire hospitals utilize the facility directories. A health care provider at the hospital covered by the rule may rely on the permission of the individual private information, to list the name of religious affiliation and location in the directory. This information, for example, the religious affiliation may be disclosed to the clergy. While inquiring for the patient’s religious affiliation, members of the clergy are not required to inquire the individual by name.
Adherence to the HIPAA rules which provide for the health care facilities to provide only minimum information required. Disclosure of the unnecessary information that is not important for the use in the treatment is prohibited by the law.
A potential weakness could be established in that assuming that there is an emergence scenario and the health officer in attendance to a specific patient cannot access information regarding the patient immediately, this might prove to be fatal.
Avenues of opportunities are present for the hospitals. Patients would love to go to a place where they are guaranteed that their information regarding their afflictions is kept very private.
Competition from other hospitals who have internalized this concept in a better way and the constant trainings to upgrade the employee could be the only visible threat sources in the short run.
SWOT analysis of West Allis Memorial Hospital organizational changes.
A number of strengths are noted here as follows:
West Allis Memorial Hospital management trains its employees on a daily basis, to make sure that they continue to comply with the rules of HIPAA. The management of the hospital believes that, regular training of employees on the provisions of HIPAA will make them comply with the rules, especially the rule that is concerned with the protection of the health information of individuals.
The hospital management has provided security controls, on the access of the individual data or information. Computers in various departments are locked with passwords to limit access by the unauthorized personnel.
West Allis Memorial Hospital management has set aside communication channels that individuals may receive confidential information. The hospital has a designated number, which the provider may use to communicate with the individual.
The hospital also is using the technique of shredding the documents, which contain individual private health data. The management has ensured the lock and key, in areas where the patient records are kept to ensure security on such medical records.
A weakness similar to the one identified in the New Hampshire Hospital case could be identified here. Bureaucracy in trying to retrieve information on a specific client may prove to be fatal. Also, the use of codes and digits may bring about confusion, though rare and this might result in misdiagnosis.
Like its counterpart, opportunities are available where the confidentiality of the patients is guaranteed. Training of staff to provide this crucial service will open avenues for the hospital.
The most imminent threat is threat of competition from other major established hospitals without a record of patient information getting exposed to a third party.
Potential areas of resistance from both hospitals
The implementation of the 7S model and changes in the organizational structure could meet some pockets of resistance as identified below;
The management may feel reluctant to change the management system that they have been using for a very long time
Retraining the workers to conform to the HIPAA standards and the 7S elements is an additional budget on the side of the hospital and this might be met with some restraint.