CBSSports.com reported that the University of Iowa Hospitals and Clinics “will fire three employees and suspend two others after an investigation confirmed they inappropriately breached the electronic medical records of hospitalized football players”. According to the article, a hospital spokesman stated the violations of the federal Health Insurance Portability and Accountability Act (HIPAA) “have been reported to federal regulators, who can choose whether to seek additional fines and jail time against those involved.” The terminations and suspensions stem from the recent incident involving thirteen University of Iowa football players, who are affected by rhabdomyolysis, a condition in which muscle fibers break down and are released into the bloodstream, which can cause kidney damage. The athletes checked into the hospital last week complaining of soreness and discolored urine after undergoing intense workouts following winter break. The players spent several days getting treatment and were all discharged later in the week.
HIPAA, the law the hospital staff members violated, is one of several federal and state laws designed to protect the privacy and security of records and information. The other major law is the Family Educational Rights and Privacy Act (FERPA), a federal statute that protects the privacy of student education records at schools that receive federal funds. The most effective way to guard against a violation of HIPAA, FERPA or any similar law is to minimize the chance of a privacy or security violation occurring in the first place. The following tips can enhance your organization’s HIPAA and FERPA compliance program:
• Review the organization’s HIPAA and FERPA compliance program on an annual basis.
• Assess HIPAA and FERPA compliance policies and procedures to ensure the measures: are in writing; are published in an operations manual or handbook; work; are being implemented; and are communicated to the right groups and individuals.
• Evaluate the education and training program for accuracy and effectiveness on an annual basis.
• Require employees to acknowledge (in writing) their understanding of HIPAA, FERPA and the organization’s confidentiality policies and procedures on an annual basis.
• Implement a policy and procedure to handle complaints and allegations of non-compliance.
• Promulgate a non-retaliation policy for employees and other individuals who report instances of non-compliance with HIPAA, FERPA or organizational policy.
[Source: “6 Practice Steps Practices Can Take to Ensure HIPAA Compliance”, David Ginsberg, California Medical Association.]