Computer Ethics

Assignment 9

Protecting Privacy: Design of Health Clinic Appointment Management System

[This scenario is a continuation of the scenario in The Back Door].

After Chris meets with Janet, the CFO of Acme to tell her about all the problems with the Goodcare Health Clinic Appointment Management System, Chris stays up all night to study the Design Plan that Acme delivered in Phase 1 of the Project and materials on privacy issues in computer systems that deal with healthcare data, arising out of the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Design Plan shows that the appointment management software needs to be able to electronically transmit the data about patients to insurance companies to confirm insurance coverage and pre-qualify certain treatments and receive information back from the insurance companies. Chris is quite sure that this functionality of the appointment management system will fall under "The Privacy Rule" issued by the US Department of Health and Human Services ("HHS") under HIPAA.

The next day, Chris meets with Dan and asks him whether Dan knows whether the Goodcare system under development will meet the requirements under The Privacy Rule. Dan admits that he does not know, as they all assumed that Goodcare would provide them with any requirements for compliance with law. Chris asks Dan to read through a list of resources and prepare a memo for Chris on what they would need to do to make sure the appointment management system complies with HIPAA:

Chris tells Dan that there are probably a lot of other materials on the Internet about the issue. Chris wants the memo as soon as possible, so Dan is limited to what he can find on the Internet (he won't have time to mail-order materials or go to a seminar).

Write a Memo

[You have been assigned to be on a team with one or more classmates for this Assignment. Your work should be a collaboration with your teammates -- each team will submit one memo.] Draft a memo that Dan can give to Chris that addresses the following:

1. How does HIPAA address the Data Collection Guidelines:

  • Notice - the data collector must give notice to the data subject about the collection and use of personally identifiable data: a) what is being collected; b) how it will be used.
  • Choice - the data subject must be given a choice about whether the data is collected and the extent to which it is used (no "invisible data gathering").
  • Relevancy - the data collector must collect only the data necessary for the uses disclosed.
  • Scrutiny - the data subject must be able to examine the collected data and request corrections and deletions (subject to legal compliance).
  • Security - the data collector must exercise commercially reasonable security measures to protect the data from unauthorized disclosure.

2. What HIPAA requirements need to be built into the Goodcare appointment management system?

3. Should Acme Software request a change order and corresponding additional development fees related to making the appointment management system HIPAA-compliant?

Last updated: August 9, 2007. Computer Ethics is a course taught in the CS/IS Department at Kennesaw State University, Kennesaw, Georgia. Opinions expressed on this Web site are those of the author, Ann K. Moceyunas. Certain Portions Copyright © 1996-2007 Moceyunas P.C. All rights reserved. Have Questions? Contact Ann Moceyunas at ann@moceyunas.com.