Imagine awaking from surgery to learn that you received the wrong kidney at the wrong time. Or, as you waited for your transplant expecting to go into surgery, you learned the kidney intended for you went to someone else. This is what happened to two patients at University Hospitals Cleveland Medical Center.
The hospital is now investigating how the the mix-up happened and two caregivers have been placed on administrative leave.
The hospital issued a statement:
“We are dismayed that an error recently occurred resulting in one patient receiving a kidney intended for another. The kidney is compatible and the patient is recovering as expected. Another patient’s transplant surgery has been delayed.”
Although what exactly happened to cause this mix-up is not yet known, this horror story brings into focus two of the three basic HIPAA elements that are often overlooked – availability and integrity of protected health information (PHI). Most people think about the other element, confidentiality, when they think about HIPAA.
HIPAA Security Rule
The purpose of the HIPAA Security Rule is to maintain the confidentiality, availability and integrity of protected health information.
So a kidney transplant that went terribly wrong is certainly a HIPAA horror story even though it’s not about a loss of confidentiality or privacy. The hospital fails compliance with the HIPAA Security Rule on at least one, if not both of the other two elements – availability and integrity.
An obvious failing was that the medical personnel performing the kidney transplant did not have available the correct information about the patient who was to receive the kidney. The patient’s correct information should be accessible and usable to be available. It is less obvious, based on reports so far, whether either patient’s records had been lost, destroyed or altered in any way. If so, the protected health information did not have integrity.
Quality Care Depends on HIPAA Compliance
Patients trust that covered entities will protect their health information, ensure its accuracy, and prevent it from being altered or lost. Even without HIPAA, these are basic concepts for quality care. When HIPAA requirements are not met, not only is patient trust lost, but covered entities can face investigations and fines from the Office for Civil Rights (OCR) which enforces HIPAA.