Compliance Program Implementation and Ethical Decision-Making
Darlene Fussell
Capella University
Course BHA-FPX4006
Andrea Lowe
4/20/2025
Background
In the scenario, a health supervisor at Vila Health instructs an employee to obtain pre-authorization from an insurance company for an upcoming surgical procedure involving one of its patients. However, the employee tasked with obtaining the pre-authorization submits the patient’s confidential protected health information to the insurance company. The services representative of the insurance company contacts the supervisor and informs them that any discussions involving the patient or the pre-authorization of the surgical procedure would not occur without express written consent from the patient, and that any such actions without such consent are prohibited.
Problem Summary: Privacy Breach—HIPAA Violation
Applicable Law(s)

Briefly Explain the Law, Regulation, Standard, et cetera*: The Health Information Portability and Accountability Act (HIPAA) of 1996 establishes policies and procedures that set security standards for safeguarding the confidentiality of protected health information (PHI) that is either transferred or held electronically, through physical, technical, and administrative safeguards (Qin, 2020).

Briefly Explain How the Law, Regulation, Standard, et cetera Applies to the Privacy Breach/HIPAA Violation: HIPAA allows sharing of PHI (any individually identifiable patient or health information, past, present, or future, held or transmitted by a covered entity or its associates in any medium or form) with covered entities for treatment, payment, or healthcare operations (TPO) (Qin, 2020). However, the minimum necessary principle applies, under which only the minimum amount of information needed for the intended purpose may be provided. In this case, the employee shared confidential information beyond what was necessary for the purpose of obtaining the pre-authorization, thus violating HIPAA. Moreover, sharing such confidential information requires express written consent from the patient.

Applicable Specific Regulation(s)

Briefly Explain the Law, Regulation, Standard, et cetera*: 45 CFR § 164.506 to 508 provides that covered entities, including insurance providers and hospitals, might require patient authorization when sharing PHI. Covered entities cannot disclose PHI without valid authorization (Code of

Briefly Explain How the Law, Regulation, Standard, et cetera Applies to the Privacy Breach/HIPAA Violation: The employee did not have valid authorization from the patient to disclose their confidential PHI. Under the act, patient authorization should have the following components: (a) description of purpose, in this case the patient’s upcoming procedure; (b)