When it comes to legal issues as they relate to health care, there are likely moments where there may be breaches of confidentiality, personal health information (PHI) being divulged or breached, and even lawsuits filed due to malpractice. Because there is a need to have a process in place to keep issues like these far away from the practice of health care, government has implemented laws that are enforced at medical facilities. To ensure that practices are followed when coming in contact with patients' PHI, there must be a limit to the risks of a breach occurring. The different laws covered in this paper are the Health Care Quality Improvement Act (HCQIA) and the Health Insurance Portability and Accountability Act (HIPAA), as well as a review of Labor Relations.

Legal Issue 1: Health Care Quality Improvement Act (HCQIA)

In 1986, the HCQIA was endorsed. This act took place during the Reagan Administration in order to lessen hospital malpractice suits, as without this act, the negligence of physicians was hidden (Willner, n.d.). Physicians had to be restricted from moving around to different states without their incompetent performances being disclosed. This issue was being experienced nationwide; however, if effective peer reviews are provided as a standard of practice, this could lead to a remedy (ssa.gov, n.d.).

Peer review, as provided in the setting of a hospital, is the system used by doctors to regularly assess their colleagues with the focus on improvement of patient care. As noted in Benson, Benson, and Stein (2016), “peer review is greatly considered the ‘pillars of quality assurance’ in healthcare”. This system has been beneficial. Without the Joint Commission’s accreditation, physicians will not be able to receive their credentials; additionally, Medicare participation is not allowed if peer-to-peer review is not practiced (Benson, Benson, and Stein, 2016). The HCQIA requirements have to be enforced in order to prevent negligence in health care. The act helps to exclude those who refuse to abide by the laws in place, using peer-to-peer review to implement and enforce them.

In my opinion, a different perspective is that the protections have been abused, and it is unfortunate that fake peer reviews have had protection through the HCQIA, which has led to the careers of lots of physicians being destroyed. Reform will be needed along the way so that peer reviews can be protected, provided that evidence and a thorough investigation follow. Although the authors, Vyas and Hozain (2014), have a reasonable belief regarding standards, it needs to be reviewed. “On one hand, practically all peer reviews meet the ‘reasonable belief’ provision of HCQIA and in turn qualify for near absolute immunity. Moreover, proving malicious intent to the courts is almost practically impossible” (Vyas and Hozain, 2014). In order to stop these actions from taking place, the HCQIA was put into place, creating a nationwide data bank: the National Practitioner Data Bank (NPDB), the central repository for information on physician competence, as screening is the law for practitioners.

It appears to me that the ideal outcome would be for doctors to self-report mistakes to the peer review committee. Self-reporting would formalize a process to address patient concerns, provide professional education, and prevent potential problems that could arise. This allows the doctor to self-report and not have to “fear that this information will be used by the hospital or the patient against him. HCQIA immunity applies to damage claims arising under state law as well as federal law” (Benson, Benson, and Stein, 2016).  It does not apply to civil rights claims, however.  Additionally, it does not bar claims for injunctive relief.  In order to be entitled to HCQIA immunity, the authors, Benson, Benson, and Stein (2016) refer to certain professional review action criteria that must be met:

  1. They must truly believe that they were attempting to improve health care quality.
  2. Due diligence was completed.
  3. Fair and equitable hearings offered and conducted based upon the conditions.
  4. Following sincere efforts to assess truths, adhering to any guidelines that may be required.


Benson, M., Benson, J. and Stein, M. (2016). Hospital Quality Improvement: Are Peer Review Immunity, Privilege, and Confidentiality in the Public Interest? 11 Nw. J. L. & Soc. Pol’y. 1. Retrieved from:


Social Security Administration. (n.d.). Title IV—Health care quality improvement act of 1986. Retrieved from http://www.ssa.gov/OP_Home/comp2/F099-660.html

Vyas, D. and Hozain, A. (2014). Clinical peer review in the United States: History, legal development and subsequent abuse. World Journal of Gastroenterology 6357–6363. doi: 10.3748/wjg.v20.i21.6357 Retrieved from: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4047321/

Willner, R. (n.d.). Health Care Quality Improvement Act (HCQIA) of 1986. What is it? Why was it established? Is it working? (2017) Retrieved from: http://peerreview.org/articles/HCQIQ.htm

Legal Issue 2: Synopsis of General Staff Law Review

The government’s involvement in labor relations laws provides protection to employees. Those laws include the Americans with Disabilities Act (ADA), the National Labor Relations Act (NLRA), the Immigration Reform and Control Act (IRCA), and the Family Medical Leave Act (FMLA).

The National Labor Relations Act (NLRA)

The National Labor Relations Board (NLRB) supports the NLRA and is in place to protect the rights of employees, allowing them to organize as unions or offering them the choice not to do so. This is a federal agency (nlrb.gov, n.d.).

Through collective bargaining with employers, benefits and pay increases can be negotiated, in addition to addressing other areas where there may be concern. “Unions also promote well-being by encouraging democratic participation and a sense of community among workers” (Hagedorn, Paras, Greenwich & Hagopian, 2016).

There is a benefit for the members of the union as a result of bargaining, but there are also conflicts that arise.  Often highlighted as a benefit is “it is encouraged for democratic participation as workers come together” (Hagedorn, Paras, Greenwich & Hagopian, 2016).  Not as often highlighted is the conflict that arises when strikes occur. When the employee strikes, “the striking employees can be discharged or otherwise disciplined, unless the strike is called to protest certain kinds of unfair labor practices… A walkout because of conditions abnormally dangerous to health, such as a defective ventilation system in a spray-painting shop, has been held not to violate a no-strike provision” (nlrb.gov, n.d.). An administrator or manager witnessing this may be torn between the employees’ safety and their right to stand up for themselves.  They may be required to enforce the regulations and discipline a striking employee.

Family Medical Leave Act (FMLA)

In 1993, the Family and Medical Leave Act was passed and became law in the United States. As explained in dol.gov (2012), the Act states that under certain conditions, employers must give employees up to 12 weeks of leave for family issues and medical problems. There are some limits to the Act. Specifically:

  1. The law does not apply to employers who have fewer than 50 workers.
  2. Not all workers at companies with more than 100 employees are eligible for family and medical leave. Employers may designate certain workers as “essential personnel” who cannot be granted leave. Criteria for this designation are unclear.
  3. To qualify for leave, an employee must have worked at least one year and a minimum of 1,240 hours a year and not be in the top 10 percent of the company’s salary levels.
  4. Nothing in the law requires that employers pay full or partial salaries to workers who take family and medical leave.

Other developed countries have more generous family leave policies and may pay full or partial salaries to employees on leave. In the United States, businesses have argued that they cannot afford to pay family leave, as doing so would be an excessive cost. The U.S. Department of Labor offers information on the current Family and Medical Leave Act (dol.gov, 2012).

I believe that women who work outside the home are far more likely than men to take family leave to care for newly born or adopted children, while research demonstrates convincingly that fathers and mothers are both important to children. In a position to operate a busy medical facility, staffing and access are key concerns. The question of granting time off, even if mandated by law, may present a personal and professional conflict for the manager.

Management is faced with difficult decisions in weighing employee requests against operational needs. Granting every request could also impact patient care. “Notably, a recent report found that healthcare employers had the second-highest rate of FMLA leave of any industry (hospitality employees were first), with 39 percent of their employees having an open FMLA leave at any given time” (Washko, 2016). With potentially high rates of absence, issues can arise when patients see a difference in the care being provided. This raises another concern when patients complain. The benefit of FMLA is obvious; however, conflict is a factor.


Fact Sheet #28: The Family and Medical Leave Act (2012) Retrieved from: https://www.dol.gov/general/topic/benefits-leave/fmla

Hagedorn, J., Paras, C. A., Greenwich, H., & Hagopian, A. (2016). The Role of Labor Unions in Creating Working Conditions That Promote Public Health. American journal of public health, 106, no. 6 (June 1, 2016): pp. 989-995. Retrieved from https://ajph.aphapublications.org/doi/abs/10.2105/AJPH.2016.303138

National Labor Relations Board (n.d.) Retrieved from https://nlrb.gov/rights-we-protect

Washko, L. (2016).  When Patient Care Needs and Employee FMLA Demands Conflict. Retrieved from: https://ogletree.com/insights/2016-09-07/when-patient-care-needs-and-employee-fmla-demands-conflict/

Legal Issue 3: Health Insurance Portability and Accountability Act (HIPAA)


In 1996, HIPAA was implemented by the U.S. Department of Health and Human Services (HHS), which issued the Privacy Rule to implement the requirement of HIPAA. This Privacy Rule addresses how medical operations incorporate an acceptable practice of handling patient records, or “protected health information (PHI),” by those subject to the Privacy Rule, called “covered entities,” while maintaining standards for “individuals’ privacy rights to understand and control how their health information is used” (hhs.gov).

Privacy laws have been described as tougher in the European Union (EU) than in the United States (US), according to Joy Pritts (2013), the chief privacy officer at the Office of the National Coordinator (ONC) for Health IT. “But HIPAA is more detailed, more specific, and in some ways stronger than EU privacy law. HIPAA provides a clearer sense of what is expected than many other privacy laws” (Solove, n.d.).

To uphold these standards, there is the Enforcement and Penalties for Noncompliance.

“Civil Money Penalties. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation (hhs.gov).”

Delay in Compliance Mandate

The bill was passed in 1996, although it was not put into effect until several years later due to the 2001 election of Bush as President and the Republicans becoming the majority. “There were rumors that the regulation might be entirely rolled back and restarted” (Solove, n.d.). Changes were made, and the deadline put into place by President Bush’s administration was for the HIPAA privacy rule to go into effect by April 14, 2003, and other plans by 2004.

Many opposed HIPAA, believing that the law would affect how they handled their day-to-day interactions. Additionally, physicians’ notes made in a patient’s chart, and patients being able to access their medical records, made them take different measures in their offices. Once they became a bit more aware and familiar, relaxation could eventually be felt; however, a tenseness was placed over most involved, and delays were experienced in all areas due to hesitation in releasing PHI.

Implementing a Mandate

In the article by Cresswell, Bates & Sheikh (2013), the ten things to consider for a successful implementation of a mandate are as follows:

  1. “Clarify what problem(s) – for designing a fix.
  2. Build consensus – Ensure commitment of the stakeholders.
  3. Consider your options – Time allowed to research multiple options to put into place a fix.
  4. Decision made – Choice should fit purpose for the organization and the clinic.
  5. Plan appropriately – Implementation of strategies tailored to the organization’s circumstances.
  6. Infrastructure – Software systems can have an impact on usability and performance which is important to determine acceptance.
  7. Train staff – It is important to ensure that the roll out of the change is effective.
  8. Continuously evaluate progress – Strategies that provide formative feedback.
  9. Maintain the system – Maintenance of the above listed points to be re-visited throughout the technology lifecycle.
  10. Stay the course – Allow time for the expected benefit as it is important to manage over the long term for materialization. (Solove, n.d.)”

The ten steps of change management coincide with the importance of maintaining IT compliance when implementing processes that support and secure HIPAA standards (Giva, 2019). Not only are these common-sense, practical measures to safeguard PHI, they also prevent conflicts with third-party vendors, such as those who provide technical support by developing computing systems that store and transmit patient private records. Giva (2019) also has specific steps for its change management process for HIPAA. One relevant step is that it “maintains the proper balance between the need for change and the potential detrimental impact of changes”.

The introduction of HIPAA was not immediately accepted with open arms due to the lack of knowledge regarding it. It was suspected that fines would be placed against providers who did not follow the regulations; instead, this was a newly placed mandate, implemented for lowering risks of HIPAA violations and securing PHI of patients. It is felt that this mandate will take an estimated seven years or so to be in full operation if the aforementioned steps are followed.

The health care facilities will need to put into place digitalization of this mandate by 2021, along with the use of biometric scanners for protection. There will be a seamless flow in the processes on accessed technology, easing any negative thoughts of physicians. Patients can have a feeling of ease with the mandate in place, feeling more secure that their PHI has added protection, including billings, as access to specific billings will be limited to senior management and not available to all staff members.

Constraints for implementing a mandate

The system was put into place for access by all users, although there will be those who express opposing feelings. Systems can have a social constraint where “technologies may prove frustrating for frontline clinicians and organizations as the systems may not fit their usual workflows, and the anticipated individual and organizational benefits take time to materialize” (Cresswell, Bates & Sheikh, 2013). A negative reaction to the change can be damaging as it relates to putting the mandate into place. Having input from those who will use the systems as designed will be beneficial, because support is needed to prepare those actively using them and to minimize opposition when possible.

The cost to digitally upgrade can be concerning, so it must be expressed as a mandate so that the change cannot be avoided. Sources of finance could be in the form of grants and subsidies through government assistance, which can be made available, along with hiring a technical team to ensure a secure database is in place and only accessed by those with the rights to do so. Giva (2019) recommends hosting this secure system in the cloud as another cost-saving measure.


  • Cresswell KM, Bates DW, Sheikh A (2013) Successful implementation and adoption of large-scale health information technologies. JAMIA doi:10.1136/amiajnl-2013-001684.
  • Giva (2019)  Reasons to Keep Change Management in a HIPAA Compliant Cloud. Retrieved from https://www.givainc.com/wp/reasons-to-keep-change-management-in-a-hipaa-compliant-cloud.cfm
  • Pritts, Joy (2013) Office of the National Coordinator for Health IT Engages on Patient Data Matching Retrieved from: https://www.himss.org/news/office-national-coordinator-health-it-engages-patient-data-matching
  • Solove, Daniel J. (2013) “HIPAA Mighty and Flawed: Regulation has Wide-Reaching Impact on the Healthcare Industry” Journal of AHIMA 84, no.4 (April 2013): 30-31. Retrieved from https://bok.ahima.org/doc?oid=106326#.XSgw-T9Khdh
  • United States Department of Health Human Services, OCR Privacy Brief. Retrieved from https://www.hhs.gov/sites/default/files/privacysummary.pdf