the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015).
HIPAA is a law that was enacted to protect patients’ private health information (PHI). HIPAA was enacted in 1996 and has since been amended to include more specifics on PHI as it relates to technology. Most recently, in 2009, HITECH, a segment of the American Recovery and Reinvestment Act, was enacted to extend HIPAA's protections to electronic PHI (ePHI). HITECH provides benefits for providers to encourage the adoption of ePHI systems.
From the 2018 OCR HIPAA Summary: Settlements & Judgments
Provide an analysis of the HIPAA violation involving patient health information (PHI) that was present in the selected case:

June 2018

In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device‐level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise‐wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. This matter is under appeal with the HHS Departmental Appeals Board.
| Date | Name | Amount |
|---|---|---|
| June 2018 | M.D. Anderson | $4,348,000 |
- Analyze the specific HIPAA privacy and security rules that were broken.
- Explain the penalties (if any) that were imposed as a result of the ruling on the case.
- Develop a health system improvement plan to include applicable Federal standards.
- Propose a risk analysis strategy addressing appropriate laws and regulations.
- Apply the lessons learned from this particular case to your Proposal and Final Presentation.
Chapter 9 Privacy and Security
Privacy is an individual's constitutional right to be left alone, to be free from unwarranted publicity, and to conduct his or her life without its being made public. In the healthcare environment, privacy is an individual's right to limit access to his or her health care information. In spite of this constitutional protection and other legislated protections discussed in this chapter, approximately 112 million Americans (a third of the United States population) were affected by breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large insurance-related corporations accounted for nearly one hundred million records being exposed (Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained entrance through food and beverage computers, approximately 3.7 million individuals' information was accessed, much of it health information (Goedert, 2016).
Health information privacy and security are key topics for healthcare administrators. In today's ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every health care organization employee and visitor has a smart mobile device that is connected to at least one network, new and more virulent threats are an everyday concern. In this chapter we will examine and define the concepts of privacy, confidentiality, and security as they apply to health information. Major legislative efforts, historic and current, to protect health care information are outlined, with a focus on the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional and unintentional, to health information will be discussed. Basic requirements for a strong health care organization security program will be outlined, and the chapter will conclude with the cybersecurity challenges in today's environment of mobile and cloud-based devices, wearable fitness trackers, social media, and remote access to health information.

Privacy, Confidentiality, and Security Defined

As stated, privacy is an individual's right to be left alone and to limit access to his or her health care information. Confidentiality is related to privacy but specifically addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security refers to the systems that are in place to protect health information and the systems within which it resides. Health care organizations must protect their health information and health information systems from a range of potential threats.
Certainly, security systems must protect against unauthorized access and disclosure of patient information, but they must also be designed to protect the organization's IT assets—such as the networks, hardware, software, and applications that make up the organization's health care information systems—from harm.
Legal Protection of Health Information

There are many sources for the legal and ethical requirements that healthcare professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and the government through Centers for Medicare and Medicaid, dictate that health care organizations follow standard practice and state and federal laws to ensure the confidentiality and security of patient information.
Today, legal protection specifically addressing the unauthorized disclosure of an individual's health information generally comes from one of three sources (Koch, 2016):
- Federal HIPAA Privacy, Security, and Breach Notification rules
- State privacy laws. These laws typically apply more stringent protections for information related to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
- Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or third-party providers for PHR vendors or PHR-related entities, to notify individuals of a security breach.

However, there are two other major federal laws governing patient privacy that, although they have been essentially superseded by HIPAA, remain important, particularly from a historical perspective.
- The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
- Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)

The Privacy Act of 1974

In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the American public with the right to obtain information from federal agencies. The act covers all records created by the federal government, with nine exceptions. The sixth exception is for personnel and medical information, “the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” There was, however, concern that this exception to the FOIA was not strong enough to protect federally created patient records and other health information. Consequently, Congress enacted the Privacy Act of 1974. This act was written specifically to protect patient confidentiality only in federally operated health care facilities, such as Veterans Administration hospitals, Indian Health Service facilities, and military health care organizations. Because the protection was limited to those facilities operated by the federal government, most general hospitals and other nongovernment health care organizations did not have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not only because it addressed the FOIA exemption for patient information but also because it explicitly stated that patients had a right to access and amend their medical records. It also required facilities to maintain documentation of all disclosures. Neither of these things was standard practice at the time.
Confidentiality of Substance Abuse Patient Records

During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These regulations have been amended twice, with the latest version published in 1999. They offer specific guidance to federally assisted health care organizations that provide referral, diagnosis, and treatment services to patients with alcohol or drug problems. Not surprisingly, they set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment.
HIPAA

HIPAA is the first comprehensive federal regulation to offer specific protection to private health information. Prior to the enactment of HIPAA there was no single federal regulation governing the privacy and security of patient-specific information, only the limited legislative protections previously discussed. These laws were not comprehensive and protected only specific groups of individuals.
The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:
- Title I addresses health care access, portability, and renewability, offering protection for individuals who change jobs or health insurance policies. (Although Title I is an important piece of legislation, it does not address health care information specifically and will therefore not be addressed in this chapter.)
- Title II includes a section titled, “Administrative Simplification.”

The requirements establishing privacy and security regulations for protecting individually identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules were subsequently amended and the Breach Notification Rule was added as a part of the HITECH Act in 2009.
The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is information that
- Relates to a person's physical or mental health, the provision of health care, or the payment for health care
- Identifies the person who is the subject of the information
- Is created or received by a covered entity
- Is transmitted or maintained in any form (paper, electronic, or oral)

Unlike the Privacy Rule, the Security Rule addresses only PHI transmitted or maintained in electronic form. Within the Security Rule this information is identified as ePHI.
The HIPAA rules also define covered entities (CEs), those organizations to which the rules apply:
- Health plans, which pay or provide for the cost of medical care
- Health care clearinghouses, which process health information (for example, billing services)
- Health care providers who conduct certain financial and administrative transactions electronically (These transactions are defined broadly so that the reality of HIPAA is that it governs nearly all health care providers who receive any type of third-party reimbursement.)
If any CE shares information with others, it must establish contracts to protect the shared information. The HITECH Act amended HIPAA and added “Business Associates” as a category of CE. It further clarified that certain entities, such as health information exchange organizations, regional health information organizations, e-prescribing gateways, or a vendor that contracts with a CE to allow the CE to offer a personal health record as a part of its EHR, are business associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).

HIPAA Privacy Rule

Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the enforcement of existing state laws that are more protective of individual privacy, and states are also free to pass more stringent laws. Therefore, health care organizations must still be familiar with their own state laws and regulations related to privacy and confidentiality.
The major components to the HIPAA Privacy Rule in its original form include the following:
- Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
- Security. PHI should not be distributed without patient authorization unless there is a clear basis for doing so, and the individuals who receive the information must safeguard it.
- Consumer control. Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used.
- Accountability. Entities that improperly handle PHI can be charged under criminal law and punished and are subject to civil recourse as well.
- Public responsibility. Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general.

With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements for HIPAA-covered entities and business associates. In addition, the rights of individuals to request and obtain their PHI are strengthened, as is the right of the individual to prevent a healthcare organization from disclosing PHI to a health plan, if the individual paid in full out of pocket for the related services. There were also some new provisions for accounting of disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al., 2012).
The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health information by distinguishing between patient consent to use PHI and patient authorization to release PHI. Health care providers and others must obtain a patient's written consent prior to disclosure of health information for routine uses of treatment, payment, and health care operations. This consent is fairly general in nature and is obtained prior to patient treatment. There are some exceptions to this in emergency situations, and the patient has a right to request restrictions on the disclosure. However, health care providers can deny treatment if they feel that limiting the disclosure would be detrimental. Health care providers and others must obtain the patient's specific written authorization for all nonroutine uses or disclosures of PHI, such as releasing health records to a school or a relative.
Exhibit 9.1 is a sample release of information form used by a hospital, showing the following elements that should be present on a valid release form:
- Patient identification (name and date of birth)
- Name of the person or entity to whom the information is being released
- Description of the specific health information authorized for disclosure
- Statement of the reason for or purpose of the disclosure
- Date, event, or condition on which the authorization will expire, unless it is revoked earlier
- Statement that the authorization is subject to revocation by the patient or the patient's legal representative
- Patient's or legal representative's signature
- Signature date, which must be after the date of the encounter that produced the information to be released

Health care organizations need clear policies and procedures for releasing PHI. A central point of control should exist through which all nonroutine requests for information pass, and all disclosures should be well documented.
In some instances, PHI can be released without the patient's authorization. For example, some state laws require disclosing certain health information. It is always good practice to obtain a patient authorization prior to releasing information when feasible, but in state-mandated cases it is not required. Some examples of situations in which information might need to be disclosed to authorized recipients without the patient's consent are the presence of a communicable disease, such as AIDS and sexually transmitted diseases, which must be reported to the state or county department of health; suspected child abuse or adult abuse that must be reported to designated authorities; situations in which there is a legal duty to warn another person of a clear and imminent danger from a patient; bona fide medical emergencies; and the existence of a valid court order.
The HIPAA Security Rule

The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule governs only ePHI, which is defined as protected health information maintained or transmitted in electronic form. It is important to note that the Security Rule does not distinguish between electronic forms of information or between transmission mechanisms. ePHI may be stored in any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and personal computers. Transmission may take place over the Internet or on local area networks (LANs), for example.
The standards in the final rule are defined in general terms, focusing on what should be done rather than on how it should be done. According to the Centers for Medicare and Medicaid Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information (ePHI). The standards are delineated into either required or addressable implementation specifications.” A required specification must be implemented by a CE for that organization to be in compliance. However, the CE is in compliance with an addressable specification if it does any one of the following:
- Implements the specification as stated
- Implements an alternative security measure to accomplish the purposes of the standard or specification
- Chooses not to implement anything, provided it can demonstrate that the standard or specification is not reasonable and appropriate and that the purpose of the standard can still be met; because the Security Rule is designed to be technology neutral, this flexibility was granted for organizations that employ nonstandard technologies or have legitimate reasons not to need the stated specification (AHIMA, 2003)

The standards contained in the HIPAA Security Rule are divided into sections, or categories, the specifics of which we outline here. You will notice overlap among the sections. For example, contingency plans are covered under both administrative and physical safeguards, and access controls are addressed in several standards and specifications.
The HIPAA Security Administrative Safeguards section of the Final Rule contains nine standards:
1. Security management functions. This standard requires the CE to implement policies and procedures to prevent, detect, contain, and correct security violations. There are four implementation specifications for this standard:
   - Risk analysis (required). The CE must conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
   - Risk management (required). The CE must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
   - Sanction policy (required). The CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security policies and procedures.
   - Information system activity review (required). The CE must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
2. Assigned security responsibility. This standard does not have any implementation specifications. It requires the CE to identify the individual responsible for overseeing development of the organization's security policies and procedures.
3. Workforce security. This standard requires the CE to implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access. There are three implementation specifications for this standard:
   - Authorization and/or supervision (addressable). The CE must have a process for ensuring that the workforce working with ePHI has adequate authorization and supervision.
   - Workforce clearance procedure (addressable). There must be a process to determine what access is appropriate for each workforce member.
   - Termination procedures (addressable). There must be a process for terminating access to ePHI when a workforce member is no longer employed or his or her responsibilities change.
4. Information access management. This standard requires the CE to implement policies and procedures for authorizing access to ePHI. There are three implementation specifications within this standard. The first (not shown here) applies to health care clearinghouses, and the other two apply to healthcare organizations:
   - Access authorization (addressable). The CE must have a process for granting access to ePHI through a workstation, transaction, program, or other process.
   - Access establishment and modification (addressable). The CE must have a process (based on the access authorization) to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process.
5. Security awareness and training. This standard requires the CE to implement awareness and training programs for all members of its workforce. This training should include periodic security reminders and address protection from malicious software, log-in monitoring, and password management. (These items to be addressed in training are all listed as addressable implementation specifications.)
6. Security incident reporting. This standard requires the CE to implement policies and procedures to address security incidents.
7. Contingency plan. This standard has five implementation specifications:
   - Data backup plan (required)
   - Disaster recovery plan (required)
   - Emergency mode operation plan (required)
   - Testing and revision procedures (addressable); the CE should periodically test and modify all contingency plans
   - Applications and data criticality analysis (addressable); the CE should assess the relative criticality of specific app