Breaches in Security & Privacy with HIPAA

Accidental and Intentional Breaches in Security and Privacy with HIPAA
Name
Institution

Chapter I Introduction
The federal HIPAA law is the “Health Insurance Portability and Accountability Act” of 1996. HIPAA ensures that individuals can keep their health insurance. It also protects healthcare information by guaranteeing its confidentiality and security. Moreover, HIPAA assists in the control of administrative costs incurred by the healthcare industry (HHS.gov, 2016).
The Secretary of the “United States (US) Department of Health and Human Services” (HHS) was required by HIPAA to develop regulations and rules that assist in protecting the security and privacy of particular health information (HHS.gov, 2016). In response to this requirement, HHS published the HIPAA Security Rule and the HIPAA Privacy Rule (HIPAA Journal, 2016). Before the introduction of HIPAA, there was neither an accepted set of security standards nor general requirements that protected health information in the healthcare industry. During this time, the healthcare industry was growing fast, and with the emergence of new technologies, the paper processes used to store information were slowly being replaced by electronic information systems. The electronic information systems were used to control clinical and administrative functions, answer eligibility questions, pay claims, and provide health information.
Worldwide today, technology has been introduced, and providers use clinical applications.

“Examples of these clinical applications include Computerized Physician Order Entry (CPOE) Systems,” Laboratory, Radiology and Pharmacy Systems, and Electronic Health Records (EHR) (HHS.gov, 2016). The introduction of new technology in the health sector has increased the efficiency and quality of the health services offered to patients. However, it has also increased the potential security risks to the sector as a whole. Both intentional and accidental cases of privacy and security breaches are evident in many segments of the health sector. The healthcare industry has put rules in place to counter these cases of security and privacy breaches. Entities are obliged to comply with all requirements that apply to them (HHS.gov, 2016).
Statement of the Problem
This study seeks to determine both intentional and accidental breaches of privacy and security of healthcare systems in the healthcare industry and the ways in which they can be prevented. Initially, the healthcare industry relied on paper processes. With the quick growth of technology and the increase of its applications worldwide, the healthcare system has moved past the paper processes and has now incorporated new methods that involve the use “of technology to improve the quality and efficiency of” quality patient care (Jenkins, 2011). However, the introduction of these new technologies into the healthcare industry has put healthcare systems at potential risk of breaches of security and privacy.
Patients value their privacy just as much as health systems value their integrity and confidentiality. Frequent violations of security and privacy in healthcare systems, whether intentional or accidental, have therefore necessitated the development of rules and regulations in the health industry. These rules and regulations aim at protecting healthcare clearinghouses, health plans, patients and healthcare providers from invasions of privacy and at maintaining their confidentiality and integrity.
Purpose of the Study
This study is aimed at understanding the accidental and intentional breaches of security and privacy in the healthcare industry with HIPAA, their causes, and the recommendations that can be put in place to prevent them. This research is carried out to point out the most common healthcare systems, plans, and houses, as well as the type of patients, that most commonly experience security and privacy breaches, and the rules that are already in place or that can be put in place to counter them. In this study, it is important to understand both the accidental and intentional causes of breaches in security and privacy in the health industry and the ways in which they can be stopped to safeguard the confidentiality and integrity of clients, health providers, healthcare facilities, and the overall healthcare plans.
Research Question
What are the impacts of accidental and intentional breaches of security and privacy with HIPAA?
Subsidiary Questions
What are the intentional security and privacy breaches in the health industry and their causes and impacts?
What are the accidental security and privacy breaches in the health industry and their causes and impacts?
What are the privacy breaches in the health industry and what impacts do they have in the industry?
What are the security breaches in the health industry and what impacts do they have in the industry?
Why does the integrity, confidentiality, and privacy of healthcare professionals, patients, healthcare facilities and plans require protection?
Null Hypothesis
Security and privacy breaches in the health industry, whether intentional or accidental, negatively affect the confidentiality and integrity of health providers, patients, and healthcare facilities and the operations in which they engage.
Importance of the Study
The study of intentional and accidental breaches in privacy and security, their causes and the steps that can be taken to eliminate them is critical in ensuring that the integrity and confidentiality of patients, health providers, and healthcare facilities and their operations are maintained. High ratings of integrity and confidentiality of a healthcare facility and its operations will boost the confidence that patients have in them, and as a result, they can experience elevated levels of growth and development. In the case of the health providers, confidentiality and integrity will make them feel safe at work without the fear of invasion into their private lives or lifestyles. The health providers can, therefore, feel protected and secure at work, and this boosts the overall outcome of their jobs. In the case of patients, on the other hand, protection of their privacy, in particular of their personal health information, is a top priority. Patients in most cases particularly do not like their medical information made public. In most cases, the need for confidentiality is a result of fear of stigmatization or of being judged by their family, friends, or other people. Therefore, it is imperative to maintain privacy and security at all times within the health industry.
Definition of Terms
Health Insurance Portability and Accountability Act (HIPAA): a law in the United States (US) that was designed to offer protection to the medical records of patients as well as to any other information about health provided to doctors, health plans, and any other healthcare providers through the provision of privacy standards.
Security Breach: is an incident or an occurrence that leads to unauthorized access to applications, data, networks, services and devices through a bypass of the underlying security mechanisms meant to protect against such access.
Privacy Breach: is the unauthorized access to the personal information of an individual and the disclosure of it.
Accidental Breach: is the unplanned/unintended unauthorized access to applications, data, networks, services and other devices or an individual’s personal information.
Intentional Breach: is the planned or intended unauthorized access to applications, data, networks, services and other devices or an individual’s personal information.
Limitations of the Study
The design of the research makes it difficult for one to obtain accurate data and statistics on the topic.
It is challenging to evaluate the effects of the rules and regulations of the HIPAA law.
Chapter II Review of Literature
HIPAA came into existence as a result of frequent accidental privacy and security breaches within the healthcare industry. These violations started occurring after the disposal of the paper processes and the introduction of technology in the health systems and processes. “The introduction of technology into the healthcare industry has made” it prone to security and privacy breaches, which occur either accidentally or intentionally (Califf and Muhlbaier, 2003). Due to the numerous breaches, HIPAA required the Secretary of HHS to make national public standards that would secure the electronic healthcare system. These national standards were published for the security and privacy of healthcare information, electronic exchange, and electronic protected health information (e-PHI) (Califf and Muhlbaier, 2003).
HIPAA required the Secretary to issue rules and regulations that would safeguard the “confidentiality, integrity and availability of” the e-PHI, whether it is held or transmitted by covered entities (Califf and Muhlbaier, 2003). On August 12, 1998, HHS developed and released a proposed rule to the public for comments. The public gave a total of approximately 2,350 comments, and on February 20, 2003, the final regulation known as the Security Rule was published. The Security Rule specified a series of technical, administrative and physical security steps for covered entities. Through the Security Rule, these covered entities have managed to maintain the “integrity, confidentiality and availability of” e-PHI (HHS.gov, 2016).
The Security Rule applies to many sectors of the healthcare industry, including healthcare clearinghouses, health plans, and healthcare providers responsible for the transmission of health information in electronic form. The Security Rule applies in connection with transactions for which the Secretary of HHS has adopted standards under the HIPAA law for covered entities. Under the Security and Privacy Rules, the HITECH Act of 2009 has managed to expand the responsibilities of business associates, and HHS is in the process of developing and clarifying these changes (Securonix, 2016).
Chapter III Methodology
The data and the statistics in the research are obtained from various sources. These sources include books and scholarly articles both from the personal library and the Internet. The research is based in the United States and its environs, and most of the information is obtained from the publications of the US Department of Health and Human Services (HHS) and hospital journals. Also, most of the data analyzed in this research is a sample from different hospitals that could be accessed from the various states in the US.
There is no clear way to determine the exact statistics of the breaches, and, besides the recorded data, analysis of sequence and estimation is used. The rates for the breaches also climb and fall with many cases of unreported issues (McCann, 2014). The research is based on both accidents and intentions, which makes it tough to determine the exact data. It is not easy to tell whether a breach of privacy or security was done intentionally or accidentally. Also, most cases of intentional breach of security or privacy go unnoticed, and this affects the overall sampled data.
The effectiveness of the rules and regulations of the HIPAA law is measured by the level of impact that they have in reducing the cases of security and privacy breach affecting health providers, patients, and health facilities and their plans and operations. However, measuring the effectiveness of the HIPAA rules and regulations is challenging, since the impact cannot be clearly verified.
Data Collection / Analysis
Through the HIPAA Privacy Rule, a culture of compliance has been created within several healthcare organizations. The healthcare environment keeps changing from time to time, and therefore compliance with healthcare rules and regulations has become of crucial importance. Also, the HIPAA Privacy Rule has ensured that better security is built within organizations. For healthcare organizations to be able to comply with the requirements of HIPAA, they have been forced to improve their security systems both electronically and physically. The HIPAA Privacy Rule is also used in the medical instances where a patient’s medical details have “to be transferred from one organization to another” electronically (Brown & Fortunato, 2016). Also, through HIPAA, healthcare information has been developed to fit national standards that have been designed to ensure confidentiality in healthcare organizations (Brown & Fortunato, 2016).
Through the HIPAA Security Rule, different levels of security have been introduced in healthcare organizations based on job functions. The difference in levels of security has ensured controlled access to different healthcare information for various individuals in the organization. Healthcare organizations have also managed to create backup plans for critical data in the process of installing the security systems. Critical data are periodically backed up to safely kept external media separate from the organization’s system. Healthcare organizations, through HIPAA, have also managed to convince members to use strong passwords and usernames. Passwords have been created that involve the use of numbers, symbols, and different cases to make them difficult to guess. The equipment in healthcare organizations has also been protected from malicious software through patch management. Through patch management, the systems in the organizations contain the latest software and proper security protection. Finally, through the HIPAA Security Rule, healthcare organizations have also managed to install physical security in the form of facility access controls. Only selected individuals can now access the various facilities and rooms within the healthcare organizations. This has ensured that access to the organization’s information facilities is controlled and restricted to only the allowed staff members (Jenkins, 2011).
Research Hypotheses
Hypothesis 1: Compliance “with the requirements of the HIPAA Security Rule” and Privacy Rule may “be expensive, but the benefits are totally worth it” (Jenkins, 2011). According to Bowers (2016), the benefits of the Act far outweigh the costs incurred in setting up the systems that control privacy and security and the overall compliance costs. Also, according to Sullivan (2016), “the new transaction standard also brings a fistful of its noteworthy advantages.”
Hypothesis 2: Despite all the benefits that the HIPAA Security Rule and Privacy Rule bring to healthcare organizations, there are still arguments that they are not entirely advantageous. Many healthcare organizations are faced with challenges of compliance with the HIPAA Act/Law. According to these healthcare organizations, installation of all the requirements of the HIPAA Act is an expensive activity. Also, the fines resulting from lack of compliance are too high (Financial Web, 2016).
Chapter IV Data Results
According to the Department of HHS journal (HHS.gov, 2016), from the year 2003 to the year 2016, approximately 97% of the security and privacy breach complaints received have been resolved. The total number of complaints received over the years is 141,754, and by the year 2016 the number of complaints remaining unresolved is 3,893 (3%), as shown in the table below:
“Status of All Privacy Rule Complaints – September 2016”
Status | Number | Percentage
Complaints Remaining Open | 3,893 | 3%
Complaints Resolved | 137,861 | 97%
Total Complaints Received | 141,754 |
Table 1
Also, in the HHS journal (HHS.gov, 2016), sample investigations made from the year 2003 until the year 2016 are shown in the table below. The table shows both the cases where no violations were noted and those where violations were found and corrective action was taken, as reported by the Office for Civil Rights (OCR).
Year | Investigated: No Violation | Investigated: Corrective Action | Total
Partial Year 2003 | 79 | 260 | 339
2004 | 360 | 1033 | 1393
2005 | 642 | 1162 | 1804
2006 | 897 | 1574 | 2471
2007 | 727 | 1494 | 2221
2008 | 1180 | 2221 | 3401
2009 | 1211 | 2146 | 3357
2010 | 1529 | 2709 | 4238
2011 | 1302 | 2595 | 3897
2012 | 979 | 3361 | 4340
2013 | 993 | 3472 | 4465
2014 | 667 | 1287 | 1954
Table 2
Chapter V Analysis of Hypotheses
There are two main hypotheses in this research paper. The hypotheses are derived from the different opinions that people have about the HIPAA Security Rule and Privacy Rule. Various healthcare organizations have different ways of calculating the benefit-to-cost ratio, and this has resulted in the differences in opinion. The reasons given both by the healthcare organizations that support the HIPAA Act and by those that do not are significant, and the conclusion is, therefore, dependent on many factors, all of which must be considered in detail.
Discussion / Conclusion
Breach of privacy and/or security can be either accidental or intentional. However, whether the breach is accidental or intentional, it still negatively impacts the integrity and confidentiality of the patient, healthcare provider, or healthcare plans and processes. Therefore, both accidental and intentional breaches of security and privacy in healthcare organizations must be prevented by all means.
Through HIPAA, breach of security and privacy is avoided by obligating healthcare organizations to put in place preventive measures. The preventive measures prevent both accidental and intentional breaches of security and privacy. They include: the use of secure usernames and passwords, the creation of different levels of security, physically controlling access to the organization’s equipment and rooms, periodic backing up of critical data to safely kept external media, and the use of the latest software that has proper security protection.
The prevention of security and privacy breach with HIPAA has both positive and negative impacts. Different organizations have different opinions about the Act based on their individual calculation of its benefits and costs. At the moment, it is still not clear whether the advantages of the Act are greater than the costs or vice versa (Andrews, 2015). However, it is worth noting that the methods of prevention of breaches applied by the HIPAA Act work efficiently and the cases of security and privacy breach have reduced over the years. On the other hand, the major complaint by the healthcare organizations that do not support the HIPAA Act is that it involves expensive processes and is hard to comply with.
Recommendations for Further Research
This research paper only describes the breach of privacy and security of patients, health providers, and healthcare facilities plans and operations in the health industry in the United States. However, invasion of privacy and security in the health industry is a worldwide problem. The research scope should be widened to cover more areas of the world, if possible its entirety. Also, the data and statistics collection methods in this research do not give the most accurate information. Therefore, better ways such as the use of separate questionnaires should be employed in the future during further research to enable better and more accurate data and statistics to be collected.
References
Andrews, J.M. “What Are Some of the Pros and Cons of HIPAA”. Livestrong.com. Retrieved from https://www.livestrong.com/article/75368-pros-cons-hipaa/
Brown & Fortunato. 2016. “The HIPAA Privacy Rule And Its Impacts”. Brown and Fortunato. Retrieved from http://www.bf-law.com/the-hipaa-privacy-rule-and-its-impact-on-healthcare-organizations/
Califf, R.M. and Muhlbaier, L.H. 2003. “Health Insurance Portability and Accountability Act (HIPAA)”. Circulation. Retrieved from https://www.circ.ahajournals.org/content/108/8/915
Jenkins, M. K. 2016. “The Top 5 Benefits of the HIPAA Security Rule”. Physicians Practice. Retrieved from http://www.physicianspractice.com/healthcare-careers/top-5-benefits-hipaa-security-rule
HHS.gov. 2016. “Health Information Privacy: Numbers at a Glance”. HHS.gov. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html
HHS.gov. 2016. “Health Information Privacy: Enforcement Highlights”. HHS.gov. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
HHS.gov. 2016. “Health Information Privacy: Summary of HIPAA Rule”. HHS.gov. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/
Bowers, D. 2016. “The Health Insurance Portability and Accountability Act: Is it really all that bad”. US National Library of Medicine. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1305898/
McCann, E. 2014. “HIPAA data breaches climb 138%”. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent
Financial Web. 2016. “5 Disadvantages of HIPAA”. Financial Web. Retrieved from https://www.finweb.com/insurance/5-disadvantages-of-hipaa.html
HIPAA Journal. 2016. “HIPAA History”. HIPAA Journal. Retrieved from https://www.hipaajournal.com/hipaa-history/
Sullivan, T. 2016. “7 Benefits of HIPAA”. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/blog/7-benefits-hipaa-5010
Securonix. 2016. “HIPAA/HITECH Compliance”. Securonix. Retrieved from https://www.securonix.com/solution/regulatory-compliance/hipaahitech/?
