HIPAA Compliance
Violating HIPAA can be very costly for the covered entity, and the penalties have grown over the years as the regulations have become stricter in their formulation, implementation, and enforcement. The consequences vary with the level of negligence: the most severe penalties fall on entities that showed willful neglect and failed to correct the violation within 30 days of discovering it (Kilbridge, 2003). Entities that violated HIPAA without knowing it, and that promptly put measures in place to limit the harm once they discovered the breach, can be treated more leniently.
The first real-life case is that of New York-Presbyterian Hospital (NYP) and Columbia University (CU), which were charged with exposing patients' electronic protected health information (ePHI). The exposure occurred after a server on the shared network that held patients' records was deactivated, leaving the data, which both parties had been entrusted with under a confidentiality agreement, reachable by anyone online with the knowledge and tools to find it (Dwyer III, Weaver & Hughes, 2004). The breach report, submitted on 27 September 2010, stated that more than 6,800 patients were affected and listed the categories of records that were exposed.
Both institutions are based in the state of New York.
Following the investigation by the Office for Civil Rights (OCR), NYP and CU were found to have violated the Privacy and Security Rules of HIPAA (1996). The violation occurred when the database shared between the two institutions was unintentionally made accessible to internet search engines because the policies and safeguards for maintaining the network were not followed. A physician employed by CU had deactivated a server on the shared network, and the institutions learned of the exposure only after a patient complained ("Data Breach Results in $4.8 Million HIPAA Settlements", 2017). Both institutions had written policies that could have prevented this breach but did not implement or follow them as expected. Taking into account the number of patients affected and the negligence on the part of the institutions, they were fined a combined 4.8 million dollars and committed to train their staff and implement risk management plans.
Digital patient data storage faces numerous threats, but it also has practical, implementable countermeasures that must be put in place beforehand. For the servers and databases, the two institutions should have had competent staff dedicated to network security, and any change to the network, such as taking a server out of service, should have been reviewed for what it exposes before it was made. A clear boundary of responsibility should have been defined at the start of the partnership, so that each institution knew which systems it was accountable for and the two were not penalized jointly for a failure on one side. Lastly, with well-defined policies already written, the institutions would have avoided the violation had they followed those procedures to the letter.
The second case is that of Cignet Health Center, located in the state of Maryland, which was involved in a series of disputes with the US Department of Health and Human Services over the release of some patients' records. Cignet did not respond to OCR's requests to produce the records during its investigation of complaints from patients who had been denied access to them, and showed little or no cooperation with the investigation ("Civil Money Penalty," 2017). The health center denied 41 patients access to their medical records over 13 months, from September 2008 to October 2009, and each of those patients filed a complaint about the denial.
Cignet was found to be in violation of the HIPAA Privacy Rule and was subject to a civil money penalty (CMP). The violation consisted of denying patients access to their own medical records, a right granted to them by HIPAA (1996). The health center's conduct during the investigation was a key factor in determining the degree of negligence and its lack of cooperation in resolving the issue. The firm was therefore penalized twice: the first penalty, a CMP of 1.3 million US dollars, was for its failure to provide patients with a copy of their medical records within 30 days of the request, as the law provides (Artnak & Benson, 2005); the second, a CMP of 3 million US dollars, was for its willful neglect in failing to cooperate with OCR's investigation, bringing the total to 4.3 million dollars in civil money penalties.
In Cignet's case, the penalties could have been avoided through straightforward handling of the issues at hand. OCR's requests should have been given due consideration, and discussions opened between the two parties, rather than being disregarded or ignored. The firm could also have taken the patients' requests seriously and explained any problem with fulfilling them, rather than letting the matter grow out of control and provoke a public outcry.
Lastly, the case of Concentra Health Services, where patients' records were exposed after an unencrypted Concentra laptop was stolen in November 2011. The breach affected 870 patients. The stolen laptop belonged to a staff member at one of Concentra's facilities in the state of Missouri, the Springfield Missouri Physical Therapy Center ("Stolen laptops lead to important HIPAA settlements," 2017), and contained the ePHI of patients under the company's care. This breach implicated the HIPAA Security Rule, which requires a covered entity to assess the risks to ePHI on every device that stores it and to address them. Encryption of ePHI at rest is an addressable specification under that rule: an entity must either implement it or document why an equivalent alternative is reasonable. Encrypted ePHI is also not considered "unsecured" under the breach notification rule, so the theft of an encrypted laptop would not have required a breach report at all.
OCR investigated Concentra's compliance with the HIPAA rules after receiving the company's breach report. It found that Concentra had previously identified, in its own risk analyses, that the lack of encryption on its laptops and other devices posed a risk to ePHI, but had not taken adequate steps to address and mitigate that risk, leaving patients' records vulnerable. The company had policies requiring that data be secured, among them the encryption of all devices, but OCR found that the measures actually in place were inadequate to protect the records (Dwyer III, Weaver & Hughes, 2004). Following the investigation, Concentra accepted liability, agreed to pay 1,725,220 dollars (about 1.7 million dollars) to settle, and adopted a corrective action plan to prevent such breaches in the future.
To prevent the violation, the firm should have required encryption of patient data on every electronic device that stores it, in all instances, and verified that the requirement was actually met rather than merely written into policy. Physical protection of its facilities should also have been a priority, since physical access to or theft of a device gives easy access to the records it holds. Having proper experts test the system would have flagged how easily the data could be read once a device was physically obtained, because the firm's attention had been on remote access only.
References
Artnak, K. E., & Benson, M. (2005). Evaluating HIPAA compliance: A guide for researchers, privacy boards, and IRBs. Nursing Outlook, 53(2), 79-87.
Civil Money Penalty. (2017). HHS.gov. Retrieved 1 January 2017, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/
Data Breach Results in $4.8 Million HIPAA Settlements. (2017). HHS.gov. Retrieved 1 January 2017, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/new-york-and-Presbyterian-hospital/index.html
Dwyer III, S. J., Weaver, A. C., & Hughes, K. K. (2004). Health Insurance Portability and Accountability Act. Security Issues in the Digital Medical Enterprise, 72(2), 9-18.
Kilbridge, P. (2003). The cost of HIPAA compliance. New England Journal of Medicine, 348(15), 1423-1477.
Stolen laptops lead to important HIPAA settlements. (2017). HHS.gov. Retrieved 1 January 2017, from https://www.hhs.gov/about/news/2014/04/22/stolen-laptops-lead-to-important-hipaa-settlements.html