HIPAA AND HITECH

HIPAA and HITECH



HIPAA and HITECH

Q1. Explain how you would respond to the situations in a way that meets HIPAA (1996) Privacy, Security, and HITECH (2009) breach notice requirements.

In the first case, the governor of the state, Hayden Samual Barrett was admitted to the hospital for surgery. He asked the management of the hospital to keep his hospitalization private, and reassurance was given to him by the hospital that no one will know about his hospitalization. However, three channels ran a story about his hospitalization. After talking with the news channel, the hospital managed to convince the news channel not to report further stories on the governor's hospitalization. The channels did not reveal their source but told the hospital that the news was broadcast that someone from the hospital leaked the information (Aluvihare, 2000).

In the second case, the CD holding patient information of about 1000 hospital patients was being transferred to the hospital from the storage for better safe keeping. On the way, the driver was stopped due to speeding, and after he was back from speaking with the police officer, the CD was gone. The driver immediately reported this incident to the hospital and retraced his route to look for the CD, but the missing CD could not be found. The hospital has a backup of that patient information, but the problem is the privacy breach. The employee who was on duty the day the CD went missing was a temporary employee from an employment agency named Sebastian Tresch.

As per the HIPAA (1996) Privacy, Security, and HITECH (2009) breach notice requirements, the patients must be notified about this data theft immediately and no later than 60 days after the breach was discovered. In both the above mentioned cases, first and foremost the notice is to be sent to the patients. The notice sent to patients requires to be written in simple language (Phelps, 2002). The notice must also include what happened, when the breach was made, and when it was discovered, types of PHI disclosed, the measures which are being taken by the hospital regarding this breach, ways through which the patients can protect themselves and contact information so that patients can easily contact the covered entity.

After that, the hospital needs to perform a risk assessment analysis on both the cases. The employees who were on duty on the day the news about the governor's hospitalization disclosure needs to be investigated properly. For this purpose, the hospital security cameras' recordings can be used, the telephone records and recordings can also be used. All employees who were on duty must be thoroughly investigated. In the second case too, thorough investigation is necessary. When the culprit is caught, then as per the requirements, “If convicted of violating the HIPAA statute, the accused faces a maximum sentence of 10 years in prison and a $250,000 fine.” As per the act, the arrest of the person is abundant for violating the Health Insurance Portability and Accountability Act (HIPAA) and wrongfully obtaining individually ...