Online Custom «HIPAA Violations» Essay Sample
Since the passage of HIPAA, there have been many cases of violations of its provisions. Notably, there have been concerns that the penalties imposed on violators, if any, are inadequate to deter others from engaging in similar acts. This paper will discuss two such cases of violation, in which considerably stiff penalties were imposed.
In December 2007, 25-year-old LPN Andrea Smith of Trumann, Arkansas, along with her husband, was indicted for wrongfully disclosing patients’ health information with the intention of pursuing personal gain. They were also accused of tampering (Wood, 2008). While working at Northeast Arkansas Clinic, a multispecialty clinic in Jonesboro, Arkansas, Andrea Smith is said to have accessed the private medical information of one patient. She then shared the information with her husband, Justin Smith. On the same day, Justin called the patient, informing him that some of his medical information would be used against him in an upcoming legal proceeding. As a HIPAA-covered entity, Northeast Arkansas Clinic had an existing policy that required it to protect the rights of its patients (Wood, 2008).
HIPAA required the organization to protect all individually identifiable health information, whether transmitted or held in any media or form by a covered entity or an associate. Consistent with the HIPAA ethical code, the facility held violators accountable with criminal and civil penalties where patients’ privacy rights were violated (Wood, 2008). Conforming to HIPAA’s stipulation, Northeast Arkansas Clinic terminated Mrs. Smith’s employment. Additionally, it was revealed that Andrea Smith faced a prison term of up to ten years. As an alternative, the accused was to receive a penalty not exceeding $250,000 along with a term of supervised release of up to three years (Wood, 2008).
Another measure would have been to provide staff training. The organization should have ensured that the staff clearly and precisely understood the HIPAA legislation on the patient privacy rule along with the stipulated minimum required guidelines, something that can only be facilitated through a training program (Having & Davis, 2005). Along with that, the organization should have provided the nurses with all the necessary materials to ensure that they became more familiar with privacy issues, including the institution’s privacy notice and the patients’ authorization forms. During the training, the organization should have used real-world examples. This would allow the staff to see clearly how HIPAA impacts their individual jobs. A refresher course should also have been offered in an attempt to ensure that the staff is informed about updates to the legislation and the need for continued compliance (Having & Davis, 2005).
In 2010, Columbia University New York and Presbyterian Hospital (NYP) contracted a CU physician to develop applications for each facility. The physician attempted to deactivate a personally owned computer server on the network that held NYP patients’ data. According to Bowman (2014), this data, as a result of inferior technical safeguards, became accessible on the internet, where it could be easily found through any search engine. The issue was revealed after an internet user found information regarding a deceased patient through Google. The patient had been receiving care at NYP. The information included the status of the patient, primary signs, medication, and laboratory results. The social security number was also visible.
Reports indicated that the two organizations had not initiated efforts to ensure the security of the server prior to the breach. Besides, it was reported that neither of the two affected facilities had set up adequate risk management strategies. Moreover, they had not encrypted their laptops, from which the breach was initiated. As a result, the two facilities were fined a combined total of $4.8 million. NYP was required to pay $3.3 million while Columbia University was supposed to pay $1.5 million (Bowman, 2014).
There is a set of measures that the two organizations should have implemented to prevent the breach. The first is proper, safeguarded record retention. According to HIPAA, it is the responsibility of an entity to maintain patient data securely. The law requires that patient information be stored on site and be easily accessible for the purpose of disclosures, patient requests, and amendments, among others. However, heightened encryption approaches should be implemented to ensure that patient information is not accessible to unauthorized persons (McLaughlin, 2006). If the appropriate encryption had been in place, the physician would not have accessed the data without authorization. He would have had no option other than to seek permission, subject to conditions.
The second approach would have been record destruction. As identified in the case, it was the information of deceased patients that leaked. This is evidence that the two institutions still maintained unwanted data, which is entirely against the HIPAA stipulations. According to Appari et al. (2009), to ensure that the HIPAA guidelines are not violated, an organization is supposed to destroy all obsolete data. To achieve that successfully, the organization should have undertaken the process itself. An onsite employee should be designated to shred all documents that are no longer necessary after a specified time frame.
The third measure is to contract a competent application developer (Appari, Johnson, & Anthony, 2009). If the developer had indeed been a professional, he would have acknowledged his duty of care to the contracting organizations and their patients. He would have recognized that any unprofessional conduct on his side would subject the two organizations and their clients to severe consequences. Rather, his behavior shows that he was inadequately knowledgeable and skilled. If a more competent practitioner had been contracted, he would not have created a situation in which the patients’ data became vulnerable (Having & Davis, 2005).
HIPAA violations continue to be reported to this day. Although the disclosure of patients’ information is a very sensitive issue, it seems that not enough has been done to prevent violations. Lawmakers should probably consider adopting alternative measures to keep individuals and organizations, such as those discussed in this paper, from failing to take HIPAA violations seriously enough.