Health Insurance Portability And Accountability Act (HIPAA) Violations
the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015).
HIPAA is a law enacted in 1996 to protect patients' protected health information (PHI). It has since been amended to add more specific requirements for PHI as it relates to technology. Most recently, in 2009, HITECH, a segment of the American Recovery and Reinvestment Act, was enacted to extend these requirements to electronic PHI (ePHI). HITECH also provides incentives for providers to encourage the adoption of ePHI systems.
From the 2018 OCR HIPAA Summary: Settlements & Judgements
Provide an analysis of the HIPAA violation involving patient health information (PHI) that was present in the case selected (June 2018):

In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals. OCR's investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. This matter is under appeal with the HHS Departmental Appeals Board.
Date        Name            Amount
June 2018   M.D. Anderson   $4,348,000
Analyze the specific HIPAA privacy and security rules that were broken.
Explain the penalties (if any) that were imposed as a result of the ruling on the case.
Develop a health system improvement plan to include applicable Federal standards.
Propose a risk analysis strategy addressing appropriate laws and regulations.
Apply the lessons learned from this particular case to your Proposal and Final Presentation.