Assignment Paper


Assignment Paper: HIPAA for Healthcare Professional Violation Case and How to Prevent Future Occurrence

Temi Abdulazeez

HSA515

Professor Chad Moretz

October 23rd, 2022


Abstract
The healthcare and technology world has continued to evolve and expand into the future, while HIPAA (the Health Insurance Portability and Accountability Act), the United States of America's basic fundamental patient privacy law, is striving to keep up with this evolving world of information in healthcare. Revealing personal health information without patient consent is common in healthcare and is the basis for many lawsuits against healthcare facilities. Confidential information can fall into the wrong hands in many ways. This thesis analyzes a case showing HIPAA violations and what hospital leadership can do to prevent future violations. It violates the HIPAA Title II Security Rule to disclose confidential patient information without consent. This rule was enacted in response to private information being leaked to the media and unauthorized people reading emails containing privileged information. Patient privacy should be taken seriously because identity theft is a genuine concern.


Introduction

The healthcare industry has established specific standards and laws to protect patients and their personal health information. When a healthcare facility fails to protect its patients' confidential information, the US government may intervene, and the facility may be forced to pay large sums of money in fines and risk its reputation. The paper describes a case in which a dental practice professional was fined $62,500 for improper disclosure of PHI for marketing purposes to settle HIPAA violations for a data breach that exposed the health information of 1,727 patients.

Case Analysis: Dental Practice Fined $52,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Northcutt Dental's operator and owner, Dr. David Northcutt, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt hired a campaign manager and a third-party marketing firm to help with the state senate election campaign. The campaign manager was given an Excel spreadsheet containing the names and addresses of 3,657 patients, and letters were sent to each of them informing them that Dr. Northcutt was running for state senate. The email addresses of those people, and the email addresses of another 1,727 patients, were given to the marketing firm Solutionreach in order for them to send a campaign email.


OCR determined that the PHI disclosures to the campaign manager and third-party marketing company were impermissible. OCR also discovered that Northcutt Dental did not appoint a HIPAA Privacy Officer until November 14, 2017, and that HIPAA Privacy and Breach Notification Rules policies and procedures were not implemented until January 1, 2018. Northcutt Dental agreed to a $62,500 fine and a corrective action plan to address the alleged areas of noncompliance.

Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to establish standards for our healthcare providers to simplify healthcare administration, eliminate waste, prevent healthcare fraud, and ensure employees could keep their healthcare coverage while switching jobs. Congress passed this law to protect patient health information from unauthorized individuals or organizations, as well as to make health care usable and to offer non-discriminatory protection to all patients. Nobody wants to go to the hospital and communicate with the doctor confidentially, only to find out later that the same information they provided to the doctor has been made public.

Standards have been introduced since its passage to improve patients' rights and protect Protected Health Information (PHI). Failure to comply with these standards is considered a HIPAA violation, even if no harm has occurred. When a healthcare facility violates laws protecting patients and their personal health information, it may face court challenges that could lead to huge fines, de-licensing, and reputational damage. The Department of Health and Human Services Office for Civil Rights (OCR) is the regulatory body mandated to investigate any form of HIPAA violation in our healthcare facilities. The HIPAA law is divided into four sections: portability, transactions, security, and privacy.


One of the most common types of complaints, for example, is the failure to provide patients with copies of their PHI upon request. As discussed above, this is another type of HIPAA violation and is subject to the penalties imposed for HIPAA violations.

Implications of HIPAA for the Healthcare System

To assist with the transition from paper records to electronic copies of health information, HIPAA introduced a number of significant benefits for the healthcare industry. HIPAA has aided in the streamlining of administrative healthcare functions, the improvement of efficiency in the healthcare industry, and the secure sharing of protected health information. The standards for recording health data and electronic transactions ensure that everyone sings from the same hymnal. Because all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, the transfer of electronic health information between healthcare providers, health plans, and other entities is greatly facilitated.

Patients may reap the greatest benefits from HIPAA. HIPAA is significant because it requires healthcare providers, health plans, healthcare clearinghouses, and HIPAA-covered entities' business associates to implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants sensitive data or health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard that data, and no consequences if they did not.

HIPAA rules require healthcare organizations to control who has access to health data, limiting who can view health information and with whom it can be shared.

HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, as well as information created, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who receives and shares their information.

HIPAA is essential for patients who want to take a more active role in their healthcare and obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients can obtain copies, they can check for errors and ensure that they are corrected.

Obtaining copies of health information also benefits patients when seeking treatment from new healthcare providers. Because information can be passed on, tests do not need to be repeated, and new healthcare providers have a patient's entire health history to inform their decisions. There were no requirements for healthcare organizations to release copies of patients' health information before the HIPAA Privacy Rule was implemented.

The HIPAA Privacy Rule establishes, for the first time, national standards to safeguard individuals' medical records and other personal health information.

It gives patients more control over their medical data.
It establishes guidelines for the use and disclosure of medical records.
It establishes appropriate safeguards that healthcare providers and others must implement to protect health information privacy.
It holds violators accountable by imposing civil and criminal penalties for violating patients' privacy rights.
It also strikes a balance when public responsibility supports the disclosure of certain data types, such as protecting public health.
For patients, it means making informed decisions about seeking care and receiving reimbursement for care based on how personal health information is used.
It allows patients to learn how their information may be used and about specific disclosures.
It generally restricts the release of information to the minimum required for disclosure.
It generally grants patients the right to inspect and obtain a copy of their medical records and request corrections.
It allows individuals to control how their health information is used and disclosed.

Transparency is essential in regulations such as HIPAA. Any activity involving regulated data systems could be audited. As a result, within the organizational structure, there must be checks and balances and policies in place to ensure that electronic protected health information (EPHI) is:

Only available to those with a legitimate business need.
Accessed only under close monitoring.
Encrypted during storage and transfer on any unprotected network and only moved to authorized locations.
The requirements above reflect four primary practices central to HIPAA compliance, outlined below.

Many other aspects of data security are essential, such as data loss protection, secure data backup, process and technical controls, network configuration, and the human element required for everything to work correctly.

Access Controls and Identity Management

Access controls are a great example of the need for technology in the data flow. Custodians, supervisors, and owners must all determine who has access to secure EPHI. There is no technology standard for this, but any entity wishing to comply with HIPAA should use identity and access management tools. Without such technology, it would be nearly impossible to maintain access control and related records of requests, approvals, and denials. Technological systems can help even more by automating account privilege recertification.

Controls for System and Environment Configuration

Any system that stores protected data must be configured following strict guidelines. When protecting data of this magnitude, it is critical to know the state of critical systems at any given time within the regulated environment; simple monitoring is insufficient.


Each individual system should be kept separate, configured solely for its specific purpose, monitored for vulnerabilities, and kept up to date on all software versions and securely administered.

Monitoring

It is critical to know who has access to sensitive data. HIPAA regulates not only the data but also the access to that data. Any application or technology that allows access to information must have a method of logging access that is strictly monitored.

Encryption and Information Flow Control

Obviously, data must be safeguarded wherever it is stored. However, in this day and age, information never stays in one place for long. As a result, the fourth and final compliance element must ensure data security at all times. Data must be encrypted during transfer and may only be moved to secure, previously approved locations.
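As an added example (not from the paper or Northcutt Dental's own systems), the Python below shows how the four practices above can be enforced in code: a PHI disclosure is allowed only when the requesting role has a legitimate business need, the purpose is routine or authorized by the patient (marketing, as in the case above, is not routine), the destination is pre-approved and the transfer is encrypted; every decision is written to an audit log, and stale account privileges are flagged for recertification. The role names, destination hostname and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Purposes HIPAA treats as routine; anything else (e.g. the campaign marketing
# in the Northcutt Dental case) needs the patient's written authorization.
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}
# Constructed role and destination lists: which roles have a legitimate
# business need for PHI, and which systems are pre-approved to receive it.
ROLE_HAS_BUSINESS_NEED = {"clinician": True, "billing": True, "campaign_manager": False}
APPROVED_DESTINATIONS = {"ehr.clinic.example"}  # hypothetical hostname


@dataclass
class DisclosureRequest:
    user: str
    role: str
    purpose: str
    destination: str
    encrypted: bool
    patient_authorized: bool = False


@dataclass
class PhiPolicy:
    audit_log: list = field(default_factory=list)  # every decision is recorded

    def evaluate(self, req: DisclosureRequest) -> tuple[bool, str]:
        """Allow or deny one PHI access/disclosure and log the decision."""
        if not ROLE_HAS_BUSINESS_NEED.get(req.role, False):
            reason = "role has no legitimate business need"
        elif req.purpose not in ROUTINE_PURPOSES and not req.patient_authorized:
            reason = "non-routine purpose without patient authorization"
        elif req.destination not in APPROVED_DESTINATIONS:
            reason = "destination not on the approved list"
        elif not req.encrypted:
            reason = "transfer is not encrypted"
        else:
            reason = "allowed"
        allowed = reason == "allowed"
        self.audit_log.append((req.user, req.role, req.purpose,
                               req.destination, allowed, reason))
        return allowed, reason


def stale_privileges(last_certified: dict, today: str, max_days: int = 90) -> list:
    """Accounts whose access was not recertified within max_days (ISO dates)."""
    t = date.fromisoformat(today)
    return sorted(user for user, day in last_certified.items()
                  if (t - date.fromisoformat(day)).days > max_days)
```

The audit log is what an OCR investigation or internal review would read to reconstruct who disclosed what, to where, and why it was or was not permitted.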

HIPAA compliance is a difficult task to complete. Overall, it can appear quite perplexing and almost incomprehensible. However, when broken down into basic components, HIPAA compliance is quite achievable for any organization that chooses to be proactive in its efforts. Determine who will be in charge of compliance within the organization and establish the policies required for compliance. Get the technology you need to maintain access controls and data security. Provide those in charge with compliance training. You can smooth out the glitches and adjust policies as you go, but the first step must be to determine what needs to be protected, who will protect it, and how!
