
Assignment Paper: HIPAA for Healthcare Professional Violation Case and How to Prevent Future Occurrence

Temi Abdulazeez

HSA515

Professor Chad Moretz

October 23rd, 2022


Abstract

The healthcare and technology world continues to evolve and expand, while HIPAA (the Health Insurance Portability and Accountability Act), the United States of America's fundamental patient privacy law, strives to keep up with this evolving world of information in healthcare. Revealing personal health information without patient consent is common in healthcare and is the basis for many lawsuits against healthcare facilities. Confidential information can fall into the wrong hands in many ways. This paper analyzes a case showing HIPAA violations and what hospital leadership can do to prevent future violations. It violates the HIPAA Title II Security Rule to disclose confidential patient information without consent. This rule was enacted in response to private information being leaked to the media and unauthorized people reading emails containing privileged information. Patient privacy should be taken seriously because identity theft is a genuine concern.


Introduction

The healthcare industry has established specific standards and laws to protect patients and their personal health information (PHI). When a healthcare facility fails to protect its patients' confidential information, the US government may intervene through the Department of Health and Human Services' Office for Civil Rights (OCR), and the facility may be forced to pay large sums of money in fines and risk its reputation. This paper describes a case in which a dental practice was fined $62,500 to settle HIPAA violations for an impermissible disclosure of PHI for marketing purposes, a data breach that exposed the health information of 1,727 patients (No author, 1).

Case Analysis: Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Northcutt Dental's operator and owner, Dr. David Northcutt, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt hired a campaign manager and a third-party marketing firm to help with the state senate election campaign. The campaign manager was given an Excel spreadsheet containing the names and addresses of 3,657 patients, and letters were sent to each of them informing them that Dr. Northcutt was running for state senate. The email addresses of those people, and the email addresses of another 1,727 patients, were given to the marketing firm Solutionreach so that it could send a campaign email (No author, 1).


OCR determined that the PHI disclosures to the campaign manager and the third-party marketing company were improper disclosures. OCR also discovered that Northcutt Dental did not appoint a HIPAA Privacy Officer until November 14, 2017 and that policies and procedures for the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. Northcutt Dental agreed to a $62,500 fine and a corrective action plan to address the alleged areas of noncompliance (No author, 1).

Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to establish standards for healthcare providers that simplify healthcare administration, eliminate waste, prevent healthcare fraud, and ensure employees can keep their healthcare coverage while switching jobs. Congress passed this law to protect patient health information from unauthorized individuals or organizations, as well as to make health care usable and to offer non-discriminatory protection to all patients (HIPAA Journal, 2). Nobody wants to go to the hospital and speak to the doctor in confidence, only to find out later that the same information they provided to the doctor has been made public.

Standards have been introduced since its passage to improve patients' rights and protect Protected Health Information (PHI). Failure to comply with these standards is considered a HIPAA violation, even if no harm has occurred. When a healthcare facility violates laws protecting patients and their personal health information, it may face court challenges that could lead to huge fines, de-licensing, and reputational damage (Joy, 3). The Department of Health and Human Services' Office for Civil Rights (OCR) is the regulatory body mandated to investigate any form of HIPAA violation in healthcare facilities. The HIPAA law is divided into four sections: portability, transactions, security, and privacy (HIPAA Journal, 5).


One of the most common types of complaints, for example, is the failure to provide patients with copies of their PHI upon request. As discussed above, this is another type of HIPAA violation and is subject to the penalties imposed for HIPAA violations (No Author, 4).

Implication of HIPAA on the Healthcare System

To assist with the transition from paper records to electronic copies of health information, HIPAA introduced a number of significant benefits for the healthcare industry. HIPAA has aided in the streamlining of administrative healthcare functions, the improvement of efficiency in the healthcare industry, and the secure sharing of protected health information. The standards for recording health data and electronic transactions ensure that everyone sings from the same hymnal. Because all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, the transfer of electronic health information between healthcare providers, health plans, and other entities is greatly facilitated (No Author, 6).

Patients may reap the greatest benefits from HIPAA. HIPAA is significant because it requires healthcare providers, health plans, healthcare clearinghouses, and HIPAA-covered entities' business associates to implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants sensitive data or health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data, and no consequences if they did not. HIPAA rules require healthcare organizations to control who has access to health data, limiting who can view health information and with whom it can be shared (No Author, 6).
HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, as well as information created, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who receives and shares their information.

HIPAA is essential for patients who want to take a more active role in their healthcare and obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients can obtain copies, they can check for errors and ensure that they are corrected (No Author, 6).

Obtaining copies of health information also benefits patients when seeking treatment from new healthcare providers. Because information can be passed on, tests do not need to be repeated, and new healthcare providers have a patient's entire health history to inform their decisions. There were no requirements for healthcare organizations to release copies of patients' health information before the HIPAA Privacy Rule was implemented.

Other benefits of the HIPAA Privacy Rule are as follows:

It gives patients more control over their medical data.
It establishes guidelines for the use and disclosure of medical records.
It establishes appropriate safeguards that healthcare providers and others must implement to protect health information privacy.
It holds violators accountable by imposing civil and criminal penalties for violating patients' privacy rights.
It also strikes a balance when public responsibility supports the disclosure of certain data types, such as protecting public health.
For patients, it means making informed decisions about seeking care and receiving reimbursement for care based on how personal health information is used.
It allows patients to learn how their information may be used and about specific disclosures.
It generally restricts the release of information to the minimum required for disclosure.
It generally grants patients the right to inspect and obtain a copy of their medical records and request corrections.
It allows individuals to control how their health information is used and disclosed.

Prevention of HIPAA Violation


Transparency is essential in regulations such as HIPAA. Any activity involving regulated data systems could be audited. As a result, within the organizational structure, there must be checks and balances and policies in place to ensure that electronic protected health information (EPHI) is only available to those with a legitimate business need. Such access must be closely monitored. EPHI must be encrypted during storage and during transfer over any unprotected network, and only moved to authorized locations (Jacksonville, 7).

Access Controls and Identity Management

Access controls are a great example of the need for technology in the data flow. Custodians, supervisors, and owners must all determine who has access to secure EPHI. There is no technology standard for this, but any entity wishing to comply with HIPAA should use identity and access management tools. Without such technology, it would be nearly impossible to maintain access control and related records of requests, approvals, and denials. Technological systems can help even more by automating account privilege recertification (Jacksonville, 7).
Controls for System and Environment Configuration

Any system that stores protected data must be configured following strict guidelines. When protecting data of this magnitude, it is critical to know the state of critical systems at any given time within the regulated environment; simple monitoring is insufficient. Each individual system should be kept separate, configured solely for its specific purpose, monitored for vulnerabilities, kept up to date in all software versions, and securely administered. When controlling sensitive data, it is critical to know who has access to it. HIPAA regulates not only the data but also the access to that data. Any application or technology that allows access to information must have a method of logging access that is strictly monitored (Jacksonville, 7).
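The access control, audit logging and privilege recertification described in the two sections above can be made concrete in code. The following Python module is an added illustration and is not code from this paper or from the cited NetTech Consultants article; the roles, account names, record identifiers, the 90-day recertification interval and the purpose-to-role policy are all constructed assumptions. Every request is decided against the requester's role and recertification status, and every request, approval and denial is written to an append-only log so that the records the text calls for exist. Marketing is deliberately absent from every role's permitted purposes, which mirrors the case above: a marketing disclosure of PHI needs separate patient authorization, not an ordinary role grant.

```python
"""Role-based EPHI access gateway with audit trail and privilege recertification.

Added example, not code from the paper or any cited source. All names, roles,
record ids and the recertification interval are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed recertification period; HIPAA does not mandate a specific interval.
RECERT_INTERVAL = timedelta(days=90)

# Constructed sample policy: purposes for which each role may access EPHI.
# "marketing" appears under no role: it needs separate patient authorization.
ROLE_PERMISSIONS = {
    "clinician": {"treatment"},
    "billing": {"payment"},
    "privacy_officer": {"treatment", "payment", "operations"},
}


@dataclass
class Account:
    user: str
    role: str
    last_certified: date
    disabled: bool = False


@dataclass
class AccessLog:
    """Append-only record of every request, approval and denial."""
    entries: list = field(default_factory=list)

    def record(self, when, user, action, target, decision, reason):
        self.entries.append({
            "when": when.isoformat(), "user": user, "action": action,
            "target": target, "decision": decision, "reason": reason,
        })


class EphiGateway:
    def __init__(self, accounts, log):
        self.accounts = {a.user: a for a in accounts}
        self.log = log

    def request_access(self, user, record_id, purpose, today):
        """Return (granted, reason); every outcome is logged, not just denials."""
        acct = self.accounts.get(user)
        if acct is None or acct.disabled:
            reason = "no active account"
        elif today - acct.last_certified > RECERT_INTERVAL:
            reason = "privilege recertification overdue"
        elif purpose not in ROLE_PERMISSIONS.get(acct.role, set()):
            reason = f"purpose '{purpose}' not permitted for role '{acct.role}'"
        else:
            reason = "permitted"
        granted = reason == "permitted"
        self.log.record(today, user, "access", record_id,
                        "approved" if granted else "denied", reason)
        return granted, reason

    def overdue_accounts(self, today):
        """Active accounts whose privileges must be recertified before further use."""
        return sorted(a.user for a in self.accounts.values()
                      if not a.disabled and today - a.last_certified > RECERT_INTERVAL)

    def recertify(self, approver, user, today):
        """Only the privacy officer may re-approve an account's privileges."""
        officer = self.accounts.get(approver)
        acct = self.accounts.get(user)
        ok = (officer is not None and officer.role == "privacy_officer"
              and acct is not None)
        if ok:
            acct.last_certified = today
        self.log.record(today, approver, "recertify", user,
                        "approved" if ok else "denied",
                        "privacy officer review" if ok else "approver is not privacy officer")
        return ok


def demo():
    """Constructed scenario: routine care, a marketing request, and an overdue account."""
    today = date(2017, 6, 1)
    log = AccessLog()
    gw = EphiGateway([
        Account("dr_smith", "clinician", date(2017, 5, 1)),       # constructed
        Account("front_desk", "billing", date(2017, 1, 1)),       # 151 days old
        Account("privacy_officer", "privacy_officer", date(2017, 5, 1)),
    ], log)
    results = {
        "treatment": gw.request_access("dr_smith", "patient-0001", "treatment", today)[0],
        "marketing": gw.request_access("dr_smith", "patient-0001", "marketing", today)[0],
        "overdue": gw.request_access("front_desk", "patient-0001", "payment", today)[0],
        "overdue_list": gw.overdue_accounts(today),
    }
    gw.recertify("privacy_officer", "front_desk", today)
    results["after_recert"] = gw.request_access("front_desk", "patient-0001", "payment", today)[0]
    results["log_entries"] = len(log.entries)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the gateway never answers a request without logging it, so the audit trail is a by-product of enforcement rather than a separate step that can be forgotten, and an overdue account is refused even when its role would otherwise permit the request, which is what automated recertification buys over a one-time approval.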

Encryption and Information Flow Control

Obviously, data must be safeguarded wherever it is stored. However, in this day and age, information never stays in one place for long. As a result, the fourth and final compliance element must ensure data security at all times. Data must be encrypted during transfer and may only be moved to secure, previously approved locations (Jacksonville, 7).

Conclusion

HIPAA compliance is a difficult task. Overall, it can appear quite perplexing and almost incomprehensible. However, when broken down into basic components, HIPAA compliance is quite achievable for any organization that chooses to be proactive in its efforts. Determine who will be in charge of compliance within the organization and establish the policies required for compliance. Acquire the technology needed to maintain access controls and data security. Provide those in charge with compliance training. One can smooth out the glitches and adjust policies along the way, but the first step must be to determine what needs to be protected, who will protect it, and how it should be protected. In the case discussed above, OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017 and that the policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until early January 2018. Hence, healthcare organizations are expected to appoint a HIPAA Privacy Officer early, charged with the responsibility of ensuring that HIPAA policies and procedures related to the HIPAA Privacy and Breach Notification Rules are implemented and monitored for strict adherence. For example, if Northcutt Dental-Fairhope had appointed a HIPAA Privacy Officer earlier, he or she could have prevented the impermissible disclosure of PHI for the election campaign by ensuring that the organization followed HIPAA privacy regulations when sharing PHI.


Sources

1. No author. No date. HIPAA Violation Cases. https://www.hipaajournal.com/hipaa-violation-cases/
2. HIPAA Journal. April 18, 2022. What is a HIPAA Violation? https://www.hipaajournal.com/what-is-a-hipaa-violation/
3. Joy, H. March 2013. Medical Office: Avoid Violation of HIPAA Laws. http://medicaloffice.about.com/od/compliance/a/5-Ways-To-Break-Hipaa-Compliance.htm
4. No author. April 14, 2014. What does the HIPAA Privacy Rule do? https://www.hhs.gov/hipaa/for-individuals/faq/187/what-does-the-hipaa-privacy-rule-do/index.html#:~:text=It%20gives%20patients%20more%20control,the%20privacy%20of%20health%20information.
5. HIPAA Journal. February 12, 2022. Why is HIPAA Important? https://www.hipaajournal.com/why-is-hipaa-important/
6. No author. No date. The Ultimate HIPAA Guide: The Facts You Need to Know. https://evisit.com/resources/hipaa-guide
7. Jacksonville. May 14, 2020. The 9 Most Common HIPAA Violations and How to Prevent Them. https://nettechconsultants.com/blog/most-common-hipaa-violations/#:~:text=In%20order%20to%20reduce%20the,screen%2C%20and%20so%20forth).
