Future Occurrence
Temi Abdulazeez
HSA515
while HIPAA (the Health Insurance Portability and Accountability Act), the United States of
America's fundamental patient privacy law, is striving to keep up with this evolving world
common in healthcare and is the basis for many lawsuits against healthcare facilities.
Confidential information can fall into the wrong hands in many ways. This paper analyzes a
case showing HIPAA violations and what hospital leadership can do to prevent future violations.
It violates the HIPAA Title II Security Rule to disclose confidential patient information without
consent. This rule was enacted in response to private information being leaked to the media and
unauthorized people reading emails containing privileged information. Patient privacy should be
The healthcare industry has established specific standards and laws to protect patients and
their personal health information (PHI). When a healthcare facility fails to protect its patients'
confidential information, the US government may intervene through the Department of Health
and Human Services’ Office for Civil Rights (OCR), and the facility may be forced to pay large
sums of money in fines and risk its reputation. The paper describes a case in which a dental
practice professional was fined $62,500 for impermissible disclosure of PHI for marketing
purposes to settle HIPAA violations for a data breach that exposed the health information of
Case Analysis: Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for
Marketing Purposes
investigated by OCR over an impermissible disclosure of PHI. Northcutt Dental's operator and
owner, Dr. David Northcutt, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt
hired a campaign manager and a third-party marketing firm to help with the state senate election
campaign. The campaign manager was given an Excel spreadsheet containing the names and
addresses of 3,657 patients, and letters were sent to each of them informing them that Dr.
Northcutt was running for state senate. The email addresses of those people, and the email
addresses of another 1,727 patients, were given to the marketing firm Solutionreach in order for
marketing company were improper disclosures. OCR also discovered that Northcutt Dental did
not appoint a HIPAA Privacy Officer until November 14, 2017 and that HIPAA Privacy and
Breach Notification Rules policies and procedures were not implemented until January 1, 2018.
Northcutt Dental agreed to a $62,500 fine and a corrective action plan to address the alleged
eliminate waste, prevent healthcare fraud, and ensure employees could keep their healthcare
coverage while switching jobs. Congress passed this law to protect patient health information
from unauthorized individuals or organizations, as well as to make health care useable and to
offer non-discriminatory protection to all patients (HIPAA Journal, 2). Nobody wants to go to
the hospital and communicate to the doctor confidentially, only to find out later that the same
Standards have been introduced since its passage to improve patients' rights and protect
Protected Health Information (PHI). Failure to comply with these Standards is considered a
HIPAA violation, even if no harm has occurred. When a healthcare facility violates laws
protecting patients and their personal health information, it may pose court challenges that could
lead to huge fines, de-licensing, and reputational damage (Joy, 3). The Department of Health and
Human Services Office for Civil Rights (OCR) is the regulatory body mandated to investigate any
form of HIPAA violation in our healthcare facilities. The HIPAA law is divided into four
copies of their PHI upon request. As discussed above, this is another type of HIPAA violation
and the penalty imposed for HIPAA violations (No Author, 4).
To assist with the transition from paper records to electronic copies of health information,
HIPAA introduced a number of significant benefits for the healthcare industry. HIPAA has aided
healthcare industry, and the secure sharing of protected health information. The standards for
recording health data and electronic transactions ensure that everyone sings from the same
hymnal. Because all HIPAA-covered entities must use the same code sets and nationally
recognized identifiers, the transfer of electronic health information between healthcare providers,
health plans, and other entities is greatly facilitated (No Author, 6).
Patients may reap the greatest benefits from HIPAA. HIPAA is significant because it
entities' business associates to implement multiple safeguards to protect sensitive personal and
health information.
While no healthcare organization wants sensitive data or health information stolen, there
they did not. HIPAA rules require healthcare organizations to control who has access to health
data, limiting who can view health information and who it can be shared with (No Author, 6).
HIPAA helps to ensure that any information disclosed to healthcare providers and health
plans, as well as information created, transmitted, or stored by them, is subject to strict security
controls. Patients are also given control over who receives and shares their information.
HIPAA is essential for patients who want to take a more active role in their healthcare
and obtain copies of their health information. Even with great care, healthcare organizations can
make mistakes when recording health information. If patients can obtain copies, they can check
for errors and ensure that they are corrected (No Author, 6).
Obtaining copies of health information also benefits patients when seeking treatment
from new healthcare providers. Because information can be passed on, tests do not need
to be repeated, and new healthcare providers have a patient's entire health history to inform their
decisions. There were no requirements for healthcare organizations to release copies of patients'
It establishes appropriate safeguards that healthcare providers and others must implement to
It holds violators accountable by imposing civil and criminal penalties for violating patients'
privacy rights.
It also strikes a balance when public responsibility supports the disclosure of certain data types,
It allows patients to learn how their information may be used and about specific disclosures.
It generally restricts the release of information to the minimum required for disclosure.
It generally grants patients the right to inspect and obtain a copy of their medical records and
request corrections.
It allows individuals to control how their health information is used and disclosed.
data systems could be audited. As a result, within the organizational structure, there must be
checks and balances and policies in place to ensure that electronically protected health
information (EPHI) is only available to those with a legitimate business need. Such access must
be closely monitored. Encrypted during storage and transfer on any unprotected network and
Access controls are a great example of the need for technology in the data flow. Custodians,
supervisors, and owners must all determine who has access to secure EPHI. There is no
technology standard in this, but any entity wishing to comply with HIPAA should use identity
and access management tools. Without such technology, it would be nearly impossible to
maintain access control and related records of requests, approvals, and denials. Technological
systems can help even more by automating account privilege recertification (Jacksonville, 7).
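As an added illustration (not part of this paper or of any cited source), the following Python sketch shows how an identity and access management layer could enforce the points above: only a role with a legitimate business need may export patient contact data, an account whose privileges have not been recertified recently is refused, a marketing purpose releases only the records of patients who authorized it, and every decision is written to an audit record. Role names, the 90-day recertification interval and the patient data are constructed for the example.

```python
from collections import namedtuple
from datetime import date

# Purposes for which a covered entity may use PHI without patient authorization
# (treatment, payment, health care operations); marketing is not among them.
PERMITTED_WITHOUT_AUTHORIZATION = {"treatment", "payment", "operations"}
RECERT_INTERVAL_DAYS = 90  # assumed cadence for account privilege recertification

Account = namedtuple("Account", "user roles last_recertified")
Patient = namedtuple("Patient", "patient_id email marketing_authorized", defaults=[False])


class DisclosureGate:
    def __init__(self, today):
        self.today = today
        self.audit_log = []  # every allow/deny decision is recorded for later review

    def _deny(self, account, purpose, reason):
        self.audit_log.append(("DENY", account.user, purpose, reason))
        return []

    def export_contacts(self, account, purpose, patients):
        """Return the patient emails `account` may disclose for `purpose`."""
        if "phi_export" not in account.roles:
            return self._deny(account, purpose, "role lacks phi_export")
        if (self.today - account.last_recertified).days > RECERT_INTERVAL_DAYS:
            return self._deny(account, purpose, "privilege recertification overdue")
        if purpose in PERMITTED_WITHOUT_AUTHORIZATION:
            allowed = list(patients)
        else:  # marketing: only patients who signed a marketing authorization
            allowed = [p for p in patients if p.marketing_authorized]
        self.audit_log.append(("ALLOW", account.user, purpose, len(allowed)))
        return [p.email for p in allowed]


def demo():
    """Constructed scenario: billing export, campaign mailing, stale account."""
    gate = DisclosureGate(today=date(2017, 6, 1))
    patients = [Patient("p1", "p1@example.com"), Patient("p2", "p2@example.com", True)]
    billing = Account("billing_clerk", {"phi_export"}, date(2017, 5, 1))
    campaign = Account("campaign_mgr", set(), date(2017, 5, 1))
    stale = Account("old_admin", {"phi_export"}, date(2016, 12, 1))
    return {
        "billing": gate.export_contacts(billing, "payment", patients),
        "campaign": gate.export_contacts(campaign, "marketing", patients),
        "stale": gate.export_contacts(stale, "marketing", patients),
        "authorized_only": gate.export_contacts(billing, "marketing", patients),
        "log": gate.audit_log,
    }
```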
Controls for System and Environment Configuration
Any system that stores protected data must be configured following strict guidelines. When
protecting data of this magnitude, it is critical to know the state of critical systems at any given
time within the regulated environment; simple monitoring is insufficient. Each individual system
should be kept separate, configured solely for its specific purpose, monitored for vulnerabilities,
with all software versions kept up to date and securely administered. When controlling
access, it is critical to know who has access to sensitive data. HIPAA regulates not only the data but
also the access to that data. Any application or technology that allows access to information must
Obviously, data must be safeguarded wherever it is stored. However, in this day and age,
information never stays in one place for long. As a result, the fourth and final compliance
element must ensure data security at all times. It must be encrypted during transfer and may only
Conclusion
HIPAA compliance is a difficult task to complete. Overall, it can appear quite perplexing
and almost incomprehensible. However, when broken down into basic components, HIPAA
compliance is quite achievable for any organization that chooses to be proactive in its efforts.
Determine who will be in charge of compliance within the organization and establish the policies
required for compliance. Get the technology needed to keep access controls and data security.
Provide those in charge with compliance training. One can smooth out the glitches and adjust
policies along the way, but the first step must be to determine what needs to be protected, who will
protect it, and how it should be protected. In the court case discussed above, OCR also
determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until
November 14, 2017, and that the policies and procedures related to the HIPAA Privacy and Breach
Notification Rules were not implemented until early January 2018. Hence, healthcare
organizations are expected to appoint a HIPAA Privacy Officer early, who is charged with
the responsibility of ensuring that HIPAA policies and procedures related to the HIPAA Privacy
and Breach Notification Rules are implemented and monitored for strict adherence. For example, if
Northcutt Dental-Fairhope had appointed a HIPAA privacy officer, he/she would have
prevented the impermissible disclosure of PHI for the election campaign by ensuring that
violation-cases/.
Violation? https://www.hipaajournal.com/what-is-a-hipaa-violation/.
HIPAALaws. http://medicaloffice.about.com/od/compliance/a/5-Ways-To-Break-Hipaa-Compliance.htm.
do? https://www.hhs.gov/hipaa/for-individuals/faq/187/what-does-the-hipaa-privacy-rule-do/index.html#:~:text=It%20gives%20patients%20more%20control,the%20privacy%20of%20health%20information.
Important? https://www.hipaajournal.com/why-is-hipaa-important/.
Know. https://evisit.com/resources/hipaa-guide.
violations/#:~:text=In%20order%20to%20reduce%20the,screen%2C%20and%20so%20forth).