Summary of the Article
In January 2021, the Department of Health and Human Services’ Office for Civil Rights announced that Excellus Health Plan, a health insurance provider, had agreed to pay $5.1 million. The money was paid as a penalty in a HIPAA violation case arising from a data breach that affected 9.3 million individuals (Cohen, 2021). The company’s computer systems had been accessed by hackers for two years, between 2013 and 2015. Malware had been installed on the company’s computers, and data for approximately 9.5 million customers was accessed (Cohen, 2021). This data included names, contact information, dates of birth, social security numbers, health plan ID numbers, claims data, financial accounts, and clinical treatment information. Investigations revealed that the company was not in compliance with several HIPAA regulations and was, therefore, fined.
Mitigation or Prevention of Breach
Excellus Health Plan could have prevented the breach of the HIPAA privacy and security regulations by conducting regular risk analyses to identify weaknesses in its systems. These assessments of its electronic protected health information would have helped it devise means of strengthening its systems against malware. Additionally, since the breach resulted from unauthorized access, the company could have ensured that its data was appropriately protected by allowing only authorized persons to access it. The company could have established policies for regular reviews of the information system. These policies would have provided thorough assessment of the electronic data and devices to ensure they were maintained in line with company needs and regulations. The company could also have sought the services of electronic system developers to ensure its devices were equipped with the latest malware detection and removal tools.
Office for Civil Rights Enforcement Activities and Results
Similarities
In the majority of the cases, a third-party entity gains access to confidential information belonging to clients, thereby violating their privacy. In most situations, the access to data results from a shortcoming on the part of the party entrusted with the information, whether an insurer or a hospital (HIPAA Journal, 2021). HIPAA violation cases result in huge financial losses for the organizations entrusted with safeguarding such information.
Differences
A major difference arises in the nature of the institutions entrusted with safeguarding health information, which include hospitals and insurance agencies. A wide range of information is divulged in violations of the HIPAA rules, from personal information to medical and financial information (HIPAA Journal, 2020). The nature of the HIPAA violations also varies, ranging from hacks of electronic devices using malware, to disclosure of information by staff, to data leaks through unauthorized access.
Security Rule Violations and Privacy Rule Violations
Most of the security rule violations also involve privacy rule violations, as restricted information is accessed and then divulged. Most cases involve the use of malware to access protected data without the consent of the insurers, followed by inappropriate use of that information (HIPAA Journal, 2019). The information is reportedly sold to the highest bidders, who use it for their own marketing needs, interfering with the lives of the patients.
Types of Cases and their Resolution
The cases were mostly due to negligence on the part of the organization entrusted with protecting the information. The most common method of punishing the culprits involved fining them sums of money as compensation (HIPAA Journal, 2019). This is appropriate, alongside proper modifications to their systems to ensure compliance with HIPAA rules. Additional monitoring is also crucial and forms part of the resolution of most cases, as it ensures such errors are avoided in the future.
References
Cohen, J. K. (2021). Excellus Blue Cross and Blue Shield to pay $5.1M HIPAA penalty. Modern Healthcare.
HIPAA Journal. (2019). Dental practice fined $10,000 for PHI disclosures on Yelp. HIPAA Journal.
HIPAA Journal. (2020). HIPAA right of access failure results in $65,000 fine for University of Cincinnati Medical Center. HIPAA Journal.
HIPAA Journal. (2021). HIPAA violation cases. HIPAA Journal.