HIPAA Technology Breach Presentation

HIPAA Breach: Overview

• HIPAA – health, insurance, portability & accountability act;
• Components: data interchange standards, privacy protections & identifiers;
• HIPAA protects patient rights, e.g., access to records;
• Privacy Rule: ePHI usage or disclosure standards;
• HIPAA breach:

• • Impermissible utilization or disclosure of ePHI;
  • Amounts to Privacy Rule violation.

HIPAA specifies data exchange codes, federal standards, and privacy safeguards for protecting electronic patient health information (ePHI) maintained or shared by providers. Under HIPAA, a patient has a right to access his/her ePHI, amend it, limit its use, etc. (HHS.gov, 2017). The Privacy Rule includes national standards for using ePHI, while the Security Rule stipulates institutional confidentiality protections. A HIPAA breach violates this rule and jeopardizes the integrity and privacy of medical information. It involves an impermissible utilization or disclosure of ePHI during use or transmission, resulting in sensitive data getting into the wrong hands.

Choice of Topic

The topic is significant because:

• HIPAA breaches jeopardize:

• • Individual autonomy;
  • Respect;
  • Human dignity.

• PHI disclosure to insurer causes stigma & embarrassment.

Privacy assurance: complete ePHI disclosure to doctors.

Patients unlikely to share critical information:

• Incomplete data – affects care quality.

Bioethics principle:

• Individual choices – when to share ePHI.

The reason for choosing this topic is that respecting patient privacy is consistent with basic values of autonomy, respect, and human dignity when using healthcare technology. Therefore, a HIPAA breach jeopardizes the nonmaleficence principle that is fundamental to quality healthcare. Unauthorized ePHI disclosure to third parties exposes patients to social stigma and embarrassment. They may also face discrimination in workplaces. Without an assurance of privacy, they may withhold critical information required to provide optimal care. Incomplete subjective data cannot support quality and patient-centered healthcare.

How Often Breaches Occur

HIPAA breaches are quite prevalent;

• Nationally, Privacy Rule complaints (2003-2018) are 173,426 (HHS.gov, 2018);
• Affected hospitals implement OCR corrective action plans.

HIV information disclosure to the employer at St. Luke’s (HHS.gov, 2017).

CaseFirst – cyberattacks that targeted patient data (Snell, 2017).

Five breaches reported by FMCNA network (HHS.gov, 2018):

• Impermissible disclosure & access to ePHI.

HIPAA breaches are a common occurrence in hospitals. According to the HHS.gov (2018), 173,426 Privacy Rule complaints have been raised with the Office for Civil Rights (CF) between 2003 and 2018. For cases where violations have been found, hospitals have to implement corrective action plans. Examples of such breaches are the disclosure of sensitive HIV information at St. Luke’s, cyberattacks at CaseFirst, and five impermissible disclosures of ePHI at FMCNA facilities nationally.

Severity of HIPAA Breaches

Breach penalties – depend on harm & ePHI sensitivity.

Severity scale:

• Low-risk ePHI compromised & no harm: No breach notification needed;
• Moderate-risk ePHI exposed & unknown harm: Breach notification is necessary;
• More than one ePHI compromised & major harm: Requires breach notification.

Compensation of the affected patient:

• St. Luke’s paid $387,200 for HIPAA violations (HHS.gov, 2017);
• FMCNA remitted $3.5 million for five breaches (HHS.gov, 2018).

HIPAA violations – intentional, unintentional, or malicious – attract penalties that depend on the nature of the harm caused and how sensitive the ePHI compromised is to the patient. The severity scale comprises low-risk, moderate-risk, and multiple ePHI breaches. They differ on whether breach notification is needed or not. The level of compensation depends on the nature of the violation and harm caused to the patient. The ORC imposes penalties on providers for any violations or breaches reported.

Intervention to Reduce HIPAA Breaches

Technical safeguards – ePHI encryption could prevent breaches:

• Patient information turned into unreadable, coded text.

Codes required for decryption – prevents unauthorized access.

Consistent with HIPAA Security Rule – ePHI safeguards.

Benefits:

• Unauthorized user cannot read ePHI;
• Security – only genuine login credentials can give access.

Authentication required to access or transmit data.

An intervention that could reduce the likelihood of HIPAA breaches is data encryption. This technical safeguard involves converting ePHI into coded text before transmission. Only authorized persons can decrypt this information using a user key or code. This intervention is consistent with HIPAA’s Security Rule, which prescribes that hospitals should implement safeguards to protect ePHI integrity and privacy (HHS.gov, 2018). The benefits of encryption include it limits access to data through login credentials and ensures unauthorized users cannot read sensitive information in an encrypted format. As such, the integrity of ePHI cannot be compromised during cyberattacks on an institution’s information systems.

Conclusion

HIPAA breach – impermissible ePHI access or disclosure:

• Jeopardizes the security and confidentiality of ePHI.

Notification is mandatory for high-risk ePHI.

Possible outcomes:

• OCR fines & penalties imposed on providers: Depends on the level of negligence;
• HIPAA breach has implications on:
  • Individual autonomy;
  • Respect;
  • Human dignity.

• Withholding of information – incomplete data: Affects healthcare quality.

A HIPAA breach results from an impermissible ePHI access or disclosure by providers. The violation jeopardizes the security and privacy of data. Notification of affected persons is needed when a breach has occurred. The possible outcomes of HIPAA violations include fines and compensation to patients. The severity of the penalties is dependent on the level of negligence, harm caused, and the nature of ePHI that is compromised. HIPAA breaches also affect patient autonomy, respect, and dignity and may lead to the withholding of critical information required to deliver quality care.

References

HHS.gov. (2017). Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k. Web.

HHS.gov. (2018). Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules. Web.

Snell, E. (2017). CareFirst data breach case moves to US Supreme Court. Web.