In January, 2013, HHS issued modifications to the HIPAA Privacy, Security, Enfor
Question
In January, 2013, HHS issued modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. The man charged with enforcing the rules said they represent "sweeping changes
1. Pick a major health care information breach from this website: www.beckershospitalreview.com/healthcare-information-technology/19-latest-healthcare-data-breaches.html
(Note: the list has some minor breaches; avoid those.) How was this breach treated by HHS? What would have been different under the pre-2013 rules? [40 points]
Explanation / Answer
The topic I am selecting is:
The Colorado Department of Health Care Policy and Financing notified more than 3,000 Colorado residents receiving Medicaid and CHIP benefits that their protected health information was unintentionally mailed to the wrong recipients.
The technology company at the center of an ongoing Medicaid payment fiasco in Colorado now says a system glitch might have inadvertently shared the private health information of 822 people.
The problem revealed Thursday comes after months of complaints about DXC Technology’s failure to reimburse doctors, therapists and others who care for needy and disabled Coloradans.
The state Medicaid department contracted with DXC Technology to run its revamped payment system. It went live on March 1, and immediately health care providers who care for people with Medicaid government insurance complained their requests for reimbursement were denied or stalled. Small therapists’ and doctors’ offices were forced to take out loans, borrowing against their homes or on their credit cards in order to pay their employees.
After the launch, wait times at a call center for health providers whose claims were rejected were reaching three hours. DXC has since added more workers to its call center.
The technology company and the Colorado Department of Health Care Policy and Financing, which manages the Medicaid program, said a security review determined that the “protected health information” of 822 people was “potentially accessible” from March 1 to May 10. An internet hyperlink to 12 Medicaid billing reports containing the protected information may have been accessible for more than two months.
The patients whose information was potentially breached have been notified, DXC Technology said.
The billing reports included patient names and Medicaid numbers, as well as their doctors’ names and addresses, the codes for types of medical services they received and on what dates. It also included cost of services. The information did not include Social Security numbers, birth dates or addresses of the patients, DXC said.
“While DXC Technology has no reason to believe this information has been used inappropriately,” the company said it is offering one free year of identity theft protection for people affected.
According to The Denver Post, the error stemmed from a computer glitch that caused confidential information to be sent to the wrong recipients. More than 3,000 Colorado residents who receive state benefits may have been affected, according to the report.
The department learned of the error when a resident who received a letter with someone else's information notified the department of the incorrect mailing July 1. The Governor's Office of Information Technology corrected the error July 5. Letters with incorrect information were mailed between May 25 and July 5, according to the breach notification.
Compromised information includes names, addresses, state identification numbers, Medicaid case numbers, employer name, income, amount of an Advanced Premium Tax Credit and if individuals were approved or denied for medical assistance programs. No Social Security numbers or other financial information was disclosed.
How was this breach treated by HHS?
A 1996 law — the Health Insurance Portability and Accountability Act, or HIPAA — guides federal efforts to reduce the risk of health care data breaches. The Department of Health and Human Services issues HIPAA security and privacy rules that spell out what health care providers are expected to do to reduce the risk of PHI being compromised. Ignoring these regulations can result in large financial penalties for hospitals and medical practices and cause serious damage to their reputation.
HHS’ Office of Civil Rights (OCR) has been charged with monitoring providers’ adherence to HIPAA. It has created a website to alert the public to violations of the Privacy and Security Rules. Sometimes called the “Wall of Shame,” it lists over 1,000 providers that have experienced breaches, ranging from small providers to recognizable health care systems like Kaiser Permanente, Mount Sinai Medical Center and Anthem Blue Cross Blue Shield. While the portal doesn’t include details on the financial penalties, those figures are available elsewhere on the OCR site.
Investigation into a potential HIPAA violation typically begins when someone files a complaint with OCR. If the office uncovers a violation, it takes numerous factors into account when deciding whether to fine a provider and the amount of the penalty. While there is no simple formula, OCR considers how well prepared the organization was to ward off a breach in the first place: Did it perform a threat assessment? Did it train its employees to avoid common mistakes? Did it make a reasonable effort to safeguard PHI using physical and electronic measures?
More egregious violations incur larger penalties, which can run into millions of dollars.
Full details on the HIPAA Security Rule and how to comply with it are available in my book Protecting Patient Information. Essentially, the rule requires any organization that creates, manages or transports patient data to protect that information by putting in place a variety of physical and electronic safeguards. They include performing an extensive risk analysis to uncover potential weaknesses in its computer network, securing PHI on mobile devices, training employees and securing faxes that contain PHI. Providers are also expected to take reasonable precautions to protect paper records and must ensure that physical access to their computers is safeguarded.
Please let me know if any clarifications are required. Thanks!