Prior to beginning work on this assignment, read Chapters 9 through 11 from the Wager, Lee, & Glaser (2017) text, and the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015).
HIPAA is a law that was enacted to protect patients’ private health information (PHI). The HIPAA law was enacted in 1996. This law has since been amended to include more specifics on PHI as it relates to technology. Most recently, in 2009, HITECH, a segment of the American Recovery and Reinvestment Act, has been enacted to include an expansion to electronic PHI (ePHI). HITECH provides benefits for providers to encourage the adoption of ePHI systems.
Select a resolution agreement from the Health and Human Services’ 2018 OCR HIPAA Summary: Settlements and Judgements. For this assignment, you will provide an analysis on the HIPAA violation of patient health information (PHI) that was present in the case you selected. Be sure to include in-text citations and a reference entry for your chosen case from the Resolution Agreements page.
In your case analysis,
• Analyze the specific HIPAA privacy and security rules that were broken.
• Explain the penalties (if any) that were imposed as a result of the ruling on the case.
• Develop a health system improvement plan to include applicable Federal standards.
• Propose a risk analysis strategy addressing appropriate laws and regulations.
• Apply the lessons learned from this particular case to your Proposal and Final Presentation.
Resolution agreement:
September 2018
In September 2018, OCR announced that it has reached separate settlements totaling $999,000, with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.
In September 2018, OCR also settled with Advanced Care Hospitalists (ACH), a contractor physician group, for $500,000. ACH filed a breach report confirming that ACH patient information was viewable on a medical billing services’ website. OCR’s investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.