HIM 422 Final Project
Southern New Hampshire University, HIM 422 (Information Systems), Dec 6, 2023
Final Project: Executive Team Policy Recommendations Briefing
Southern New Hampshire University
HIM 422
Summary of the Problem
ABC Hospital is a 250-bed acute care hospital that recently had a data breach. The HIM department at the hospital has fifteen employees and seven medical coders who work remotely throughout the region. The data breach occurred when one of the coders violated HIPAA by accessing a neighbor’s PHI. This report is in response to the data breach and includes a briefing for stakeholders outlining the breach, its impact and consequences, recommendations for rectifying it, and ways to prevent another breach from occurring.

Nature of the Breach

As the HIM director at ABC Hospital, I was alerted to a recent data breach involving protected health information (PHI). The breach was caused by one of the remote coders employed by our hospital, who violated HIPAA when they accessed the medical record of one of their neighbors. Sensitive information about this patient was then shared with other neighbors, and the patient contacted our hospital’s legal department to file a complaint.

Breach Investigation

Upon discovery of the breach, I immediately notified the hospital’s Privacy Officer and assembled an incident response team that included the Privacy Officer, the chief information security officer, and several stakeholders from senior management, HR, and PR. We also brought in several members of the hospital’s legal team and a member of law enforcement to provide additional support. A preliminary investigation was then conducted to gather evidence, identify all PHI that was compromised, and determine whether the unauthorized activity involved unsecured PHI or other personal information subject to state and federal laws. Even though the employee who caused the violation was named in the complaint, it was important to verify this information during the investigation.

Risk Assessment and Communication Plan
Following the investigation, a risk assessment was performed to determine who the information was shared with, what type and amount of PHI was involved, and the potential financial, reputational, or other harm to the hospital. This was a crucial step in assessing the probable risk associated with the breach. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of PHI (HealthITSecurity, 2021). The affected patient was already aware of the incident; however, an official notification was sent to them as required by this rule, along with assurances that we at ABC Hospital take the protection of all patient information very seriously and that the incident would be thoroughly investigated.

Consequences
Per the Safe Harbor Bill, the U.S. Department of Health and Human Services is required to take an organization’s level of cybersecurity into account when it assesses fines for security incidents (HCRS, 2022). Fortunately, our quick response to the data breach helped to minimize the short-term consequences and avoid fines. If our response had been insufficient, or if numerous patients had been affected, the long-term consequences could have been significant: loss of patient data, a tarnished reputation, loss of trust from our patients, the community, and our partners, and possibly a hefty fine. For example, Community Health Systems “agreed to a $2.3-million settlement with the federal government for noncompliance with the HIPAA Security Rule” following a breach of the PHI of more than 6 million individuals (HealthITSecurity, 2021).

Key Stakeholders
Internal and External Stakeholders
There are key internal and external stakeholders who need to be notified in the event of a breach. Internal stakeholders include the organizational staff as well as executive leadership, including the chief executive officer (CEO) and the chief operating officer (COO), because they are responsible for final management decisions. The chief financial officer (CFO) would be notified because they are responsible for mitigating any financial impact of the breach. Human Resources was notified so they could determine disciplinary action, which in this case resulted in the employee’s termination because the employee intentionally accessed PHI and was not acting in good faith. Also, as noted above, the Privacy Officer was immediately notified when the breach was first discovered. Having a Privacy Officer is mandated by the HIPAA Privacy Rule, and they are responsible for creating and implementing policies and procedures to maintain HIPAA compliance (Alder, 2023). External stakeholders to notify in the event of a breach are any affected patients, the healthcare organization’s insurance company, and, depending on the number of patients impacted, the local community via the media.

Federal Stakeholders

The federal stakeholders who would need to be notified in the event of a data breach include the HHS Secretary and the media, as the HIPAA Breach Notification Rule requires that a breach affecting 500 or more individuals be reported to the U.S. Department of Health and Human Services within 60 days and must also include media notification (Health and Human Services, 2021). Upon investigation it was determined that only one patient’s information was accessed, so this is not necessary, but we will still need to inform the HHS Secretary no later than 60 days after the end of the calendar year in which the breach was discovered (Health and Human Services, 2021).
Policies
The Center for Medicare and Medicaid Services condition of participation 42 C.F.R. § 482.11 states “the hospital must be in compliance with applicable Federal laws related to health and safety of patients,” and standard § 482.13, Confidentiality of Patient Records, states “the patient has the right to the confidentiality of his or her clinical record” (Code of Federal Regulations, 2023). A HIPAA violation could put ABC Hospital out of compliance with these CMS standards, which may result in loss of CMS participation. The Joint Commission also has standards in place to ensure that facilities comply with regulations. These include standard IM.02.01.01, which states “The hospital protects the privacy of health information,” and standard IM.02.01.03, which states “The hospital maintains the security and integrity of health information” (TJC, 2022). Failure to comply with TJC standards could result in loss of accreditation. In the event of a data breach, 45 C.F.R. § 164.408 states that “A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information” (hhs.gov, 2022).

Impacts
Laws to Prevent Data Breaches
Over the years, data security laws imposed by federal, state, and international bodies have increased in an effort to lessen the vulnerability of healthcare organizations with regard to protecting patient health data, especially as data breaches become larger and more carefully targeted. Health information is considered to be “one of the most attractive targets for cybercriminals due to its inherent sensitivity and the price of a single patient file can be hundreds of dollars on the dark web” (Seh et al., 2020). Some of the laws developed to prevent data breaches are general protection rules that mandate the protection of certain kinds of data with “reasonable security but others provide a much more detailed set of requirements, some that even relate to the use of specific technologies, such as encryption” (Wu, 2023).

The HIPAA Security Rule and the Privacy Rule are laws established to protect electronic patient health information (ePHI) from possible data breaches. The Breach Notification Rule is another way of protecting data security, by informing law enforcement when a breach has occurred and notifying individuals whose data may be included in the breach. The Security Rule includes three components, Administrative, Physical, and Technical requirements, which have been developed to prevent security breaches such as the one this organization recently experienced. The Administrative requirements include setting policies to protect ePHI and managing employee conduct by knowing which employees have access to certain data, training employees, and performing data security assessments annually (HIPAA, 2022). The Physical requirements center around preventing “theft of devices that contain patient information but also include simple actions like a malicious actor looking over a healthcare professional’s shoulder when at their desktop” (HIPAA, 2022). The Technical requirements of the Security Rule include controls put in place to prevent data breaches, such as encrypting sensitive information, phishing training for employees, password rules, and alerts. The Privacy Rule pertains to all forms of patient PHI, not just ePHI, and was implemented to ensure patients’ health information is protected while still “allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing” (HHS, 2022). The HIPAA Privacy Rule was violated when the hospital’s coding employee committed privilege abuse by viewing her neighbor’s health record without reason or authorization, and the hospital failed to protect the privacy of this patient’s protected
health information. The Security Rule’s Administrative requirement of managing employee conduct by knowing which employees have access to certain data was also violated. The Conditions of Participation (CoP) were developed by CMS for healthcare organizations that participate in federally funded programs such as Medicare and Medicaid and include standards that must be followed in order to participate in these programs. The Conditions of Participation were also violated, because 42 CFR §482.13 states that a hospital must protect and promote each patient’s rights. Condition §482.13(c)(1) states “the patient has the right to personal privacy” and §482.13(d)(1) states that “the patient has the right to the confidentiality of his or her clinical records” (CMS, 2008). This violation could lead to non-compliance resulting in corrective action plans, monetary sanctions, and exclusion from participating in these programs, which would result in lost revenue and a tarnished reputation.
In the event of a breach, communication is crucial for effective mitigation of damages.
Communication Plan
Key stakeholders need to be notified, including the Privacy Officer, the organizational staff, executive leadership (the chief executive officer (CEO), the chief operating officer (COO), and the chief financial officer (CFO)), and Human Resources. The HIPAA Breach Notification Rule mandates that affected patients be notified within 60 days. If more than 500 individuals are affected, the breach must be reported to the U.S. Department of Health and Human Services and must also include media notification (Health and Human Services, 2021). Also, the HHS Secretary must be notified no later than 60 days after the end of the calendar year in which the breach was discovered (Health and Human Services, 2021).

Non-Financial and Financial Impacts
The non-financial consequences of the breach could include loss of patient data, a tarnished reputation, and loss of trust from our patients, the community, and partners. The financial impact of the breach could include possible sanctions, lost revenue if excluded from participating in Medicare and Medicaid programs, and costly penalties: “non-compliance with HIPAA regulations include civil monetary penalties ranging from $100 to $50,000 per violation, depending on the level of culpability” (Alder, 2023).

Decision Making

In the event of a data breach, decisions will need to be made, including analysis of the organization’s finances to assess how well it can weather the data breach. Resources may need to be allocated and the organization may need to consider layoffs. Other decisions include whether to hire a service to find and verify patient addresses and send out notification letters to affected patients, and whether to set up a call center, since current staff may not be able to keep up with the volume of calls that will come in once affected patients receive notification that their PHI was included in the breach. Whether to offer credit monitoring to the victims will also need to be decided; credit monitoring can cost $5 to $15 per person, so it could be very costly (Healthcare Finance, 2017). If more than 500 individuals were impacted, the media will need to be notified, so whether to use a PR service is going to be a big decision and expense. “The Office of Civil Rights (OCR) will likely require a complete overhaul of the system and the hiring of an independent monitor for three years, as well as other fixes” (Sanborn, 2017), so deciding how to address this before the OCR gets involved will be an important decision.
Sponsored Initiatives
Our mission at ABC Hospital is to ensure the highest level of healthcare safety, quality, and efficiency while keeping data secure, and we work towards this goal by utilizing several federally funded initiatives. The Agency for Healthcare Research and Quality (AHRQ) “develops the knowledge, tools, and data needed to improve the healthcare system and help consumers, healthcare professionals, and policymakers make informed health decisions to improve the safety and quality of healthcare for all Americans” (DHHS, 2023). AHRQ helps with digital healthcare research and provides data analysis to help health organizations identify areas for improvement. HIPAA requires that standards be created to protect PHI, and the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce provides guidance on cybersecurity for organizations. NIST recently published a revision of its publication Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, which is designed to “help organizations maintain confidentiality, integrity and availability of electronic protected health information (ePHI) in response to a rise in cyberattacks affecting health care” (NIST, 2022).

Ethical and Legal Considerations
Ethical and Legal Risks
Ensuring that a patient’s health information is protected is one of the most important ethical and legal issues facing healthcare organizations. Unfortunately, health information is an attractive target for cybercriminals, and a data breach can expose the affected patients to identity theft and the healthcare organization to financial losses and a damaged reputation. The recent data breach at ABC Hospital highlights the importance of having stringent policies and procedures in place to help prevent this from happening in the future.
Loss of patient privacy was the ethical risk that contributed to the data breach when a remote coder employed by ABC Hospital intentionally accessed a neighbor’s health record and revealed sensitive information. A breach of healthcare ethics is a “situation in which requirements established by a code of ethics are violated, whether intentional or accidental” (Oachs & Watters, 2020). This breach contributed to the ethical issue of loss of autonomy and human dignity. The right to privacy is a fundamental human right, as stated in Article 12 of the Universal Declaration of Human Rights: “No one must be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation” (Qian, 2018). The affected patient’s right to privacy and autonomy was violated when the coder revealed his HIV diagnosis to others. Risks of a data breach in healthcare include financial loss, data theft, reputational damage, and risks to patient safety. The data breach at ABC Hospital was caused by the employee’s clear ethical lapse and opened the healthcare organization up to legal ramifications, including non-compliance with HIPAA federal law that could result in penalties ranging from $100 to $1.5 million (Gsimon, 2021), depending on which tier HIPAA assigns to the breach. The former employee could face possible criminal charges, jail time, and loss of employment.

Maintaining Compromised Information

Maintaining patient PHI during the data breach is of the utmost importance, as is the need to mitigate the damage. The most important step is to initiate the hospital’s incident response plan the minute a data breach is suspected. Having a sound incident response plan can help to minimize the impact of the data breach, prevent additional PHI from being accessed, and possibly reduce the fines that the hospital could incur. All evidence should be preserved so that
the investigators can determine how, when, and by whom the breach occurred. This information will help the hospital prevent future incidents. Next, the breach must be contained, and incident response management needs to begin immediately. The incident response team will manage the crisis, including providing notification as required by the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414 (Alder, 2023). The next and crucial step is to investigate, find out the how, why, and who of the breach, and repair the system if needed. It is imperative for ABC Hospital to better understand the implications of a security breach and the importance of implementing strict data breach policies and procedures to prevent this from happening in the future, or at the very least to mitigate the damage.
Policy Recommendations
Technology-Based Recommendations
This breach was an inside job, the result of snooping by an employee who was not authorized to access the patient’s health information. To safeguard sensitive patient data from unauthorized access in the future, robust security measures must be implemented, including role-based access controls that limit access to PHI based on the employee’s role in the organization. Also recommended is an activity monitoring system that will “monitor real-time EHR access, detect unusual activity, and alert administrators of potential breaches” (Levitt, 2023).
Other recommended technology includes data encryption, two-factor authentication, and audit trails that record every time someone accesses a patient’s information and provide the who, where, when, and what of the encounter.
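The following is an added example, not ABC Hospital's system or code from any source cited in this briefing, of how an audit-trail review can turn the recommendations above into concrete checks. It assumes a pipe-delimited EHR access log, a coding worklist that records which charts each remote coder is assigned (the role-based control), and street addresses for staff and patients so that an access to a neighbor's record can be flagged; all data is constructed.

```python
"""Audit-trail review for EHR chart access.

Added example, not ABC Hospital's or any vendor's code. Assumptions: a
pipe-delimited access log (timestamp|user|role|patient_id|action), a coding
worklist recording which charts each remote coder is assigned, and normalized
street addresses for staff (HR file) and patients (registration) so that an
access to a record whose address is on the employee's own street can be flagged.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit-trail lines (not real data).
SAMPLE_LOG = """\
2023-11-02T09:14:05|jdoe|coder|P1001|view
2023-11-02T09:16:40|jdoe|coder|P1002|view
2023-11-02T21:03:12|jdoe|coder|P2045|view
2023-11-02T10:30:00|rn_smith|nurse|P1001|view
2023-11-03T08:05:22|mlee|coder|P1002|view
"""

# Constructed coding worklist: charts each coder is currently assigned.
WORKLIST = {"jdoe": {"P1001", "P1002"}, "mlee": {"P1002", "P1003"}}

# Constructed address data, lower-cased "<number> <street>" strings.
STAFF_STREET = {"jdoe": "14 elm st", "mlee": "9 oak ave"}
PATIENT_STREET = {"P1001": "77 main st", "P1002": "3 pine rd", "P2045": "12 elm st"}

# Roles whose chart access is governed by an explicit assignment list
# (role-based access control), and the hours coding work is expected.
ASSIGNMENT_GOVERNED_ROLES = {"coder"}
WORK_HOURS = range(6, 20)  # 06:00 through 19:59


@dataclass
class Alert:
    user: str
    patient_id: str
    timestamp: str
    reason: str


def parse_line(line):
    """Split one audit line into (timestamp, user, role, patient_id, action)."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed audit line: {line!r}")
    return datetime.fromisoformat(fields[0]), fields[1], fields[2], fields[3], fields[4]


def street_name(addr):
    """Drop the house number so two neighbours on one street compare equal."""
    parts = addr.lower().split()
    return " ".join(parts[1:]) if len(parts) > 1 and parts[0].isdigit() else addr.lower()


def review_access_log(log_text, worklist, staff_street, patient_street):
    """Return an Alert for every access that fails one of three checks."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, pid, _action = parse_line(line)
        # 1. Role-based check: a coder may only open charts on their worklist.
        if role in ASSIGNMENT_GOVERNED_ROLES and pid not in worklist.get(user, set()):
            alerts.append(Alert(user, pid, ts.isoformat(), "chart not on user's worklist"))
        # 2. Relationship check: employee and patient live on the same street.
        if user in staff_street and pid in patient_street:
            if street_name(staff_street[user]) == street_name(patient_street[pid]):
                alerts.append(Alert(user, pid, ts.isoformat(), "patient on employee's street"))
        # 3. Timing check: chart opened outside expected working hours.
        if ts.hour not in WORK_HOURS:
            alerts.append(Alert(user, pid, ts.isoformat(), "access outside work hours"))
    return alerts


if __name__ == "__main__":
    for a in review_access_log(SAMPLE_LOG, WORKLIST, STAFF_STREET, PATIENT_STREET):
        print(f"{a.timestamp} {a.user} -> {a.patient_id}: {a.reason}")
```

On the constructed log, only the late-evening access by the coder to a chart off their worklist on their own street produces alerts; the nurse's access is not worklist-governed and the other coder stays within assignment.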
Organizational Challenges
Organizational challenges that contributed to ABC Hospital’s breach include insider threats, which were probably more problematic because the employee was working remotely. Administrative safeguards may have helped in this situation. AHIMA recommends an administrative safeguard that may have helped here, such as “requiring specialized remote access user agreements delineating obligation to adhere to administrative, technical, and physical safeguards designed to protect the privacy and security of ePHI” (AHIMA, 2022). One element of the policy that should be implemented is frequent risk assessments to identify security red flags that can then be addressed immediately to decrease the risk of a breach. It is also recommended to implement mandatory employee education on security risks, such as creating strong passwords, the dangers of sharing passwords, and opening phishing emails. It is important to have a thorough policy in place to help prevent data breaches, and it should include administrative, technical, and physical safeguards based on the HIPAA Security Rule to “ensure the confidentiality, integrity, and security” of electronic PHI (AHIMA, 2022).

Reducing Gaps
The HIPAA Security Rule and Privacy Rule standards help ensure quality and safety within an organization and help reduce gaps in securing PHI, safeguarding confidential patient data by outlining standards and giving guidance on how PHI can be used and shared.
References

AHIMA. (2021). Safeguards for Remote Access. The American Health Information Management Association. https://library.ahima.org/doc?oid=71946
Alder, S. (2023, January 3). HIPAA Privacy Rule - Updated for 2023: Why Does the HIPAA Privacy Rule Exist? HIPAA Journal. https://www.hipaajournal.com/hipaa-privacy-rule/
Alder, S. (2023, June 30). What are the Penalties for HIPAA Violations? 2023 Update. HIPAA Journal. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
CMS. (n.d.). CMS Manual System: Pub. 100-07 State Operations Provider Certifications. Department of Health & Human Services (DHHS). https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/downloads/R37SOMA.pdf
Code of Federal Regulations. (2023). 42 CFR Part 482 -- Conditions of Participation for Hospitals. National Archives. Retrieved July 7, 2023, from https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-482
Gsimon. (2021). What are the Consequences of a Medical Record Breach. American Retrieval Company. https://americanretrieval.com/medical-records-breach/
HCRS. (2022). The Long-Term Damage of a Healthcare Data Breach. Healthcare Resolution Services. https://healthcareresolutionservices.com/blog/the-long-term-damage-of-a-healthcare-databreach/#:~:text=While%20its%20name%20usually%20conjures,soured%20reputation%20with%20industry%20partners
Health and Human Services. (2021). Breach Notification Rule. Office for Civil Rights (OCR). HHS.gov. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
HealthITSecurity. (2021). Ensuring Healthcare Industry Compliance with HIPAA in 2021. TechTarget. https://healthitsecurity.com/news/ensuring-healthcare-industry-compliance-with-hipaa-in-2021
HHS. (2022). The Security Rule. Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/security/index.html
NIST. (2023). NIST Updates Guidance for Health Care Cybersecurity. https://www.nist.gov/news-events/news/2022/07/nist-updates-guidance-health-care-cybersecurity
Oachs, P.K., Watters, A., & American Health Information Management Association. (2020). Health Information Management: Concepts, Principles, and Practice. AHIMA.
Qian, H. (2021, July 19). Our right to protect our autonomy and human dignity. Internet Society. https://www.internetsociety.org/blog/2018/08/our-right-to-protect-our-autonomy-and-human-dignity/
Sanborn, B. J. (2017). Breaking down the financial toll of healthcare data breaches. Healthcare Finance News. https://www.healthcarefinancenews.com/news/breaking-down-financial-toil-healthcare-data-breaches
Schooley, S. (2023). Importance of User Activity Monitoring. business.com. https://www.business.com/articles/user-activity-monitoring/
Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A., Agrawal, A., Kumar, R., & Khan, R. A. (2020). Healthcare data breaches: Insights and implications. Healthcare, 8(2), 133. https://doi.org/10.3390/healthcare8020133
TJC. (2022). Medical Record - Security | Ambulatory | Information Management IM. The Joint Commission. https://www.jointcommission.org/standards/standard-faqs/ambulatory/information-management-im/000001462/
Wu, S. (2023). Data Security Breaches: A Legal Guide to Prevention and Incident Response. Silicon Valley Law Group. https://www.svlg.com/data-security-breaches-a-legal-guide-to-prevention-and-incident.html