In what ways do the security guidelines that HIPAA provides assist or require organisations to identify risks and develop appropriate risk management strategies for information security? For example, what rights does someone have if he finds out that: (a) His medical file contained in the information system of a large medical centre has been read without authorisation by a receptionist.

The HIPAA Security Regulations therefore provides the framework within which the HIPAA is implementable by requiring reasonable measures[9] through processes, policies and controls.[10] It also provides formal sanctions in the event of failure to comply with established policies and procedures.[11] The HIPAA Security Guidance on the other hand is complimentary in respect of PHI during use of portable devices and offsite or transport of EPHI by use of laptops, personal digital assistants, etc.[12]

A)   In this instance the main issues arise out of the type of the information that was accessed, whether the receptionist is an authorized person who can access that information and the legality of the procedure.[13]

This case demonstrates that where there is laxity in processes and procedures and inadequate supervision in respect of sensitive or protected information,[14] there is likely to a breach such as this one. Indeed the information is protected and would have required authorization for it to be disclosed[15] and the reception is not an authorized person in this instance and the process she followed was wrong.[16]  In Guin V. Brazos Education[17], the defendant put in place the necessary security policies and properly followed the requisite procedure and therefore no liability could arise. This case is in sharp contrast with the class case before us. Sanctions therefore arise against the covered entity.[18]

B)   The difference here is that the Doctor is authorized to access the information however the issues arise in respect of whether she took adequate measures to restrict unauthorized access by using adequate technologies[19] such as encryption or other means such as password restrictions[20] and yet she is aware of the likely risks.[21]

Furthermore, she intends to use this information for a conference which is not required disclosure[22] and she therefore requires express authorization in writing[23]. Disclosure by a covered entity will only arise as permitted by the Privacy Rule and by the affected gentleman’s written permission.[24] The gentleman was not notified of the breach, he stumbled upon it on You Tube and as such the requirement imposed by the HIPAA Act for notification in case of breach was not met.

The first remedy would be to seek to resolve this matter under the procedural rules for investigations and informal resolution of compliance issues and failing which he can seek compensation by way of the civil money penalty (CMP).[25]

 

[1] Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

[2] The Privacy Rule, Security Guidelines, Administrative Simplification Rules, the Transactions Rules, the Identifier Rules (the NPI and EIN Rules)

[3] http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp., which makes provision for the covered entity

[4] The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”)

HIPAA Sections 261 – 264 and Administrative Simplification provisions

[5] The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) which provides for use and disclosure of the protected health information

[6]See sections 261 – 264 of the HIPAA

[7] Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

[8] 45 C.F.R. § 160.103

[9] HIPAA Security Regulations, 45 CFR Section 164.306(b)(1)

[10] HIPAA Security Regulations, 45 CFR Section 164.304

[11] HIPAA Security Regulations, 45 CFR Section 164.308 (a)(3)(ii)(C)

[12] HIPAA Security Guidance

[13] HIPAA Security Regulations, 45 CFR Section 164.306(b)(1)

[14] HIPAA Security Regulations, 45 CFR Section 164.308 (a)(3)(ii)(A)

[15] 45 C.F.R. § 160.103, it is Individually identifiable health information

[16] HIPAA Security Regulations, 45 CFR Section 164.304

[17] Guin v. Brazos Higher Education Services, Civ. No. 05-668, 2006 US Dist. Lexis 4846 (D.Minn. Feb 7, 2006)

[18] HIPAA Security Regulations, 45 CFR Section 164.308 (a)(3)(ii)(C)

[19] Guin v. Brazos Higher Education Services, Civ. No. 05-668, 2006 US Dist. Lexis 4846 (D.Minn. Feb 7, 2006)

[20] Guin v. Brazos Higher Education Services, Civ. No. 05-668, 2006 US Dist. Lexis 4846 (D.Minn. Feb 7, 2006)

[21]Bell v. Michigan Council 2005 Mich App. Lexis 353 (Mich. App. Febraury 15, 2005

[22] 45 C.F.R. § 164.502(a)(2).

See also OCR “Government Access” Guidance.

[23] 45 C.F.R. § 164.502(a).

[24] 45 C.F.R. § 164.502(a).

 

[25] Enforcement Rules Subparts C, part of Subpart D, and Subpart E of 45 C.F.R. Part 160; the substantive rules are generally in Subpart D.