by dxb625 (student)

In what ways do the security guidelines that HIPAA provides assist or require organisations to identify risks and develop appropriate risk management strategies for information security? For example, what rights does someone have if he finds out that:

(a) His medical file contained in the information system of a large medical centre has been read without authorisation by a receptionist. She has relayed information about a health crisis he wanted kept secret to his employer who is a close friend of the receptionist. The latter’s job merely entails arranging appointments at the centre.

(b) His medical file with photographs of an unusual and embarrassing medical condition he suffers from have been posted by a teenager on YouTube. The teenager found the information in unencrypted form on a USB flash on a train. It appears it fell out of a doctor’s pocket. She was taking the information home to work on writing a paper about the condition for a conference.

HIPAA[1] and the Rules and Guidelines[2] made thereunder provide an elaborate framework for health insurance: they identify who can legally hold information[3], whose information and what type of information[4] is protected, how that information[5] may be used, and how it may be accessed. The Privacy Rule[6] provides standards for the electronic exchange, privacy and security of information[7]. It therefore gives individuals privacy rights to understand and control how their health information is used; this information is “protected health information” (PHI).[8]


The HIPAA Security Regulations therefore provide the framework within which HIPAA is implementable, by requiring reasonable measures[9] through processes, policies and controls.[10] They also provide formal sanctions in the event of failure to comply with established policies and procedures.[11] The HIPAA Security Guidance, on the other hand, is complementary in respect of PHI during the use of portable devices and the offsite use or transport of EPHI on laptops, personal digital assistants, etc.[12]

(a) In this instance the main issues arise out of the type of the information that was accessed, whether the receptionist is an ...
