HIPAA & Auditing


The HHS’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Its enforcement has significantly improved the privacy practices of entities, particularly HIPAA covered entities. The corrective actions it has required have achieved systemic changes that have in turn improved the privacy protection of health information for all the individuals those entities serve. The HIPAA Security and Privacy Rules are meant to be followed, so entities and organizations must stay compliant and resolve issues in their services to ensure compliance with the HIPAA Security and Privacy Rules (Amatayakul, 2004).


Analysis of cases

Case One

HMO Revises Process to Obtain Valid Authorizations

In this case, the covered entity was a Health Plan/HMO and the issue was impermissible uses and disclosures; authorizations. It was alleged that the HMO disclosed a member’s protected health information without her consent by sending her entire medical record to a disability insurance company without her authorization. The OCR investigation found that the HMO had relied on a form that was not a valid authorization under the HIPAA Privacy Rule. To resolve this compliance issue, the HMO had to revise its processes and create a new HIPAA-compliant authorization form. The HMO also had to implement a new policy requiring staff to obtain patients’ signatures on the HIPAA-compliant form before disclosing any information about them, even if the patients brought their own authorization form (Office for Civil Rights, 2013).

Case Two

This case involves a private practice revising its access procedure to provide access despite an outstanding balance. The issue in this case is access to protected health information. The complainant alleged that a private practice physician denied her the right of access to her medical records because of an outstanding balance for services the physician had provided. Since the private practice is a covered entity, the OCR investigation explained to the physician that a covered entity must provide a patient with access to their health records within thirty days of the request, regardless of any outstanding balance for the services provided. On learning that this was against the HIPAA rules and regulations, the physician corrected the issue and complied with the rules by providing the complainant with a copy of her medical records (Office for Civil Rights, 2013).


Case Study

The HIPAA regulations cover both the privacy and the security of protected health information. The two are somewhat distinct, but they go hand in hand. The Privacy Rule concentrates on a person’s right to exercise control over their personal information: protected health information should not be shared without the consent and authorization of its owner. The Privacy Rule covers the confidentiality of protected health information in all forms, including paper, oral, and electronic, and includes an assurance that PHI is safeguarded from unauthorized disclosure. Privacy is, in effect, the physical security of all formats of protected health information. The Security Rule focuses on administrative, physical, and technical safeguards, with specific interest in electronic PHI. The organization must ensure that privacy and security for clients’ PHI are maintained and that any disclosure of information is authorized (Wheeler, Schiller, & Davis, 2011).

The major types of breaches and incidents in the reported cases are breaches of privacy and denial of the right of access to personal health records. Regardless of whether the patient has paid the whole service fee, they should never be denied access to their health records. On request, the physician should give the patient or client a copy of their health records within thirty days. The patient’s protected health information must be kept private and not disclosed without their consent and permission (Amatayakul, 2004).

Mitigating the risks and vulnerabilities that infringe the privacy of a client’s information, and thus threaten HIPAA compliance, entails both technical and non-technical controls. The technical controls include placing access controls and authentication on computer systems so that patients’ private and protected health information is not tampered with or shared. Non-technical methods include not sharing patients’ information with other bodies, for instance insurance agencies. Organizations and private physicians must always seek permission before disclosing protected information. Practitioners should be aware of the HIPAA rules so that they can prevent such issues. They should ensure direct contact with the client to ensure the release of the client’s health records on request (Wheeler, Schiller, & Davis, 2011).

The network architecture should take some important considerations into account in order to be compliant with HIPAA rules and regulations. Covered entities need good segmentation: clinical and administrative data and functions should be segmented, separated, and isolated to help limit the depth and scope of the security controls required on each kind of data. Identity and access management should be clearly defined in the architecture. There should be a manageable and strong access control and identity solution, so that the risk assessed under the customer’s risk management program is low and the accounting requirement is met. A HIPAA-compliant architecture should allow logging, auditing and monitoring of users’ access to PHI to satisfy the Security Rule. There should be the ability to encrypt and decrypt customer PHI in order to avoid risky and unwanted PHI exposures, thereby safeguarding PHI (Amatayakul, 2004).
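As an added illustration (not code from the source or from any covered entity), the following shows two of the safeguards this paragraph names in working form: role-based access control limited to each role's minimum necessary PHI fields, and a hash-chained, tamper-evident audit trail that records every access attempt, allowed or denied. The role-to-field map, user names and patient record are constructed, hypothetical data; encryption of the stored records is outside this snippet.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed, hypothetical role-to-field map ("minimum necessary" standard):
# each workforce role may read only the PHI fields its job requires.
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "patient": {"name", "diagnosis", "medications", "insurance_id"},
}
def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class PhiAccessGateway:
    """Mediates reads of PHI: enforces role-based access and records every
    request, allowed or denied, in a hash-chained (tamper-evident) audit log."""
    def __init__(self, records):
        self.records = records      # patient_id -> dict of PHI fields
        self.audit_log = []
        self._prev_hash = "0" * 64  # genesis value for the chain

    def _log(self, user, role, patient_id, fields, allowed):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "role": role, "patient": patient_id, "fields": sorted(fields),
                 "allowed": allowed, "prev": self._prev_hash}
        entry["hash"] = _digest(entry)
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def read(self, user, role, patient_id, requested_fields):
        requested = set(requested_fields)
        permitted = ROLE_FIELDS.get(role, set())
        if role == "patient" and user != patient_id:
            permitted = set()       # a patient may read only their own record
        allowed = requested <= permitted
        self._log(user, role, patient_id, requested, allowed)
        if not allowed:
            return None             # denied, but the attempt is still logged
        return {f: self.records[patient_id][f] for f in requested}

    def verify_audit_log(self):
        """Recompute the chain; False if any entry was altered or deleted."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

Each entry's hash covers the previous entry's hash, so editing or deleting a log line after the fact makes verify_audit_log() fail, which is the property an auditor reviewing PHI access history relies on.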

A hospital is both similar to and different from other organizations with regard to HIPAA compliance. It is similar in that it must adhere to the HIPAA regulations, but it differs in the severity of the regulations and penalties in the case of breaches, since some instances in a hospital may call for breaches of PHI in order to save a life. The violation penalties and punishments for hospitals differ in some instances and on some occasions from those of other organizations (Wheeler, Schiller, & Davis, 2011).

There are nine significant IT audit steps in an organization’s overall IT plan for ensuring HIPAA compliance: becoming familiar with the audit protocol, updating and maintaining documentation, conducting a review of the initial pilot audits, assessing the current HIPAA program governance, updating the risk analysis, running internal mock audits, changing mindset, focusing on the spirit of the IT audit, and discussing the process with other stakeholders and external hospitals (Wheeler, Schiller, & Davis, 2011).