MODULE INTRODUCTION
The chapter discusses the main principles of information security. Making the case for why security measures are necessary to protect health information sets the framework for all other discussions in the chapter. The general principles of security are deliberately kept separate from the specific HIPAA security provisions. The rationale for the separation is that while the HIPAA regulations may change, the general principles of good information security practice will not. Thus, regardless of what changes may or may not be made to the HIPAA security rules, the basic constructs remain the same.
Assignment Checklist
The topic items that follow are required for completing this module:
Discussion 10.1: HIPAA Changes Under ARRA [3d, 3g, 3h]
Dropbox 10.1: Lab Assignment 10.1 [3d, 3g, 3h]
Real World Case 10.1: Security Breach at Presbyterian Hospital and Columbia University [3d, 3g, 3h]
Real World Case 10.2: Riverside Health System [3d, 3g, 3h]
HIPAA Changes Under ARRA (15 POINTS)
In this discussion, you will identify the primary changes made to HIPAA by ARRA (whose HITECH Act provisions amended HIPAA). In addition, you will highlight several methods that can be used to detect inappropriate access, or attempted inappropriate access, to data.
For this discussion, you will answer the following questions in your post:
Identify the primary changes to HIPAA under ARRA.
Highlight several methods that can be used to detect inappropriate access, or attempted inappropriate access, to data.
For this discussion, read Chapter 10 and research online sources to gather information.
Guidelines
Please make sure your discussion posts include all of the items below:
Identify the primary changes to HIPAA under ARRA.
Highlight several methods that can be used to detect inappropriate access, or attempted inappropriate access, to data.
Note: your initial summary post should be one or two paragraphs in length (a paragraph is at least 3 sentences).
Lab Assignment 10.1: Security Breaches (15 POINTS)
Security breaches can occur at any time. In today's high-tech environment, a cybercriminal or a piece of malicious software can bypass security mechanisms with a single keystroke. A security breach can include unauthorized access to servers, networks, applications, and protected data. Common security breaches in healthcare include sending protected health information to the wrong patient, errors in the disposition of health records, loss or misplacement of health records, and an employee viewing a patient's health record with no legitimate reason for doing so.
Lab Assignment:
Review Chapter 10 to gather information.
Instructions:
For this assignment, you will list and describe the elements of a data security program. You will also describe how each element is used in health information management.
Review Chapter 10 to gather information, then complete the 10.1 Worksheet on Security Breaches and upload it to the 10.1 Dropbox.
Guidelines
Your completed worksheet should follow these guidelines and include the following information:
List and describe the elements of a data security program.
Describe how each element is utilized in health information management.
Make sure you fill out the worksheet thoroughly.
Real World Case 10.1: Security Breach at Presbyterian Hospital and Columbia University (20 POINTS)
For this activity, you will review Real World Case 10.1 in your textbook. You will analyze the situation and summarize how you would have addressed the issues.
The HIPAA Security Rule requires covered entities and business associates to perform a risk analysis of the potential threats and vulnerabilities affecting the confidentiality, integrity, and availability of their e-PHI. Entities and business associates can structure that assessment using five steps:
Identify the risks: the threats to e-PHI and the vulnerabilities they could exploit.
Determine who could be harmed by each risk, and how.
Evaluate each risk thoroughly and put a corrective action plan in place.
Record the findings.
Review the assessment on an ongoing basis, and update it when systems or threats change, to be sure each risk remains controlled.
Analyze Real World Case 10.1:
In 2014, the Department of Health and Human Services (HHS) reported on its website a $4.8 million HIPAA settlement with New York and Presbyterian Hospital (NYP) and Columbia University following a 2010 breach of thousands of patients' e-PHI. A Columbia University physician, who was also an attending physician at NYP, attempted to deactivate a computer server that he personally owned and that was connected to the network holding NYP patient e-PHI. Because technical safeguards were lacking, the e-PHI became accessible to the public through Internet search engines. A patient's loved one found e-PHI about the patient on the Internet and filed a complaint.
In addition to the impermissible disclosure, both entities were noncompliant in other ways: (1) no steps had been taken to ensure the server was secure; (2) a thorough risk analysis identifying all systems able to access the e-PHI of NYP patients had never been completed, so no plan to address potential threats and hazards existed; (3) no appropriate policies and procedures existed for authorizing access to its databases; and (4) they did not follow their own policies on information access management (HHS 2014).
This costly mistake, both financial and reputational, highlights the negative outcomes that follow when technical and administrative safeguards are not followed. It also emphasizes the importance of inventorying all systems and devices that can access an organization's e-PHI in order to address threats and the organization's vulnerabilities. This is not an easy task given the number of personal and mobile devices that access e-PHI, but it is critical.
US Department of Health and Human Services (HHS). 2014 (May 7). Data Breach Results in $4.8 Million HIPAA Settlements.
For this assignment, you will analyze the data security breach that exposed thousands of patients' e-PHI records from a physician's personally owned server, consider what should have been in place to protect this information, and answer the following questions:
A risk analysis should include an inventory of all systems and devices that can access an organization's e-PHI (in this case, the breach occurred via a server that a physician personally owned). How can an organization account for all systems and devices on which PHI may be accessed or otherwise present?
What should the risk analysis include?
Should the physician have been the one to deactivate the server? Why or why not?
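The inventory question above is where the NYP case turned: a server the organization had never registered was sitting on its network holding e-PHI. One practical way to find such devices is to reconcile the authoritative asset inventory against evidence of what is actually on the wire, for example DHCP lease grants. The following Python script is an added illustration, not material from the textbook, the course, or HHS; its inventory records and dhcpd-style log lines are constructed, and the column layout, hostnames, and MAC addresses are assumptions.

```python
"""Reconcile an authoritative asset inventory against the devices actually seen
on the network, so that equipment nobody registered (such as a personally owned
server holding ePHI) surfaces for the risk analysis.

Added illustration: the inventory records, the dhcpd-style log lines, the
hostnames and the column layout are all constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ISC dhcpd logs each lease grant as
#   DHCPACK on <ip> to <mac> (<hostname>) via <interface>
# where the parenthesised hostname is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    handles_ephi: bool


# Constructed inventory: what the organization believes is on its network.
INVENTORY = [
    Asset("00:1a:2b:3c:4d:01", "ehr-db-01", "IT Operations", True),
    Asset("00:1a:2b:3c:4d:02", "ehr-app-01", "IT Operations", True),
    Asset("00:1a:2b:3c:4d:03", "nurse-ws-117", "Nursing Informatics", True),
    Asset("00:1a:2b:3c:4d:04", "print-3w", "IT Operations", False),
    Asset("00:1a:2b:3c:4d:05", "lab-ws-22", "Laboratory", True),
]

# Constructed dhcpd syslog excerpt: what was actually observed on the wire.
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.5.10 to 00:1a:2b:3c:4d:01 (ehr-db-01) via eth0
Mar  3 08:01:40 dhcp1 dhcpd: DHCPACK on 10.20.5.11 to 00:1a:2b:3c:4d:02 (ehr-app-01) via eth0
Mar  3 08:03:05 dhcp1 dhcpd: DHCPACK on 10.20.7.117 to 00:1a:2b:3c:4d:03 (nurse-ws-117) via eth0
Mar  3 08:05:48 dhcp1 dhcpd: DHCPACK on 10.20.8.22 to 00:1a:2b:3c:4d:05 (lab-ws-22-old) via eth0
Mar  3 08:07:51 dhcp1 dhcpd: DHCPACK on 10.20.9.77 to 00:0c:29:aa:bb:cc (research-srv) via eth0
Mar  3 08:09:13 dhcp1 dhcpd: DHCPACK on 10.20.9.80 to 3c:22:fb:11:22:33 via eth0
"""


def parse_dhcp_log(text: str) -> dict[str, dict]:
    """Return {mac: {"ip": ..., "hostname": ...}} for every lease grant in the log."""
    seen = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "hostname": (m["host"] or "").lower()}
    return seen


def reconcile(inventory: list[Asset], observed: dict[str, dict]) -> dict[str, list]:
    """Compare inventory with observation and return the discrepancies a risk
    analysis must chase down before it can claim to cover every ePHI system."""
    by_mac = {a.mac.lower(): a for a in inventory}
    report = {"unmanaged": [], "not_seen": [], "hostname_mismatch": []}
    for mac, info in observed.items():
        asset = by_mac.get(mac)
        if asset is None:
            # On the network but never registered: the gap the NYP case turned on.
            report["unmanaged"].append({"mac": mac, **info})
        elif info["hostname"] and info["hostname"] != asset.hostname.lower():
            # Same hardware, different name: re-imaged, repurposed, or a stale record.
            report["hostname_mismatch"].append(
                {"mac": mac, "expected": asset.hostname, "seen": info["hostname"]}
            )
    for mac, asset in by_mac.items():
        if mac not in observed:
            # Registered but silent: retired, moved, or statically addressed. Confirm it.
            report["not_seen"].append(asset.hostname)
    return report


if __name__ == "__main__":
    rep = reconcile(INVENTORY, parse_dhcp_log(DHCP_LOG))
    for d in rep["unmanaged"]:
        print(f"UNMANAGED  {d['ip']:<13} {d['mac']}  {d['hostname'] or '(no hostname)'}")
    for d in rep["hostname_mismatch"]:
        print(f"MISMATCH   {d['mac']}  inventory={d['expected']}  seen={d['seen']}")
    for name in rep["not_seen"]:
        print(f"NOT SEEN   {name}")
```

Run as-is, the script reports two unmanaged devices (one of them with no hostname at all), one host whose name on the wire no longer matches its record, and one registered printer that never took a lease. In practice the observed side should draw on several sources (DHCP, switch MAC tables, endpoint agents, vulnerability-scanner sweeps, cloud and SaaS consoles), because statically addressed hosts and devices on research or guest segments never appear in a DHCP log; anything in the unmanaged list stays in scope for the risk analysis until an owner confirms what it holds and who can reach it.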
Guidelines
Before you submit your Real World Case Study written responses:
Ensure all of the Real World Case Study 10.1 questions are answered thoroughly.
View the Critical Thinking Assignment Rubric (20 points) for the grading criteria.
Then, finally, complete and submit your answers in the Quiz Tool.
Please Note: Each question is worth 6.66 points for a total of 20 points.
Real World Case 10.2: Riverside Health System (20 POINTS)
For this activity, you will review Real World Case 10.2 in your textbook. You will analyze the situation and summarize how you would have addressed the issues.
It is well documented that humans are one of the greatest threats to data security. The risk of exposure is only heightened when the human threat comes from an internal source. Typical sources of risk are poor access control, unencrypted laptops and phones, errors in e-mail addresses, forgetting to log off, failure to update firewalls, and failure to remove access for employees who have left the organization.
Analyze Real World Case 10.2:
Riverside Health System in Virginia announced in 2014 that the e-PHI of nearly 1,000 patients had been breached by a nurse who accessed Social Security numbers and EHRs. The violation was discovered during a random organizational audit. Riverside described its compliance program as robust, with ongoing monitoring (McCann 2014). This case raises numerous issues; for example, humans present one of the greatest threats to data security, and when the threat is internal to the organization it is heightened by the ability to access information in the course of doing business. The article did not describe what type of access employees were given; however, a nurse role is likely to carry broad access. The inappropriate access had gone on for four years, which raises the question of whether monitoring was adequate. Nonetheless, monitoring was taking place. The nurse was terminated after the breach was discovered. When the perpetrator of the breach was identified, all of that person's electronic access should have been terminated immediately as well.
McCann, E. 2014 (January 2). 4-Year Long HIPAA Breach Uncovered. HealthITNews.
For this assignment, please answer the following questions:
What red flags does this case raise?
How would you have avoided this breach?
Alternatively, given the limited human resources most organizations have for conducting audits, is it realistic to conclude that monitoring truly was robust and that this breach still occurred, undetected?
Guidelines
Before you submit your Real-World Case Study written responses:
Ensure all of the Real World Case Study 10.2 questions are answered thoroughly.
View the Critical Thinking Assignment Rubric (20 points) for the grading criteria.
Then, finally, complete and submit your answers in the Quiz Tool.
Please Note: Each question is worth 6.66 points for a total of 20 points.
Expert Solution Preview
Real World Case 10.2: Riverside Health System (20 POINTS)
For this activity, you will review the Real World Case 10.2 in your textbook. You will conduct an analysis of the situation and summarize how you would have addressed the issues.
Riverside Health System experienced a security breach where an employee accessed patient records without valid reason. The breach was discovered through an audit process, and it was found that the employee had accessed several patient records over a period of time. It is evident that there were flaws in Riverside Health System’s security measures and access controls.
To address this situation, the following actions should have been taken:
1. Strengthen access controls: Implement stricter access controls by assigning unique user accounts and passwords to employees. Implement two-factor authentication for sensitive information access. Regularly review and update user access privileges based on job roles and responsibilities.
2. Conduct regular audits: Establish a system for regular auditing of access logs to identify and detect any unauthorized access or suspicious activities. This will help in early detection of security breaches and enable prompt action.
3. Provide training and education: Ensure that all employees receive comprehensive training on security policies, procedures, and the importance of patient confidentiality. Regularly conduct refresher courses and awareness campaigns to reinforce security best practices.
4. Incident response plan: Develop an incident response plan that outlines the steps to be taken in the event of a security breach. This plan should include procedures for investigation, containment, notification, and recovery.
5. Implement data loss prevention measures: Deploy data loss prevention software and technologies to monitor and prevent unauthorized access, sharing, or transmission of sensitive patient information.
6. Regularly update security measures: Stay updated with the latest security technologies, practices, and regulations. Conduct regular security assessments and penetration tests to identify vulnerabilities and address them promptly.
By implementing these measures, Riverside Health System could have minimized the risk of security breaches and protected patient information effectively. It is essential to have a proactive approach towards security to ensure the confidentiality, integrity, and availability of health information.
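The detection methods asked for in Discussion 10.1, the four years of undetected access in Real World Case 10.2, and item 2 of the solution above all reduce to the same operational question: how to review EHR audit trails with the small compliance staff an organization actually has. Random chart audits, which is what eventually caught the Riverside nurse, scale badly; the usual answer is to run rules over the complete audit export and hand reviewers only the exceptions. The Python below is an added example, not code from the textbook, from Riverside, or from the solution author. Its audit columns, unit census table, user IDs, and every record are constructed; real EHR audit exports and census feeds differ in layout.

```python
"""Review an EHR access-audit export for the Riverside pattern: a user opening
charts of patients they had no documented care relationship with, in volumes
their peers never reach.

Added illustration: the audit columns, the census table and every record are
constructed assumptions; real EHR audit exports and census feeds differ.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit export: one row per chart access.
AUDIT_CSV = """\
ts,user,role,unit,patient_id,action
2013-11-04T07:58:02,rn_0217,nurse,3W,P1001,view
2013-11-04T08:10:44,rn_0217,nurse,3W,P1002,view
2013-11-04T09:02:19,rn_0217,nurse,3W,P1003,view
2013-11-04T07:55:31,rn_0388,nurse,5E,P2001,view
2013-11-04T08:20:07,rn_0388,nurse,5E,P2002,view
2013-11-04T08:41:50,rn_0388,nurse,5E,P2003,view
2013-11-04T08:00:10,md_0051,physician,3W,P1001,view
2013-11-04T13:05:48,md_0051,physician,3W,P9001,view
2013-11-04T08:03:15,rn_1042,nurse,3W,P1001,view
2013-11-04T08:15:22,rn_1042,nurse,3W,P1002,view
2013-11-04T12:02:01,rn_1042,nurse,3W,P2001,view
2013-11-04T12:03:14,rn_1042,nurse,3W,P2002,view
2013-11-04T12:04:27,rn_1042,nurse,3W,P3005,view_demographics
2013-11-04T12:05:40,rn_1042,nurse,3W,P3006,view_demographics
2013-11-04T12:06:52,rn_1042,nurse,3W,P3007,view_demographics
2013-11-04T12:08:03,rn_1042,nurse,3W,P3008,view_demographics
2013-11-04T12:09:11,rn_1042,nurse,3W,P3009,view_demographics
2013-11-04T12:10:25,rn_1042,nurse,3W,P3010,view_demographics
"""

# Constructed care-relationship data: patients on each unit's census per day.
# Any record of a legitimate reason to open a chart (ADT census, assignments,
# orders, consults) can feed this table.
CENSUS = {
    ("2013-11-04", "3W"): {"P1001", "P1002", "P1003", "P1004"},
    ("2013-11-04", "5E"): {"P2001", "P2002", "P2003"},
}


def parse_audit(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def no_relationship(events: list[dict], census: dict) -> list[tuple]:
    """Accesses to patients who were not on the user's unit census that day.
    Consults and floating staff land here too, so this is a review queue,
    not a verdict."""
    return [
        (e["user"], e["patient_id"], e["ts"])
        for e in events
        if e["patient_id"] not in census.get((e["ts"][:10], e["unit"]), set())
    ]


def volume_outliers(events: list[dict], factor: float = 3.0) -> list[tuple]:
    """Users whose distinct-patient count for a day exceeds `factor` times the
    median for their role. Peers matter: a nurse opening many charts is normal;
    a nurse opening three times as many as other nurses is not."""
    patients = defaultdict(set)      # (user, day) -> patient ids opened
    role_of = {}
    for e in events:
        patients[(e["user"], e["ts"][:10])].add(e["patient_id"])
        role_of[e["user"]] = e["role"]
    counts = {key: len(ids) for key, ids in patients.items()}
    per_role = defaultdict(list)
    for (user, _day), n in counts.items():
        per_role[role_of[user]].append(n)
    return [
        (user, day, n, median(per_role[role_of[user]]))
        for (user, day), n in counts.items()
        if n > factor * median(per_role[role_of[user]])
    ]


def review(audit_text: str = AUDIT_CSV, census: dict = CENSUS) -> dict[str, list]:
    events = parse_audit(audit_text)
    return {
        "no_relationship": no_relationship(events, census),
        "volume_outliers": volume_outliers(events),
    }


if __name__ == "__main__":
    result = review()
    per_user = defaultdict(int)
    for user, _pid, _ts in result["no_relationship"]:
        per_user[user] += 1
    for user, n in sorted(per_user.items(), key=lambda kv: -kv[1]):
        print(f"no documented relationship: {user} ({n} accesses)")
    for user, day, n, med in result["volume_outliers"]:
        print(f"volume outlier: {user} opened {n} charts on {day}; role median {med:g}")
```

The relationship rule catches the Riverside pattern directly (a nurse opening charts of patients she was not caring for); the peer-volume rule catches it even when relationship data is incomplete, because it needs only the audit log itself. Both rules produce false positives for consults, floats, and emergencies (the physician's single out-of-unit access in the sample is one), so their output is a queue for the compliance staff, not a finding. The look-back window should be weeks or months rather than a single day, since the access in the case went on for four years, and the rules should run on every export, not on a random sample of charts.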