Hypothetical Scenario
Facts
You are the “Privacy Official” (“PO”) for Ipswitch Medical Center (“IMC”), located in the state of South Dakota. As the PO, part of your job description is to investigate and respond to potential breach incidents to determine if IMC has breached protected patient health information (“PHI”) under federal law (“HIPAA”) and South Dakota state law.
On November 18, 2020, IMC’s IT director, “Scott Schmigidity”, contacts you to report a potential breach involving the PHI of 879 patients of the hospital. Through the course of your conversation, Mr. Schmigidity explains that a routine security audit identified that a former employee of IMC (Ben Crenben) continued to have access to web-based calendar software the hospital uses to schedule patients for outpatient imaging services (such as MRIs, CTs and x-rays).
The audit revealed that after Mr. Crenben was terminated from the hospital, he continued to have access to the software, and that his credentials were used to access the PHI of these 879 patients. Mr. Schmigidity is not sure why Mr. Crenben’s access was not removed on his last date of employment per IMC policy. Mr. Schmigidity admits that termination of access is a manual process requiring communication to IT of an employee’s final day. Additionally, he mentions that historically this communication has not been consistent: sometimes his department has been notified by HR, and sometimes by the employee’s supervisor.
As you begin to investigate this incident, you learn that a large IT tech company, “Goofle”, is a contracted vendor to IMC, providing the particular software that was accessed by Mr. Crenben. Further, your investigation reveals that IMC and Goofle never executed a Business Associate Agreement (“BAA”), as required under HIPAA.
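The audit finding above rests on one control: reconciling HR termination dates against the scheduling application’s accounts and access log. The following is an added example of that reconciliation, not part of the assignment or of any IMC or Goofle system; the usernames, dates, account identifiers and log entries are constructed for illustration.

```python
# Added example: reconcile an HR termination feed against a scheduling
# application's user list and access log, flagging accounts still enabled
# after their owner's last day and sizing the patient population touched
# after termination. All data below is constructed for illustration.
from datetime import date

# Constructed HR feed: username -> last day of employment (None = still employed).
HR_TERMINATIONS = {
    "bcrenben": "2020-09-30",
    "jdoe": None,
}

# Constructed application user list: accounts the vendor reports as enabled.
APP_ENABLED_ACCOUNTS = {"bcrenben", "jdoe"}

# Constructed application access log: (date, username, patient account).
ACCESS_LOG = [
    ("2020-09-29", "bcrenben", "ACCT-1001"),   # before last day: expected use
    ("2020-10-05", "bcrenben", "ACCT-1002"),   # after last day
    ("2020-10-05", "bcrenben", "ACCT-1002"),   # same record twice: count once
    ("2020-11-01", "bcrenben", "ACCT-1003"),
    ("2020-11-02", "jdoe", "ACCT-1004"),       # current employee: not flagged
]

def _last_day(hr, user):
    """Parse the user's last day from the HR feed, or None if still employed/unknown."""
    value = hr.get(user)
    return date.fromisoformat(value) if value else None

def orphaned_accounts(hr, enabled_accounts, as_of):
    """Accounts still enabled in the app whose owner left on or before as_of (ISO date)."""
    cutoff = date.fromisoformat(as_of)
    return sorted(u for u in enabled_accounts
                  if _last_day(hr, u) is not None and _last_day(hr, u) <= cutoff)

def post_termination_access(hr, log):
    """Map each terminated user to the distinct patient accounts their credentials
    accessed after their last day; the size of each set is the affected population."""
    hits = {}
    for ts, user, acct in log:
        last_day = _last_day(hr, user)
        if last_day is not None and date.fromisoformat(ts) > last_day:
            hits.setdefault(user, set()).add(acct)
    return hits

if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(HR_TERMINATIONS, APP_ENABLED_ACCOUNTS, "2020-11-18"))
    for user, accts in post_termination_access(HR_TERMINATIONS, ACCESS_LOG).items():
        print(f"{user}: {len(accts)} patient accounts accessed after termination")
```

Running the reconciliation on every HR termination, rather than waiting for an HR or supervisor email, is the automated check that would have closed the gap described above.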
Assumptions
Assume you discover the following information for each patient was accessed by Mr. Crenben:
Patient Name;
Patient Address;
Patient DOB;
Patient Account;
Patient SS #;
Exam Type; and
Reason for Visit.
Assume this incident is considered an “impermissible disclosure” under HIPAA for the purposes of this assignment.
Assume South Dakota has a consumer data protection law, applicable to IMC, which requires a 30-day notice to any consumer/victim of an identified breach.
Assume that IMC has privacy and security policies that follow HIPAA and South Dakota state law.
Assume that all 879 patients are residents of South Dakota and the services were provided to these patients entirely within South Dakota.
Assume that by providing this software to IMC, appropriate Goofle staff members would necessarily have access to IMC’s PHI.
Assignment Instructions
Write a 5-6 page internal memorandum to the CEO and Board of IMC detailing this incident. As part of your memo, include the following information:
1. Brief background paragraph summarizing what occurred.
2. Apply the HIPAA four-factor Breach Notification Rule risk assessment to the facts in this incident. Make a determination assigning a level of risk (i.e., 1) high, 2) medium, or 3) low) for each of the four factors in the assessment and identify which facts were important to the risk level you assigned. Then, make an overall conclusion as to whether you think this incident would be considered a HITECH breach under HIPAA based on your assigned risk levels for each of the four factors.
3. Based on the result of your risk assessment, determine whether any notifications need to be made. More specifically, do the patients need to be notified? Does the Office for Civil Rights (“OCR”) need to be notified? Does the local media need to be notified? For each of these notifications, include why you think a notification does or does not need to be made, and calculate the required calendar date deadlines for any of the notifications, factoring in both state and federal law.
4. Discuss the lack of a BAA between IMC and Goofle. Do you think this relationship requires a BAA? Why or why not?
5. Describe for the Board what, if any, business impacts may affect IMC as a result of this incident.
6. Include your recommendations to the CEO/Board for corrective action measures to prevent a future occurrence. Be sure to address both issues: 1) the former employee accessing the software, and 2) no BAA in place between IMC and Goofle.
Use Times New Roman and font size 12 for your essay, and make sure to double space it.
Textbook:
Understanding Privacy and Data Protection: What You Need to Know By: T. J. Toohey
ISBN-13: 978-0314291943
Lecture PPT Attached