This is an IT class , the question should answered in reference to the materials attached to the question and the case study in blue print . 

reference book : legal issue in information security 

(joanna lyn grama ) second edition 

ITN 267 Assignment 6

Answer the following to the best of your ability in complete sentences with proper spelling and grammar. Be sure to elaborate on your answers and provide support for each of your statements. Your textbook and your own knowledge are your source for answering questions unless otherwise instructed. Format your answers in blue font.

Recall that you must cite any sources and it is never okay to copy from any source. TurnItIn Plagiarism checking is being run against all submissions. Your work must be below a 40% match per question.

Chapter 6 – Security & Privacy of Health Information

1. Describe the main parts of the Health Information Portability and Accountability Act (HIPAA) and how it protects health care information.

2. Why is health care information sensitive?

3. List 5 examples of privacy data elements for HIPAA as defined in the Privacy Rule.

4. Describe the role of state law in protecting the confidentiality of medical records.

5. What other laws affect health care in the USA?

6. What is the difference between COBRA and HIPAA?

7. Explain incidental disclosures that are permitted disclosures under the Privacy Rule.

8. Discuss the scope of HIPAA in the context of small doctor’s and dentist’s offices. Do these offices have to comply with the same HIPAA regulations as large health institutions? What challenges do the small offices face?

9. Read through the HIPAA case examples presented in the text sheet “HIPAA Case Examples” (ts_ hipaacaseexamples). What other policies or procedures could each organization institute to comply with HIPAA?

10. Consider the check-in desk at any doctor’s office, dentist’s office, or emergency room at a hospital. Most desks are located in the waiting room, where visitors can hear conversations at the check-in desk between care providers and patients. What procedures should be instituted to ensure the privacy of conversations between providers and patients?

HIPAA Case Examples

© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com

This handout is a reprint of several HIPAA case examples published by the U.S. Department of

Health and Human Services (http://www.hhs.gov).

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html

URL Last Verified: 2014-05-16

HIPAA Case Examples

Hospital Implements New Polices for Telephone Messages

Covered Entity: General Hospital

Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone

message with the daughter of a patient that detailed both her medical condition and treatment plan. An

OCR investigation also indicated that the confidential communications requirements were not followed, as

the employee left the message at the patient’s home telephone number, despite the patient’s instructions

to contact her through her work number. To resolve the issues in this case, the hospital developed and

implemented several new procedures. One addressed the issue of minimum necessary information in

telephone message content. Employees were trained to provide only the minimum necessary information

in messages, and were given specific direction as to what information could be left in a message.

Employees also were trained to review registration information for patient contact directives regarding

leaving messages. The new procedures were incorporated into the standard staff privacy training, both

as part of a refresher series and mandatory yearly compliance training.

HMO Revises Process to Obtain Valid Authorizations

Covered Entity: Health Plans / HMOs

Issue: Impermissible Uses and Disclosures; Authorizations

A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire

medical record to a disability insurance company without her authorization. An OCR investigation

indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the

Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created

a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain

patient signatures on these forms before responding to any disclosure requests, even if patients bring in

their own “authorization” form. The new authorization specifies what records and/or portions of the files

will be disclosed and the respective authorization will be kept in the patient’s record, together with the

disclosed information.

Mental Health Center Corrects Process for Providing Notice of Privacy Practices

Covered Entity: Outpatient Facility

Issue: Notice

Page 2

A mental health center did not provide a notice of privacy practices (notice) to a father or his minor

daughter, a patient at the center. In response to OCR’s investigation, the mental health center

acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental

health evaluation. To resolve this matter, the mental health center revised its intake assessment policy

and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed

acknowledgement of receipt of the notice prior to the intake assessment. The acknowledgement form is

now included in the intake package of forms. The center also provided OCR with written assurance that

all policy changes were brought to the attention of the staff involved in the daughter’s care and then

disseminated to all staff affected by the policy change.

Entity Rescinds Improper Billing for Medical Record Copies

Covered Entity: Private Practice

Issue: Access

A patient alleged that a covered entity failed to provide him access to his medical records. After OCR

notified the entity of the allegation, the entity released the complainant’s medical records but also billed

him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the

imposition of a reasonable cost-based fee that includes only the cost of copying and postage and

preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered

entity refunded the $100.00 “records review fee.”

Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health

or Safety

Covered Entity: General Hospital

Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health

or Safety

After treating a patient injured in a rather unusual sporting accident, the hospital released to the local

media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the

complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-

ray and an article that included the date of the accident, the location of the accident, the patient’s gender,

a description of patient’s medical condition, and numerous quotes from the hospital about such unusual

sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to

health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy

Rule’s standard for such actions. The investigation also indicated that the disclosures did not meet the

Rule’s de-identification standard and therefore were not permissible without the individual’s authorization.

Page 3

Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to

develop and implement a policy regarding disclosures related to serious threats to health and safety, and

to train all members of the hospital staff on the new policy.

Page 4