Health Insurance Portability and Accountability Act (HIPAA) Violations


the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015).

HIPAA is a law that was enacted to protect patients’ private health information (PHI). The HIPAA law was enacted in 1996. This law has since been amended to include more specifics on PHI as it relates to technology. Most recently, in 2009, HITECH, a segment of the American Recovery and Reinvestment Act, has been enacted to include an expansion to electronic PHI (ePHI). HITECH provides benefits for providers to encourage the adoption of ePHI systems.

From the 2018 OCR HIPPA Summary:  Settlements & Judgements

Provide an analysis on the HIPAA violation of patient health information (PHI) that was present in the case selected:  June 2018  In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The  University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay  $4.3 million in civil money penalties for HIPAA violations.  OCR investigated MD Anderson  following three separate data breach reports in 2012 and 2013 involving the theft of an  unencrypted laptop from the residence of an MD Anderson employee and the loss of two  unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over  33,500 individuals.  OCR’s investigation found that MD Anderson had written encryption  policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack  of device‐level encryption posed a high risk to the security of ePHI. Despite the encryption  policies and high risk findings, MD Anderson did not begin to adopt an enterprise‐wide solution  to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices  containing ePHI between March 24, 2011 and January 25, 2013.  This matter is under appeal  with the HHS Departmental Appeals Board.

Date               Name                       Amount

June 2018     M.D. Anderson        $4,348,000

  • Analyze the specific HIPAA privacy and security rules that were broken.
  • Explain the penalties (if any) that were imposed as a result of the ruling on the case.
  • Develop a health system improvement plan to include applicable Federal standards.
  • Propose a risk analysis strategy addressing appropriate laws and regulations.
  • Apply the lessons learned from this particular case to your Proposal and Final Presentation.