A Nurse Is Reviewing Information About the Health Insurance Portability

Get i year unlimited nursing CEUs $39Sign up now

To earn of certificate of completion you accept one of 2 options:

1. Take test and pass with a score of at least lxxx%
2. Reflect on exercise affect by completing cocky-reflection, self-assessment and grade evaluation.

   (NOTE: Some approval agencies and organizations crave you to accept a examination and cocky reflection is NOT an choice.)

Introduction

This learning module provides practicing nurses and healthcare professionals with the data necessary to protect patient data as outlined past the Health Insurance Portability and Accountability Human action (HIPAA). In recent years, some aspects of HIPAA Rules proved unnecessarily crushing for covered entities and provided little benefit to patients and health program members. Some of these rules are slated to be removed or amended by law. For example, The Office of Ceremonious Rights (OCR) aims to make the Observe of Privacy Practices less crushing for everyone. In addition, Health and Human Services (HHS) and its enforcing arm, the OCR, cracked downward on violators. For case, in 2020, penalisation amounts increased for HIPAA breaches.¹

With HIPAA regulation, change occurs slowly. The procedure requires a review of recommendations by the Department of Health and Man Services, feedback from stakeholders, submission of new rules to committees, and an boosted comment period.

Understanding potential areas of HIPAA breaches is necessary to safeguard patient privacy, one's job, and one's professional license. HIPAA violations can event in fines and disciplinary action, then health intendance professionals must be knowledgeable and compliant to avoid any wrongdoings. For example, in 2018, fines and settlements totaled $28,683,400.ⁱⁱ

This continuing education program outlines regulations and guidelines for maintaining privacy, confidentiality, and security of health data every bit required by law. Case scenarios demonstrate contempo HIPAA violations, and for most of these occurrences, penalties and or fines were applied. In some situations, nurses who violated HIPAA rules were suspended or fired. Lessons learned from these cases emphasize HIPAA implications for clinicians, nurse managers and executives, nursing faculty, clinical educators, and nurse researchers. Internal and external reporting mechanisms for suspected violations will be addressed, including how to file a complaint with the Part of Civil Rights (OCR).

Key Terms

Healthcare professionals must comprehend central terms because the passage of HIPAA has created new language and abbreviations which must be mastered.

HIPAA- The Health Insurance Portability and Accountability Human activity of 1996 or HIPAA is a federal law that gives individuals rights over health information. HIPAA is a set of rules that limits who can access wellness data. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.³

PHI is Protected Health Information (PHI) that identifies a patient or client such as past, present, or future diagnoses, weather, outcomes, care plans, and billing statements. PHI excludes individually identifiable health information in teaching records covered by the Family Educational Right and Privacy Act.⁴

ePHI is Protected health information in electronic form. Examples include online billing systems, electronic medical records, a server with health insurance enrollments, and a case director'due south laptop with patient cess records.

IIHI is Individually Identifiable Health Information (IIHI) that tin can be linked to a patient or client such as demographics, social security numbers, diagnoses, zip codes, and electronic mail addresses.

PTO- Payment, handling, and healthcare operations (PTO) are the three areas where PHI can be disclosed. Treatment refers to providing, managing, and analogous care. Payment includes diverse activities related to billing, utilization review, and coverage decision. Operations cover maintaining medical records, substitution of data for care coordination, and billing.

Concern Associate- A business associate is an entity or person who has access to the Protected Wellness Information (PHI) or ePHI of a covered entity. This written document outlines each political party's responsibilities to protect PHI. Examples include companies that process claims for hospitals or doc practices, utilization review companies, case management companies, and quality improvement organizations.

Function of Civil Rights (OCR) is a branch of the Wellness and Human Services Department (HHS) that investigates HIPAA allegations and imposes fines and penalties.

Covered Entity is any business or private that has access to Protected Health Information (PHI). Covered entities include health plans, instance management companies, medical research organizations, medical record copy services, and billing companies.

Chance Analysis/Assessment is an entity's written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its protected data. A risk management plan outlines protections and measures to countermand risks. Both the risk assay and adventure management plans are cost-effective compliance mechanisms.

Technical Safeguards are electronic security measures that covered entities use to secure ePHI. This can include following policies and procedures that protect and control access to ePHI.

Security Rules unremarkably refer to the Security Standards for the Protection of Electronic Protected Health Data. Security Rules are plant at 45 CFR Part 160 and Part 164, Subparts A and C.

HIPAA Violations and Implications for Healthcare Professionals

Healthcare professionals are probable to run into many situations in their careers, which tin can be potential or actual HIPAA violations. An assay of eight scenarios provides a number of areas of business concern where HIPAA rules are violated or could exist violated. Healthcare professionals must have proper action to ensure that the privacy of patients is protected and the risk of HIPAA violations for their arrangement is lowered.

Scenario one- Filming Patients without Their Informed and Written Consent

You are a staff nurse in an emergency room for a large infirmary, one of three in the state, owned by a for-profit corporation. Your manager tells you that a prestigious news crew will be coming to the emergency room to film nurses providing care to patients and using the latest equipment. Your manager tells you that the crew has completed the hospital'south HIPAA training course. You ask your director if the patients volition be given the opportunity to consent to exist filmed. The managing director tells you that consent is not necessary because no patient names will be used.

Yous are enlightened that an ABC news documentary, Save My Life: Boston Trauma, resulted in large fines because patient permission was non obtained before filming. While the hospital administrators required that news crew members and reporters complete HIPAA grooming and sign confidentiality agreements, the Office of Civil Rights (OCR) said that all patients needed to give written consent and the opportunity to withdraw consent at any time.^5,six

Y'all mention the Boston case to your manager, simply he dismisses it and tells y'all not to be a troublemaker. Further, he states that the hospital needs the positive exposure that this story will bring. What is your next step?

You will:

1. comply with your director'due south suggestions without saying some other give-and-take.
2. make an date with the hospital's HIPAA privacy part.
3. file a complaint with the OCR.
4. send an electronic mail to the infirmary administrator, outlining the situation.

Ignoring the outcome, or reply A, can cause the organization more damage. If you fail to study your observations and suspicions and filming takes place without patient consent, a patient or family member could file a complaint with the OCR. If this happens, your hospital may be fined, and reputation damage might ensue.seven If you written report the potential violation internally by talking to the privacy officer (answer B, yous will allow your employer the opportunity to accept steps to reduce or eliminate the potential HIPAA violation. Furthermore, your actions will be helping to ensure that similar incidents do not occur in the future.

Scenario ii- Insufficient Technical Controls to Prevent Unauthorized Electronic Protected Wellness Information (ePHI) admission

Yous are an Occupational Therapist instance manager who works for a Long-Term Care facility. While you are eating dejeuner in the visitor'southward cafeteria, y'all eavesdrop other employees who work in the housekeeping office, talking near how they were able to review the medical record of a neighbor through the online system. You are aware that access to protected health information (PHI) should exist limited to those that "demand to know" for the purposes of payment, treatment, or healthcare operations.

Equally an OT, y'all attended the company's required HIPAA preparation. You are enlightened that a covered entity, such every bit a wellness insurance company, is subject to HIPAA security rules.⁸ You call up that security rules must be reasonable and appropriate.⁹ You remember that access controls must ensure that only authorized users take access to the minimum necessary data needed to perform task functions. You are shocked that housekeeping staff gained access to patient information. You wonder if you should confront the two housekeeping employees and try to teach and so a lesson about privacy.

What volition you do?

1. Take the housekeeping staff bated and tell them they violated HIPAA rules.
2. Study the incident to the company's HIPAA privacy officer.
3. Go to the director for housekeeping and demand that the staff is disciplined.
4. Finish your dejeuner and go nearly your own business organisation.

Ignoring the situation is non an selection since you witnessed a HIPAA violation. The problem of information exposure, or failure to protect data, puts the organization at risk for fines and penalties. The instance direction company is a covered entity and, by constabulary, must enforce the minimum necessary standard.^10,11 This means that employees should just have admission to data that they "need to know" for their jobs. Information technology systems and security must be in place to ensure that housekeeping employees cannot access PHI or ePHI.¹²

The best selection is to contact the company's HIPAA privacy officer. Discussing the matter with the two housekeepers or the manager of the housekeeping department might non effect in a organization-wide risk analysis, which is necessary to discover and correct other potential vulnerabilities. The risk analysis will identify the persons or classes of persons, and the types of access they need to perform their job duties. For example, instance management company leaders may permit physicians, nurses, or others involved in intendance coordination to read the unabridged medical record of those they manage. They will prohibit admission to those who exercise not demand to encounter the records of patients/clients to perform their job duties.

All members of the healthcare team can learn from resolution agreements from companies who violated HIPAA rules. Fresenius Medical Intendance of Northward American paid $3.5 million for failure to protect patients' PHI. Furthermore, the OCR demanded that Fresenius execute a risk assay and risk management plan, revise policies and procedures on facility access controls, improve encryption, and educate its employees on HIPAA policies and procedures. The Fresenius matter involved unauthorized access, tampering, and theft of data when it was reasonable and appropriate to provide HIPAA protections.¹³

The Security Rules outlines Access Control Standards that could prevent these violations. Inimitable usernames should be created for each employee to help runway access. Visibility settings for each username should limit user admission to only the PHI needed for their job role. Furthermore, procedures for accessing PHI during an emergency are required. Emergency admission to PHI should exist reviewed with the medical staff, and clear guidelines should exist set. Additional required Admission Controls include automatic logoff after inactivity and encryption/decryption processes. These measures help reduce chances of unauthorized persons viewing PHI, while digitally protecting sensitive information.¹³

Scenario 3 - PHI Disclosure to a Reporter

You are a nurse manager for an outpatient clinic where detoxification from prescription drugs takes place. A news reporter calls the clinic and asks for an interview with you lot and some patients. The reporter requests to exercise a story for the local newspaper nearly the opioid crisis and the handling of addicts.

What should you do?

1. Decline the interview at work but offer to run across at a neutral location without patients.
2. Turn down the interview and report the request to the HIPAA privacy officer.
3. Tell the reporter to phone call the Media Officer for the clinic.
4. Gather 3 well-functioning patients and exercise the interview.

The best option is to decline the interview and report the call to the HIPAA Privacy Officer for the healthcare system. Telling the reporter to call the Media Officer of the Public Relations Department of the dispensary is also acceptable; even so, some reporters will continue to call physicians or nurses who work for the clinic, hoping to find someone who will consent to an interview. Alerting the HIPAA Privacy Officer will help ensure that the unabridged facility follows approved policies. Your determination is based on your knowledge of HIPAA rules plus what y'all have learned from HIPPA violations, such as the i below.

This HIPAA violation took place when a patient of a specialty practice contacted a local television reporter to complain well-nigh a problem he encountered with the practice. The reporter telephoned the patient's medico to validate the patient's claims and to define details. The doc disclosed protected health information to the reporter without the patient's consent or the facility's permission. In fact, the privacy officeholder of the practice had instructed the physician to ignore the reporter or respond with "No comment." The Function of Civil Rights' (OCR) investigation found that the doctor's actions were reckless and irresponsible.

Further, OCR scrutiny revealed that the administrator did not subject field the doctor or plant corrective actions to prevent a reoccurrence.^fourteen The OCR imposed a $125,000 fine and demanded a corrective action plan that included two years of HIPAA compliance monitoring.^fifteen The corrective action program dictated that the specialty practice submit policies and procedures consistent with the HIPAA privacy rule within 60 days for HHS approval.

If you observe a physician or someone in authority at your facility violating HIPAA rules, should yous report that person? Could you lose your task for reporting a well-admired physician or a pop nursing administrator? A covered entity or a concern associate cannot threaten, intimidate, or retaliate against any person who files a HIPAA complaint or participates in a HIPAA investigation. ¹⁵

Scenario 4- Impermissible PHI disclosure. No Business organisation Associate Agreement (BAA), Insufficient Security Measures, No HIPAA Compliance Effects Prior to Apr 2014

Yous are a nurse executive for a nursing home and are researching billing companies for your facility. Your nursing home plans to institute a Business Associate Agreement with an outside billing company to bill for services. You lot review the websites of several billing companies. During the procedure, y'all detect patient data, including names, dates of nascency, and social security numbers exposed on the Cyberspace for i billing company.

What should you do?

1. Phone call the billing company's administrator and report what you lot institute.
2. File a study with the OCR.
3. Obtain guidance from your company's HIPAA Privacy Officeholder.
4. Make a note not to employ the billing company with the exposed data.

The best choices are either filing a complaint with the OCR or obtaining guidance from your HIPAA Privacy Officer. If you decide to file a complaint and desire action to be taken, y'all must provide your name and contact information. If you submit your complaint anonymously, the OCR might not investigate information technology. Nigh complaints can be filed online using the complaint portal assistant which tin be found at the following website

Those that demand help filing a complaint can email the office at OCRMail@hhs.govor phone call ane-800-368-1019.

The OCR can impose financial penalties for HIPAA violations that occur through negligence. This is what happened when ACH, a visitor providing contracted physicians to hospitals and nursing homes, hired a billing company. In early 2014, hospital personnel discovered patient names, dates of nascence, and social security numbers exposed on the Internet. Initially, ACH filed an OCR breach notification report testifying that 400 patients were affected. After further investigation, ACH filed a supplemental breach study avowing that an additional 8,855 patients could have been affected.¹⁶

The OCR examination revealed the following:

1. ACH shared protected wellness information with a vendor without a Concern Acquaintance Agreement (BAA) as required by HIPAA.
2. ACH lacked written HIPAA policies and procedures.
3. ACH did not bear a risk analysis or implement security measures required by HIPAA rules.

Scenario five- Failure to End Employee Access, No BBA

A nurse researcher was fired from her job because the university did not need her services for any more studies. After her termination, she illegally accessed the medical records of her supervisor, her coworkers, and several celebrities. She wrote and sold stories about celebrities to sleazy magazines.

What are some of the possible outcomes of her deportment?

1. Jail time
2. Fines
3. Loss of RN license
4. All of the higher up

Respond: D The nurse researcher committed a federal crime and will likely lose her license, exist fined, and may exist sentenced to time in jail. Instance precedence was set when a former cardiothoracic surgeon, Zhou, who was fired from UCLA School of Medicine for functioning issues unrelated to HIPAA, accessed the medical records of his supervisors, coworkers, and celebrities such equally Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks. The courts plant that Zhou broke the rules in gild to become back at those who terminated him. Zhou pleaded guilty. While he did not sell the information or employ information technology improperly, he viewed the records illegally. Zhou was sentenced to iv months in federal prison house for the HIPAA violation.¹⁸ The nurse researcher went 1 step further than Zhou considering she sold the information for personal budgetary gain.

While non quite as astringent, another incident illustrates what tin can happen when an organization does not finish access to ePHI for a person who is no longer employed. A medical center'due south information applied science chief failed to stop access to ePHI after a hospital employee resigned and separated from service. The failure resulted in the former employee having access to the protected wellness information of 557 patients. Additionally, the hospital used a Google-based patient scheduling calendar and did not have a business associate agreement with Google. The hospital paid $100 per patient in fines each time patient information was released inappropriately.¹⁸

Scenario 6- Security Management – Research

As a clinical nurse educator for a pharmaceutical visitor that oversees clinical drug trials in big metropolitan hospitals, you lot conduct sensitive patient information in your briefcase and laptop. While traveling to a hospital in Due north Carolina, you accidentally exit your unlocked briefcase in the airport waiting room. The briefcase is recovered, but the list of patients enrolled in the study in the N Carolina hospital, and their case histories, is missing.

What do you exercise?

1. Report the matter to your supervisor.
2. Cease the trial and discharge all of the patients whose case histories are missing.
3. Written report the thing to the OCR.
4. Use your laptop to print the case histories and say nothing.
5. Report the example as a missing paper to the airport'south lost and found office.

Your first action is to report the incident to your supervisor, who will guide y'all and ensure you are following company policies. Actions steps will about likely include contacting the HIPAA privacy officers for both the infirmary and the pharmaceutical company. The pharmaceutical visitor, in this case, is a business associate, and a business associate agreement should be in place.

A New York research plant paid a fine close to 4 meg dollars for a alienation of enquiry data, including 13,000 participants' full names, addresses, dates of birth, medical diagnoses, laboratory test results, prescribed medications, medical study particulars, and social security numbers. The breach occurred when an unencrypted laptop was left in full view on the backseat of an employee's automobile and was stolen.19

Some other research eye, this time in Texas, suffered a similar fine and breach. Unencrypted data for 33,500 research patients were exposed when an unencrypted laptop and ii flash drives were stolen.

In both cases, the following violations occurred:

1. Absenteeism of technical safeguards by the research plant to forbid data theft and/or accessing ePHI past unauthorized individuals.²⁰
2. Lack of policies and procedures governing the removal of equipment used to store ePHI.²¹
3. Failure to encrypt data or utilise another reasonable security measures to safeguard it.²²

Since nurses are often the collectors of research data and may carry laptops into patient homes or clinics for this purpose, they must brand sure to safeguard the data fairly. Proper safeguarding measures could mean locking briefcases, coding patient data, perhaps using numbers or coding instead of names.

Scenario 7- Concrete Therapist Reviews a Celebrity'south Record Whom She Is Non Caring For

You lot are a Physical Therapist at a Chicago hospital. Your employer provided HIPAA training as office of your initial orientation ten years ago, simply yous have not been trained since. Your curiosity gets the best of you when a high-profile individual is admitted to the infirmary. You review the medical record without the "need to know," and you chronicle what you saw to another employee in the break room. The other employee reports you to the Privacy Officer. Yous are scared that you volition lose your job and that the patient might sue you if he finds out y'all reviewed his chart without the need to do so.

Your supervisor is likely to:

1. Ignore the report from your colleague as she knows you had no malicious intent.
2. Place yous on probation with a monitored cosmetic action programme.
3. Dock your paycheck for $250.00 for x paydays.
4. Suspend you for violating hospital policy and HIPAA rules.

The privacy officer is probable to suspend or fire the PT who reviewed medical records inappropriately or put her on probation with a monitored corrective activeness plan. The corrective action plan volition include additional HIPAA training and shut observation. Even if the patient finds out about the violation, he cannot sue because there is no private course of action for HIPAA violations.

This scenario is similar to a situation that happened at Chicago Northwestern Memorial Hospital when at least l employees, including nurses, reviewed an actor's medical records without the "need to know" his status.²³

1. The consequences of healthcare professionals violating HIPAA are many, including whatsoever or all of the following:
2. Existence reported to your professional board and facing disciplinary actions
3. Employment bailiwick
4. Employment termination
5. Fines and penalties

Disciplinary action by a Board of Nursing for a HIPAA violation can be stiff. For example, when Martha Smith-Lightfoot, a nurse practitioner, left employment at the Academy of Rochester Medical Middle (URMC), she took a detailed spreadsheet of three,000 patients with PHI to her new employer. She did this without the consent of the patients or her employer. In fact, the breach was discovered when several patients complained virtually being contacted by Martha's new employer. The New York Board of Nursing imposed a one-year suspension and three years of probation for Smith-Lightfoot. In addition, the New York Attorney General fined URMC and instituted a detailed corrective activity programme which included a policy review and farther grooming.^24,25

Scenario 8- Social Media Violations

You are Facebook friends with many of your coworkers. You piece of work at a large children's hospital where you accept care of children mainly from depression-income families. Yous notice that a coworker posted several narratives about an extremely ill kid on your unit who has a illness that is preventable by vaccination. While the posts do not name the child, they are detailed, describing the child'south historic period, his symptoms, the rarity of the illness, his parent's reactions, and the care given. Additionally, the posts identify the hospital, the unit of measurement, and the posting professional and her credentials. Yous consider the details to be Individually Identifiable Health Information (IIHI).

What is your first activity?

1. Call the posting coworker and inquire her to delete the posts.
2. Print the posts and take them to the hospital's HIPAA Privacy Officer.
3. De-friend the posting coworker and remove your profile from Facebook.
4. Call your professional Country Lath and report the thing.
5. Do nix since the posting coworker did not publicize the patient'southward proper name.

Your first action should exist to print the posts and accept them to the infirmary's HIPAA Privacy Officer. You print them because you know that they can exist removed. Your activity is based on protecting your arrangement and the patient, plus complying with HIPAA privacy rules. A similar incident happened at Texas Children'due south Infirmary when a nurse posted IIHI almost a child who became extremely sick with the measles. The kid had non been vaccinated, which is unusual in Houston. The nurse was suspended while an investigation took identify. During the suspension, she removed many of the posts. Eventually, she was fired.²⁶The lesson learned is that healthcare professionals should never post about patients on social media. Even though the patient's proper name may not be mentioned, other information could link the post to the bodily example.

Lessons Learned from the Scenarios

1. Healthcare Professionals should never comment nearly patients or their conditions on social media. Even if the patient's name is not used, information such as the rarity of the affliction or other information could make it possible to identify the patient.
2. Organizations must develop security systems to ensure that employees have access to protected wellness information on a "need to know" footing. Policies need to exist written and audited to ensure admission management. Healthcare professionals must be aware of these policies and follow them consistently.
3. Companies must perform run a risk assessments to ensure compliance with HIPAA.
4. Failure to perform a run a risk assessment tin lead to a breach deemed every bit "willful neglect," which carries loftier budgetary fines.
5. Procedures must be established, enforced, and audited for safe handling of PHI and ePHI within institutions, as well equally information maintained on laptops. Healthcare professionals must follow all privacy protection procedures and report others that do not.
6. Healthcare professionals may use laptops in their work. Laptops with ePHI must be encrypted. Professionals need to store laptops according to company policy.
7. The OCR can impose financial penalties and institute compliance plans for HIPAA violations for healthcare professionals and for organizations.
8. HIPAA rule violators pay fines and must comply with corrective action plans, which are reviewed and monitored by the OCR and/or the Lath of Nursing.
9. Under HIPAA, covered entities must secure a business organization associate understanding with all vendors that have access to patient data. A healthcare professional who works for a business organization acquaintance needs to be well informed nearly protecting PHI and ePHI.
10. Employee access to PHI and ePHI must exist revoked after employment ends.
11. Anyone who files an OCR complaint and wants action to be taken should provide a name and contact information.
12. Healthcare professionals may file complaints nigh HIPAA dominion violations with the OCR. Most complaints can be filed on the Internet using the OCR complaint portal assistant.
13. Healthcare organizations cannot retaliate confronting individuals who report a HIPAA violation in the workplace.
14. HIPAA grooming should occur during the onboarding process for new employees and annually for all employees to ensure compliance, although at that place is no regulation mandating annual pedagogy.

Summary

The primary purpose of the HIPAA law is to protect patients from unauthorized or inappropriate use and admission to their health data through a number of processes and safeguards. Healthcare professionals must be educated about potential and actual violations and must be diligent in reporting any suspicions to their privacy officers or the OCR. Further, whatever unauthorized access or disclosure of patient information past nurses must be addressed and eliminated.

Select one of the following methods to complete this course.

Take ExamPass an exam testing your knowledge of the course material.

OR

References

1. HIPAA Periodical. New HIPAA regulations in 2019. HIPAA Periodical Website. View Source. Accessed February 22, 2020.
2. HIPAA Journal. Summary of 2018 HIPAA Fines and Settlements. 2018. HIPAA Journal Website. View Source. Published Jan 3, 2019. Accessed February 22, 2020.
3. HIPAA. Public welfare: general provisions and procedures for hearings. Fed Regist. 2010. ii: Subparts A and E. Codified at 45 CFR §160.
4. Family Educational Right and Privacy Act Regulations (FERPA). Fed Regist. 2012. 34: Subparts S and B. Codified at 34 CFR §§ 99.ane - 99.viii
5. Cotter, SP. ABC News Documentary Leads to HIPAA Violation Fines Against Boston Hospitals. Boston Herald website. View Source. Published September 21, 2018. Updated Nov 8, 2019. Accessed Feb 22, 2020.
6. HHS. Unauthorized Disclosure of Patients' Protected Wellness Information During ABC Telly Filming Results in Multiple HIPAA Settlements Totaling $999,00. HHS Website. View Source. Published September twenty, 2018. Accessed February 22, 2020.
7. HIPAA Journal. What to Do If You Discover a HIPAA Violation In The Workplace. HIPAA Journal Website. View Source. Published Apr two, 2018. Accessed February 22, 2020.
8. HHS. 4 Security Standards: Technical Safeguards. HHS Website. View Source. Published May 2005. Updated March 2007. Accessed February 22, 2020.
9. HIPAA. Public welfare: security and privacy. Fed Regist. 2019. 2: Subpart C. Codified at 45 CFR §164.306 (b).
10. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codified at 45 CFR §164.502 (b).
11. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codification at 45 CFR §164.514 (d).
12. HHS. Minimum Necessary Requirements. HHS Website.View Source. Accessed February 22, 2020.
13. HHS. Five Breaches Add Up to Millions in Settlement Costs for Entity That Failed to Heed HIPAA's Risk Assay and Risk Management Rules. HHS Website. View Source. Published February ane, 2018. Accessed February 23, 2020.
14. HHS. Allergy Practice Pays $125,000 to Settle Doctor's Disclosure of Patient Data to a Reporter. HHS Website. View Source. Accessed February 22, 2020.
15. HHS. HIPAA Administrative Simplification. HSS Website View Source. Accessed Feb 22, 2020.
16. HHS. Florida Contractor Physicians' Group Shares Protected Wellness Information with Unknown Vendor Without A Business Associate Agreement. HHS Website. View Source. Published Dec four, 2018. Accessed February 22, 2020.
17. FBI. Ex-UCLA Healthcare Employee Pleads Guilty to Four Counts of Illegally Peeking at Patient Records. FBI Website.View Source. Published January 28, 2010. Accessed Feb 22, 2020.
18. HHS. Colorado Hospital Failed to Terminate Former Employee's Access to Electronic Protected Wellness Information. HHS Website. View Source. Published December 29, 2018. Accessed February 22, 2020.
19. HIPAA Periodical. OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Enquiry. HIPAA Journal Website. View Source. Published March 17, 2016. Accessed February 22, 2020.
20. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart C. Codified at 45 CFR §164.310 (c).
21. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart Due east. Codification at 45 CFR §164.310 (d).
22. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart Due east. Codified at 45 CFR §164.312 (a)(ii)(4)
23. HIPAA Journal. Dozens of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett's Medical Records. HIPAA Journal Website. View Source. Published March viii, 2019. Accessed February 22, 2020.
24. Donovan, F. New York Suspends Nurse for HIPAA Violation Affecting 3K Patients. Intelligent Healthcare Media Website. View Source. Published June 11, 2018. Accessed February 22, 2020.
25. Wofford, P. Jussie Smollett Example: l Infirmary Workers Fired for Alleged HIPAA Violations. Nurse.org Website. View Source. Published March 18, 2019. Accessed February 22, 2020.
26. HIPAA Periodical. Texas Nurse Fired for Social Media HIPAA Violation. HIPAA Journal Website. View Source. Published September 13, 2018Accessed February 22, 2020.

taylormrsoled50.blogspot.com

Source: https://ceufast.com/course/hipaa-health-insurance-portability

Share this post