In 1996 Congress enacted HIPAA to protect the privacy and security of protected health information maintained by health care providers, which include health insurance companies, hospitals, doctors, and employers who sponsor self-insured health plans ("Health Insurance Portability and Accountability Act Of 1996 (HIPAA)", 2011). HIPAA is enforced by the Department of Health and Human Services (HHS). HHS has issued two sets of regulations under HIPAA: the Standards for Privacy of Individually Identifiable Health Information (the "privacy rule") and the Security Standards for Individually Identifiable Health Information (the "security rule").

The privacy rule requires covered entities to implement policies and procedures that ensure members use and disclose protected health information (PHI) only for permissible purposes, and that patients and the insured have the right to access and amend their PHI. The security rule requires entities to implement policies and procedures that protect against threats to the confidentiality, integrity, and availability of PHI ("Health Insurance Portability and Accountability Act Of 1996 (HIPAA)", 2011).

HIPAA violations can result in criminal and civil penalties. HHS establishes the civil penalty structure for HIPAA violations. Within HHS, the Office for Civil Rights (OCR) enforces the privacy standards, and the Centers for Medicare and Medicaid Services enforces the security rule. HHS determines the amount of a civil penalty based on the nature and extent of the violation and the harm resulting from it.

In 2012 a group of ear and eye doctors in Massachusetts reported the theft of an unencrypted personal laptop, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). The laptop contained personal health information of MEEI patients and research subjects. Reporting the theft of a laptop containing electronic PHI is required under the Breach...