Violations of the HIPAA Privacy and Security Rules
Introduction
BlueCross BlueShield of Tennessee (BCBST) was accused of potential violations of the HIPAA Privacy and Security Rules. The organization was fined $1,500,000 to settle the case. BCBST also agreed to a corrective action plan under HIPAA that involved revising, maintaining and reviewing its privacy and security policies and procedures (Dimick, 2012). The procedures entailed conducting robust and regular training for all BCBST employees on their responsibilities as outlined in HIPAA. Monitoring reviews would also be conducted under HIPAA to ensure that BCBST complies with the plan. The case between the two parties involved unencrypted computer hard drives that BCBST reported were stolen from a leased facility in Tennessee. Because the unencrypted hard drives lacked integrity and privacy protection, BCBST determined that a breach had occurred as defined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The key contributors to this loss were a failure to implement the appropriate administrative safeguards and a failure to perform the required security evaluation in response to changes in operations. The breach was associated with technical errors.
BCBST agreed to corrective obligations based on policies and procedures. The organization agreed to provide evidence to all parties on its procedures for ePHI. The organization agreed to conduct an assessment of the potential risks and vulnerabilities to the integrity, availability, and confidentiality of ePHI, covering ePHI that is received, maintained, created and transmitted on or off site. A sufficient risk management plan was constructed to reduce risks to an appropriate level. The facility security plan and facility access control strategies were enhanced to limit access to electronic facilities and information systems. These would safeguard equipment containing ePHI from theft, tampering, and unauthorized physical access. BCBST also agreed on physical safeguards governing the management and storage of media containing ePHI, and agreed to conduct monitoring reviews. Portable and electronic storage media devices containing ePHI are protected according to the stipulated procedures and policies (Ayad & Squire, 2011). BCBST failed in data encryption, authorization, and protection. The confidential domains were not well protected, and this resulted in the data loss. HIPAA clearly stipulates the risk management and risk analysis plan. The organization covers a broad spectrum of the requirements as outlined in HITECH and the HIPAA Security Rule. HIPAA failed to cover the measures essential in securing electronic protected health information (ePHI). Securing ePHI was to be carried out on an ongoing basis, but HIPAA did not prescribe how to accomplish this task.
There are several security mechanisms that are very competent in data protection. The two organizations should have considered McAfee antivirus for software protection. McAfee antivirus and internet security provide high threat detection rates and above-average protection. The antivirus packages provided by the software offer full-featured protection. HIPAA should have provided a data backup plan that could help BCBST recover the lost information. Well-stipulated administrative safeguards and contingency plan standards would have kept the data from disappearing.
Appropriate physical safeguards such as device and media controls will ensure that data is well safeguarded. Competent security software such as antivirus programs and a firewall should have been used to protect the information. The firewall monitors all the data attempting to flow in and out of the system, and good software will only allow safe communications through. BCBST and HIPAA should have improved the policies and procedures with integrated security suites such as Norton Internet Security (antivirus, antispyware and firewall, with additional features such as parental and antispam controls) to secure the information found on the hard drives (US Department of Health and Human Services, 2012). BCBST should also have considered well-secured hardware from trusted corporations such as Apple and Samsung. The hardware from these corporations is secured with security tracking systems.
References
US Department of Health and Human Services. (2012). HHS settles HIPAA case with BCBST for $1.5 million. Health and Human Services news release, March 13.
Dimick, C. (2012). Simplification at Last? HHS Rolls out Operating Rules for HIPAA Transaction Standards. Journal of AHIMA, 83(2), 24-29.
Ayad, M., Rodriguez, H., & Squire, J. (2011). Addressing HIPAA Security and Privacy Requirements in the Microsoft Cloud.