Information Systems in Healthcare – HIPAA Violations

A. Introduction

There is no question that the healthcare sector – although previously considered
untouchable – is the newest industry to experience a technological boom in unprecedented
scales, and it is inevitable that this will continue to shape every aspect of the healthcare process.
As of 2021, it is estimated that at least 78 percent or four in five office-based physicians and over
96 percent of private (non-federal) acute care hospitals are using a certified electronic health
record (EHR) (Office of the National Coordinator for Health Information Technology, n.d.). The
proliferation of EHRs and other systems is driven by a growing pool of evidence showing that
leveraging these technologies can improve patient outcomes, organizational performance, and
clinician experiences (Sittig et al., 2020). Despite these benefits, there is a growing concern that
deploying these systems can pose a security and privacy risk, including unauthorized access of
private patient data by external hackers, unsanctioned employees, and the media. To safeguard
against such potential threats, the US Congress and other relevant regulatory bodies have
instituted a set of laws, policies, regulations, and professional ethical codes to ensure the
installation and usage of technology systems lies within the legal framework and follows all the
security and privacy requirements and guidelines.
This paper examines all these regulatory requirements, uses, and risks associated with
implementing health IT, plus a case study involving a security breach. It is divided into three
sections. The first part discusses the impact of patient privacy and HIPAA standards, healthcare
regulation, and legal guidelines on appropriate technology use in nursing and the healthcare
industry in general. The second part examines the actions that can be taken by healthcare
providers in a scenario whereby a HIPAA violation has occurred and client data has been leaked

3
to the media, and recommends actions that could be taken to mitigate the scenario’s impacts. The
last part describes the advantages disadvantages or risks associated with deploying health IT and
the nursing professional and ethical principles guiding its use.

B. HIPAA, Legal, and Regulatory Discussion

Like other products and programs in different industries, the use of health information
technology and systems is heavily regulated and codified in federal and state laws to ensure their
efficiency, effectivity, and meaningful use, while protecting the rights of patients. The Health
Insurance Portability and Accountability Act (HIPAA) is the overarching federal law that guides
and controls the use of health IT across the US. Enacted in 1996, HIPAA has multiple provisions
that guide the exchange, security, and privacy of health information. For example, the “HIPAA
Privacy Rule” stipulates the guidelines for protecting client/patient privacy, particularly their
health information known as PHI (protected health information). The Rule creates requirements
that covered entities (healthcare clearinghouses, insurers, and healthcare providers) must follow
to safeguard the confidentiality of PHI. It also accords clients/patients the right to request their
“own” health information (Edemekong, Annamaraju, & Haydel, 2022).
Another critical provision is the “HIPAA Security Rule.” This Rule establishes the
federal ideals, canons, or standards for safeguarding client/patient integrity, confidentiality, and
availability of digital or electronic PHI (ePHI). The Rule commands all covered entities to
implement technical, physical, and administrative “safeguards” or protections to secure ePHI
from unlicensed or unlawful use, access, and disclosure. The other three HIPAA Rules are the
“Breach Notification Rule,” and the “Enforcement Rule.” The Breach Notification Rules directs
that covered entities must notify or inform affected individuals (patients/clients and their
families), relevant authorities (the Department of Health and Human Services or HHS), and, in

4
some instances, the media, if a PHI breach has occurred in their institutions. Finally, the
Enforcement Rule lays the procedures and protocols for investigating and penalizing HIPAA
Rules breaches or violations. It sanctions the HHS to enforce the other HIPAA Rules and impose
financial penalties for those that fail to comply (Goldstein & Pewen, 2013).
Besides HIPAA, Congress has passed other equally critical legislation and regulations to
define the use, security, and privacy of protected health information. One of these laws is the
Health Information Technology for Economic and Clinical Health (HITECH) Act signed into
law by President Obama in 2009 to spur the implementation of EHRs nationally. HITECH also
improves and expands the Security and Privacy Provisions stipulated in HIPAA to include
subcontractors and business associates of covered entities, requiring them to notify patients, their
families, and the HHS in case of a PHI breach. It also expands fines for HIPAA breaches and
creates a tiered disciplinary framework based on the negligence level. HITECH also requires all
vendors to certify their products by ensuring they meet the set privacy and security standard. The
other law is the HIPAA Omnibus Rule. Enacted in 2013, the Omnibus Rule expanded patient
access and control, accountability, market restrictions, sale of PHI, genetic information, research,
and breach notifications stipulated in HIPAA and HITECH (Goldstein & Pewen, 2013).

C. Scenario Ending and Recommendations

HIPAA violation occurs, and client data is exposed to the media.
Scenario Ending and Recommendations – 50 points/21%
 Selects and presents one scenario ending as the focus of the assignment.
 Evaluates the actions taken by healthcare providers as the situation evolved.
 Recommends actions that could have been taken to mitigate the circumstances
presented in the selected scenario ending.
D. Advantages and Disadvantages of Using Technology in Healthcare and the

Professional and Ethical Principles Guiding Its Use

5

 The advantages of appropriately using technology in healthcare
 Risks of technology use in healthcare
 Describes professional and ethical principles guiding the appropriate use of technology in
healthcare.

E. Conclusion

6

References

Edemekong, P. F., Annamaraju, P., & Haydel, M. J. (2022). Health Insurance Portability and
Accountability Act. StatPearls [Internet].
https://www.ncbi.nlm.nih.gov/books/NBK500019/
Goldstein, M. M., & Pewen, W. F. (2013). The HIPAA Omnibus Rule: Implications for public
health policy and practice. Public Health Reports, 128(6), 554-558. doi:
10.1177/003335491312800615
Office of the National Coordinator for Health Information Technology. (n.d.). Quick stats.
https://www.healthit.gov/data/quickstats
Sittig, D. F., et al. (2020). Current challenges in health information technology-related patient
safety. Health Informatics Journal, 26(1), 181-189. doi: 10.1177/1460458218814893