In June 2009, a 22-year-old Honolulu mother of three young children was sentenced to one year in jail for illegally accessing another woman's medical records and posting on a MySpace page that she had HIV.
The State of Hawaii brought charges against the woman under a state law that punishes unauthorized access to computers and classifies the conduct as a class B felony.
According to accounts of the incident that led to the woman's conviction, there was a feud between the victim and the victim's sister-in-law, who was a friend of the defendant. The defendant, who worked as a patient services representative at the hospital where the victim was a patient, accessed the computer for the victim's sister-in-law.
Over approximately ten months, the defendant accessed the patient's computer records three times. After she learned of the victim's condition, the defendant posted on the MySpace page that the victim had HIV. In another post, she said the victim was dying of AIDS.
The victim complained to hospital officials that her records had been accessed without permission. After an internal investigation at the hospital said professional defense.
The defendant's conduct, of course, was egregious and inexcusable. The one-year jail term handed down by the court was the term recommended by prosecutors. Nevertheless, beyond the issue of holding the defendant accountable for her actions, some may ask to what extent the hospital was responsible for the breach of confidentiality that occurred.
Federal law imposes a statutory burden on health care providers to protect against misuse or disclosure of personal health information and to reasonably limit its use and disclosure to the minimum necessary to achieve the intended purpose.
Specifically, the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) came into force on April 14, 2003. HIPAA is designed to protect consumers' health information, allow consumers greater access to and control over such information, improve health care, and ultimately create a national framework for health privacy protection. HIPAA covers health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.
In addition to the privacy regulations, HIPAA's security regulations entered into force on April 21, 2005. Together, the privacy and security regulations are a national set of rules governing the use and disclosure of confidential and sensitive information.
Under HIPAA’s Security Rule, standards for the protection of electronic information covered by HIPAA are divided into three groups: administrative safeguards, physical safeguards and technical safeguards.
Two of the most important required administrative safeguards under HIPAA are the “Sanctions Policy” and “Security Awareness Training” standards.
The sanctions policy standard requires communicating to all employees the sanctions that the covered entity will impose for violations of HIPAA. The sanctions policy should include notice of civil or criminal penalties for misuse or abuse of health information and make employees aware that violations may result in notification to law enforcement officials and to regulatory, accreditation and licensing bodies.
The security awareness training standard requires all employees, agents and contractors to participate in information security awareness training. Based on their job duties, the covered entity should require individuals to attend customized education programs that focus on issues concerning the use of health information and responsibility for confidentiality and security.
HIPAA's privacy and security regulations require the covered entity to designate a privacy officer and a security officer. The privacy and security officers should continually analyze and manage risk by carefully assessing potential risks and vulnerabilities and implementing related security measures.
The US Department of Justice (“DOJ”) has clarified the penalties that may be assessed, and against whom, for a HIPAA violation. Covered entities and individuals who “knowingly” obtain or disclose individually identifiable health information in violation of HIPAA face a fine of up to $50,000, as well as imprisonment of up to one year.
Offenses committed under false pretenses allow increased penalties: a $100,000 fine and up to five years in prison. Finally, offenses committed for the purpose of selling, transferring, or using personally identifiable medical data for commercial benefit, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
In light of the security breach that led to these tragic events, including a year of prison time for the defendant, Hawaii employers, health professionals and health plans must revise their privacy and HIPAA policies and conduct an audit of their activities in order to protect against improper use and disclosure of personal health information and to reduce the risk of privacy violations in their own organizations.