Risk management strategies for information security

In what ways do the security guidelines that HIPAA provides assist or require organisations to identify risks and develop appropriate risk management strategies for information security? For example, what rights does someone have if he finds out that:

(a) His medical file, held in the information system of a large medical centre, has been read without authorisation by a receptionist whose job merely entails arranging appointments at the centre. She has relayed information about a health crisis he wanted kept secret to his employer, who is a close friend of hers.

(b) His medical file, including photographs of an unusual and embarrassing medical condition he suffers from, has been posted by a teenager on YouTube. The teenager found the information in unencrypted form on a USB flash drive on a train; it appears to have fallen out of a doctor’s pocket. She was taking the information home to work on a paper about the condition for a conference.

HIPAA[1] and the Rules and Guidelines[2] made thereunder provide an elaborate framework for health insurance that identifies who can legally hold information[3], whose information and what types of information[4] are protected, how that information[5] may be used and how it may be accessed. The Privacy Rule[6] sets standards for the electronic exchange, privacy and security of information[7]. It therefore gives individuals privacy rights to understand and control how their health information is used; this information is “protected health information” (PHI)[8]. The HIPAA Security Regulations in turn provide the framework within which HIPAA is implemented, by requiring reasonable measures[9] through processes, policies and controls[10], and by providing formal sanctions in the event of failure to comply with established policies and procedures[11]. The HIPAA Security Guidance, on the other hand, is complementary in respect of PHI during the use of portable devices and the offsite storage or transport of EPHI on laptops, personal digital assistants, etc.[12]

A) In this instance the main issues arise out of the type of information that was accessed, whether the receptionist is an authorized person who can access that information, and the legality of the procedure.[13] This case demonstrates that where there is laxity in processes and procedures and inadequate supervision in respect of sensitive or protected information,[14] a breach such as this one is likely.

Indeed the information is protected and would have required authorization for it to be disclosed[15]; the receptionist is not an authorized person in this instance, and the process she followed was wrong.[16] In Guin v. Brazos Education[17], the defendant had put in place the necessary security policies and properly followed the requisite procedure, and therefore no liability could arise. That case is in sharp contrast with the case before us. Sanctions therefore arise against the covered entity.[18]

B) The difference here is that the doctor is authorized to access the information. The issues instead arise in respect of whether she took adequate measures to restrict unauthorized access by using adequate technologies[19], such as encryption, or other means such as password restrictions[20], even though she is aware of the likely risks.[21] Furthermore, she intends to use this information for a conference, which is not a required disclosure[22], and she therefore requires express authorization in writing[23].

Disclosure by a covered entity will only arise as permitted by the Privacy Rule and with the affected gentleman’s written permission.[24] The gentleman was not notified of the breach; he stumbled upon it on YouTube, and as such the requirement imposed by HIPAA for notification in case of a breach was not met. The first remedy would be to seek to resolve this matter under the procedural rules for investigations and informal resolution of compliance issues, failing which he can seek compensation by way of the civil money penalty (CMP).[25]