Part 1: Critical Analysis of the Law
- Evaluate HIPAA security requirements for a security risk assessment (SRA).
- How would you complete a security risk assessment that meets HIPAA security requirements? Outline it. What physical, administrative, and technical safeguards would you recommend to keep data secure?
- Evaluate HIT audits as a compliance tool. Describe an audit process you recommend that would meet the following criteria:
  - The audit is fair and unbiased and free from conflict of interest (1-2 points).
  - The audit results are effectively communicated to senior levels of the organization (1-2 strategies).
  - There is a process in place to correct any problems identified in the audit (1-2 actions).
- How could a strong HIT audit system and the ACHE Code of Ethics serve to prevent the situation described in The Tracks We Leave: Chapter 9 Information Technology Setback: Heartland Health care System? Be specific and demonstrate understanding of the risks and how the compliance tool can be used specifically to control the risk.
Part 2: Strategic Compliance with the Law
You work for a large managed care organization (MCO) that includes 5 hospitals, 25 provider clinics, 1 health insurance company, and 10 pharmacies. The MCO is using electronic health records (EHR). Your organization is not using 2015 CEHRT. Your organization has been subject to medical identity theft through 3 recent cyberattacks that compromised the data of 2,000 patients. The cyberattacks all used a known vulnerability with poor data encryption during data transfer and poor security on the patient portal. All cyberattacks removed the encryption or security safeguards to obtain patient data. The breach included a list of 20 HIV patients whose HIV status was being reported to the state as part of infectious disease reporting.
- Evaluate what you need to do to respond to the cyberattack. Recommend a cyberattack response. Your response should include:
  - Methods to secure stolen data and mitigate harm (two).
  - Actions to correct the problem that allowed for the cyberattack (two).
- Evaluate the breach notification requirements under HIPAA. What breach notice actions do you recommend (1-2)? When do they need to be completed?
- Evaluate the organization’s duty of privacy and security for HIV patients. What do you recommend to keep this information secure during future reporting? Are any additional protections required because of the HIV status? Why or why not?