HIPAA, CIA, and Safeguards
Security Issues of BCBST
A robust information security system must ensure confidentiality, integrity, privacy, and availability for the data stored. Healthcare facilities must comply with the HIPAA laws by adhering to these four principles (Chen & Benusa, 2017). Regarding confidentiality, BCBST failed to ensure the privacy of the patient health information due to its inability to put in place physical, technical, and administrative safeguards as per the HIPAA provisions. Having these safeguards in place would have ensured that highly sensitive patient information would not be accessed or released to unauthorized persons. According to the HIPAA administrative security requirements, confidentiality is a function of compliance.
BCBST failed to ensure the integrity of the patient health information (PHI) by allowing unauthorized access to the data, which might have resulted in the alteration or modification of the stored information. The integrity of patient medical data is achieved by ensuring that there is no unauthorized modification, alteration, or changing of the data. Healthcare organizations can achieve integrity by complying with the HIPAA administrative and technical security requirements (Tendam, 2018). The administrative and technical arms within BCBST failed to ensure that the PHI was not tampered with, which resulted in the loss of vital patient data.
Availability is concerned with maintaining the systems and hard drives that store and access the patient medical data in good working condition (Tendam, 2018). BCBST's security issues regarding availability emanated from its failure to keep its systems up-to-date and secured against external attacks and hacking that could reach the patient medical data. Availability as a security issue ensures that the PHI is accessible on demand by authorized persons only. BCBST failed to ensure that the protected health information was only available to legally authorized persons. Under the HIPAA provisions, availability is a component of the technical and physical security requirements.
The security issue regarding privacy stems from the fact that BCBST was unable to keep the protected health information (PHI) secluded and confidential as required by the HIPAA security rules. In this case, BCBST's security issue emanated from its failure to adhere to the standards established by HIPAA under the privacy rule, which seeks to protect the patient's health records. The privacy requirement is concerned with the rights that patients have over their data, and it requires that third-party covered entities safeguard that information (Tendam, 2018). Overall, BCBST's security issue regarding privacy stemmed from its inability to address how PHI can be used and disclosed to other persons.
HIPAA Security Requirements
Compliance with the HIPAA security requirements entails a proper understanding of the HIPAA security rules by all healthcare organizations. The HIPAA provisions require that all covered entities put in place appropriate administrative, technical, and physical security measures that secure the PHI (Moore & Frye, 2019). All covered parties must identify and safeguard against possible external threats to the safety and integrity of the data. All covered entities must secure the PHI against potential unauthorized access and sharing of the information. Confidentiality refers to non-disclosure of the PHI to unauthorized persons. Integrity is a security requirement that prohibits alteration or modification of the patient data. Lastly, availability is a HIPAA security requirement that ensures that the PHI can be accessed by an authorized person when needed.
BCBST’s Corrective Actions
Following the breach of HIPAA provisions, BCBST was compelled to carry out several corrective action plans, which included a review of the policies and procedures, staff training, and monitoring. Reviewing the policies and procedures entailed providing printed copies of the organization's blueprints and processes that comply with the requirements of HIPAA. This corrective action plan was successful and involved the distribution of copies of the policies and procedures to all members of staff. Training all personnel on the policies and procedures is another corrective action plan that was successful, because all personnel who attended the training were required to sign and certify their attendance (Chen & Benusa, 2017). However, monitoring as a corrective action plan was not effective because it addressed several parameters concurrently.
HIPAA Security Requirements and Safeguards
Administrative Safeguards
The administrative safeguards are concerned with internal organizational policies and procedures and adequate staff training. Having documented security blueprints and procedures establishes uniformity when dealing with issues of the security of patient health information. Administrative safeguards help in preventing a security breach resulting from human error. The administrative safeguard as a security rule is responsible for carrying out risk evaluations and executing risk management programs (Moore & Frye, 2019). In the case of BCBST, the administrative safeguard would have prevented the breach of integrity as a security issue from occurring. The administrative safeguards would have established security management processes and controlled access to PHI. The administrative safeguards would have controlled who can access PHI, and when and how it can be accessed.
Technical Safeguards
Technical safeguards are security requirements that are concerned with the network and the information data. These security requirements focus on reducing the risks of external attacks on the system and network within the organization, especially regarding unauthorized transmission of PHI. The technical security requirements under HIPAA are primarily concerned with accessibility, integrity, authentication, and audit controls that collectively control access to the PHI (Moore & Frye, 2019). In the case of BCBST, the technical safeguards would have prevented the occurrence of security issues regarding confidentiality and integrity.
Physical Safeguards
Under the HIPAA provisions, the physical security requirements are measures that secure the physical structure where the PHI is stored. In this case, these physical security requirements are locks and security systems that are used to secure the premises where the PHI is kept, to prevent unauthorized access to PHI through break-ins. According to Moore and Frye (2019), the physical security requirements are concerned with tracking the staff accessing the premises that house the computer equipment. This security requirement would have prevented the occurrence of security issues regarding confidentiality, integrity, availability, and privacy.
Conclusion
HIPAA gives people rights over their health information records. This law limits the entities that can access an individual's medical data. The HIPAA provisions require that all covered entities put in place appropriate administrative, technical, and physical security measures that secure the patient medical records. The HIPAA security requirements are concerned with the administration, infrastructure, and technology that relate to the maintenance of PHI.
References
Chen, J. Q., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135-146.
Moore, W., & Frye, S. (2019). Review of HIPAA, part 1: History, protected health information, and privacy and security rules. Journal of Nuclear Medicine Technology, 47(4), 269-272.
Tendam, M. L. (2018). The HIPAA-Pota-Mess: How HIPAA's weak enforcement standards have led states to create confusing medical privacy remedies. Ohio State Law Journal, 79, 411.