In June 2009, a 22-year-old Honolulu mother of three young children was sentenced to a year in prison for illegally accessing another woman's medical records and posting on a MySpace page that she had HIV.

The State of Hawaii brought charges against the woman under a state statute criminalizing the unauthorized access to a computer, which categorized the defendant's conduct as a class B felony.

According to accounts of the incidents that led to the woman's conviction, there was a feud between the victim and the victim's sister-in-law, a friend of the defendant. The defendant, who worked as a patient service representative at the hospital where the victim was a patient, accessed the computer on behalf of the victim's sister-in-law.

Over the course of approximately ten months, the defendant accessed the patient's medical records three times through a computer. After she learned of the victim's medical condition, the defendant posted on her MySpace page that the victim had HIV. In a second posting, she said the victim was dying of AIDS.

The victim complained to hospital officials of the unauthorized access. After an internal investigation, the hospital terminated the defendant's employment.

The defendant's conduct, of course, was egregious and inexcusable. The one-year jail term handed down by the Court exceeded the term recommended by the prosecutor. Nevertheless, beyond the issue of holding the defendant accountable for her actions, some may question to what extent the hospital should bear responsibility for the breaches of confidentiality that occurred.

Federal law imposes statutory burdens on health care providers to protect against the improper use or disclosure of private health information and to reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

Specifically, the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") became effective on April 14, 2003. HIPAA is intended to protect consumers' health information, allow consumers greater access to and control over such information, enhance health care, and finally to create a national framework for health privacy protection. HIPAA covers health plans, health care clearinghouses, and those health care providers that conduct certain financial and administrative transactions electronically.

In addition to the privacy regulations, HIPAA's security rules became effective on April 21, 2005. Together, the privacy and security regulations are the only national set of regulations that governs the use and disclosure of private, confidential and sensitive information.

Under HIPAA's Security Rule, the standards for the protection of electronic information covered by HIPAA are divided into three groups: Administrative safeguards, Physical safeguards and Technical safeguards.

Two of the most significant required safeguards under HIPAA are the Administrative "Sanction Policy" and "Security Awareness Training" safeguards.

The sanction policy standard requires a communication to all employees regarding the disciplinary action that will be taken by the covered entity for violations of HIPAA. The sanction policy should include a notice of civil or criminal penalties for misuse or misappropriation of health information and make employees aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.

The security awareness training standard requires all employees, agents, and contractors to participate in information security awareness training programs. Based on job responsibilities, the covered entity should require individuals to attend customized education programs that focus on issues regarding the use of health information and responsibilities regarding confidentiality and security.

The HIPAA privacy and security regulations require a privacy officer and a security officer to be designated by the covered entity. The privacy and security officers should continually analyze and manage risk by thoroughly assessing potential risks and vulnerabilities and implementing related security measures.

The U.S. Department of Justice ("DOJ") clarified the penalties that may be assessed for HIPAA violations and against whom. Covered entities and individuals who "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA may be fined up to $50,000 and imprisoned for up to one year.

Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

Given the security breach that led to these tragic events, including the one-year jail term for the defendant, Hawaii employers, health care providers and health plans should review their privacy and HIPAA policies and conduct an audit of their practices in order to protect against the improper use and disclosure of private health information and to reduce the risk of privacy breaches in their own organizations.