2019-10-22 at 9:33 am #15008 admin (Keymaster)
Please read your friend’s report and provide comments on “Are there any other preventive measures to avoid the attack?”.
Case study 3: 3 Massachusetts hospitals fined nearly $1 million by OCR for HIPAA violations (https://www.healthcareitnews.com/news/3-massachusetts-hospitals-fined-nearly-1-million-ocr-hipaa-violations)
1. Provide a brief description of the story.
During October 2014 – January 2015, three Harvard-affiliated hospitals in Boston allowed a documentary production into the treatment areas of their facilities to capture life-and-death moments and the medical efforts to save lives. The production was for a six-episode medical TV series broadcast as “Save My Life: Boston Trauma.” The “reality” series aired during July to August 2015. During the production, HHS initiated a compliance review of the filming and of one of the hospitals’ compliance with the Privacy Rule. On January 12, 2015, an article published by the Boston Globe stated that the film production company was the same group as in the incident that violated HIPAA in New York in 2011. That case was about a man broadcast while severely injured and dying in an emergency room, without the family’s permission. The New York hospital was later sued by the man’s wife and fined 2.2 million dollars, alleged to have committed an “impermissible disclosure of patient’s Protected Health Information.” Consequently, HHS initiated another compliance review for the rest of the three hospitals, following the clue of the same TV production and a suspected HIPAA violation. The three hospitals were fined almost 100,000 dollars in total.
2. What is the impact of this data breach? Consequences of the data breach.
The impact of this incident is not clear; it only seems that some protected information had already been disclosed before written consent was given by the patients. According to HHS’s announcement, the fine was due to the three hospitals compromising the privacy of patients’ protected health information (PHI) by inviting film crews into the emergency care and operating rooms. Moreover, the filming was done without first obtaining authorization from the patients. Even though, before the production, 2 out of the 3 hospitals had reviewed, assessed, and implemented patient privacy measures related to filming, and had even given the film crews training on HIPAA privacy, the three hospitals were still fined almost 100,000 dollars in total.
In comparison, in the case in New York, the patients were blurred out, but after it aired, the man’s wife happened to watch the show and recognized her husband’s voice moaning in pain. She sued the hospital and the TV company, claiming that it caused her family “great emotional distress and psychological harm.” In the case in Boston, some of the patients expressed that they felt honored to have taken part in a series contributing to health education. This expression is in line with interviews given by the hospitals’ management about their intention in allowing the production in. There was no report against the hospitals by a patient or family of a HIPAA violation, only the review by HHS. The lesser degree of compromise might have led to the minor penalty for the three hospitals.
3. How did the data breach occur?
Dramatically, some scenes were of the arrival of the patient into the ER or even at the accident scene. Full images of many patients were identifiable. The story of the patient, which is unnecessary for any medical reason, was narrated. Some were unconscious; some were mentally weak. There is no doubt that the very first moment of filming for some patients was without consent, or with consent given while vulnerable. The privacy of the individual, “the full images, voices, and other identifiable information,” had already been allowed by hospital staff for the film crews to collect through the camera before the patient was asked for proper permission. It was an unconsented collection of identifiable information and PHI that took place before asking for authorization, and the authorization was only to disclose to the public in a commercial interest, not for the patient’s dignity.
4. What should be the main cause of the data breach? Provide a brief explanation of the cause of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration, human error, third-party vendor error).
The incident, according to HHS, is a HIPAA violation described as an unauthorized/impermissible disclosure of protected health information (PHI). In this case, putting in place an authorization made by the patient is not sufficient, as the film crews had committed an offense against some patients’ privacy before the proper authorizing process. Also, for the case in New York, using techniques such as blurring, pixelation, and voice alteration of patients’ identities when broadcast is not an excuse and is not valid under HIPAA, as the collection was made before/without consent. The consent must come first. However, the disclosure timeline and details are not clear.
Furthermore, according to the agreement made between the hospitals and HHS, the fine seems to be a warning. Paradoxically, the agreement between HHS and the hospitals highlighted that there is no admission of liability by the three hospitals, while at the same time there is no exception for the three hospitals from paying the penalty.
5. How could you prevent this data breach attack?
Preventing a violation of HIPAA through an unauthorized/impermissible disclosure of protected health information (PHI) is ambiguous, depending on whether it is addressed by policy or by practice. In terms of policy implementation, the government should weigh up the entertainment business interest and public concerns. Allowing media to enter the critical care treatment area, especially paramedic and emergency room settings, under the requirement of a HIPAA-compliant authorization signed by the patient or family, is impractical for this particular medical care area. It is nearly impossible, or even impossible, for a patient in a powerless, life-threatening moment to get enough information and be conscious enough to make an informed choice. Otherwise, to be more practical, as the entertainment industry contributes a large portion of the country’s economy, HHS should make a clear cut on pre-authorization regulations and emphasize a principle of authorization in the first place, before collection and disclosure. In simple words, media should be allowed to enter the treatment area, reach the patient, and collect PHI only when the patient is fully conscious, following the same practice as clinical decision making for patients in a minimally conscious state or vegetative state. The privacy rule must be a safeguard throughout every aspect of life and dignity.
2019-10-22 at 2:23 pm #15036 Chalermphon (Participant)
The placement of a high level of policy and regulation is very important in this situation.
2019-10-23 at 4:04 am #15052 tullaya.sita (Participant)
As I mentioned in my assignment, the best prevention for this type of data breach attack is to immerse a privacy culture into health care personnel and also update the organization’s policy and regulations about privacy safeguards.
2019-10-23 at 11:15 am #15053 Pyae Phyo Aung (Participant)
The organization’s policy and regulations about privacy are important, but compliance is also important. Even if there is a strong policy, without compliance (employees not following the regulations) there are risks of data breach.