Sign Up
For the best experience, choose your profession & state.
You are not currently logged in. Please log in to CEUfast to enable the course progress and auto resume features.

Course Library

HIPAA: Health Insurance Portability and Accountability Act

2 Contact Hours
This peer reviewed course is applicable for the following professions:
Advanced Registered Nurse Practitioner (ARNP), Athletic Trainer (AT/AL), Certified Nursing Assistant (CNA), Certified Registered Nurse Anesthetist (CRNA), Clinical Nurse Specialist (CNS), Dietetic Technicians, Registered (DTR), Dietitian/Nutritionalist (RDN), Home Health Aid (HHA), Licensed Nursing Assistant (LNA), Licensed Practical Nurse (LPN), Licensed Vocational Nurses (LVN), Medical Assistant (MA), Midwife (MW), Nursing Student, Occupational Therapist (OT), Occupational Therapist Assistant (OTA), Osteopathic Doctor (DO), Physical Therapist (PT), Physical Therapist Assistant (PTA), Registered Nurse (RN), Respiratory Therapist (RT)
This course will be updated or discontinued on or before Thursday, April 7, 2022
FPTA Approval:CE20-491496. Accreditation of this course does not necessarily imply the FPTA supports the views of the presenter or the sponsors.
Outcomes

≥90% of participants will know how to comply with HIPAA regulations.

Objectives

Upon completion of this module, the learner will be able to complete the following objectives.

  1. Describe processes that healthcare professionals must implement to ensure patient information is kept confidential and secure.
  2. Analyze healthcare-based case scenarios and the HIPAA violations depicted in each.
  3. Apply lessons learned from case scenarios to other similar situations that healthcare professionals may encounter.
  4. Recognize measures that may (or may not) be taken against those who violate HIPAA rules.
  5. Outline the procedures for reporting suspected HIPAA violations, including how a complaint may be filed with the OCR if HIPAA rules have been compromised.
CEUFast Inc. did not endorse any product, or receive any commercial support or sponsorship for this course. The Planning Committee and Authors do not have any conflict of interest.

Last Updated:
CEUfast OwlGet one year unlimited nursing CEUs $39Sign up now
To earn of certificate of completion you have one of two options:
  1. Take test and pass with a score of at least 80%
  2. Reflect on practice impact by completing self-reflection, self-assessment and course evaluation.
    (NOTE: Some approval agencies and organizations require you to take a test and self reflection is NOT an option.)
Author:    Trudy Tappan (RN, PhD)

Introduction

This learning module provides practicing nurses and healthcare professionals with the information necessary to protect patient data as outlined by the Health Insurance Portability and Accountability Act (HIPAA). In recent years, some aspects of HIPAA Rules proved unnecessarily burdensome for covered entities and provided little benefit to patients and health plan members. Some of these rules are slated to be removed or amended by law. For example, The Office of Civil Rights (OCR) aims to make the Notice of Privacy Practices less burdensome for everyone. In addition, Health and Human Services (HHS) and its enforcing arm, the OCR, cracked down on violators. For example, in 2020, penalty amounts increased for HIPAA breaches.1

With HIPAA regulation, change occurs slowly. The process requires a review of recommendations by the Department of Health and Human Services, feedback from stakeholders, submission of new rules to committees, and an additional comment period.

Understanding potential areas of HIPAA breaches is necessary to safeguard patient privacy, one’s job, and one’s professional license. HIPAA violations can result in fines and disciplinary action, so health care professionals must be knowledgeable and compliant to avoid any wrongdoings. For example, in 2018, fines and settlements totaled $28,683,400.2

This continuing education program outlines regulations and guidelines for maintaining privacy, confidentiality, and security of health information as required by law. Case scenarios demonstrate recent HIPAA violations, and for most of these occurrences, penalties and or fines were applied. In some situations, nurses who violated HIPAA rules were suspended or fired. Lessons learned from these cases emphasize HIPAA implications for clinicians, nurse managers and executives, nursing faculty, clinical educators, and nurse researchers. Internal and external reporting mechanisms for suspected violations will be addressed, including how to file a complaint with the Office of Civil Rights (OCR).

Key Terms

Healthcare professionals must comprehend key terms because the passage of HIPAA has created new language and abbreviations which must be mastered.

HIPAA- The Health Insurance Portability and Accountability Act of 1996 or HIPAA is a federal law that gives individuals rights over health information. HIPAA is a set of rules that limits who can access health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.3

PHI is Protected Health Information (PHI) that identifies a patient or client such as past, present, or future diagnoses, conditions, outcomes, care plans, and billing statements. PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act.4

ePHI is Protected health information in electronic form. Examples include online billing systems, electronic medical records, a server with health insurance enrollments, and a case manager’s laptop with patient assessment records.

IIHI is Individually Identifiable Health Information (IIHI) that can be linked to a patient or client such as demographics, social security numbers, diagnoses, zip codes, and email addresses.

PTO- Payment, treatment, and healthcare operations (PTO) are the three areas where PHI can be disclosed. Treatment refers to providing, managing, and coordinating care. Payment includes various activities related to billing, utilization review, and coverage determination. Operations cover maintaining medical records, exchange of data for care coordination, and billing.

Business Associate- A business associate is an entity or person who has access to the Protected Health Information (PHI) or ePHI of a covered entity. This written document outlines each party’s responsibilities to protect PHI. Examples include companies that process claims for hospitals or physician practices, utilization review companies, case management companies, and quality improvement organizations.

Office of Civil Rights (OCR) is a branch of the Health and Human Services Department (HHS) that investigates HIPAA allegations and imposes fines and penalties.

Covered Entity is any business or individual that has access to Protected Health Information (PHI). Covered entities include health plans, case management companies, medical research organizations, medical record copy services, and billing companies.

Risk Analysis/Assessment is an entity’s written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its protected data. A risk management plan outlines protections and measures to countermand risks. Both the risk analysis and risk management plans are cost-effective compliance mechanisms.

Technical Safeguards are electronic security measures that covered entities use to secure ePHI. This can include following policies and procedures that protect and control access to ePHI.

Security Rules commonly refer to the Security Standards for the Protection of Electronic Protected Health Information. Security Rules are found at 45 CFR Part 160 and Part 164, Subparts A and C.

HIPAA Violations and Implications for Healthcare Professionals

Healthcare professionals are likely to encounter many situations in their careers, which can be potential or actual HIPAA violations. An analysis of eight scenarios provides a number of areas of concern where HIPAA rules are violated or could be violated. Healthcare professionals must take proper action to ensure that the privacy of patients is protected and the risk of HIPAA violations for their organization is lowered.

Scenario 1- Filming Patients without Their Informed and Written Consent

You are a staff nurse in an emergency room for a large hospital, one of three in the state, owned by a for-profit corporation. Your manager tells you that a prestigious news crew will be coming to the emergency room to film nurses providing care to patients and using the latest equipment. Your manager tells you that the crew has completed the hospital’s HIPAA training course. You ask your manager if the patients will be given the opportunity to consent to be filmed. The manager tells you that consent is not necessary because no patient names will be used.

You are aware that an ABC news documentary, Save My Life: Boston Trauma, resulted in large fines because patient permission was not obtained before filming. While the hospital administrators required that news crew members and reporters complete HIPAA training and sign confidentiality agreements, the Office of Civil Rights (OCR) said that all patients needed to give written consent and the opportunity to withdraw consent at any time.5,6

You mention the Boston case to your manager, but he dismisses it and tells you not to be a troublemaker. Further, he states that the hospital needs the positive exposure that this story will bring. What is your next step?

You will:

  1. comply with your manager’s suggestions without saying another word.
  2. make an appointment with the hospital’s HIPAA privacy office.
  3. file a complaint with the OCR.
  4. send an email to the hospital administrator, outlining the situation.

Ignoring the event, or answer A, can cause the organization more damage. If you fail to report your observations and suspicions and filming takes place without patient consent, a patient or family member could file a complaint with the OCR. If this happens, your hospital may be fined, and reputation damage might ensue.7 If you report the potential violation internally by talking to the privacy officer (answer B, you will allow your employer the opportunity to take steps to reduce or eliminate the potential HIPAA violation. Furthermore, your actions will be helping to ensure that similar incidents do not occur in the future.

Scenario 2- Insufficient Technical Controls to Prevent Unauthorized Electronic Protected Health Information (ePHI) access

You are an Occupational Therapist case manager who works for a Long-Term Care facility. While you are eating lunch in the company’s cafeteria, you overhear other employees who work in the housekeeping office, talking about how they were able to review the medical record of a neighbor through the online system. You are aware that access to protected health information (PHI) should be limited to those that “need to know” for the purposes of payment, treatment, or healthcare operations.

As an OT, you attended the company’s required HIPAA training. You are aware that a covered entity, such as a health insurance company, is subject to HIPAA security rules.8 You recall that security rules must be reasonable and appropriate.9 You remember that access controls must ensure that only authorized users have access to the minimum necessary information needed to perform job functions. You are shocked that housekeeping staff gained access to patient information. You wonder if you should confront the two housekeeping employees and try to teach then a lesson about privacy.

What will you do?

  1. Take the housekeeping staff aside and tell them they violated HIPAA rules.
  2. Report the incident to the company’s HIPAA privacy officer.
  3. Go to the manager for housekeeping and demand that the staff is disciplined.
  4. Finish your lunch and go about your own business.

Ignoring the situation is not an option since you witnessed a HIPAA violation. The problem of data exposure, or failure to protect data, puts the organization at risk for fines and penalties. The case management company is a covered entity and, by law, must enforce the minimum necessary standard.10,11 This means that employees should only have access to data that they “need to know” for their jobs. Information technology systems and security must be in place to ensure that housekeeping employees cannot access PHI or ePHI.12

The best choice is to contact the company’s HIPAA privacy officer. Discussing the matter with the two housekeepers or the manager of the housekeeping department might not result in a system-wide risk analysis, which is necessary to discover and correct other potential vulnerabilities. The risk analysis will identify the persons or classes of persons, and the types of access they need to perform their job duties. For example, case management company leaders may permit physicians, nurses, or others involved in care coordination to read the entire medical record of those they manage. They will prohibit access to those who do not need to see the records of patients/clients to perform their job duties.

All members of the healthcare team can learn from resolution agreements from companies who violated HIPAA rules. Fresenius Medical Care of North American paid $3.5 million for failure to protect patients’ PHI. Furthermore, the OCR demanded that Fresenius execute a risk analysis and risk management plan, revise policies and procedures on facility access controls, improve encryption, and educate its employees on HIPAA policies and procedures. The Fresenius matter involved unauthorized access, tampering, and theft of data when it was reasonable and appropriate to provide HIPAA protections.13

The Security Rules outlines Access Control Standards that could prevent these violations. Inimitable usernames should be created for each employee to help track access. Visibility settings for each username should limit user access to only the PHI needed for their job role. Furthermore, procedures for accessing PHI during an emergency are required. Emergency access to PHI should be reviewed with the medical staff, and clear guidelines should be set. Additional required Access Controls include automatic logoff after inactivity and encryption/decryption processes. These measures help reduce chances of unauthorized persons viewing PHI, while digitally protecting sensitive information.13

Scenario 3 - PHI Disclosure to a Reporter

You are a nurse manager for an outpatient clinic where detoxification from prescription drugs takes place. A news reporter calls the clinic and asks for an interview with you and some patients. The reporter requests to do a story for the local newspaper about the opioid crisis and the treatment of addicts.

What should you do?

  1. Decline the interview at work but offer to meet at a neutral location without patients.
  2. Decline the interview and report the request to the HIPAA privacy officer.
  3. Tell the reporter to call the Media Officer for the clinic.
  4. Gather three well-functioning patients and do the interview.

 

The best choice is to decline the interview and report the telephone call to the HIPAA Privacy Officer for the healthcare system. Telling the reporter to call the Media Officer of the Public Relations Department of the clinic is also acceptable; however, some reporters will continue to call physicians or nurses who work for the clinic, hoping to find someone who will consent to an interview. Alerting the HIPAA Privacy Officer will help ensure that the entire facility follows approved policies. Your decision is based on your knowledge of HIPAA rules plus what you have learned from HIPPA violations, such as the one below.

This HIPAA violation took place when a patient of a specialty practice contacted a local television reporter to complain about a problem he encountered with the practice. The reporter telephoned the patient’s physician to validate the patient’s claims and to ascertain details. The physician disclosed protected health information to the reporter without the patient’s consent or the facility’s permission. In fact, the privacy officer of the practice had instructed the physician to ignore the reporter or respond with “No comment.” The Office of Civil Rights’ (OCR) investigation found that the physician’s actions were reckless and irresponsible.

Further, OCR scrutiny revealed that the administrator did not discipline the physician or institute corrective actions to prevent a reoccurrence.14 The OCR imposed a $125,000 fine and demanded a corrective action plan that included two years of HIPAA compliance monitoring.15 The corrective action plan dictated that the specialty practice submit policies and procedures consistent with the HIPAA privacy rule within 60 days for HHS approval.

If you observe a physician or someone in authority at your facility violating HIPAA rules, should you report that person? Could you lose your job for reporting a well-admired physician or a popular nursing administrator? A covered entity or a business associate cannot threaten, intimidate, or retaliate against any person who files a HIPAA complaint or participates in a HIPAA investigation.15

Scenario 4- Impermissible PHI disclosure. No Business Associate Agreement (BAA), Insufficient Security Measures, No HIPAA Compliance Effects Prior to April 2014

You are a nurse executive for a nursing home and are researching billing companies for your facility. Your nursing home plans to establish a Business Associate Agreement with an outside billing company to bill for services. You review the websites of several billing companies. During the process, you discover patient information, including names, dates of birth, and social security numbers exposed on the Internet for one billing company.

What should you do?

  1. Call the billing company’s administrator and report what you found.
  2. File a report with the OCR.
  3. Obtain guidance from your company’s HIPAA Privacy Officer.
  4. Make a note not to use the billing company with the exposed data.

 

The best choices are either filing a complaint with the OCR or obtaining guidance from your HIPAA Privacy Officer. If you decide to file a complaint and want action to be taken, you must provide your name and contact information. If you submit your complaint anonymously, the OCR might not investigate it. Most complaints can be filed online using the complaint portal assistant which can be found at the following website

Those that need help filing a complaint can email the office at OCRMail@hhs.govor call 1-800-368-1019.

The OCR can impose financial penalties for HIPAA violations that occur through negligence. This is what happened when ACH, a company providing contracted physicians to hospitals and nursing homes, hired a billing company. In early 2014, hospital personnel discovered patient names, dates of birth, and social security numbers exposed on the Internet. Initially, ACH filed an OCR breach notification report testifying that 400 patients were affected. After further investigation, ACH filed a supplemental breach report avowing that an additional 8,855 patients could have been affected.16

The OCR examination revealed the following:

  1. ACH shared protected health information with a vendor without a Business Associate Agreement (BAA) as required by HIPAA.
  2. ACH lacked written HIPAA policies and procedures.
  3. ACH did not conduct a risk analysis or implement security measures required by HIPAA rules.

Scenario 5- Failure to Terminate Employee Access, No BBA

A nurse researcher was fired from her job because the university did not need her services for any more studies. After her termination, she illegally accessed the medical records of her supervisor, her coworkers, and several celebrities. She wrote and sold stories about celebrities to sleazy magazines.

What are some of the possible outcomes of her actions?

  1. Jail time
  2. Fines
  3. Loss of RN license
  4. All of the above

 

Answer: D The nurse researcher committed a federal crime and will likely lose her license, be fined, and may be sentenced to time in jail. Case precedence was set when a former cardiothoracic surgeon, Zhou, who was fired from UCLA School of Medicine for performance issues unrelated to HIPAA, accessed the medical records of his supervisors, coworkers, and celebrities such as Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks. The courts found that Zhou broke the rules in order to get back at those who terminated him. Zhou pleaded guilty. While he did not sell the information or use it improperly, he viewed the records illegally. Zhou was sentenced to 4 months in federal prison for the HIPAA violation.18 The nurse researcher went one step further than Zhou because she sold the information for personal monetary gain.

While not quite as severe, another incident illustrates what can happen when an organization does not cease access to ePHI for a person who is no longer employed. A medical center’s information technology chief failed to stop access to ePHI after a hospital employee resigned and separated from service. The failure resulted in the former employee having access to the protected health information of 557 patients. Additionally, the hospital used a Google-based patient scheduling calendar and did not have a business associate agreement with Google. The hospital paid $100 per patient in fines each time patient information was released inappropriately.18

Scenario 6- Security Management – Research

As a clinical nurse educator for a pharmaceutical company that oversees clinical drug trials in large metropolitan hospitals, you carry sensitive patient information in your briefcase and laptop. While traveling to a hospital in North Carolina, you accidentally leave your unlocked briefcase in the airport waiting room. The briefcase is recovered, but the list of patients enrolled in the study in the North Carolina hospital, and their case histories, is missing.

What do you do?

  1. Report the matter to your supervisor.
  2. Stop the trial and discharge all of the patients whose case histories are missing.
  3. Report the matter to the OCR.
  4. Use your laptop to print the case histories and say nothing.
  5. Report the case as a missing paper to the airport’s lost and found office.

 

Your first action is to report the incident to your supervisor, who will guide you and ensure you are following company policies. Actions steps will most likely include contacting the HIPAA privacy officers for both the hospital and the pharmaceutical company. The pharmaceutical company, in this case, is a business associate, and a business associate agreement should be in place.

A New York research institute paid a fine close to 4 million dollars for a breach of research data, including 13,000 participants’ full names, addresses, dates of birth, medical diagnoses, laboratory test results, prescribed medications, medical study particulars, and social security numbers. The breach occurred when an unencrypted laptop was left in full view on the backseat of an employee’s automobile and was stolen.19

Another research center, this time in Texas, suffered a similar fine and breach. Unencrypted data for 33,500 research patients were exposed when an unencrypted laptop and two flash drives were stolen.

In both cases, the following violations occurred:

  1. Absence of technical safeguards by the research institute to prevent data theft and/or accessing ePHI by unauthorized individuals.20
  2. Lack of policies and procedures governing the removal of equipment used to store ePHI.21
  3. Failure to encrypt data or use another reasonable security measures to safeguard it.22

Since nurses are often the collectors of research data and may carry laptops into patient homes or clinics for this purpose, they must make sure to safeguard the data adequately. Proper safeguarding measures could mean locking briefcases, coding patient data, perhaps using numbers or coding instead of names.

Scenario 7- Physical Therapist Reviews a Celebrity’s Record Whom She Is Not Caring For

You are a Physical Therapist at a Chicago hospital. Your employer provided HIPAA training as part of your initial orientation ten years ago, but you have not been trained since. Your curiosity gets the best of you when a high-profile individual is admitted to the hospital. You review the medical record without the “need to know,” and you relate what you saw to another employee in the break room. The other employee reports you to the Privacy Officer. You are scared that you will lose your job and that the patient might sue you if he finds out you reviewed his chart without the need to do so.

Your supervisor is likely to:

  1. Ignore the report from your colleague as she knows you had no malicious intent.
  2. Place you on probation with a monitored corrective action plan.
  3. Dock your paycheck for $250.00 for 10 paydays.
  4. Suspend you for violating hospital policy and HIPAA rules.

 

The privacy officer is likely to suspend or fire the PT who reviewed medical records inappropriately or put her on probation with a monitored corrective action plan. The corrective action plan will include additional HIPAA training and close observation. Even if the patient finds out about the violation, he cannot sue because there is no private course of action for HIPAA violations.

This scenario is similar to a situation that happened at Chicago Northwestern Memorial Hospital when at least 50 employees, including nurses, reviewed an actor’s medical records without the “need to know” his condition.23

  1. The consequences of healthcare professionals violating HIPAA are many, including any or all of the following:
  2. Being reported to your professional board and facing disciplinary actions
  3. Employment discipline
  4. Employment termination
  5. Fines and penalties

Disciplinary action by a Board of Nursing for a HIPAA violation can be stiff. For example, when Martha Smith-Lightfoot, a nurse practitioner, left employment at the University of Rochester Medical Center (URMC), she took a detailed spreadsheet of 3,000 patients with PHI to her new employer. She did this without the consent of the patients or her employer. In fact, the breach was discovered when several patients complained about being contacted by Martha’s new employer. The New York Board of Nursing imposed a one-year suspension and three years of probation for Smith-Lightfoot. In addition, the New York Attorney General fined URMC and instituted a detailed corrective action plan which included a policy review and further training.24,25

Scenario 8- Social Media Violations

You are Facebook friends with many of your coworkers. You work at a large children’s hospital where you take care of children mainly from low-income families. You notice that a coworker posted several narratives about an extremely ill child on your unit who has a disease that is preventable by vaccination. While the posts do not name the child, they are detailed, describing the child’s age, his symptoms, the rarity of the illness, his parent’s reactions, and the care given. Additionally, the posts identify the hospital, the unit, and the posting professional and her credentials. You consider the details to be Individually Identifiable Health Information (IIHI).

What is your first action?

  1. Call the posting coworker and ask her to delete the posts.
  2. Print the posts and take them to the hospital’s HIPAA Privacy Officer.
  3. De-friend the posting coworker and remove your profile from Facebook.
  4. Call your professional State Board and report the matter.
  5. Do nothing since the posting coworker did not publicize the patient’s name.

 

Your first action should be to print the posts and take them to the hospital’s HIPAA Privacy Officer. You print them because you know that they can be removed. Your action is based on protecting your organization and the patient, plus complying with HIPAA privacy rules. A similar incident happened at Texas Children’s Hospital when a nurse posted IIHI about a child who became extremely sick with the measles. The child had not been vaccinated, which is unusual in Houston. The nurse was suspended while an investigation took place. During the suspension, she removed many of the posts. Eventually, she was fired.26 The lesson learned is that healthcare professionals should never post about patients on social media. Even though the patient's name may not be mentioned, other information could link the post to the actual case.

Lessons Learned from the Scenarios

  1. Healthcare Professionals should never comment about patients or their conditions on social media. Even if the patient’s name is not used, information such as the rarity of the disease or other information could make it possible to identify the patient.
  2. Organizations must develop security systems to ensure that employees have access to protected health information on a “need to know” basis. Policies need to be written and audited to ensure access management. Healthcare professionals must be aware of these policies and follow them consistently.
  3. Companies must perform risk assessments to ensure compliance with HIPAA.
  4. Failure to perform a risk assessment can lead to a breach deemed as “willful neglect,” which carries high monetary fines.
  5. Procedures must be established, enforced, and audited for safe handling of PHI and ePHI within institutions, as well as data maintained on laptops. Healthcare professionals must follow all privacy protection procedures and report others that do not.
  6. Healthcare professionals may use laptops in their work. Laptops with ePHI must be encrypted. Professionals need to store laptops according to company policy.
  7. The OCR can impose financial penalties and institute compliance plans for HIPAA violations for healthcare professionals and for organizations.
  8. HIPAA rule violators pay fines and must comply with corrective action plans, which are reviewed and monitored by the OCR and/or the Board of Nursing.
  9. Under HIPAA, covered entities must secure a business associate agreement with all vendors that have access to patient data. A healthcare professional who works for a business associate needs to be well informed about protecting PHI and ePHI.
  10. Employee access to PHI and ePHI must be revoked after employment ends.
  11. Anyone who files an OCR complaint and wants action to be taken should provide a name and contact information.
  12. Healthcare professionals may file complaints about HIPAA rule violations with the OCR. Most complaints can be filed on the Internet using the OCR complaint portal assistant.
  13. Healthcare organizations cannot retaliate against individuals who report a HIPAA violation in the workplace.
  14. HIPAA training should occur during the onboarding process for new employees and annually for all employees to ensure compliance, although there is no regulation mandating annual education.

Summary

The primary purpose of the HIPAA law is to protect patients from unauthorized or inappropriate use and access to their health information through a number of processes and safeguards. Healthcare professionals must be educated about potential and actual violations and must be diligent in reporting any suspicions to their privacy officers or the OCR. Further, any unauthorized access or disclosure of patient data by nurses must be addressed and eliminated.

Select one of the following methods to complete this course.

Take TestPass an exam testing your knowledge of the course material.
OR
Reflect on Practice ImpactDescribe how this course will impact your practice.   (No Test)

References

  1. HIPAA Journal. New HIPAA regulations in 2019. HIPAA Journal Website. View Source. Accessed February 22, 2020.
  2. HIPAA Journal. Summary of 2018 HIPAA Fines and Settlements. 2018. HIPAA Journal Website. View Source. Published January 3, 2019. Accessed February 22, 2020.
  3. HIPAA. Public welfare: general provisions and procedures for hearings. Fed Regist. 2010. 2: Subparts A and E. Codified at 45 CFR §160.
  4. Family Educational Right and Privacy Act Regulations (FERPA). Fed Regist. 2012. 34: Subparts S and B. Codified at 34 CFR §§ 99.1 - 99.8
  5. Cotter, SP. ABC News Documentary Leads to HIPAA Violation Fines Against Boston Hospitals. Boston Herald website. View Source. Published September 21, 2018. Updated November 8, 2019. Accessed February 22, 2020.
  6. HHS. Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $999,00. HHS Website. View Source. Published September 20, 2018. Accessed February 22, 2020.
  7. HIPAA Journal. What to Do If You Discover a HIPAA Violation In The Workplace. HIPAA Journal Website. View Source. Published April 2, 2018. Accessed February 22, 2020.
  8. HHS. 4 Security Standards: Technical Safeguards. HHS Website. View Source. Published May 2005. Updated March 2007. Accessed February 22, 2020.
  9. HIPAA. Public welfare: security and privacy. Fed Regist. 2019. 2: Subpart C. Codified at 45 CFR §164.306 (b).
  10. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codified at 45 CFR §164.502 (b).
  11. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codified at 45 CFR §164.514 (d).
  12. HHS. Minimum Necessary Requirements. HHS Website.View Source. Accessed February 22, 2020.
  13. HHS. Five Breaches Add Up to Millions in Settlement Costs for Entity That Failed to Heed HIPAA’s Risk Analysis and Risk Management Rules. HHS Website. View Source. Published February 1, 2018. Accessed February 23, 2020.
  14. HHS. Allergy Practice Pays $125,000 to Settle Doctor’s Disclosure of Patient Information to a Reporter. HHS Website. View Source. Accessed February 22, 2020.
  15. HHS. HIPAA Administrative Simplification. HSS Website View Source. Accessed February 22, 2020.
  16. HHS. Florida Contractor Physicians’ Group Shares Protected Health Information with Unknown Vendor Without A Business Associate Agreement. HHS Website. View Source. Published December 4, 2018. Accessed February 22, 2020.
  17. FBI. Ex-UCLA Healthcare Employee Pleads Guilty to Four Counts of Illegally Peeking at Patient Records. FBI Website.View Source. Published January 28, 2010. Accessed February 22, 2020.
  18. HHS. Colorado Hospital Failed to Terminate Former Employee’s Access to Electronic Protected Health Information. HHS Website. View Source. Published December 29, 2018. Accessed February 22, 2020.
  19. HIPAA Journal. OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research. HIPAA Journal Website. View Source. Published March 17, 2016. Accessed February 22, 2020.
  20. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart C. Codified at 45 CFR §164.310 (c).
  21. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codified at 45 CFR §164.310 (d).
  22. HIPAA. Public welfare: Security and privacy. Fed Regist. 2019. 2: Subpart E. Codified at 45 CFR §164.312 (a)(2)(iv)
  23. HIPAA Journal. Dozens of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records. HIPAA Journal Website. View Source. Published March 8, 2019. Accessed February 22, 2020.
  24. Donovan, F. New York Suspends Nurse for HIPAA Violation Affecting 3K Patients. Intelligent Healthcare Media Website. View Source. Published June 11, 2018. Accessed February 22, 2020.
  25. Wofford, P. Jussie Smollett Case: 50 Hospital Workers Fired for Alleged HIPAA Violations. Nurse.org Website. View Source. Published March 18, 2019. Accessed February 22, 2020.
  26. HIPAA Journal. Texas Nurse Fired for Social Media HIPAA Violation. HIPAA Journal Website. View Source. Published September 13, 2018Accessed February 22, 2020.