What should the risk analysis include

Reference no: EM133265841

Case: In 2014, the Department of Health and Human Services reported on its website a $4.8 million HIPAA settlement with New York and Presbyterian Hospital (NYP) and Columbia University following the 2010 breach of thousands of patients' e-PHI. A Columbia University physician, who was an attending physician at NYP, tried to deactivate a computer server that he owned on the network that contained NYP patient e-PHI. The e-PHI became accessible to the public on Internet search engines because technical safeguards were lacking. A patient's loved one found e-PHI about the patient on the Internet and filed a complaint.

In addition to the impermissible disclosure, both entities were noncompliant in other ways: (1) no attempts had been made to assure the server was secure; (2) a thorough risk analysis had never been completed that identified all systems able to access the e-PHI of NYP patients and therefore no plan to address potential threats and hazards existed; (3) no appropriate policies and procedures existed regarding authorizing access to its databases; and (4) they did not follow their own policies on information access management (HHS 2014).
This costly mistake, both monetarily and from a reputation standpoint, highlights the negative outcomes that can happen when both technical and administrative safeguards are not followed. It also emphasizes the importance of inventorying all systems and devices that can access an organization's e-PHI to address threats and an organization's vulnerabilities. This is not an easy task given the number of personal and mobile devices that access e-PHI, but it is critical.

Question 1. A risk analysis should include an inventory of all systems and devices that can access an organization's ePHI (in this case, the breach occurred via a physician's personal computer server). How can an organization account for all systems and devices on which PHI may be accessed or otherwise present?

Question 2. What should the risk analysis include?

Question 3. Should the physician have been the one to deactivate the server? Why or why not?

Reference no: EM133265841

Questions Cloud

Sense to build software without define software process : Does it ever make sense to build software without a define software process? ?Why or why not?

Review how asthma is diagnosed and current national standard : Review how asthma is diagnosed and current national standards (guidelines). Pick one screening test and review its sensitivity, specificity, predictive value

What role does change management play with regards : What role does change management play with regards to an EHR implementation? Why is change management important? What are some key strategies for successful

CPU can access main memory-CPU accessing eripheral devices : Which of these statements about the way the CPU can access main memory, vs. the CPU accessing eripheral devices, is not true?

What should the risk analysis include : What should the risk analysis include and Should the physician have been the one to deactivate the server? Why or why not

Six basic operators of relational algebra : After listing the six basic operators of the relational algebra, express r n s using the basic operator.

How will you apply what you have learned from this research : How will you apply what you have learned from this research to your recommendations for your own facility?

Apply the joint commission''s definition of sentinel event : HEALTH 467 University of Wisconsin, Madison Apply the Joint Commission's definition of sentinel event to determine if the following are clinical snippet

Identify and analyze the legal and ethical issues implicated : Health 1051 St. John's University Identify and analyze the legal and ethical issues implicated by the patient letter below. Offer assessments of claim success

User Account

All Pages