HIM 425 SNHU Health Medical Data Breach Question

The privacy and security of PHI is of paramount importance in any healthcare

organization, and as such it is mandatory to have safety measures to protect patient’s

electronic PHI as mandated by HIPAA Privacy and Security Rule. Failure to comply with the

regulations in place such as the HIPAA Privacy and Security Rule attracts penalties depending

on the severity of the breach.

Impact and Severity of Incidence

Having a computer with sensitive health information left unattended and subsequently

stolen is a big issue and a data breach because of the sensitivity of the information contained

in the computer. A breach may have occurred depending on the type of security measures put

in place by the healthcare organization or facility.A breach is an “impermissible use or

disclosure under the Privacy Rule that compromises the security or privacy of the protected

health information” (HHS.gov, 2021).

From the scenario, the stolen computer may have been accessed by an authorized

person and the information may have been used for reasons other than what is permissible

under the law which also requires seeking a patients’ consent to use or divulge their PHI. In

order to determine the severity of the incidence or if a breach has occurred, the computer

should be reported stolen and a risk assessment should be conducted to determine the nature

and extent of PHI involved, type of identifiers and likelihood of reidentification, whether the

PHI was viewed, acquired or redisclosed, and the extent to which the risk has been mitigated

(Oachs & Watters, 2020).

The impact of this breach to the organization could be financial (replacing the stolen

computer and implementing better security measures), Organizational (patients losing

trust/confidence in the organization which can affect their reputation and customer base),

litigation (being sues by patients), and sanction/penalty from relevant authorities for non-

compliance. The patient may face harassment/stigmatization because of the breach.

Phases of Handling Data Breach Incidence

Organizations have incidence response plans in place should such an incident occur.

The incidence response plans should be reviewed regularly, tested, and carefully practiced by

the response team (Andress, 2014). There are various phases involved in responding to a data

breach incidence in the following order.

Preparation phase-this involves having policies and procedures for incidence

response in place such as training for incidence handlers and reporters

(response team), documentation development and maintenance, incidence

response activities, and all required equipment (hardware and software), as

well as adequate workspace. This phase is required prior to the actual

occurrence of the incidence.

Detection and Analysis Phase- This entails accurately detecting and

assessing the actual incidence to determine the extent and severity of the

incidence via security monitoring and detection tools such as Intrusion

Detection System (IDS), passwords and authentication, Anti-Virus software,

firewall logs, alerting from a Security Information and Event Monitoring

(SIEM) tool or Managed Security Service Provider (MSSP) (Andress, 2014).

In this phase, the employee having detected that the computer is missing is

expected to report that the computer is missing so that the incidence response

team and law enforcement can get to work. The analysis aspect if this phase

has to do with determining the impact the incidence will have on the