HIM 425 SNHU Health Medical Data Breach Question
The privacy and security of protected health information (PHI) is of paramount importance in any
healthcare organization, and as such it is mandatory to have safeguards in place to protect patients'
electronic PHI, as mandated by the HIPAA Privacy and Security Rules. Failure to comply with
regulations such as the HIPAA Privacy and Security Rules attracts penalties that scale with the
severity of the breach.
Impact and Severity of the Incident
A computer holding sensitive health information that is left unattended and subsequently
stolen is a serious security incident, and potentially a data breach, because of the sensitivity of the
information it contains. Whether a reportable breach has actually occurred depends on the security
measures the healthcare organization or facility had in place; for example, if the device was encrypted
in a manner consistent with HHS guidance, the PHI on it is considered secured and unusable to the
thief. A breach is an "impermissible use or disclosure under the Privacy Rule that compromises the
security or privacy of the protected health information" (HHS.gov, 2021).
In the scenario, the stolen computer may have been accessed by an unauthorized
person, and the information may have been used for purposes other than those permitted
under the law, which also requires a patient's authorization before their PHI is used or disclosed. In
order to determine the severity of the incident and whether a breach has occurred, the computer
should be reported stolen and a risk assessment conducted to determine the nature
and extent of the PHI involved (the types of identifiers and the likelihood of re-identification), the
unauthorized person who used the PHI or to whom it was disclosed, whether the
PHI was actually viewed, acquired or redisclosed, and the extent to which the risk has been mitigated
(Oachs & Watters, 2020).
The impact of this breach on the organization could be financial (replacing the stolen
computer and implementing better security measures), organizational (patients losing
trust and confidence in the organization, which can damage its reputation and patient base),
legal (being sued by patients), and sanctions or penalties from the relevant authorities for
non-compliance. The affected patients may face harassment or stigmatization because of the breach.
Phases of Handling a Data Breach Incident
Organizations have incident response plans in place should such an incident occur.
The incident response plan should be reviewed regularly, tested, and carefully practiced by
the response team (Andress, 2014). Responding to a data breach involves the following phases,
in this order.
Preparation phase - this involves having policies and procedures for incident
response in place, including training for incident handlers and reporters
(the response team), development and maintenance of documentation, defined incident
response activities, all required equipment (hardware and software), and
adequate workspace. This phase must be completed before an incident
actually occurs.
Detection and Analysis phase - this entails accurately detecting and
assessing the incident to determine its extent and severity
using security monitoring and detection sources such as an Intrusion
Detection System (IDS), authentication logs, anti-virus software,
firewall logs, and alerting from a Security Information and Event Management
(SIEM) tool or a Managed Security Service Provider (MSSP) (Andress, 2014).
In this phase, the employee who discovers that the computer is missing is
expected to report it promptly so that the incident response
team and law enforcement can get to work. The analysis aspect of this phase
has to do with determining the impact the incident will have on the