Health Insurance Portability and Accountability Act (HIPAA) Violations


The protection of personal privacy and security is widely recognized as a fundamental right. In medical and health settings, the Health Insurance Portability and Accountability Act (HIPAA) is enforced to protect patients' privacy and the security of their information. However, in the "Doctor and Two Former Hospital Employees Plead Guilty to HIPAA Violations" case study, the medical practitioners failed to observe its provisions. In purpose, HIPAA acts as a tool to safeguard the privacy and security of patients' personal information, thereby preventing unauthorized access and misuse (Rezaeibagha, Khin Than, & Susilo, 2015). While HIPAA's policies and rules strive to safeguard patients' personally identifiable information, the technical controls in health information systems that enforce patients' privacy and security are equally important.

HIPAA privacy and security rules that were broken

In the case study, Dr. Jay Holland, Sarah E. Miller, and Candida Griffin violated two HIPAA requirements. First, they accessed patient information without a permitted purpose. Evidently, there was no medical purpose for viewing the patient's personal details, only curiosity ("Doctor and Two Former Hospital Employees Plead Guilty to HIPAA Violations," 2009). HIPAA permits a workforce member to use protected health information only for treatment, payment, health care operations or another purpose the Privacy Rule allows. Second, these practitioners did not obtain the patient's permission to access the information. Practitioners or researchers who access patient information for purposes outside treatment, payment and operations generally need the patient's written authorization (Melnik, 2016). Holland, Miller, and Griffin did not obtain it before viewing the information.

The penalties imposed

For violating the HIPAA provisions, Holland, Griffin, and Miller each faced up to one year of imprisonment, a fine of not more than $50,000, or both ("Doctor and Two Former Hospital Employees Plead Guilty to HIPAA Violations," 2009). They could also be removed from their official duties through suspension or termination of employment ("What are the penalties for violating HIPAA?" 2015). Although HIPAA provides for a penalty of up to $50,000 and one year of imprisonment per violation, these penalties were sufficient since there were no provable negative consequences for the patient.

The understanding of HIPAA privacy and security rules

HIPAA's rules address the access, use, sharing and disclosure of patients' health data so that the organization protects patient information while still allowing the flow of information critical to quality care, public health and the patient's recovery (Melnik, 2016). HIPAA was enacted in 1996; sections 261 through 264 of the public law directed the development of standards for the electronic exchange of health data and for the privacy of patient information (Herschman & Barry, 2013). The Privacy Rule followed in 2000 to address the use of individually identifiable health information. The rule governs when an individual's health information may be used and disclosed, when the individual's authorization is required, and the individual's rights over that information (Herschman & Barry, 2013). It also defines the covered entities and the circumstances under which such information can be used.

The rules apply to health care providers, health plans and health care clearinghouses that send and receive health information through electronic media ("HIPAA Violations & Enforcement | AMA," 2016). Health plans such as Medicaid and Medicare are therefore covered entities. All health care providers who transmit health information electronically are also covered entities, directly or indirectly (Melnik, 2016): they must adhere to HIPAA whether they transmit the information themselves or use a billing service or another party on their behalf. Violation of the act results in penalties and fines for both the covered entities and the individuals involved.

The significance of the case study for health information systems

The case demonstrates the nature and scope of HIPAA policies and rules. They cover not only access to information within an organization but also any access from outside medical facilities: Dr. Holland accessed the information from home. In this case, the ability of an information system to identify which user account or login credentials were used to access particular information, and at what time, is essential to upholding individuals' privacy and security rights. Therefore, health care information systems should have their security and privacy controls strengthened and regularly updated so that every unauthorized access to the database is logged, reviewed and addressed (Rezaeibagha, Khin Than, & Susilo, 2015). The case also reveals the diligence and transparency required to comply with HIPAA rules and policies.

Other laws the practitioners broke apart from HIPAA

One further law relevant to the case is the Privacy Act of 1974, which governs the collection, use, and disclosure of personally identifiable information held by federal agencies (Herschman & Barry, 2013). Comparable rules exist in the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000, which governs private-sector use of and access to electronic personal information, and the Personal Information Protection Act of 2003, which protects personally identifiable information; both are Canadian statutes (federal and provincial respectively), so they would bind Canadian organizations rather than apply directly to the practitioners in this case. Like HIPAA, these acts carry their own fines and terms of imprisonment.

Application of the case to the final proposal and presentation

The case of the doctor and former hospital employees highlights the importance of complying with established health information policies and rules. A researcher may investigate the ways medical practitioners adhere to or ignore HIPAA rules and policies in their day-to-day activities. Such a study can help develop a discussion and recommendations to improve doctors' compliance with medical regulations and their effectiveness in protecting patients' information. For example, a researcher can investigate the implications non-compliance may have for the patient population of a particular medical facility.


In brief, the protection of patients' personal information in the hands of medical practitioners is important. Misuse of or unauthorized access to that information may have adverse impacts, including loss of patients' trust and confidence and their victimization or stigmatization in the community. Therefore, the medical team should ensure that the information system supports compliance with the regulatory tools established to protect individuals' privacy and security.


"Doctor and Two Former Hospital Employees Plead Guilty to HIPAA Violations." (2009). FBI. Retrieved 5 November 2016, from

"HIPAA Violations & Enforcement | AMA." (2016). Retrieved 5 November 2016, from

"What are the penalties for violating HIPAA?" (2015). Retrieved 5 November 2016, from

Herschman, G. W., & Barry, J. D. (2013). Preparing Compliance Program Effectiveness Reports. Journal of Health Care Compliance, 15(6), 15-34.

Melnik, T. (2016). Beyond HIPAA: Privacy and Security Due Diligence in Health Care Transactions. Journal of Health Care Compliance, 18(1), 45-48.

Rezaeibagha, F., Khin Than, W., & Susilo, W. (2015). A systematic literature review on security and privacy of electronic health record systems: technical perspectives. Health Information Management Journal, 44(3), 23-38. doi:10.12826/18333575.2015.0001