27 Oct The two facilities are separate covered entities that participated in a joint arrangement. investigation of the breach revealed it was caused when a physician who developed applications for both of the covered entities attempted to deactivate a personally—owned computer server on the network containing electronic personal health information

LAHt’ MA I’- F. LG The two facilities are separate covered entities that participated in a joint arrangement. investigation of the breach revealed it was caused when a physician who developed applications for both of the covered entities attempted to deactivate a personally—owned computer server on the network containing electronic personal health information {ePl—H}. Because of a lack of technical safeguards. deactivation caused the ePHI to be accessible on Internet search engines. The covered entities learned about the breach after receiving a complaint from a deceased patient’s family member who found the deceased’s eP’l—lI during an iirternet search. The investigation also found that the covered entities had made no efforts prior to the breach to: I: Assure that the server was secure and contained the appropriate software protections I: Conduct a thorough risk analysis that identified all covered entity systems that access eP’l—H I: Develop an adequate risk management plan that addressed potential data security threats I: Implement appropriate policies and procedures for authorizing access to its databases I: Ensure that its own policies and procedures on information access were observed The covered entities were lined a total of $4=SUU.GGU—the largest HIPAA violation fine to dat% in which both parties agreed to a substantive correction action plan that included performing a risk analysis= developing a risk management plan._ revising policies and procedures= training staif. and providing progress reports. Discussion Question 1. This case demonstrates the importance of conducting a thorough system inventory and a comprehensive risk analysis of security risks and vulnerabilities. When all inventory is not identified and included in the risk assessment. an organization leaves itself vulnerable to security threats. such as the one that occurred here. The specific language in the corrective action plan requires the covered entity to conduct a risk assessment that must incorporate all electronic equipment. data systems: and applications controlled, administered or owned by the covered entity: its workforce members= and affiliated stalf that contains: stores. transmits or receives ePl—H and that the covered entity must develop a complete inventory of all electronic equipment. data systems, and applications that contain or store ePHI. How would a DE policy helped avoid this situatiorfJ 2. How should a DG policy be worded that includes authority= responsibility, and accountability for risk management? Application Exercise Application exercises provide the student an opportunity to increase knowledge and skill inthe topics related to the current chapter. Review the resolution agreements for l-DI’AA violations available at h :-‘-‘tt.1.vw.hhs.gov.-‘ocr-‘ rivacv hi aaf’enforcement- exam les. indenhtml and make atable outlining the key issues that required correction. ‘What patterns do you see? How does this information help establish data governance for HIPAA security?