Data Privacy and Security in the US: HIPAA, HITECH and Beyond

Nursing Informatics

Part of the book series: Health Informatics ((HI))

Abstract

In 2018, the Office for Civil Rights (OCR) collected $28.7 million in Health Insurance Portability and Accountability Act (HIPAA) enforcement settlements and penalties, the most in any single year to date [1]. Since HIPAA enforcement began in April 2003, there have been 216,195 complaints, which resulted in 39,132 investigations; seventy percent of those (27,225) required corrective action [2].


References

  1. OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2018enforcement/index.html. Accessed October 15, 2019.

  2. US Department of Health and Human Services. Numbers at a Glance. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html#allcomplaints. Accessed October 23, 2019.

  3. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 160.103.

  4. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.502(b).

  5. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.502(a)(1).

  6. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.508.

  7. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.510.

  8. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.512.

  9. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.520.

  10. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.520(c)(3)(i).

  11. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.524(a)(1)(i).

  12. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.524(b)(2).

  13. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.526(b)(2).

  14. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.530(a)(1).

  15. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.530(2)(b)(1) & (C)(ii).

  16. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.530(d)(1).

  17. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.530(e)(1).

  18. HIPAA Privacy Law: Standards for Privacy of Individually Identifiable Health Information. U.S. Department of Health and Human Services, Office for Civil Rights. (45 CFR Parts 160 and 164) Federal Register, August 14, 2002. 45 CFR 164.530(j)(2).

  19. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.306(d).

  20. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(2).

  21. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(1).

  22. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(1)(ii)(C).

  23. Jail Terms for HIPAA Violations by Employees. HIPAA Journal, March 22, 2018. https://www.hipaajournal.com/jail-terms-for-hipaa-violations-by-employees/. Accessed October 30, 2019.

  24. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(5)(i).

  25. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(5)(ii)(A).

  26. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(7)(i).

  27. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308(7)(A-C).

  28. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.308.8(b)(1).

  29. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.310.

  30. Ouellette, Patrick. Thieves Steal Laptop with PHI from California Internist. Health IT Security, September 9, 2013. https://healthitsecurity.com/news/thieves-steal-laptop-with-phi-from-california-internist. Accessed November 5, 2019.

  31. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.312(a)(1).

  32. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.312(2)(i).

  33. HIPAA Security Law: Health Insurance Reform: Security Standards Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160, 162, and 164) Federal Register, February 20, 2003. 45 CFR 164.312(2)(iii) & (iv).

  34. HITECH: Breach Notification for Unsecured PHI: Interim Final Rule. U.S. Department of Health and Human Services. (45 CFR Parts 160 and 164) Federal Register, August 24, 2009. 45 CFR 164.404(a) & (b).

  35. HITECH: Breach Notification for Unsecured PHI: Interim Final Rule. U.S. Department of Health and Human Services. (45 CFR Parts 160 and 164) Federal Register, August 24, 2009. 45 CFR 164.406.

  36. HITECH: Breach Notification for Unsecured PHI: Interim Final Rule. U.S. Department of Health and Human Services. (45 CFR Parts 160 and 164) Federal Register, August 24, 2009. 45 CFR 164.410.

  37. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 164.522.

  38. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 164.508.

  39. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 164.514.

  40. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 160.404.

  41. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 160.408.

  42. Omnibus Final Rule. U.S. Department of Health and Human Services, Office of the Secretary. (45 CFR Parts 160 and 164) Federal Register, January 25, 2013. 45 CFR 164.308.

Author information

Correspondence to Joan M. Kiel.

Appendix: Answers to Review Questions

  1. Per the HIPAA Privacy Rule, discuss what is meant by “minimum necessary.”

     Minimum necessary pertains to only sharing the least amount of patient health information with those people who have a need to know. This is based on the role of the person, and the PHI needed for them to complete their role tasks.

  2. What is a business associate?

     This is a person or entity external to the covered entity, but in their business dealings with a covered entity, they will encounter patient health information. There must be a signed business associate agreement between the two parties.

  3. Who receives the Notice of Privacy Practices and why?

     Patients receive one upon their first visit to a provider and whenever the Notice changes. The Notice specifies the patient’s rights in regard to PHI and how their PHI is used.

  4. Name the three areas of HIPAA Security and how adherence can be achieved in this situation.

     Technical security, administrative security, and physical security.

  5. Name three items that must be done to become a HIPAA-covered entity.

     (a) Designate a person to manage HIPAA.

     (b) Develop policies and forms based on the HIPAA law.

     (c) Ensure that business associate agreements are in place.

  6. What was the effect of social media in this situation?

     Social media created a HIPAA violation, as once information is out via a social media site, it cannot be taken back and can be further spread.

Copyright information

© 2022 Springer Nature Switzerland AG

Cite this chapter

Kiel, J.M. (2022). Data Privacy and Security in the US: HIPAA, HITECH and Beyond. In: Hübner, U.H., Mustata Wilson, G., Morawski, T.S., Ball, M.J. (eds) Nursing Informatics . Health Informatics. Springer, Cham. https://doi.org/10.1007/978-3-030-91237-6_28

  • DOI: https://doi.org/10.1007/978-3-030-91237-6_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91236-9

  • Online ISBN: 978-3-030-91237-6

  • eBook Packages: Medicine (R0)