1. Running Head: Written Assignment 2/20/2016
Written Assignment #2
Andrew Blumenreich
Professor Marjorie Silverman
HEA 310 OL
19 February 2016
As the CEO of this healthcare facility it is plain to see that the organization and all of its
healthcare professionals have fallen behind the standards of care that are expected from us by our
patients. This healthcare organization faces a multitude of problems in the way we go about
protecting patient health information. The nurses and physicians who are employed by this
healthcare organization have an ethical responsibility to protect sensitive patient information and
must act more responsibly in the way that they handle themselves while on the job. This
healthcare organization needs to begin to implement information security strategies and train
employees to learn how to protect electronic health records and patient records more efficiently.
This health care organization has accrued a tremendous amount of respect and earned its
reputation as a world-renowned AIDS treatment center and that is not something we take lightly.
After this breach of data my first responsibility as CEO is to protect patients who have
HIV/AIDS because this disgusting act is an injustice to them. The public should not fear people
with HIV/AIDS because HIV/AIDS does not reproduce outside of the human body. In addition
to that, the public needs to know that they can only get HIV/AIDS from certain bodily fluids such
as blood, semen (cum), pre-seminal fluid (pre-cum), rectal fluids, vaginal fluids, and breast
milk. The public cannot get HIV/AIDS from hugging, shaking hands, sharing toilets, sharing
dishes, or closed-mouth or “social” kissing with someone who is HIV-positive (HIV, 2015).
One of the biggest problems that this healthcare organization faces is accountability. The
culture at this healthcare organization is far too relaxed and healthcare professionals are
forgetting about their Hippocratic duties and guarantee to patients to protect their rights at all
times. Instead of being leaders that less experienced healthcare professionals can look up to,
employees with merit are creating negative tendencies by carelessly giving away confidential
information such as passwords and login information. In addition to that healthcare employees
have shown poor ethical behavior, with regards to respect of persons, because there is a lack of
regard for patient confidentiality (Buchbinder, 2007).
To assure the public that this breach of security is an odd occurrence and not the norm,
it is important that employees understand the laws, guidelines and regulations that are relevant in
protecting patient security in the electronic information age. Employees must fully understand
HIPAA, which is the Health Insurance Portability and Accountability Act of 1996, including the
privacy and security rules that accompany it. The privacy rule states that there is a need for
national standards to control the flow of sensitive health information and to establish real
penalties for the misuse or improper disclosure of this information. The other important aspect of
HIPAA is the security rule, which mandates that PHI, electronically stored or transmitted, must
be kept confidential and protected against unauthorized users and threats to its security or
integrity (Choi, 2006). The poor conduct of employees at this healthcare organization and failure
to follow guidelines has directly caused violations of HIPAA. These violations have led to
invasion of patient privacy, which is an Intentional Tort (Buchbinder, 2007). This has serious
ramifications if negligence is proven. In addition to that, the HITECH Act is also very relevant
because it supports the enforcement of HIPAA requirements by increasing the penalties for
healthcare organizations that violate HIPAA privacy and security rules (Salz, 2013).
As an organization we did not meet the requirements of these critical laws and guidelines
because we failed to meet our Fiduciary duty (Buchbinder, 2007). One of the first steps that I
must take as CEO is implementing a better form of communication from upper management to
staff. From now on it will be important to notify every employee about changes to protocol that
may affect medical privacy because not every employee is aware of the rules, laws, and
standards that they are expected to follow in this facility (Salz, 2013). In addition to that this
healthcare organization must bolster its security measures by evaluating the three ways that
access can be gained to our infrastructure. Those three ways are administrative access, such as
security policies and operation management; technical access appliances, such as web filters
and firewalls; and lastly physical safeguards, such as security
guards, doors, locks, and windows (Love, 2011). This healthcare organization also failed to
prevent this security breach because employees do not have defined roles and job
responsibilities, which would help to determine a variation of access levels for employees and
make them think twice about revealing their access codes.
Thankfully there is a proven model to follow to remedy this crisis, because security
breaches unfortunately happen all the time in the healthcare industry. The numbers show that in a
single year, 96% of hospitals had a data breach and 60% of hospitals had multiple breaches (A
Case Study, 2013). One event where a security breach happened is when an employee of Holy
Cross Hospital inappropriately accessed over 10,000 patient records and looked at private
information such as patient names, dates of birth, addresses, and social security numbers.
Thankfully Holy Cross Hospital quickly realized that its public relations took a major hit and
took the necessary actions to correct its image before it was unfixable. The first thing that Holy
Cross Hospital did was mail letters to each and every one of the 9,900 patients whose
demographic information was accessed by the employee to make them aware of the situation.
Then Holy Cross Hospital conducted a very thorough investigation and found that the employee
was attempting to use the information to file fraudulent tax returns. After that Holy Cross
Hospital terminated the employee and made it known to the public that they knew what
happened was wrong and wanted to pursue further prosecution. Finally, Holy Cross Hospital
offered every patient affected by this crisis free credit monitoring services for a year, to attempt
to alleviate any ongoing concerns (Holy Cross, 2013). The actions taken by Holy Cross Hospital
show that it took this security breach very seriously and acted hastily and impulsively to build
rapport with the public and the people most affected by this terrible situation.
With an adjustment of behavior and a future balance of efficiency and availability of
patient information and the protection of that same information this healthcare organization is on
the right track to preventing future security breaches (Choi, 2006). Through proper training each
employee will know the values of this healthcare organization and its mission to serve patients to
the best of our ability in every way possible. In the future, if we ever have any problems with
compliance to HIPAA or other regulations, this healthcare facility will be able to quickly identify
the setback and implement a solution. This healthcare organization will always stay on top of
technology and prevent further attacks by constantly reviewing and assessing our risks and
vulnerabilities to confidentiality. As CEO, I believe these actions will give employees the
abilities and knowledge that they need to correct course. This healthcare organization is
considered a prestigious place around the world based on the care to patients that we deliver and
this is the first step in the process of building the healthcare facility's integrity back up to the
level that it deserves.
Works Cited
Buchbinder, S. B., & Shanks, N. H. (2007). Introduction to health care management. Sudbury,
MA: Jones and Bartlett.
Choi, Y. B., Capitan, K. E., Krause, J. S., & Streeper, M. M. (2006). Challenges associated with
privacy in health care industry: Implementation of HIPAA and the security rules. Journal
of Medical Systems, 30(1), 57-64.
doi:http://dx.doi.org.ezproxy.library.berkeley.org/10.1007/s10916-006-7405-0
Love, V. D. (2011). IT security strategy: Is your health care organization doing everything it can
to protect patient information? Journal of Health Care Compliance, 13(6), 21-28,64.
Retrieved from
http://search.proquest.com.ezproxy.library.berkeley.org/docview/912017991?accountid=38129
Salz, T. (2013). HIPAA: Training critical to protect patients, practice. Medical
Economics, 90(18), 43-44,47. Retrieved from
http://search.proquest.com.ezproxy.library.berkeley.org/docview/1443260994?accountid=38129
A case study: How one Seattle hospital is ready to respond to data breaches. (2013). Briefings on
HIPAA, 13(1), 4-6. Retrieved from
http://search.proquest.com.ezproxy.library.berkeley.org/docview/1242448963?accountid=38129
HIV Transmission. (2015). Retrieved February 02, 2016, from
http://www.cdc.gov/hiv/basics/transmission.html
Holy Cross Hospital Informs Former Patients regarding Data Breach. (2013, September 30).
Retrieved February 20, 2016, from
https://www.amsspher.com/holy-cross-hospital-informs-former-patients-data-breach/