ABSTRACT: Cybersecurity issues and their impact on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are becoming more of an enforcement focus for a variety of government agencies, including the US Department of Health and Human Services, the Federal Trade Commission, and the Department of Justice. In the case presented in this article, a nurse in a neurology practice opted to speak with a patient about human immunodeficiency virus testing procedures in a manner audible to others in the waiting room. Computer screens with patient information were visible to anyone approaching a desk, the staff had not been trained on cybersecurity issues, and malware infected the computers used in the practice. In light of these circumstances and the launch of Phase 2 of the HIPAA Audit Program by the US Department of Health and Human Services Office for Civil Rights, the neurology practice must consider the following questions. First, could the gaps in the technical, administrative, and physical requirements of HIPAA and the HITECH Act result in an adverse audit and penalties? Second, what course of action does the law mandate in response to a ransomware attack?
Address correspondence to Dr Joseph S. Kass, One Baylor Plaza M-210, Houston, TX 77030, firstname.lastname@example.org.
Relationship Disclosure: Ms Rose serves on the editorial board of BC Advantage and receives book royalties from the American Bar Association. Dr Kass serves as associate editor of ethical and medicolegal issues for Continuum and as an associate editor for Continuum Audio. Dr Kass has received personal compensation for CME and grand rounds lectures for MCE Conferences, Medical Education Speakers Network, and PrimeMed Medical Group and has received personal compensation for expert testimony in legal cases involving liability, malpractice, and personal injury.
Unlabeled Use of Products/Investigational Use Disclosure: Ms Rose and Dr Kass report no disclosures.