Online Custom «HIPAA Violations» Essay Sample

HIPAA Violations


During the passage of the HIPAA, there have been many cases of the violations of its provisions. Notably, there have been concerns that the penalties imposed on the violators, if any, are inadequate to deter others from the engaging in the similar acts. This paper will discuss two such cases of violation, in which considerably stiff penalties were imposed.

Case One

In December 2007, 25 years-old LPN nurse, Andrea Smith of Trumann, Arkansas, along with her husband were indicted in disclosing the wrongfully patients’ health information with the intention of pursuing personal gains. They were also accused of tampering (Wood, 2008). While working at Northeast Arkansas Clinic, which serves as a multispecialty clinic in Jonesboro, Arkansas, Andrea Smith is said to have accessed private medical information of one patient. She then shared the alleged information with her husband, Justin Smith. On the same day Justin called the patient informing him that some of his medical information would be used against him in an upcoming legal proceeding. As a HIPAA-covered entity, Northeast Arkansas Clinic had an existing policy, which required it to protect the rights of the patients (Wood, 2008).

  • 0 Preparing Orders
  • 0 Active Writers
  • 0% Positive Feedback
  • 0 Support Agents


Title of your paper*

Type of service

Type of assignment

Academic level



Number of pages*


Total price:

HIPAA required the organization to protect all individually identifiable health information, whether transmitted or held in any media or form by a covered entity or an associate. In consistence with the HIPAA ethical code, the facility held violators accountable with criminal and civil penalties where patient’s privacy rights were violated (Wood, 2008). Conforming to HIPAA’s stipulation, Northeast Arkansas Clinic terminated Mrs. Smith’s employment. Additionally, it was revealed that Andrea Smith faced up to a ten years imprisonment term. As an alternative, the accused one was to receive a penalty of an amount not exceeding $250,000 along with a term of supervised release of up to three years (Wood, 2008).

Hurry up! Limited time offer



Use discount code

Order now

Northeast Arkansas Clinic could have adopted several measures and strategies to ensure that such a HIPAA violation did not take place. One of these ways is to scale up the existing patient protection measures. The organization should have identified, in a precise manner, the access allowed to the employees, and restrict access to the patient health information based on the outcomes (McLaughlin, 2006). Besides, the organization should have ensured that its privacy policy was clearly visible. Further, it should have withdrawn the patient health information from the typical nurse work areas where unauthorized staff may come across it. It should have changed the physical access to the patient data as necessary, including securing file storage rooms.

Live chat

Another measure would have been to provide staff training. The organization should have ensured that the staff clearly and precisely understood the HIPAA legislation on the patient privacy rule along with the stipulated minimum required guidelines, something that can only be facilitated through a training program (Having & Davis, 2005). Along with that, the organization should have provided the nurses with all the necessary materials, which would ensure that they become more familiar with the privacy issues including the institution’s privacy notice, as well as the patients’ authorization forms. During the training, the organization should have used the real world examples. This would allow the staff to see clearly the manner in which HIPAA impacts their individual jobs. A refresher course in an attempt to ensure that the staff is informed about the updates to the legislation and the need for continued compliance (Having & Davis, 2005).

Benefit from Our Service: Save 25% Along with the first order offer - 15% discount, you save extra 10% since we provide 300 words/page instead of 275 words/page


A third approach would have been to appoint a HIPAA officer. According to HIPAA, each organization should assign an officer, who should then be given the role of developing and implementing the privacy policy (Appari, Johnson, & Anthony, 2009). The personnel should be held individually responsible for ensuring that privacy policies are implemented, and that the nurses are thoroughly and adequately trained according to any new requirement. Besides, the HIPAA officer would have handled the mandate to initiate and oversee internal investigations regarding any misuse of the customer information. This significantly contributes towards avoiding occurrence of the HIPAA violations.

Case Two

In 2010, Columbia University New York and Presbyterian Hospital (NYP) contracted a CU physician to develop applications for each facility. The physician attempted to deactivate a personally-owned computer server on the network that held NYP patient’s data. According to Bowman (2014), this data, as a result of inferior technical safeguards, became accessible on the internet, whereby it could be easily accessed through any search engines. The issue was revealed after an internet user found information regarding a deceased patient through Google. The patient had been receiving care at NYP. The information included the status of the patient, primary signs, medication, as well as the laboratory results. The social security number was also visible.

VIP services


extended REVISION 2.00 USD



Get an order
Proofread by editor 3.99 USD

Get an order prepared
by Top 30 writers 4.80 USD


Get a full
PDF plagiarism report 5.99 USD

VIP Support 9.99 USD



Reports indicated that the two organizations had not initiated efforts to ensure the security of the server, prior to the breach. Besides, it was reported that none of the two affected facilities had set up adequate risk management strategies. Moreover, they had not encrypted their laptops from which the breach was initiated. As a result, the two facilities were fined a combined total of $4.8 million. NYP was required to pay $3.3 million while Columbia University was supposed to pay $1.5 million (Bowman, 2014).

There is a set of measures that the two organizations should have implemented to prevent the breach. The first one is a proper, safeguarded record retention. According to HIPAA, it is the responsibility of an entity to maintain the patient data securely. The law requires that the patient information has to be stored on site and should be easily accessible for the purpose of disclosures, patient requests, and amendments among others. However, heightened encryption approaches should be implemented to ensure that the patient information is not accessible to unwarranted persons (McLaughlin, 2006). If the appropriate encryptions had been in place, the physician would not have accessed the data without an authorization. He would have had no other option than to seek permission, subject to conditions.

Try our

Top 30 writers


from the incredible opportunity

at a very reasonable price

The second approach would have been record-destruction. As it has been identified in the case, the information of the deceased patients was the one that leaked. This is evidence that the two institutions still maintained unwanted data, which is entirely against the HIPAA stipulations. According to Appari et al. (2009), to ensure that the HIPAA guidelines are not violated, an organization is supposed to destroy all obsolete data. To successfully achieve that, the organization should have undertaken the process by itself. An onsite employee should be designated to shred all the documents that are no longer necessary after a specified time frame.

The third measure is to contract a competent application developer (Appari, Johnson, & Anthony, 2009). If the developer was indeed a professional, he would have acknowledged his duty of care to the contracting organizations and their patients. He would have recognized that any unprofessional conduct on his side would subject the two organizations and its clients to severe consequences. Rather, his behavior shows that he was inadequately knowledgeable and skilled. If a more competent practitioner was contracted, he would have not created a situation in which the patients’ data became vulnerable (Having & Davis, 2005).

Try our

VIP support


from the incredible opportunity

at a very reasonable price


More and more HIPAA violations continue to be reported up to date. Despite the issue of the disclosure of patients’ information being very sensitive, it seems not enough actions have been done to prevent violations. Probably, lawmakers should consider adopting alternative measures to keep individuals, such as those discussed in this paper and organizations, from not taking HIPAA violations serious enough.

We provide excellent custom writing service

Our team will make your paper up to your expectations so that you will come back to buy from us again. Testimonials

Read all testimonials
Now Accepting Apple Pay!

Get 15%OFF

your first order

Get a discount

Prices from $11.99/page

Online - please click here to chat