Assignment task:
Under your leadership, Compliant Hospital weathered a difficult spring. The hospital managed to get through its many crises and is now functioning smoothly. You are excited to focus on the business of running a hospital. You decide to make a splash with your first transaction by acquiring a local cardiology practice, which you rebrand as Compliant Heart. After the purchase, Compliant Heart becomes an outpatient location of the hospital.
(note: treat Compliant Heart and Compliant Hospital as a single Covered Entity; do not worry about whether Compliant Heart is an Organized Health Care Arrangement or Affiliated Covered Entity; think of it as part of Compliant Hospital).
Following the purchase, you initiate a Risk Analysis under the Security Rule to assess the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that Compliant Heart creates, receives, maintains, and transmits.
In the course of your Risk Analysis, you learn that Compliant Heart terminated a disgruntled employee named Milton for unethical behavior a week before you bought the practice.
You discover that Milton accessed patient identities, including social security numbers, insurance coverage and beneficiary data, and addresses, and sold the information to a compounding pharmacy for $25 a piece. The pharmacy used the information to send the patients expensive pain cream products and then billed the patients' insurance companies and federal health care programs as if a physician had properly prescribed the medications. This scheme went on for about a year until Compliant Heart figured it out and immediately fired the employee. Compliant Heart did an internal investigation and learned that the employee sold 800 patient identities to the pharmacy. Compliant Heart notified the patients of the misuse of their PHI and deemed the matter closed.
Analyze the situation under Breach Notification and Enforcement Rules. In particular, address the following:
1) Did a HIPAA breach occur in this case? Conduct a full breach analysis and explain your reasoning.
2) If you conclude that a breach occurred, what were Compliant Heart's breach notification duties? Did Compliant Heart comply with those duties? Explain your reasoning.
3) What are the potential consequences for Milton based on his misconduct?
4) What are the potential consequences for Compliant Heart based on its response to the incident?
Regulations and/or laws must support the answer.