1.2 Purpose and Value of the Research

The US Congress passed the HIPAA bill in 1996, and it was signed into law by then-President Bill Clinton the same year. Part of the HIPAA regulations is intended to promote the use of technology to increase the efficiency of healthcare while also protecting patients' privacy and rights. To improve the efficiency and effectiveness of healthcare, HIPAA included administrative simplification provisions that require HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and privacy [5]. On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of …
The disclosure of patients' health information affects them in many ways. Financially, when criminals obtain protected health information, they can use it for insurance fraud, which harms insurance companies and patients alike; from a social and psychological perspective, patients feel embarrassed and can be blackmailed when their health information is exposed. Data breaches also affect covered entities' finances and reputation. The HIPAA Enforcement Rule penalizes any HIPAA violation [12], and the hearing process that follows a HIPAA violation complaint is very expensive, since covered entities must pay for lawyers and other professionals throughout the legal process. The Breach Notification Rule mandates that covered entities notify the OCR and the patients affected by any data breach. If the breach affects more than 500 individuals, it must also be made public (notice to prominent media outlets, and HHS posts the breach on its public breach portal), which also affects the …
Despite the fact that most covered entities have security controls in place, the lack of workforce HIPAA training and awareness causes, or fails to prevent, data breaches and HIPAA violations. The purpose of this research was to study how aware covered entities' staff are of HIPAA regulations and how much training they lack, with the objective of improving HIPAA compliance.

1.3 Research Questions

Generally, the Breach Notification Rule defines a data breach as an impermissible acquisition, access, use, or disclosure under the Privacy Rule that compromises the security or privacy of patient PHI [13] in a manner prohibited by HIPAA and that poses a significant risk of financial, reputational, or other harm to the affected individual. (The "significant risk of harm" standard comes from the 2009 interim final rule; the 2013 HIPAA Omnibus Final Rule replaced it with a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.) HIPAA violations that covered entities report to the OCR are classified by cause. The objective of this study was to correlate the causes of data breaches with the HIPAA awareness and professional background of covered entities' workforces.

Causes of data breaches:
Theft and loss: any misplaced, lost, or stolen mobile device or storage medium holding unencrypted PHI
Access/Disclosure: any unauthorized access to or disclosure of protected health information, whether accidental or intentional
Hacking/IT Incident: a malicious attack with the intention of stealing data (the most popular method used today is social