Essay Example on HIPAA: Leveraging Privacy and Security of PHI in Healthcare


The Health Insurance Portability and Accountability Act, often shortened to HIPAA, was officially enacted in 1996. Its primary aim was to strengthen the policies and restrictions that protect the privacy and security of personal health information (PHI). For instance, the Privacy Rule outlines the legal procedures for handling PHI in healthcare organizations, promoting the security of patients' records nationwide, whether they are communicated electronically, verbally or on paper. The rule further sets out information-safeguarding measures that limit the activities health professionals and clinicians may perform with health information. Notably, the rule grants patients full authority to request a copy of the health records that were used in proposing and carrying out their diagnosis. By contrast, the Security Rule specifies regulatory measures for the protection of electronic health records (EHRs). The measures put in place may be physical, technical or administrative, all of which support the integrity and confidentiality of electronic PHI (HIPAA Enforcement, 2017).


Major Types of Incidents and Breaches that Take Place Based on the Reported Cases

Many incidents and breaches involving HIPAA-covered systems have been nightmares for patients of healthcare institutions. The first authorization incident arose from the case of "HMO Revises Process to Obtain Valid Authorizations," in which an HMO was accused of having shared an individual's health information without valid consent. The investigation found that the disclosure was illegal under the guidelines of the Privacy Rule. To correct the mistake, the HMO adopted a new authorization strategy that required employees to obtain patients' consent before making such disclosures (HIPAA Enforcement, 2017).

The next incident was a case on access, where a patient accused a private practice entity of barring him from accessing his health records. Upon review by the OCR, it was noted that the denial of access was illegal. Similarly, the OCR concluded that the entity's decision to demand payment from the patient was equally criminal, and full compensation was granted, based on the specifications of the HIPAA Security Rule.

Technical and Non-Technical Controls for Mitigating Risks and Vulnerabilities

Technical controls refer to security measures that are primarily executed by computer systems to prevent breaches of the information systems that hold EHRs. The controls are usually automated to monitor how patient information is transmitted and accessed by different personnel within the healthcare organization, in order to prevent unauthorized access (Shay, 2017). Besides, the controls allow early detection of security violations, so that a response can be mounted before the effects become severe. Examples of such controls include firewalls, audit trails, encryption and access control lists (Shay, 2017).
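As an added illustration of two of the technical controls named above, an access control list and an audit trail with early detection, the following Python is example code written for this page, not taken from any cited source; the users, patient identifiers and denial threshold are constructed.

```python
"""Toy model of two HIPAA technical safeguards named in the essay: an access
control list over electronic PHI and an audit trail scanned for violations.
Everything here (users, patient IDs, threshold) is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed ACL: the patient charts each workforce member may open.
ACL = {
    "dr_lee":    {"role": "physician", "patients": {"P001", "P002"}},
    "nurse_kim": {"role": "nurse",     "patients": {"P001"}},
    "billing_1": {"role": "billing",   "patients": {"P001", "P002", "P003"}},
}

@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    patient: str
    allowed: bool

def request_chart(trail: list, user: str, patient: str, when: datetime) -> bool:
    """Enforce the ACL and record every attempt, granted or denied, so the
    audit trail is complete enough to reconstruct who touched which chart."""
    acl_entry = ACL.get(user)
    allowed = acl_entry is not None and patient in acl_entry["patients"]
    trail.append(AuditEntry(when, user, patient, allowed))
    return allowed

def find_violations(trail: list, denial_threshold: int = 3) -> list:
    """Early-detection pass: flag any user whose denied attempts reach the
    threshold, a pattern consistent with chart snooping or a misused account."""
    denials = Counter(e.user for e in trail if not e.allowed)
    return sorted(u for u, n in denials.items() if n >= denial_threshold)

def run_scenario() -> tuple:
    """Constructed sequence of chart requests followed by the detection pass."""
    trail = []
    start = datetime(2024, 1, 15, 9, 0)
    attempts = [("dr_lee", "P001"), ("nurse_kim", "P001"), ("nurse_kim", "P002"),
                ("nurse_kim", "P003"), ("nurse_kim", "P004"), ("intruder", "P001")]
    for i, (user, patient) in enumerate(attempts):
        request_chart(trail, user, patient, start + timedelta(minutes=i))
    return trail, find_violations(trail)
```

Every attempt is logged whether or not it succeeds; the detection pass only flags the user who repeatedly reaches for charts outside their assignment, while a single denied attempt stays in the trail for later review.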

In contrast, non-technical controls are security measures classified into operational and management controls. Examples are operational procedures, personnel security, security policy, and physical and environmental controls. When these controls are well integrated into an organization, risks and vulnerabilities are more likely to be mitigated promptly (Koontz, 2017).

Description of Network Architecture Within an Organization

To comply with the necessary regulations and guidelines of HIPAA, an organization must meet the specific standards defined by the HIPAA Privacy and Security Rules. These standards may be implemented as physical, administrative, or technical safeguards. Physical safeguards cover the outward, physical security of an organization. Administrative safeguards aim at upholding the managerial standards the organization must meet. Technical safeguards regulate the integrity and security of data use and transmission, to ascertain that proper authentication and access standards are met by the organization (O'Dorisio, 2008).

Ideally, an organization must have devices such as a VPN, an IDS, routers, web servers, and switches to build the network architecture. The role of the switches is to connect networks; the routers will protect the network against attacks by filtering traffic more efficiently. The VPN will enhance wired network security and provide secure access to patients' health records. The IDS will span all network systems to promote collective identification of and response to threats (O'Dorisio, 2008). Finally, web server protections such as antivirus programs and the latest update patches will be incorporated to block threats and viruses. Security personnel and an enhanced surveillance team will also protect the rooms where this network equipment is housed.

Similarity and Differences between Hospitals and other Organizations

HIPAA compliance in healthcare organizations resembles security compliance in non-medical institutions, because both aim to raise the security of stored information. However, the two categories differ in that healthcare organizations are subject to stricter HIPAA rules, and are therefore required to deliver a higher standard of security and protection for EHRs. Moreover, healthcare organizations have policies and procedures that provide for legal action upon data loss or breach of patients' records. In contrast, non-medical organizations lack strict legal policies to follow in case of an organization's data loss or threats (HIPAA Enforcement, 2017).

List of Audit Steps that an Organization Needs for Effective HIPAA Compliance

  • Selecting an officer to maintain privacy and security while the compliance plan is formed.
  • Conducting a risk assessment covering electronic devices to identify possible risks and vulnerabilities.
  • Reviewing security policies and compliance programs, and actively examining the documents that support compliance.
  • Identifying the critical associates and the terms of their agreements.
  • Training employees annually on HIPAA compliance.
  • Ascertaining that the security software used for compliance is up to date and implements all HIPAA protocols and audits (Shay, 2017).


References

HIPAA Enforcement. (2017). United States Department of Health and Human Services: New York Times.

Koontz, L. (2017). Information privacy in the evolving healthcare environment. CRC Press.

O'Dorisio, D. (2008). Securing wireless networks for HIPAA compliance. Retrieved February 28th.

Shay, D. F. (2017). The HIPAA Security Rule: Are you in compliance? Family Practice Management, 24(2), 5-9.

Cite this page

Essay Example on HIPAA: Leveraging Privacy and Security of PHI in Healthcare. (2023, Sep 11). Retrieved from
