Identify the particular HIPAA Privacy Rule violation and determine the enforcement approach that you would take if
Question:
Identify the particular HIPAA Privacy Rule violation and determine the enforcement approach that you would take if you worked as an Enforcement Officer within OCR for HHS. In particular, and for each hypothetical:
Please explain whether you would:
o only provide technical assistance to the covered entity;
o pursue a settlement ("resolution agreement") in lieu of a civil money penalty (CMP);
o pursue a CMP; and/or
o refer the case to the DOJ for criminal penalties.
Further explain the range of CMP that may be appropriate and, if applicable, the range of criminal penalty (including prison time and criminal fines) that may be appropriate.
Finally, put your "defense lawyer" hat on and identify any factors relevant to the defendant covered entity that you feel weigh in favor of a lower (versus a higher) civil and/or criminal penalty.
Hypothetical 1: Assume that a physician who specializes in emergency medicine and who is employed by a covered hospital in the emergency department (ED) in the role of Director of Emergency Medicine intentionally sells protected health information (PHI) relating to 1,789 (one thousand seven hundred and eighty-nine) hospital patients seen in the ED to a local plaintiff's lawyer. These patients are then harassed by the plaintiff's lawyer into filing lawsuits against the drivers and other people who inflicted the injuries that resulted in these patients presenting to the ED. Further assume that the covered hospital is a for-profit institution that is financially very well off and that the covered hospital has violated the HIPAA Privacy Rule many times before.