HTQ 8.1: Dan, who is currently taking a HIPAA course at Seton Hall Law School, went for his first visit to a new dentist. Dan was not given a Notice of Privacy Policies before, during or after his visit. Dan is upset and wants to report the dentist for violating HIPAA. What are Dan’s options? Can Dan sue the dentist for violating HIPAA?
HTQ 8.2: University Medical Center X and Hospital Y are separate covered entities that participate in a joint arrangement in which University Medical Center X faculty members serve as attending physicians at Hospital Y. The entities generally refer to their affiliation as “Medical Center Z.” University Medical Center X and Hospital Y operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to Hospital Y patient information systems containing ePHI.
A physician employed by University Medical Center X who developed applications for both University Medical Center X and Hospital Y attempted to deactivate a personally-owned computer server on the network containing Hospital Y patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the problem after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of Hospital Y, on the Internet.
Neither University Medical Center X nor Hospital Y made efforts prior to the event to assure that the server was secure and that it contained appropriate software protections. Moreover, neither entity had conducted an accurate and thorough risk analysis that identified all systems that access Hospital Y ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, Hospital Y failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
Applying the definition of breach in 45 CFR 164.402 explain whether this event constitutes a breach.
HTQ 8.3: Assume that the following event constitutes a breach:
Unauthorized intruders compromised a server at Clinic X. The server held information of 31,677 patients, and also a subset of written imaging and radiology reports dating back to 2010 and earlier. The personal information included names, dates of birth, social security numbers, addresses and phone numbers.
Who should be notified of the breach and how?
HTQ 8.4: Explain who can bring action under HIPAA.
CTQ 8.1: In a qui tam case, the relator initially files the suit under seal, giving the government time to decide whether to intervene, which means that the government takes over prosecution of the lawsuit. Did the government intervene in Bledsoe? If not, what was the government’s role?
CTQ 8.2: Is a relator entitled to her statutory share if the government settles the case without intervening?
CTQ 8.3: Pursuant to the Yates Memorandum, what must a corporation provide to the Department of Justice in order to be eligible for cooperation credit? What is DOJ’s position on releasing individuals from civil or criminal liability when resoling a matter with a corporation? Discuss whether DOJ encourages or discourages the civil and criminal divisions proceeding in tandem on corporate investigations.
CTQ 8.4: Did the court conclude that the Pfizer directors were at risk of personal liability? If so, for what reason would they be liable?
