Question


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule defines the types of protected information and the safeguards that must be in place to ensure appropriate protection of electronic protected health information. For this activity, you will identify protected health information (PHI) that will require protection and identify control types to be placed on the protected HIPAA data.

For your initial post, consider the scenario below. Tom Jones completed his yearly medical checkup, and the doctor found that he had a small growth on his kidney that will require additional testing. Using what you have learned this week, carefully evaluate the tables below with consideration of the HIPAA governance requirements.

Table 1 has common personal information about Tom that you may see on most hospital visit forms.

Table 2 has information about individuals and entities with some type of relationship with Tom. In your initial post, identify from Table 1 all the rows that are considered PHI. Evaluate the information and explain which should be encrypted at storage and which information should be left in clear text. Additionally, identify from Table 2 all the rows you believe HIPAA considers as associates of Tom. Support your statements with evidence from your sources.

Your initial post should be a minimum of 150 words.

Table 1

Tom Jones’ Diagnostics: Liver Issue (Nephropathy)

Name

Telephone Number

Electronic email address

Social Security Number

Medical Record Number

IP address of his computer

Tom’s Hobby

Tom’s Driver’s license number

Table 2

Tom’s circle and relationship

Doctor

Kidney Specialist

Pharmacist

Priest

Medical Billing Organization

Insurance company

Children

Wife

Best Friend

Soccer Coach

Solutions

Expert Solution

For table 1:

  • As can be seen in the above information, the data present in Table 1 is personal information related to the patient (i.e., Tom Jones). This information is going to remain the same for all his visits to doctors.
  • We need to take care of the data from the table that has the potential of uniquely identifying a person.
  • From the table we can see that phone number, email address, IP address, medical record number (assumed to be unique to everyone), Social Security number and driving licence number are unique to everyone.
  • Having any one of these can give away the person's details, so we should consider them for encryption.
  • However, name and hobby can be found to be similar among various people, so a breach of such information won't reveal the person's identity.

For table 2:

  • For the information in table 2, the relationships of persons are mentioned.
  • There are many entities which have many-to-many relationships, like doctor, coach, pharmacist, kidney specialist, best friend, priest, medical billing organization and insurance company. These entities have many relationships with persons or patients. For instance, a doctor has to deal with many patients, and the same goes for a priest as well.
  • So this information won't lead to a unique person, and hence we don't need to encrypt it.
  • However, children and wife are related to one single person only. So a breach of such data could easily lead to identifying the patient or person, as the relationship is one-to-one, i.e., many children can have one father and one wife can have one husband. So it is recommended to encrypt these two fields.

From the above it can be concluded that the data points which have the potential to uniquely identify an individual need to be encrypted so that whenever there is a data breach, personal identity cannot be revealed.

