Analysis of Ethics Related to HIPAA Privacy Rule and Anthem Case
Verified. Added on 2022/10/01
Essay
AI Summary
This essay examines the ethical considerations surrounding the HIPAA Privacy Rule, focusing on the Anthem data breach of 2015, which exposed the protected health information of 79 million individuals. The paper analyzes the case background, including the cyberattack's methods and Anthem's security failures, leading to a $16 million fine. It explores biases in the case, such as the focus on Anthem's adherence to cybersecurity guidelines despite the external nature of the attack. The essay further discusses the ethical implications for diverse populations, highlighting potential for prejudice and marginalization. It addresses the role of norming in creating biases and concludes by emphasizing the importance of HIPAA regulations in protecting patient data, while also acknowledging the limitations of current cybersecurity measures. References from HHS.gov, HIPAA Journal, and Healthcare Info Security are included.

Running Head: ETHICS RELATED TO THE HIPAA PRIVACY RULE
Ethics Related to the HIPAA Privacy Rule
Name
Institution

Ethics Related to the HIPAA Privacy Rule
The nature of the health sector is that a sufficient flow of health information is necessary
for ensuring quality health care. However, this raises a serious ethical concern regarding
individual privacy. It is for this reason that the HIPAA privacy rule was established. According
to HHS.gov (2019), the regulations set parameters as to how individual health information can be
used and disclosed by various entities in the health sector. The OCR (Office of Civil Rights) in the
Health and Human Services department is responsible for enforcing and investigating breaches
to the HIPAA privacy rules. Over the years, the OCR has investigated and settled multiple cases
involving the exposure of protected health information. One such case involved Anthem Inc., a
major health insurance firm in the USA. However, typical of such cases, various ethical biases
and legal implications exist. Thus, this paper will analyze the various elements of the case.
Case Background
In 2015, Anthem Inc. was hit by a series of cyberattacks that led to the exposure of
electronically protected health information. According to McGee (2018), this incident is
considered the biggest data breach in history, whereby 79 million individuals were affected.
Investigations indicated that cyberattackers gained access to Anthem Inc.’s IT system and
continuously extracted individual health information across two months. Details obtained
included personal information such as names, medical identification numbers, social security
numbers, addresses, emails, and employment information (McGee, 2018). The primary way that
the attackers accessed the system was by sending phishing emails to employees belonging to
Anthem Inc.’s subsidiary. One employee responded to the email, leading to the attack.
OCR’s investigation revealed that Anthem failed to safeguard private information in
many ways. First, Anthem did not carry out an enterprise-wide analysis of risk (McGee, 2018).
Also, the firm did not put in place minimum access controls that would prevent the access of
sensitive private health information by the attackers. Another failure by Anthem was the lack of
sufficient procedures for reviewing activity in its information system. It is this aspect that led to
the lack of detection of the cyberattacks, which continuously happened across two months.
Consequently, Anthem was found guilty of a data breach and was fined $16 million.
Notably, as per McGee (2018), this was the biggest fine ever issued under HIPAA regulations. Such
a settlement decision indicates how seriously OCR takes the enforcement of HIPAA
rules. For example, in this case, the biggest data breach was settled with the biggest civil
monetary penalty. Thus, this decision shows the legal liability faced by firms that are negligent
about privacy rules. Firms that show negligence in the protection of private information face the risk
of substantial financial penalties if such events occur. Therefore, responsible health entities need
to ensure that they follow HIPAA rules in enhancing health data privacy.
Biases related to this case.
The biases related to this case stem from two aspects. First is that the disclosure of
protected information was carried out by an external agent. Anthem Inc. did not intentionally
disclose protected data. Instead, the disclosure was done through a cyberattack conducted in the
firm’s IT system by malicious individuals. However, despite this fact, Anthem Inc. had to bear
full responsibility for the incident. This is without taking into consideration that these were
actions by external attackers. As McGee (2018) points out, there is little information regarding the
perpetrators. It is not known who the perpetrators were, why they accessed the private
information, or where they originated.
Secondly, OCR adopted a narrow focus in settling the case. OCR’s investigations
primarily focused on whether Anthem Inc. had adhered to the recommended guidelines on
cybercrime control. In the determination of the case, the judgment was based on only one aspect.
The aspect is that if Anthem had adhered to these controls, the firm would have prevented or
reduced the attacks. However, as Litchman (2019) concedes, cybercrime has become a
significant problem such that HIPAA rules are not sufficient in dealing with the vice. Therefore,
there is no guarantee that entities can ensure the safety of private information by simply
following HIPAA’s guidelines.
The ethical implications for diverse populations in relation to the case
The case primarily involves the disclosure of private information through a cyberattack.
Notably, such an incident carries severe ethical implications for diverse populations. The nature
of diverse communities is that they are characterized by various population subsets which also share
distinct differences (Andrews & Berger, 2012). Therefore, such an incident can be conducted to
target a specific subset of the population. Then, the disclosed health information of this
population subset can be used to spread prejudices, stereotypes, and marginalization of the
targeted group. Consequently, this will lead to polarization and hate between these groups, thus
affecting societal harmony.
Additionally, the risk of cyberattacks is rising. As Litchman (2019) points out, the increased
integration of the health sector with IT technologies increases the sector’s vulnerability to
cybercrimes. Consequently, firms will be forced to dedicate more resources to the prevention of
cybercrimes. Notably, the prevention of cybercrimes is necessary as a measure to protect
personal information. Also, it is essential for avoiding legal implications such as the hefty fines
that Anthem faced. However, this means that the cost of protecting private information will rise
due to the extra resources needed (McGee, 2018). This cost will be passed on to the population
in the form of increased premiums and bills. However, it is worth noting that in diverse
communities, there are differences with regard to class and income. Therefore, the low-income
subsets of the population will be significantly affected by the situation. This rise in cost will
impede their access to various health services. Thus, it can be stated that one ethical implication
will be the marginalization of the low-income population subsets.
The role of norming in creating bias
Norming entails the establishment of various standards and expectations related to a
particular entity or sector. In this instance, Anthem Inc. is required to meet specific HIPAA
standards regarding its cybersecurity procedures. However, the firm failed to meet these
standards. Therefore, the firm was held fully responsible for the cyberattack on its IT systems.
However, there was little attempt to find and arrest the perpetrators of the attack. Also, as earlier
noted, there is no guarantee that the standards would have prevented the attack. Thus, this creates
a significant bias with regard to the narrow focus adopted by OCR: instead of focusing
on the whole cybercrime incident, OCR investigations focused only on whether Anthem was
compliant with the set standards.
Conclusion
In conclusion, HIPAA privacy laws are aimed at protecting private health information.
Anthem Inc. was guilty of breaching HIPAA regulations following a cyberattack on its systems.
The company received a fine of $16 million, the biggest in the history of HIPAA privacy
regulations. However, a few biases can be noted in this settlement. Despite the action being
perpetrated by an external individual, only Anthem bore the full responsibility of the breach.
Additionally, the investigation adopted a narrow focus, focusing on the established procedures.
Thus, this indicates how norming can create bias. The ethical implications of this case also
extend to diverse populations. The exposure of private information can be used to polarize
diverse communities. Additionally, the added costs could affect healthcare access for low-income
groups in the community. Thus, it can be noted that various ethical concerns exist regarding
HIPAA rules.
References
Andrews, K., & Berger, A. (2012). Engaging and Working with Diverse Populations [Ebook].
U.S. Department of Health and Human Services. Retrieved from
https://www.hhs.gov/ash/oah/sites/default/files/ash/oah/oah-initiatives/paf/508-assets/definingtargetpopulation.pdf
HHS.gov. (2019). Summary of the HIPAA Privacy Rule. Retrieved 4 October 2019, from
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HIPAA Journal. (2018). Lack of Security Awareness Training Leaves Healthcare Organizations
Exposed to Cyberattacks. Retrieved 4 October 2019, from
https://www.hipaajournal.com/lack-of-security-awareness-training-healthcare-cyberattacks/
Litchman, J. (2019). The False Promise of HIPAA for Healthcare Cybersecurity. Retrieved 4
October 2019, from
https://healthitsecurity.com/news/the-false-promise-of-hipaa-for-healthcare-cybersecurity
McGee, M. (2018). Anthem Mega-Breach: Record $16 Million HIPAA Settlement. Retrieved 4
October 2019, from
https://www.healthcareinfosecurity.com/anthem-mega-breach-record-16-million-hipaa-settlement-a-11622