HIPAA and IT Audits

[CIS 558 Week 7 Case Study 2 HIPAA and IT Audits]

[Student’s Name]

[Instructor’s Name]

[Course Code]



Health Insurance Portability and Accountability Act was provided in the year 1996 and the enforcement of its rules and regulations was done by the Office of Civil Rights. This was done in order to safeguard the information of patients both personal and related to their health. According to Agaku (2014), the main aim of HIPAA is to protect the health information of patients that has been transferred or stored electronically. An overview of the HIPAA security and privacy rule has been given in this paper and also network diagram has also been provided.

Create an overview of the HIPAA Security Rule and Privacy Rule.

The main purpose of establishing Privacy Rules under HIPAA was to provide federal protection to the health information of an individual which is in the records of their business associates. The patient is provided with a list of rights that he/she has regarding information about his/her health. The Privacy Rule is designed in a flexible manner where the information of a patient can be disclosed in emergency situations or for any other purpose that holds importance (Anderson & Agarwal, 2011).

The Security Rules clearly state that business associates and other people withholding information must use a mix of electronic technical, administrative and physical safeguards to protect health information in order to build discretion, honesty and availability of the data.

Analyze the major types of incidents and breaches that occur based on the cases reported.

Any breach in security of the information or misuse of the information will be directly reported according to the guidelines stated under HIPAA and according to those guidelines strict action will be taken against the culprit.Anderson (2011) stated that, officers of HIPAA security and HIPAA Privacy are responsible for conducting an investigation and for deciding the occurrence of a breach. If it is found that by any means the unsecured Protected Health Information has been breached then its effects on the individual and the Secretary of U.S. Department of Health and Human Services are further investigated.

The report of the incidents is based on the disclosure and unauthorized use of Protected Health Information by any individual. The other recorded incidents are based on lost or stolen devices that contain Protected Health Information or hacked devices by malicious softwares like virus, etc. Furthermore, incidents where loss of PHI or illegal use of PHI by an organization or an individual are also reported under HIPAA.

The Breach incidents are inclusive of stolen PHI, or access of PHI without authority these incidents can be physical too where a person might attempt to enter a secure area where important Protected Health Information data is stored (Bansal and Gefen, 2010). The misuse of PHI is also recorded as a breach. If the authoritative person shares the key of the account with an unauthorized person and if by any means the data is compromised then he/she is punished and held accountable for compromising the data.

Analyze the technical controls and the non-technical controls that are needed to mitigate the identified risks and vulnerabilities.

In order to eliminate and minimize vulnerabilities/risks an organization needs three types of controls which must be technical and non-technical controls. These not only minimize the risks but also identify risks beforehand and make the system strong too. According to Luxton(2012), for provision of 100% security of Protected Health Information it is necessary to use management controls, technical controls and operational controls. Assessing risks, managing risks, allotment of separate duties and provision of cost effective security controls and safeguards are the main objectives of these controls.

The objectives of the management control are to provide information about the security program, focus on these programs, manage risks by identifying them using security policies and by following plans and procedures and also following all laws and regulations that are necessary to meet the needs of the organization.

Thompson et al (2011) stated that, execution of operation controls is to be done by the staff at every level of the organization. It is inclusive of user awareness, training of employees, protection of physical environment, possibility planning, managing security breaches at the spot and computer sustenance and processes.

Security of the information system is dependent on Technical controls. These controls are set to identify the authorized user, to allot access of control, to trail audits, detect intrusion and breach of in systems, audit logging, regulate firewalls and provide protection against viruses (Agaku et al, 2014).

Analyze and describe the network architecture that is needed within an organization, including a medium-sized hospital, in order to be compliant with HIPAA regulations.

In order to be in compliant with the HIPAA rules and regulations, security rules of HIPAA must be utilized for controlling a hospital’s network architecture. Main focus should be on Infrastructure, Administration, endpoints and services of the architecture. Infrastructure includes routers, switches, wireless connections, firewalls and software for intrusion detection. Administration consists of authentication, management, encryption and monitoring. Services include design, implement and audit. Endpoints include workstations, servers, phones, badge access and surveillance (Anderson and Agarwaal, 2011).

Analyze how a hospital is similar to and different from other organizations in regards to HIPAA compliance.

In regards to HIPPAA compliance, a hospital is extremely different from other organizations in numerous ways. First of the hospital has to make the health information of an individual highly secretive.It has to protect the sensitive information of the patient at all costs.According to Thompson (2011), other organizations also have to protect the data but when compared to a hospital, hospitals have to be more protective about the information.

Organizations other than hospitals are obligated to protect the data of their workers technologically whereas hospitals are obligate to protect the data of their patients.If data is misused in organizations or breached, legal action might not be taken in many cases things like these are dismissed whereas in a hospital the breach of PHI security involves legal consequences and actions where the culprit might be punished according to the rules.However, there is one similarity between hospitals and other organizations that both use advanced technical support for the protection of data and critical information (Bansal and Gefen, 2010).

List the IT audit steps that need to be included in the organization’s overall IT audit plan to ensure compliance with HIPAA rules and regulations.

Preparation of an Audit Team: The main objective of the audit team is to assist response in a timely manner. The team must compromise of skilled individuals that are experts in the field of audit and audit control.

Auditing of HIPAA documentation of the organization: It is to ensure that the organization members are conducting a proper evaluation of HIPAA procedures and plans. Furthermore, it is also to check that the documents are being documented according to the HIPAA standards and policies.

Conduction of Risk Assessment programs: Proper risk assessments must be carried out under HIPAA Security Rule in order to identify weaknesses and loopholes.

Identification of all Business Associates: Each and every business associate must be recognized and identified in the audit plan (Luxton and Kayl, 2012).


It can be concluded that, HIPAA was developed to provide security to protected health information. It provides extra safety to a patient’s privacy and also a better control to a patient over his/her health information. However, hospitals, medical researchers and health care providers have to pay a significant amount of money for implementing HIPAA. Even after giving several exceptions to HIPAA it is still not clear that whether or not HIPAA is worth the cost. This question can only be answered with the passage of time.

Part 2: Network Architecture

HIPAA and IT Audits


Agaku, I. T., Adisa, A. O., Ayo-Yusuf, O. A., & Connolly, G. N. (2014). Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of the American Medical Informatics Association, 374-378.

Anderson, C. L., & Agarwal, R. (2011). The digitization of healthcare: boundary risks, emotion, and consumer willingness to disclose personal health information. Information Systems Research22(3), 469-490.

Bansal, G., &Gefen, D. (2010). The impact of personal dispositions on information sensitivity, privacy concern and trust in disclosing health information online. Decision support systems49(2), 138-150.

Luxton, D. D., Kayl, R. A., &Mishkind, M. C. (2012). mHealth data security: The need for HIPAA-compliant standardization. Telemedicine and e-Health18(4), 284-288.

Thompson, L. A., Black, E., Duff, W. P., Black, N. P., Saliba, H., & Dawson, K. (2011). Protected health information on social networking sites: ethical and legal considerations. Journal of medical Internet research13(1).