Identify actions Touchstone Medical Imaging could have taken to prevent this breach


Identify actions Touchstone Medical Imaging could have taken to prevent this breach.

Identify actions Touchstone Medical Imaging should have taken to investigate the breach.

Identify the actions that Touchstone Medical Imaging took or did not take that caused HHS to award the penalty.


Answer Preview

Identify actions Touchstone Medical Imaging could have taken to prevent this breach.

To prevent the breach, Touchstone Medical Imaging should have enforced the following security measures:

  1. Safeguarding ePHI using strong encryption.
  2. Mitigation of data security risk.
  3. Education of staff and other members of the company.
  4. Other technical safeguards.

Identify actions Touchstone Medical Imaging should have taken to investigate the breach.

  1. Stop the breach.
  2. Contact the privacy officer.
  3. Promptly respond to the breach.
  4. Identify the "who, what, when, why, how, and how much".
  5. Correct the breach and impose sanctions.
  6. Determine whether the breach should be reported to HHS.

Identify the actions that Touchstone Medical Imaging took or did not take that caused HHS to award the penalty.

  1. Touchstone Medical Imaging did not act on the investigation in a timely manner.
  2. A risk analysis had not been conducted.
  3. Business associate agreements were not in place.

Step-by-step explanation

Identify actions Touchstone Medical Imaging could have taken to prevent this breach.

To prevent the breach, Touchstone Medical Imaging should have enforced the following security measures:

Safeguarding ePHI using strong encryption.

According to HIPAA, accessing electronic protected health information (e-PHI) via the internet is permissible. However, strong encryption must be in place so that the information is available only to the intended party, who holds the private key used to decrypt the contents. Strong encryption is the most effective way of preventing a data breach.

Mitigation of data security risk.

This is done by putting controls in place on every path by which the sensitive information could be accessed inappropriately. In this case, for example, data was breached because one of Touchstone Medical Imaging's servers allowed access from the internet. One such security measure is installing software that protects the computer against viruses and malware, which put the data at risk.

Education of staff and other members of the company

It is important to educate staff on the proper handling of PHI when accessing it through a mobile device. Some applications and websites accessible on a mobile device may contain malware, which leaves the data susceptible to inappropriate access.

Other technical safeguards

Other technical safeguards to prevent the breach include restricting access to PHI to identified, authorized personnel only. Additionally, set up integrity controls to prevent improper alteration or destruction of e-PHI. Lastly, enforce transmission security measures to protect e-PHI when it is transmitted over an electronic network.
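Two of the safeguards just named, access restriction and integrity controls, as an added example that is not part of the original answer and does not describe Touchstone Medical Imaging's actual systems: each stored e-PHI record carries an HMAC-SHA256 tag, and a record is released only to an identified user whose role is authorized, and only if the tag still verifies. The users, roles, records and key below are constructed sample data; transmission security (TLS on the network path) is not shown.

```python
"""
Added example: access control plus integrity control over e-PHI records,
using only Python's standard library. All names, roles, records and the
key are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# In production this key comes from a key-management system and is rotated;
# a fixed constructed value keeps the example self-contained.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Roles allowed to read e-PHI (constructed minimum-necessary policy).
AUTHORIZED_ROLES = {"radiologist", "referring_physician"}

# Constructed user directory: identity plus whether the session authenticated.
USERS = {
    "dr_lee": {"role": "radiologist", "authenticated": True},
    "billing_01": {"role": "billing", "authenticated": True},
    "anonymous": {"role": None, "authenticated": False},
}

# Every allow/deny decision is recorded so an investigation can later
# answer "who, what, when and how much" from the log.
AUDIT_LOG = []


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag that detects any later alteration."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed."""
    expected = hmac.new(key, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(expected, sealed["tag"])


def read_ephi(user_id: str, sealed: dict):
    """Release the record only to an identified, authorized user, and only if intact."""
    user = USERS.get(user_id)
    if user is None or not user["authenticated"]:
        AUDIT_LOG.append((user_id, "DENY", "unidentified user"))
        return None
    if user["role"] not in AUTHORIZED_ROLES:
        AUDIT_LOG.append((user_id, "DENY", "role not authorized for e-PHI"))
        return None
    if not verify_record(sealed):
        AUDIT_LOG.append((user_id, "DENY", "integrity check failed"))
        return None
    AUDIT_LOG.append((user_id, "ALLOW", sealed["data"]["patient_id"]))
    return sealed["data"]


def tamper(sealed: dict, field: str, value) -> dict:
    """Simulate improper alteration of stored data without re-sealing it."""
    altered = {"data": dict(sealed["data"]), "tag": sealed["tag"]}
    altered["data"][field] = value
    return altered


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"patient_id": "P-0001", "study": "chest CT", "finding": "no acute process"}


def demo() -> dict:
    """Exercise the controls and return the outcomes for inspection."""
    sealed = seal_record(SAMPLE_RECORD)
    altered = tamper(sealed, "finding", "mass in right upper lobe")
    return {
        "intact_verifies": verify_record(sealed),
        "altered_verifies": verify_record(altered),
        "authorized_read": read_ephi("dr_lee", sealed),
        "unauthorized_role_read": read_ephi("billing_01", sealed),
        "unidentified_read": read_ephi("anonymous", sealed),
        "authorized_read_of_altered": read_ephi("dr_lee", altered),
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The denial on a failed integrity check is the point of the second safeguard: an altered record is not merely flagged but withheld, and the audit entry gives the investigation a starting point.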

 

Identify actions Touchstone Medical Imaging should have taken to investigate the breach.

A timely investigation limits the amount of data accessed inappropriately. The following steps should be taken immediately once a data breach is confirmed.

First, stop the breach. Once a data breach is known, terminate the improper access to PHI and retrieve any PHI that was subject to improper disclosure. Once done, document the actions taken.

Second, contact the privacy officer. The privacy officer is an individual trained in properly investigating and responding to a potential breach.

Third, promptly respond to the breach. There are several reasons for this. First, the covered entity, in this case Touchstone Medical Imaging, has the obligation to mitigate or control any effects of the breach. Second, immediate action helps prevent further breaches, which is also one of the important factors in determining whether the breach must be reported. Third, Touchstone Medical Imaging may avoid penalties if it corrects the violation within 30 days. Lastly, the Breach Notification Rule states that notice of reportable breaches must be given "without unreasonable delay" and no later than 60 days after discovery of the breach.

Fourth, identify the "who, what, when, why, how, and how much". This refers to the persons involved, especially those who committed the alleged violation. Identify how much PHI was inappropriately accessed and the manner in which it was accessed. However, it is important to remember that a suspected breach should not be reported unless the investigation concludes that a reportable breach has truly occurred.

Fifth, correct the breach and impose sanctions. A covered entity like Touchstone Medical Imaging may avoid HIPAA and HHS penalties if it did not act with willful neglect and took proper corrective action within 30 days after discovery of the breach. HIPAA also requires the covered entity to impose sanctions against workforce members who violated HIPAA or other privacy policies and thereby caused the PHI breach.

Lastly, determine whether the breach should be reported to HHS. Determine whether the security of the PHI was truly compromised and the PHI was exposed to inappropriate access by unauthorized personnel.

Identify the actions that Touchstone Medical Imaging took or did not take that caused HHS to award the penalty.

  1. Touchstone Medical Imaging did not act on the investigation in a timely manner. As stated above, a covered entity may avoid HHS penalties if it acts within 30 days after discovery of the breach and a proper investigation is in place. Since HHS awarded the penalty, it can be concluded that the covered entity acted with willful neglect.
  2. A risk analysis had not been conducted. Risk analysis is important in order to foresee how e-PHI could be accessed inappropriately, allowing the covered entity to put controls in place on every path by which the e-PHI could be accessed.
  3. Business associate agreements were not in place. HHS requires that a covered entity obtain satisfactory assurances from its business associates, namely that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity. This must be put in writing, in the form of a contract or other agreement between the covered entity and the business associate. In this case, however, no agreement was in place, which further left the PHI susceptible to breach.