Protected Health Information (PHI) in a Small Business

James Suleiman, Terry Huston
DOI: 10.4018/978-1-60960-200-0.ch008


Compliance with regulatory guidelines and mandates surrounding information security and the protection of privacy has been under close scrutiny for some time throughout the world. Smaller organizations have remained “out of the spotlight” and generally do not hire staff with the expertise to fully address issues of compliance. This case study examines a project partnership between an information-technology (IT) consultant who specializes in small business and a diminutive medical practice that sought support with compliance issues surrounding a research study it was conducting. Other small medical practices were contributing to the research; consequently, information sharing while concurrently adhering to the regulations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was a significant aspect of the project. It was also critical that numerous other security and privacy legislative requirements were met. The issue of data security is often neglected in IT instruction. This case study provides a foundation for examining aspects of information security from the perspective of the small-business IT consultant.
Chapter Preview

Organization Background

Stephanie Soule had developed a great passion toward her home state and found her undergraduate internship with several small regional businesses highly rewarding. She surprised her teachers, family, and friends when she turned down job offers from two leading U.S. technology-consulting firms. Stephanie had graduated at the top of her class with an undergraduate degree in information systems. Rather than accept a position with a large corporation, she opted to remain within her hometown of Rumford and open her own technology-consulting firm serving small businesses throughout the greater Portland, Maine region. She named her new company the Rumford Consulting Group (RCG) and established the firm as a subchapter S corporation, registering herself as the sole owner and employee. Arranging a loan from her parents, Stephanie began operating from an apartment above a garage belonging to her parents, which also functioned as her home. The initial goal she set for the RCG was to become profitable within 1 year and move into offices located within downtown Portland. Within days after graduation, Stephanie had her first client. The endometriosis-excision research group, led by the president of a New England center for endometriosis located in Scarborough, Maine, was referred to RCG by one of her former information-systems professors.

Endometriosis is a painful and chronic disease affecting 5.5 million women throughout the United States and Canada, as well as millions more worldwide. When the tissue lining the uterus (i.e., the endometrium) is found outside the uterus, symptoms of pain and infertility result. One method for treating endometriosis is excision, which removes such tissue beyond the visible lesion. The research group referred to RCG was examining the efficacy of excision surgery on recurring symptoms of endometriosis. In addition to their data-collection efforts in Maine, the researchers were also collecting related data from medical practices in Atlanta, Georgia; San Antonio, Texas; and Brisbane, Australia, with the possibility that other sites would contribute follow-up studies.

The endometriosis-excision research group is essentially an ad hoc virtual team of researchers who are also small-business owners. A variety of regulations affect their governance. Their studies are not conducted for profit; the goal is to advance understanding of the surgical technique and effects of endometriosis excision. At the time of their collaboration with RCG, the research team had collected data on preoperative symptoms, surgical techniques, postoperative results, and demographics from nearly 1,000 patients. They sought to share and aggregate the data for analysis while remaining compliant with HIPAA and other applicable regulations. HIPAA is a framework dictating the manner in which health care entities electronically maintain, transmit, and protect data to ensure confidentiality for patients. Failure to comply with the Act can result in fines and criminal penalties. Intentionally disclosing health-related information that also identifies the respective patients can result in a fine of up to $250,000 with the possibility of imprisonment for up to 10 years. In this particular case, compliance with HIPAA was also to be confirmed by the institutional review board of the hospital affiliated with the New England center for endometriosis.

Stephanie Soule felt well prepared for the task at hand. Her undergraduate degree in information systems had included course work in database management, programming, and systems analysis and design. Her introductory course in the management of information systems had detailed issues of compliance and risk management, specifically addressing the regulatory mandates of the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act of 1999, and HIPAA. However, it would be impossible for such a course to cover all of the legislative requirements that must be addressed in an international research project. Stephanie was prepared for the necessity to “dig” for additional project-specific compliance issues.
