Talk:Health Insurance Portability and Accountability Act
Administrative Simplification Rule
There is no "Information Standardization Provision" in HIPAA. It is called the "HIPAA Administrative Simplification Rule". I have reverted that part of the text back. —The preceding unsigned comment was added by Evenprimes (talk • contribs) .
Right to request correction
I changed the section on corrections to state that the patient had a right to request correction as I felt this was more accurate. The covered entity has a right to reject such requests if the material to be corrected is already considered to be complete and accurate. —The preceding unsigned comment was added by Cf1472 (talk • contribs) .
Use of patient's information
I also changed the provision implying that a patient's information can be used without consent only for treatment. In fact, there are a host of instances in which a patient's information can be used without his or her consent. —The preceding unsigned comment was added by Cf1472 (talk • contribs) .
I am acquainted with a nursing home. They have a policy of having no identifications for their patients. It seems a very dangerous policy when considering medicine distribution. It was explained to me that the policy was instituted because of this act. Does this seem reasonable?
- Where I work, we don't have ID bracelets on any of the residents. Instead, we have files with photographs of the residents so that they may be visually identified. The thing that makes my job as a CNA so insanely difficult, however, is not being able to know what to do with a patient because I'm not allowed access to his or her records. We have some people in isolation, and because of HIPAA, I can't ask anyone what precautions to take regarding what infectious disease measures I'm to take. I don't believe this was thought through very well -- I want to know whether I need to wear full iso gear to go in, you know? --Allie 09:39, 9 February 2007 (UTC)
- I'd tend to agree that HIPAA has mostly negative unintended consequences for patient care, has produced a bonanza of paperwork, and caused "HIPAA Consulting" firms to spring up, diverting money from being spent in areas that might actually, I dunno, help patients. That's my POV. I did start a section on "Consequences of HIPAA" in which I tried to include some sourced, verifiable, third-party criticisms of HIPAA (there are definitely quite a few out there). If you can find other sources describing some of the negative consequences you've mentioned, we should work them into the article. MastCell 17:15, 9 February 2007 (UTC)
Portability?
This article doesn't say much about the "portability" aspect of the Health Insurance Portability and Accountability Act. Would anyone care to expound on this [alleged] feature of HIPAA?
- If you're thinking of the process by which, after you leave employment, you can self-pay for the same health insurance for a certain period, check out Consolidated Omnibus Budget Reconciliation Act of 1985.
- Leave signatures people! Anyways, this article does need to address why the word "portability" is in there. COBRA is a separate act and existed before HIPAA came to pass. So how did this law address "portability"? And if you know, please add it to the article, thanks. Midtempo-abg (talk) 18:02, 1 December 2008 (UTC)
HIPAA portability is part of Title I of HIPAA, and is described in that section. It deals with the ability of individuals to leave one job and move to another without losing coverage for preexisting conditions. —Preceding unsigned comment added by 220.127.116.11 (talk) 18:50, 12 December 2008 (UTC)
- What if a person wants to buy individual coverage? Does HIPAA allow "portability" under similar rules and conditions for that situation? (As opposed to becoming covered under a group policy when getting a new job) I.e., if a person wants to buy an individual insurance policy, does HIPAA prohibit discrimination against people with preexisting conditions if they had continuous insurance coverage (whether group or individual) for 12 months prior to applying for the new individual policy? Captain Quirk (talk) 10:04, 27 June 2013 (UTC)
Stiff fine and random audits?
Can anyone cite anything to confirm this? "The result is that in the near future, covered entities will no longer be able to ignore the legislation and will be forced to adapt their processes accordingly or suffer stiff fines from the OCR. The OCR has recently begun doing random audits on various entities in an attempt to lessen the amount of HIPAA complaints that come into the regional OCR offices on a monthly basis." On the contrary, the new Final Ruling on Enforcement suggests that the policy of voluntary compliance and complaint-based enforcement will continue. And, does $100 count as a "stiff fine"? --Smarcus 04:32, 22 May 2006 (UTC)
External Links
So, I've noticed that there is a tendency to cite commercial websites as external links for this article. I think this can be valuable. For example, hipaadvisory.com has a lot of great information. However, there are a lot of marginal commercial sites that have little to offer. Hippa.info comes to mind. It doesn't even abbreviate the name of the act correctly. Does anyone have a problem with me getting rid of them and replacing them with links to publications or guidance directly from the CMS or HHS? --Smarcus 10:06, 26 May 2006 (UTC)
- My suggestion would be to focus on adding the material from CMS & HHS, while removing the least useful external links. For anyone interested, the guidance related to external links include WP:EL, WP:SPAM, WP:NOT, WP:RS, and WP:REF. BTW, I removed Hippa.info; I agree with you that it was questionable (at best). Thanks -- Argon233 T C @ ∉ 16:31, 26 May 2006 (UTC)
This is a double edged sword. CMS & HHS site provides direct regulation information but not the easy, cost effective way to achieve compliance. You should designate some individual who can screen the commercial links which will be beneficial to the readers. www.HIPAAdvisory.com has lot of information but they are commercial site...they offer templates, consulting services etc. Similarly www.training-hipaa.net has contingency planning templates which can save thousands of dollars and speed up the time consuming project for covered entity trying to comply with this requirement. Now the question is this is site created to help the reader or just let them find their way through CMS and HHS websites. I had added templates, timelines etc info which was removed as it was considered spam. I thought it was providing some information which was missing. You should allow website owner's useful information to be posted on site so that visitors get all useful information through your website. Bob 17:45, 21 September 2006 (UTC)
- Hi Bob. You're right that some commercial websites have excellent content, and HIPAAdvisory is a great example. But, my understanding is that Wikipedia is only supposed to contain the kind of information that you would find in an encyclopedia. So, the legislative summaries and some articles on the HIPAAdvisory site contain information that should be included and cited in this article. Information about "the easy, cost effective way to achieve compliance", however, probably does not belong on Wikipedia. I don't think this is the content that one would expect to find in an encyclopedia. But maybe you disagree? --Smarcus 03:07, 22 September 2006 (UTC)
- Agree with Smarcus. If there's important information in the external links, then ideally the information should be added to the Wikipedia article, with an appropriate citation to the link. However, there seems to be some misunderstanding about the purpose of this article. This is not a clearinghouse to advertise HIPAA compliance services. Companies who are interested in achieving HIPAA compliance have plenty of ways to find a consultant; Wikipedia is not one of them. MastCell 06:22, 22 September 2006 (UTC)
I have added a new HIPAA regulation for enforcement which is the final version. A few days ago MastCell had removed this link as spam. I am not sure why this is termed as spam as this is the actual regulation. Please provide a reasonable explanation so I can keep the guidelines in mind. Thanking you for your time. Bob 05:16, 1 December 2006 (UTC)
- I can't speak for MastCell, but I think the concern is that this link was made primarily to advertise or market consulting services on your website. While Wikipedia does have links to commercial websites, those sites should generally provide some sort of unique content. This was a link to the Federal Register, possibly the most public document that exists. I've replaced the link with one to HHS. I think this should preserve the content and address MastCell's concerns --Smarcus 12:58, 1 December 2006 (UTC)
- Smarcus I understand your point. I would like to clarify that compliancehome website is a portal dedicated to regulatory compliance and we are not selling our consulting services. I have noticed many websites which are similar to our site contribute content (which is not unique) are not removed. If we are providing quality content which meets Wikipedia content requirement, how does it matter where the content is originating? Few examples to support my statement:
http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations All the sites under external links are promoting their website WITHOUT contributing quality and unique content. I am not finger pointing at anybody but I am putting a point that individuals like me will like to contribute quality content through our website as the rule which I added was not included by anybody. My gain is that the link is coming from my site, Wikipedia's gain is that you are getting quality content. I hope my request is considered and link from my website is restored. Bob 21:24, 1 December 2006 (UTC)
- The relevant Wikipedia policy is WP:EL - adding external links to websites that you own, maintain, or have direct involvement with is strongly discouraged. If there was unique content that was relevant to the article and existed nowhere else, that would be one thing... but the text of HIPAA and related statutes are available from non-commercial sites and these should clearly be preferred (as Smarcus has done) based on the WP:EL policy. At a glance, the SAS 70 page also seems to contain quite a few inappropriate external links, and they should probably be removed or trimmed substantially as well. MastCell 21:50, 1 December 2006 (UTC)
http://www.compliancehome.com/resources/HIPAA/10093.html Workgroup for Electronic Data Interchange (WEDI) Privacy Policies & Procedures: A Resource Document 18.104.22.168 21:36, 19 March 2007 (UTC)
I believe the "http://www.cms.hhs.gov/hipaa/ Centers for Medicare and Medicaid Services - HIPAA Page" link is broken - didn't see an obvious fix on their website. Could someone repair the link? aerotheque 20:40, 13 November 2007 (UTC)
Hi, as requested I'm checking on editor opinions before posting a link. As best I can tell HIPAA.com provides documentation for download with commentary and all of it is free. While I can appreciate the argument for incorporating material directly into the article copy if it's of significance, and of limiting commercial links, this seems like a useful resource worth mentioning. Thoughts? --Picatrix (talk) 15:28, 24 January 2009 (UTC)
Can someone confirm whether or not the "Full text of the Health Insurance Portability and Accountability Act" external link is in fact the full text? Specifically, I am trying to find the information found in the section "Title I: Health Care Access, Portability, and Renewability" of this Wikipedia page in that document, and I don't see it. I am assuming it is incomplete. Where is the source of this information? Nlalic (talk) 22:54, 26 January 2009 (UTC)
- I found a complete copy of the HIPAA on legalarchiver.org, and have replaced the old link with it. Old link can be found above. New link: "Full text of the Health Insurance Portability and Accountability Act" Nlalic (talk) 22:52, 29 January 2009 (UTC)
Despite being cited in the article, no one explains what X12 means. I did a little research and found out that it is the Standard Rule Set where the Transactions are defined. So I suggest including this link: http://www.aafp.org/fpm/20011100/28what.html Thank you. —Preceding unsigned comment added by Einarabelc5 (talk • contribs) 20:35, 12 March 2009 (UTC)
Implications for clinical care and research
I've added a section on the effects of HIPAA on research and clinical care, drawn in large part from the recently published article on the topic in Annals of Internal Medicine. I think it's important that the article attempt to address the milieu and consequences of HIPAA in addition to the excellent legislative summary which has already been put together on this page. Comments/thoughts? MastCell 19:31, 17 August 2006 (UTC)
Spam
This article is prone to spam/inappropriate external links advertising "HIPAA compliance" services, etc. While in some ways I think this underscores the point that HIPAA has been a boon to these kind of "consultants" without measurably improving privacy or clinical care, they need to go. I've added the "spam-prone" template to the article so we can be vigilant. MastCell 18:33, 11 September 2006 (UTC)
HIPAA and clinical research
Is there a plan to embed the US HIPAA and the EU privacy regulation into the information on clinical trials on Wikipedia (wikilinks, article contents)? Privacy regulations have a significant impact on how to deal with data from clinical research. Pvosta 07:51, 10 October 2006 (UTC)
Adding more information on EDI transaction sets
First of all I must admit I made a mistake in posting an external link to an article that I wrote on HIPAA and EDI. At the time I didn't understand that this was not appropriate because I felt that the information in the article was vendor neutral. In reviewing the guidelines and the content, I realize that the link wasn't as vendor neutral as required by Wikipedia. In the same session, I added amplification on the use of EDI in HIPAA. Specifically I added the following text:
At present, the Healthcare industry is working through the process to define and implement sensible EDI standards for all flows of information in the industry for all participants. As you can imagine, the process is slow as there are so many interested parties and business processes in the industry to consider when defining the implementation of EDI. For a flavour of how the industry is doing, the following is a sample of the transaction sets that have been defined for implementation.
EDI Health Care Claim Transaction set (837) is used to submit health care claim billing information, encounter information, or both. It can be sent from providers of health care services to payers, either directly or via intermediary billers and claims clearinghouses. It can also be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the rendering, billing, and/or payment of health care services within a specific health care/insurance industry segment.
For example, a state mental health agency, may mandate all healthcare claims, Providers and health plans who trade professional (medical) health care claims electronically must use the 837 Health Care Claim: Professional standard to send in claims. As there are many different business applications for the Health Care claim, there can be slight derivations to cover off claims involving unique claims such as for Institutions, Professionals, Chiropractors, and Dentists etc.
EDI Health Care Claim Payment/Advice Transaction Set (835) can be used to make a payment, send an Explanation of Benefits (EOB) remittance advice, or make a payment and send an EOB remittance advice only from a health insurer to a health care provider either directly or via a financial institution.
EDI Benefit Enrolment and Maintenance Set (834) can be used by employers, unions, government agencies, associations or insurance agencies to enrol members to a payer. The payer is a healthcare organization that pays claims, administers insurance or benefit or product. Examples of payers include an insurance company, health care professional (HMO), preferred provider organization (PPO), government agency (Medicaid, Medicare etc.) or any organization that may be contracted by one of these former groups.
EDI Application Advice (824) this transaction set can be used to report the results of an application system's data content edits of transaction sets. The results of editing transaction sets can be reported at the functional group and transaction set level in either coded or free-form format. It is designed to accommodate the business need of reporting the acceptance/rejection or acceptance with change of any transaction set. The Application Advice should not be used in place of a transaction set designed as a specific response to another transaction set (e.g., purchase order acknowledgment sent in response to a purchase order.)
EDI Payroll Deducted and other group Premium Payment for Insurance Products (820) this transaction set can be used to make a premium payment for insurance products. It can be used to order a financial institution to make a payment to a payee.
EDI Health Care Eligibility/Benefit Inquiry (270) is used to inquire about the health care benefits and eligibility associated with a subscriber or dependant.
EDI Health Care Eligibility/Benefit Response (271) is used to respond to a request to inquire about the health care benefits and eligibility associated with a subscriber or dependant.
EDI Health Care Claim Status Request (276) this transaction set can be used by a provider, recipient of health care products or services or their authorized agent to request the status of a health care claim.
EDI Health Care Claim Status Notification (277) This transaction set can be used by a health care payer or authorized agent to notify a provider, recipient or authorized agent regarding the status of a health care claim or encounter, or to request additional information from the provider regarding a health care claim or encounter. This transaction set is not intended to replace the Health Care Claim Payment/Advice Transaction Set (835) and therefore, is not used for account payment posting. The notification is at a summary or service line detail level. The notification may be solicited or unsolicited.
EDI Health Care Service Review Information (278) This transaction set can be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis or treatment data for the purpose of request for review, certification, notification or reporting the outcome of a health care services review.
EDI Functional Acknowledgement Transaction Set (997) this transaction set can be used to define the control structures for a set of acknowledgments to indicate the results of the syntactical analysis of the electronically encoded documents. The encoded documents are the transaction sets, which are grouped in functional groups, used in defining transactions for business data interchange. This standard does not cover the semantic meaning of the information encoded in the transaction sets.
I believe that the information that I posted did not fall outside the guidelines of Wikipedia. The EDI documents and use of such documents is commonly understood in the EDI and HIPAA communities. The text does not provide any vendor information. It does not specify any "opinions" as it states the generally understood reason for HIPAA and EDI. If Wikipedia is to be relevant, it must provide information that is relevant and explains the information to inform the user. Again as a newbie to Wikipedia I might not understand all of the information requirements but an explanation would be helpful. Mike Cobban 23:59, 8 January 2007 (UTC)
- Before adding links to external sites, it's worth reviewing Wikipedia's policies on external links as well as advertising and spam. In general, sites with a commercial aspect to them as well as links to sites or articles you've written yourself are discouraged. MastCell 02:51, 9 January 2007 (UTC)
A simple request
I would like someone to insert the fact that there is no such thing as a 'HIPAA Certification', as this would likely immediately resolve 90% of user traffic to this page. —The preceding unsigned comment was added by 22.214.171.124 (talk) 01:50, 27 March 2007 (UTC).
Request for addition
Recently I put a short paragraph about HIPAA Validation, but it was removed as spam. Sorry if it was offtopic. I've created a separate article where I have put my knowledge about HIPAA Validation abilities and how this works. The article is available here: HIPAA Compliance Validation Services. If you consider that it worth to be placed in "See also" section or to the body of the article (I can provide corresponding paragraph for your consideration) that may be useful for the people. —The preceding unsigned comment was added by LokiThread (talk • contribs).
- I think the concern is that the material is promotional in nature rather than encyclopedic. Moving it to another article doesn't fix that concern. MastCell Talk 16:50, 11 May 2007 (UTC)
- From my point of view the article is quite helpful, I just wish the author can add more details about how the validation works and what is validated. This is very interesting for me, so I don't share your concern. This is a free encyclopedia and everybody can share his knowledge - it's up to the people to judge, not to you solely, otherwise it becomes communism not democracy. JackDm 17:30, 11 May 2007 (UTC)
Parallelism grammar question
Under 'Effects on Research', it says "While such information is important, the addition of a lengthy, legalistic section on privacy may make these already complex documents even more user-unfriendly for patients who are asked to read and sign them." Should 'more user-unfriendly' be changed to 'less user-friendly'?
Effects on small to medium practices
Virtually all written material on HIPAA centers around the effects on hospitals and research centers. Is there any interest in a section on the effects on smaller healthcare entities?
I would like to see that too since they have to be HIPAA-compliant just like every large entity dealing with HIPAA areas.
It might be worth pointing out that a lot of private practices and community programs aren't a covered entity under HIPAA at all, since they aren't doing the type of electronic transmission that makes them a covered entity. Every provider is of course bound to ethics codes that include confidentiality standards, but this has been the case for decades and has nothing to do with the newish HIPAA. I'm frequently encountering colleagues who use "HIPAA" to mean "confidentiality" (or, worse, to mean "PHI," as in, "someone needs to shred that box because it has HIPAA in it") and have to explain to them that they aren't a covered entity (a lot of times they're doing something that doesn't involve insurance at all, like providing therapies in the public schools or something). Triangular (talk) 22:10, 8 January 2012 (UTC)
HITECH HHH and FTC rules are out
The section on the HITECH act is a bit dated—it says HHH and the FTC are taking comments with a view to issuing final regulations on August 17, 2009. The FTC has issued final regulations (see http://www.ftc.gov/os/2009/08/R911002hbn.pdf), and HHH issued interim final regulations (see http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf). I don't know enough about Wikipedia style to make these changes myself, but perhaps someone who is more comfortable with Wikipedia edits could update this section?
Moving HITECH into its own page
Although a portion of the HITECH act is functionally an extension of HIPAA, it is still a subsection of the ARRA, and deals a lot with the appropriation of stimulus funds as incentives for adopting EHRs. I think HITECH fits better under ARRA than under HIPAA, but better yet in its own page.
Section 6039G
Section 6039G of HIPAA has a very curious provision. Skipping the legalese, this section requires that the IRS regularly publish in the Federal Register a list of individuals who have chosen to expatriate, something which is unrelated to the main purpose of the act.
It's an odd thing to have in a bill, but it's getting a bit more attention and there's a Wikipedia page containing notable expatriates, many of whom were uncovered under HIPAA's 6039G, and is also being reported heavily at the Isaac Brock Society Web site (a site for Americans abroad who are upset with US tax policy vis-a-vis expats).
Since the Wikipedia comments say "no more links", I would like to add a link to mention a bit of background on this subject. While it's not commonly known about inside of the US, those of us Americans living outside the US are being heavily impacted by this issue. Presumably, Eduardo Saverin was "outed" as renouncing his US citizenship due to the April 2012 Federal Register listing him, thus leading to great controversy and the drafting of the Ex-PATRIOT Act.
- It wouldn't be appropriate to just link to an external website discussing it, but it's possible that the topic is encyclopedic enough to treat directly in the article, following all appropriate policies and guidelines, especially those pertaining to reliable sources. --SarekOfVulcan (talk) 15:19, 12 July 2012 (UTC)
- Thank you for that. I'll look at pulling together a useful article. The entire provision has been rather controversial and I'll try to do it justice. Overseasexile (talk) 15:27, 12 July 2012 (UTC)
- I see from the bill that it's part of the Revenue Offsets title. Guess that explains how it got in there... --SarekOfVulcan (talk) 15:40, 12 July 2012 (UTC)
Request for Picture Deletion
The picture titled hipaa.jpg, with a nurse shredding documents labelled 'Confidential' seems to be an attempt at criticism, and is not representative of HIPAA. I think that kind of satire is best left to a public forum, not here. — Preceding unsigned comment added by Tccam (talk • contribs) 18:09, 23 May 2013 (UTC)
Request for more information
If a US citizen moves back to the US from a foreign country then attempting to get a certificate of creditable coverage from the foreign (perhaps nationalized) insurance is quite difficult, because US laws do not apply to them and because they don't know what the heck a certificate of creditable coverage is, and they may not even speak English. It would be helpful if someone who understands this would explain it in the article, because it is very hard to find clear instructions of what to tell a foreign insurer anywhere on the web. — Preceding unsigned comment added by 126.96.36.199 (talk) 13:30, 5 September 2013 (UTC)
Major DELETION and REWRITE of "Notable Violations"
Before my edit, this section was arbitrary and capricious in singling out one incident involving Shasta Regional Medical Center (SRMC) that was reported in the California media, which was *not* in fact a verified example of a HIPAA violation as written in the deleted text at the time it was written (more on this below). Instead I replaced it with objectively more significant reports -- plural -- of violations reported in impartial government sources. Wikipedia is not an advocacy forum, it is a reference work, and the singling out of SRMC executives or the parent corporation Prime Healthcare Services here violates Wikipedia's NPOV in terms of undue weight, balance, impartial tone, and bias in sources. First, the deleted text did not describe actual violations -- plural -- it only contained one case of a single alleged violation. Second, I do not like to get lawyerly and use terms like "alleged" but it is appropriate here because the text cited statements made by people quoted in 2012 newspaper articles but they are not the ones who make a determination of a HIPAA violation, that lies with the United States Department of Health and Human Services Office for Civil Rights (OCR). The SRMC incident took place in 2010 (not 2012 as referenced in the deleted text) and the text appears to have been written in 2012 based on the sources, and edited as late as Sept 2013 based on the page history. However, there was nothing verifiable that a HIPAA violation took place in the text as it was written and with the sources it cited. Nevertheless, in June of 2013, reports surfaced that a separate action by the California State Dept of Public Health resulted in fines to Prime Healthcare of $98,000, and that Prime Healthcare announced a settlement with DHHS OCR of $275,000. So one could say there *was* a HIPAA violation but not because of the deleted text's insinuations, but through public sources that were never referenced in the deleted text. 
Third, the problems with balance and weight of the SRMC incident as an illustration for HIPAA violations is more important than the above issues of veracity, tone, and timeliness of the deleted text. That is why it is not an appropriate action to update the references in the deleted text, rather better and more appropriate examples of HIPAA violations -- plural -- should occur if there is to be this kind of section in the article at all. For example, according to HHS, between April 2003 and January 2013 there were 91,000 complaints of HIPAA violations reported in which 22,000 led to enforcement actions of varying kinds (from warnings to fines) and 521 led to referrals to the US Dept of Justice (criminal actions) (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html). Note that in 2010 alone, when the SRMC case took place, there were 8,700 reports of violations (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/complaintsyear.html). In this context it is hard to argue that the lone SRMC case was notable or unique in any way that justifies its inclusion in this Wikipedia article, when by comparison, there are many instances of clearly more significant examples. Neither the numbers nor fines in the SRMC are significant. For instance, the largest loss of control over patient information was committed by Tricare Management Activity of Virginia in 2011 that affected 4.9 million people, while the second largest breach of confidential records arising from the theft of a desktop computer occurred with Advocate Health and Hospitals Corp of Illinois in 2013 that affected 4.0 million people (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). The largest civil fine imposed by HHS OCR was $4.3 million against Cignet of Maryland in 2011 (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltynotice.pdf). THOSE are significant and notable examples of HIPAA violations.
THOSE belong in the reference article. That is why I used them to replace the relatively parochial and relatively minor SRMC incident whose description and inclusion violates Wikipedia's NPOV rules in multiple ways. I added a table for the penalties imposed by HHS for violations of HIPAA, both civil and criminal. Finally, I renamed the section to the more broad heading of "Violations of HIPAA." Lapabc (talk) 21:47, 4 March 2014 (UTC)