Breach Activity; Assessing Privacy

 

Develop privacy strategies for health information.

Part I (of 2)

You are the Privacy Officer at Quality Hospital. It is a 500-bed hospital in a large city. It provides various services: acute care with an ICU, CCU, NICU, pediatrics, obstetrics, and psychiatric care, and it is a Level I trauma center. Quality Hospital provides various outpatient services as well: cardiac cath lab, specialty clinics, and rehabilitation. It is a complex organization.

Review the following scenarios that occurred at your hospital and determine whether the scenario is a reportable breach:

Scenario 1: On April 1, Mary Nurse, RN, reports for duty on Unit 3B. Michael Patient is assigned to her. The EHR automatically gives staff access to patients on the unit to which they are assigned for the shift. Michael Patient was transferred from Unit 3A to Unit 3B on March 31. Mary logs into the EHR and is unable to access Michael Patient’s record. The EHR has an override if this issue occurs, and she goes through a series of steps to gain access to his record. Since Mary is not familiar with Mr. Patient’s history, she begins to review the medical record. After reviewing quite a bit of the record, she notices that it says Michael is aged 25. Mary suddenly realizes that this is not her patient. Her Michael Patient is 80 years old.

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need.

Scenario 2: Even though Quality Hospital has an EHR, many old paper records still exist, and the hospital is required by law to continue to retain them. Since the hospital was unable to maintain all of the records onsite, it hired Acme Storage to store its records offsite. All paper records have been stored by Acme since 3/1/2015. Quality Hospital somehow stopped paying the storage fees to Acme in 2019. On 1/3/2021 Acme started to throw out the records in a big dumpster. A new HIM Director was hired 12/7/2021. The HIM Department received a medical record request on 2/18/2022. The ROI clerk could not locate the information and asked the HIM Director where he could locate paper medical records dating back to 2013. It took a few days for the HIM Director to track down the records. On 2/23/2022 the HIM Director discovers that Acme has thrown out the records. On 2/24/2022 the HIM Director notifies you, the Privacy Officer.

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need.

Scenario 3: On 3/1/21 Dr. Jones is preparing for his telemed appointment with John Harrison. He pulls up the most recent lab work and then calls Mr. John Harrison. He begins discussing with Mr. Harrison that he is a little concerned with the results, as his A1C is rather high. Mr. Harrison cannot understand this. He had bloodwork done three months ago and it was within normal limits. Dr. Jones pulls up the graph of the A1C results over time and sees that the bloodwork from three months ago was also elevated. He then realizes that he is looking at Joan Harrison’s bloodwork. He apologizes to Mr. Harrison for the error and then continues their appointment.

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need.

Part 2: As Privacy Officer, you are charged with reporting breaches to OCR. Visit their website at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true and download the Sample Form (PDF on the right side of the page). In the past you have realized that you do not always have all the key information for reporting breaches in one location. You have decided to develop a form that you can complete to make it easier to report breaches. Using good form design techniques and the information in the PDF, create a form for this purpose. After you complete designing your form, select the scenario(s) you have identified as breach(es) in Part 1 of this assignment and begin to enter the information. You will probably not have all the information that is required, such as addresses, phone numbers, etc. If the information is not available, leave it blank. However, you should be able to complete some key fields, such as whether a Business Associate was involved, how many individuals were impacted, the breach start date, discovery date, type of breach, location, etc.

Sample Solution

Part I: Reviewing Hospital Privacy Scenarios

Scenario 1: Accidental Access of Incorrect Patient Record

  • Breach: Mary Nurse accessed the electronic health record (EHR) of Michael Patient (age 25) when she was assigned to care for a different Michael Patient (age 80). HIPAA requires covered entities to implement reasonable safeguards to protect patient information [45 CFR § 164.530(e)(1)]. Accessing a record that doesn’t correspond to the assigned patient indicates a potential failure of these safeguards.
  • Reportable Breach: Uncertain. The HIPAA Breach Rule requires reporting unauthorized access of unsecured PHI if it poses a significant risk of harm to the individual [45 CFR § 164.531(a)(1)(i) & (ii)].

In this scenario, we don’t know:

  • Content Accessed: Did Mary access sensitive information like HIV status or mental health diagnoses? More sensitive data accessed increases the risk of harm.
  • Use or Disclosure: Did Mary use or disclose the information about the 25-year-old Michael Patient? These actions would definitively be a breach.

Additional Information Needed:

  • Details of information Mary Nurse accessed in the record.
  • Did Mary use or disclose any information about the 25-year-old Michael Patient?

Scenario 2: Improper Disposal of Paper Medical Records by Third-Party Vendor

  • Breach: HIPAA requires covered entities to have Business Associate Agreements (BAAs) with any third-party vendors who access PHI [45 CFR § 164.502(e)(1)]. These agreements ensure the vendor protects PHI according to HIPAA regulations. Failing to properly dispose of PHI is a violation of the BAA.
  • Reportable Breach: Improper disposal of PHI that could be accessed by unauthorized individuals is a reportable breach under HIPAA [45 CFR § 164.531(a)(1)(ii)(A)].
  • Impacted Individuals: Unknown at this time. The scenario doesn’t specify how many patients’ records were improperly disposed of.

Scenario 3: Telehealth Disclosure of Incorrect Patient Information

  • Breach: Dr. Jones disclosed protected health information (PHI) about Joan Harrison to John Harrison [45 CFR § 164.502(a)(1)].
  • Reportable Breach: Uncertain. Similar to Scenario 1, the determination depends on the risk of harm.

Here’s what we need to consider:

  • Content Disclosed: Did Dr. Jones disclose any sensitive information about Joan Harrison?
  • Likelihood of Further Disclosure: Did John Harrison understand the information was not about him? Did he express any concerns about receiving another person’s medical information?

Additional Information Needed:

  • Details of information Dr. Jones disclosed about Joan Harrison.
  • Did John Harrison understand the information was not about him and express any concerns?

Part II: Developing a Breach Reporting Form (Next Response)

In the next part of the response, we will design a form to assist Quality Hospital in reporting breaches to the OCR following the guidelines you provided. We will populate the form with information from Scenario 2 (improper disposal of medical records) as an example.

 
