Breach Activity


Breach Activity; Assessing Privacy

This activity meets CAHIIM Domain II.1.

Develop privacy strategies for health information. 

Part I (of 2) 

You are the Privacy Officer at Quality Hospital. It is a 500-bed hospital in a large city. It provides various services: acute care with an ICU, CCU, NICU, pediatrics, obstetrics, and psychiatric care, and it is a Level I trauma center. Quality Hospital provides various outpatient services as well: cardiac cath lab, specialty clinics, and rehabilitation. It is a complex organization.

Review the following scenarios that occurred at your hospital and determine whether the scenario is a reportable breach: 

Scenario 1: On April 1 Mary Nurse, RN, reports for duty on Unit 3B. Michael Patient is assigned to her. The EHR automatically gives staff access to patients on the unit they are assigned for the shift. Michael Patient was transferred from Unit 3A to Unit 3B on March 31. Mary logs into the EHR and is unable to access Michael Patient’s record. The EHR has an override if this issue occurs, and she goes through a series of steps to gain access to his record. Since Mary is not familiar with Mr. Patient’s history, she begins to review the medical record. After reviewing quite a bit of the record, she notices that it says Michael is aged 25. Mary suddenly realizes that this is not her patient. Her Michael Patient is 80 years old. 

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need. 

Scenario 2: Even though Quality Hospital has an EHR, many old paper records still exist, and the hospital is required by law to continue to retain them. Since the hospital was unable to maintain all of the records onsite, it hired Acme Storage to store its records offsite. All paper records have been stored by Acme since 3/1/2015. Quality Hospital somehow stopped paying the storage fees to Acme in 2019. On 1/3/2021 Acme started to throw out the records in a big dumpster. A new HIM Director was hired 12/7/2021. The HIM Department received a medical record request on 2/18/2022. The ROI clerk could not locate the information and asked the HIM Director where he could locate paper medical records dating back to 2013. It took a few days for the HIM Director to track down the records. On 2/23/2022 the HIM Director discovers that Acme has thrown out the records. On 2/24/2022 the HIM Director notifies you, the Privacy Officer.

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need. 

Scenario 3: On 3/1/21 Dr. Jones is preparing for his telemed appointment with John Harrison. He pulls up the most recent lab work and then calls Mr. John Harrison. He begins discussing with Mr. Harrison that he is a little concerned with the results, as his A1C is rather high. Mr. Harrison cannot understand this. He had bloodwork done three months ago and it was within normal limits. Dr. Jones pulls up the graph of the A1C results over time and sees that the bloodwork from three months ago was also elevated. He then realizes that he is looking at Joan Harrison’s bloodwork. He apologizes to Mr. Harrison for the error and then continues their appointment.

Is this a breach? Why or why not? Provide a detailed explanation (citing HIPAA statute numbers if necessary to provide rationale). If this is a breach, indicate if this is a reportable breach and indicate how many patients are impacted. If there is not enough information to determine whether this was a breach, indicate what additional information you would need.

Part 2: As Privacy Officer, you are charged with reporting breaches to OCR. Visit their website at: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true

Download the Sample Form (PDF on the right side of the page). In the past you have realized that you do not always have all the key information for reporting breaches in one location. You have decided to develop a form that you can complete to make it easier to report breaches. Using good form design techniques and the information in the PDF, create a form for this purpose.

After you complete designing your form, select the scenario(s) you have identified as breach(es) in Part 1 of this assignment and begin to enter the information. You will probably not have all the information that is required, such as addresses, phone numbers, etc. If the information is not available, leave it blank. However, you should be able to complete some key information, such as whether a Business Associate was involved, how many individuals were impacted, the breach start date, discovery date, type of breach, location, etc.

