Question:
You're the Privacy Official (PO) for Peekaboo Hospital (KCH) in Wisconsin. As the PO, you're responsible for determining whether PH has breached any PHI under HIPAA or state law. On 5/17/2020, you received a call from the Hinky Dinky Grocery Store in Iowa.
The manager explained that one of their staff members found a thumb drive in their store. The manager thinks that the thumb drive may belong to KCH because upon opening the drive in her computer, she found what appears to be patient medical records from KCH.
The PO then arranges for the thumb drive to be securely mailed to KCH, attention to the PO; it was received on 5/22/2020. Upon review of the contents of the thumb drive, you find and confirm that there is medical information of 623 cancer patients of KCH.
Furthermore, you ascertain that the thumb drive belongs to Dr. "Schmidlab", who is an oncologist employed with KCH. Upon being interviewed, Dr. Schmidlab stated that he was on vacation with his family in Lake Okoboji, Iowa, where, he deduced, he inadvertently left the thumb drive when it was taken out of his pocket as he pulled out his grocery list.
Scenario Assumptions:
- Patient Name, Address, DOB, Acct. #, SSN, Physician Progress Notes, Nursing Notes, Treatment Plan, Diagnoses of Cancer, Medical Imaging, Lab Results.
- Wisconsin has a patient privacy law that follows HIPAA (i.e., it is not more restrictive than HIPAA).
- KCH has privacy and security policies that also follow HIPAA.
- All 623 patients are residents of Wisconsin, and the services were provided to these patients entirely within Wisconsin.
- This incident is considered an "impermissible disclosure" under HIPAA.
Application - As the PO for KCH, address the following with your Board of Directors:
- In applying the HIPAA four-factor Breach Notification Rule to this scenario, determine the level of risk (high, medium, or low) for each of the four factors.
- Make an overall conclusion as to whether a HITECH breach has occurred under HIPAA according to your risk level findings.
- Also, determine whether any patients need to be notified. Does the OCR need to be notified? Does the local media need to be notified?
- Explain why a notification has to be made for each of the above situations and include the required calendar date deadline for making any of those notifications.
- Upon concluding whether or not a breach occurred, include your recommendations to the Board for any corrective actions that need to be taken so that this can be prevented from happening again.