
Kerry Heinecke Med Inf 407 Group Case Study Project Case Study #1

Group three members are: Jaimie Bubb, Suzi Birz, Jennifer Weaver and Kerry Heinecke. Each member participated in the project equally and brought special talents depending upon their education and experience. Jaimie Bubb is a nurse, so she was able to help us with the clinical aspects of the case. Suzi Birz works with compliance issues and is well versed in HIPAA (big bonus for our group!). Jennifer Weaver works for Cerner Corporation and brought in her expertise from an IT perspective. My experience is in health information management and EHR software development.

We needed to make some assumptions in this case in order to decide what actions should be taken on the issues we spotted. Our assumptions were:

1. Neighbor has downloaded and printed data on 510 patients, including the patient named John Smith.
2. The neighbor that accessed and printed the records was an employee of our covered entity (CE).
3. The CE is a state hospital in Illinois and all incidents occurred in Illinois.
4. The Compliance Office first became aware of the possible breach when an alert nurse called the Compliance Office.
5. The system accessed was our EHR, and the employee used his logon credentials to access and inappropriately use and disclose protected health information (PHI).
6. The infection mentioned in the case study is a hospital-associated infection (HAI).
7. The internal memo that the nurse gave to the wife didn't contain PHI; it was a quality improvement study.
8. The research project on which the independent consultant is working is a quality assessment study that qualifies as health care operations (and therefore doesn't require patient authorization per HIPAA).
9. The patient's admission was for a work-related injury (worker's comp); otherwise BC/BS is the payer.

The first issue that we discussed in Case Study 1 is how to respond to the grandmother of Mr. Smith when she phoned the nursing station.
The hospital is a covered entity (CE) and is required to use and disclose PHI in accordance with the rules of HIPAA. Patients must be allowed to opt out of the hospital directory; therefore, we agreed the nurse should first check to see if the patient has opted out. If not, simply transferring the call to the patient is appropriate. If he opted out, then the nurse would need to follow the policies/procedures for release of information to authorized family members. For example, the nurse should determine if the patient is conscious or awake and ask him if she can give his grandmother any information about his condition. HIPAA does allow limited disclosure of PHI in the event that the patient is incapacitated and it's deemed, per the practitioner's judgment, to be in the best interests of the patient to disclose the information. In that case, only the information relevant to that person's involvement with the patient's care can be disclosed (C. Leyva & D. Leyva, 2010, 164.510 (b)). In this case, if we assume that the patient has opted out and the patient has not authorized his grandmother to receive information, the nurse should not give out any information without first asking the patient for authorization.

The next issue we discussed was the fact that the grandmother found out about the patient's hospitalization from her neighbor, and that a preliminary investigation discovered that the neighbor had downloaded and printed medical records on 510 patients. We decided as a group to assume he is an employee of the CE. The first question we needed to ask is whether the data was downloaded for purposes of treatment, payment, or operations (TPO). One question I had was whether the data was de-identified; we decided it couldn't be, because the neighbor knew who Mr. Smith was and told his grandmother about his hospitalization. The CE should conduct an investigation into the disclosure to find and fix any network vulnerability. We needed to make assumptions on what was found in the investigation in order to determine how the case should be handled. The investigation revealed that the disclosure of 510 records was connected to the neighbor through review of access and audit logs. The employee's access should be terminated immediately. The CE should ensure full compliance with HIPAA's Security Rule by putting electronic healthcare data security safeguards in place. We decided running a network check is needed. We also determined that a security check of the employee should be done, and assumed that his security access was appropriately assigned. Given the assumptions, we concluded that the system was protected and that this was a case of an employee misusing assigned privileges.
The Chicago Police Department needs to be notified of the breach and the employee should be terminated immediately. The CE must comply with the breach notification required by HIPAA (HHS, n.d.) and any preemptive state law. According to IL state law, the CE is required to notify the patients, in the most expedient time possible and without unreasonable delay (Illinois General Assembly, n.d.), that there has been a breach. State agencies are additionally required to report the breach to the IL General Assembly, but the CE is not required to do this since it is not a state agency. According to HIPAA, after the CE discovers a breach of unsecured PHI, it is required to notify each individual whose unsecured PHI was involved in the breach within 60 days. HIPAA also requires that the CE notify the Secretary of HHS, who will then post this to the HHS web site. Lastly, when the breach involves over 500 records, the media must also be notified (HHS, n.d.). All of the HIPAA requirements hinge on whether or not the breach involved unsecured PHI. Since the individual who breached privacy is an employee of the hospital with his/her own logon/password, we don't believe it is considered unsecured PHI. Therefore, the CE does not need to notify the Secretary of HHS or the media. Illinois state law requires that, if any breach occurred, the CE must notify the patient. The legal obligation of the CE is to notify the patients and no one else. However, the CE is accountable to its patients and community, and we feel that there is a social expectation that a breach this large be disclosed to the fullest extent possible. It would allow the greatest amount of transparency for the CE. Therefore, we agreed that the CE should notify the patients, the media, the Illinois General Assembly, and HHS.

We also discussed that a CE is required to protect against reasonably anticipated threats or hazards to the security and integrity of electronic protected health information (EPHI) per the Security Rule. The CE needs to review its risk assessment and update it based on what was found from this investigation (i.e., determine the risk of employees downloading data and how to mitigate this risk). In addition, the CE needs to mitigate harm caused by the breach (C. Leyva & D. Leyva, 2010, 164.308). This includes determining the extent of disclosure, having the employee return the paper copies, ensuring destruction of the downloaded data, following up with neighbors who were recipients of the inappropriate disclosure, and possibly offering a 1-year subscription for credit monitoring. Putting administrative, technical, and physical safeguards in place is a requirement of the HIPAA Security Rule. The CE can take steps to prevent and detect breaches by implementing a technology solution to monitor the access logs for high volume and other parameters. In addition, the CE should generate routine access/audit reports for the Compliance Office to review. Training of the workforce to prevent and correct breaches so they don't occur in the future should also be done. Also, the CE must account for the disclosures made in error (C. Leyva & D. Leyva, 2010, 164.528).

The next issue we addressed was that the Chicago Police wanted the patient's blood tests and other lab results faxed to them because Mr. Smith's supervisor suspects that drugs were a cause of Mr. Smith's accident. Since the accident happened at the factory, we decided it was a workers' comp case. We discussed how to respond to the police request and determined that law enforcement has no right to copies of the patient's blood tests/lab results without a court order, warrant, or written administrative request (C. Leyva & D. Leyva, 2010, 164.512(f)(1)). BC/BS wanted additional medical treatment information to begin processing Mr. Smith's insurance claim. In order to respond to this request, the person receiving the call needs to verify the caller's identity, followed by checking that the patient does have BC/BS insurance. Another check that needs to occur is verifying that the claim is for hospital services and that payment will be received by the hospital. If it's for professional fees, the payment will be going to the physician practice associated with the case and no disclosure should occur. Disclosure of the information is allowed for payment of the CE since this information is covered under HIPAA's TPO exception to patient authorization (C. Leyva & D. Leyva, 2010, 164.506 (c)). If the caller is not BC/BS, then the employee will require an authorization in order to release the information. In addition, the minimum necessary standard must be applied; the disclosure should limit the information to the minimum amount necessary to handle payment of the claim.
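The access-log monitoring described above (flagging high-volume access per user, plus the over-500-individuals media-notice rule cited from HHS), as an added example that is not part of the original paper: a small Python check over constructed audit lines. The log line format, the user names, the MRN placeholders and the 50-patient review threshold are assumptions; the case's own 510-record download is reproduced as the anomalous user.

```python
"""Added example: flag EHR users whose access volume is anomalous, over constructed
audit lines. Line format, user names and the review threshold are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

VOLUME_THRESHOLD = 50          # distinct patients per user in 24 h before review (assumed policy)
MEDIA_NOTICE_THRESHOLD = 500   # HHS breach rule cited above: media notice when > 500 individuals

def parse_line(line):
    """'2010-03-01T22:00:00 emp_x EXPORT MRN-000200' -> (datetime, user, action, mrn)."""
    ts, user, action, mrn = line.split()
    return datetime.fromisoformat(ts), user, action, mrn

def peak_distinct_patients(lines, window=timedelta(hours=24)):
    """Per user: the most distinct patient records touched in any sliding window."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, _action, mrn = parse_line(line)
        per_user[user].append((ts, mrn))
    peaks = {}
    for user, events in per_user.items():
        events.sort()  # oldest first, so each window scan starts at an event and looks forward
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {m for t, m in events[i:] if t - start <= window}
            best = max(best, len(in_window))
        peaks[user] = best
    return peaks

def flag_users(lines, threshold=VOLUME_THRESHOLD):
    """Users whose peak distinct-patient count meets the review threshold."""
    return {u: n for u, n in peak_distinct_patients(lines).items() if n >= threshold}

def media_notice_required(individuals_affected):
    """Breach notification rule as cited above: media notice when more than 500 individuals."""
    return individuals_affected > MEDIA_NOTICE_THRESHOLD

def constructed_log():
    """Constructed sample: a nurse viewing a few patients on shift, plus one employee
    bulk-exporting 510 distinct records in a few minutes (the case's 510-patient download)."""
    lines, shift, night = [], datetime(2010, 3, 1, 8, 0), datetime(2010, 3, 1, 22, 0)
    for i in range(12):  # 12 views spread over 5 patients
        lines.append(f"{(shift + timedelta(minutes=7 * i)).isoformat()} nurse_jb VIEW MRN-{100 + i % 5:06d}")
    for i in range(510):  # one export every 2 seconds, each a different patient
        lines.append(f"{(night + timedelta(seconds=2 * i)).isoformat()} emp_neighbor EXPORT MRN-{200 + i:06d}")
    return lines

if __name__ == "__main__":
    print(flag_users(constructed_log()))  # {'emp_neighbor': 510}
```

The nurse's repeated views of the same five charts stay well under the threshold, while the bulk export is flagged on volume alone; action type (EXPORT vs VIEW) is parsed so a stricter rule could be added for exports or prints.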


The patient's wife, Mrs. Smith, asked the nurse questions about Mr. Smith's care, including what data the hospital has on the number of other patients in this hospital who have contracted this particular post-op bacterial infection. If the wife asked the questions while in the patient's room and the patient was conscious and he didn't object to the discussion, then the nurse can discuss pertinent information about the care that she is involved with (C. Leyva & D. Leyva, 2010, 164.510 (b)). However, the nurse's response about the post-op infection and the disclosing of the internal memo was technically not a violation of HIPAA, since the content appears to be a quality improvement study and wouldn't have contained PHI.

It was ethically a poor choice to discuss privileged quality improvement data and to release internal communication. We know from reading the case study that the informaticist who wrote the internal memo is a consultant, which means he is not part of the CE's workforce. HIPAA's definition of workforce is employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a CE, is under the direct control of such entity, whether or not they are paid by the CE (C. Leyva & D. Leyva, 2010, 160.103). Instead, consultants should be viewed as business associates (BAs) and should have a business associate agreement with the CE. This does not exempt the BA from responsibility for inappropriate disclosure, however. Per the HITECH Act, BAs must report breaches of privacy to covered entities (C. Leyva & D. Leyva, 2010, HITECH Act Summary). Since we do not know what the informaticist told the wife, we cannot determine whether or not this was an inappropriate disclosure.

The next issue we discussed was Mrs. Smith contacting the CEO and demanding that he cancel any medical billing for her husband's admission because of the hospital-associated infection (HAI), or else she'll call The Chicago Tribune and report what the nurse told her, as well as supply the newspaper with a copy of that old hospital memo. In discussing how the CEO should respond, we thought that if the hospital maintains a scorecard, he should review that with her. As a group, we decided that the CE should not bill for HAIs, due to the fact that CMS will not pay for these anymore and commercial insurance usually follows whatever CMS does. However, one of our group members felt that the CEO should explain to the wife that, because the plan of care was reviewed and agreed upon by the patient each day, and because he was prone to these types of infections due to his diabetes and smoking, they should bill the patient for the hospital services. The group agreed to go with the decision on this.

This was a great project to teach us the ins and outs of the HIPAA Privacy and Security Rules. The group worked very well together.

REFERENCES

Illinois General Assembly. (n.d.). 815 ILCS 530/ Personal information protection act. Retrieved from http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act

Leyva, C. A. & Leyva, D. L. (2010). HIPAA survival guide for providers: Privacy and security rules. Retrieved from http://www.hipaasurvivalguide.com/hipaa-survival-guide.pdf

U.S. Department of Health and Human Services [HHS]. (n.d.). Breach notification rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
