Competency: Analyze policies and procedures to ensure organizational compliance with regulations and standards (BL4/M)
Curricular Consideration: Internal and external standards, regulations, and initiatives; Health Insurance Portability and Accountability Act (HIPAA); Risk Management.
Subdomain V.A.3: Regulatory
Competency: Adhere to the legal and regulatory requirements related to health information management (BL3/M)
Curricular Consideration: Legislative and regulatory process (compliance strategies and reporting)
Objectives:
• Examine various reports to determine best course of action based on regulatory requirements (BL4).
• Create mechanism to assist in the collection and aggregation of data for reporting purposes (BL6).
• Format data in a meaningful way to assist in the process of data presentation (BL4).
• Demonstrate understanding of laws and regulations affecting health information management (BL3).
TASKS: For your PPE, you have been placed at ABC Hospital and will be rotating through several areas of the facility. The PPE site Manager wants to ensure you get exposed to the many areas of the facility with which HIM has some type of interaction. One of the areas you will go to is the Compliance Department. Here you will work under the supervision of the Compliance Officer, and with other members of the organization that report to the Compliance Department. The Compliance Officer recommends that you take good notes on any assignments you are given. He is expecting a written summary of all activities you complete, and he told you that, depending on your performance, he might consider hiring you to assist him on a part-time basis.
Your first day was spent with the Compliance Officer going over the overall policies of the organization and detailing his responsibilities in the facility. You were given access to several documents and websites to help you with the task. You decided to familiarize yourself with the information by visiting the following website:
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
The AHIMA Breach Management Toolkit can be found in the resource section of this module.
He also informed you that you will work with the following individuals: Privacy Officer, Risk Management Director, and the Quality Management Director.
Activity 1: Your first assignment is to work with the Privacy Officer.
PART I: You were provided with a set of privacy complaints (see pages 3-4) for review. You must carefully review each complaint and determine (BL??) the following:
A. Is the complaint reportable? If so:
B. Who should be notified?
C. How should the notification be made?
D. How long do you have to make the report to each applicable entity?
PART II: Now that you have had the opportunity to review all the complaints, you go to the Privacy Officer and inform her of your findings. She asks if you can put the report in writing. To help you with this task, you decide to create (BL5) a Privacy Investigation Report Form listing all applicable information that must be collected in order to determine whether the complaints are reportable or not. (You may use MS Word or Excel for this task.)
PART III: The Privacy Officer loved the form you created and commented that you seem to be very proficient with Microsoft. She asked if you would be able to create (BL5) a tracking mechanism that lists all complaints and the outcome of each investigation. This tool is needed to keep a cumulative account of all incidents that can be easily abstracted for future reference. You don’t think twice, since you want to do a good job knowing that there is an opportunity for you to get your first job in the field. You decide to create an Excel file to help you organize the data. You will also create a graph from the spreadsheet to ensure the data can be presented in a meaningful way.
Standards: Students must complete the assignment satisfactorily by achieving a minimum score of 70%. The approximate time for completion of this assignment is 6 hours.
Assessment Points
Part I: Demonstrate understanding of Breach Notification Requirements: /30
Part II: Appraise the need for documentation and timely collection of information for capturing required data for investigation and reporting: /30
Part III: Format data using Excel to demonstrate level of compliance with regulatory standards and facility policies: /30
Timely submission of assignment: /10
Total Points: __/100
Instructor: ___________________ Date: _
CASE SCENARIOS:
Case 1: On January 16, 2020, Mr. McFarland called, stating that he had requested that his complete medical record be mailed to him at the alternative address he provided during his surgery at the hospital. Instead, the records had been sent to his home address, and his wife received the package and reviewed the documents. Mr. McFarland stated his frustration and demanded that someone review this incident and address it accordingly.
Case 2: During a routine audit conducted in December of 2019, it was discovered that nearly 200 patient records had been accidentally emailed to a designer store email address by an employee in the Release of Information unit. The employee mistakenly typed in the name of what she thought was the requester, but instead, she selected an email address she had used in the past to email some personal documents to the store manager. The intended recipient of the email complained several times, stating that their request hadn’t been fulfilled.
Case 3: Patient Jose Gonzalez called on December 20, 2019 and stated that upon returning home after his hospitalization at ABC Hospital, he reviewed an envelope that was given to him during his discharge. To his surprise, the documents included in the envelope were not his. The documents in the envelope belonged to Jose C. Gonzales, and the date of birth was totally different. He stated that he did not have a middle initial, and as far as he knew, he didn’t have a diagnosis of HIV, which was indicated on the discharge plan he received. He was very confused because the instructions on the discharge plan stated that he needed to see his PCP within three days to adjust his HIV meds.
Case 4: On May 22, 2019, one of the hospital physicians was attending a conference out of town, and he decided to take some work with him. He used a flash drive and downloaded the data. The files contained all necessary information he needed for his review, including the patient’s name, DOB, SSN, address, insurance information, and all the pertinent clinical data. When leaving the hotel, the physician forgot the flash drive on the desk. Upon returning to his house, the physician called the hotel to inquire about the flash drive, but they informed him that they didn’t find it. Three months later, several patients called the hospital Compliance hotline stating that they were getting harassing calls from individuals claiming they had all of their medical information and were threatening to upload the information to the internet if the patients didn’t pay X amount of money.
Case 5: On August 11, 2019, an employee of the hospital wrote a formal complaint stating that her husband’s information was accessed by some hospital staff and that his psychiatric diagnosis was being discussed among several staff members. She demanded an investigation. The investigation demonstrated that his records were indeed accessed and viewed by several hospital staff.
Case 6: A patient called the Privacy Officer on June 2, 2020 stating that his ex-wife had received confidential information about him pertaining to his hospitalization in May of last year, in which he was hospitalized for several days due to a drug overdose. His ex-wife exposed this information in court in an attempt to discredit him and prevent him from seeing his children by having his visiting privileges revoked. He wants to know how his ex-wife obtained this information without his consent. He demanded a full investigation and requested some remuneration from the hospital.
Case 7: In February of 2020, the Admissions Director was terminated after it was discovered that she had been using patient data for financial gain by selling patient information to a law firm that then contacts all patients who had personal injuries to initiate lawsuits against other parties. It’s estimated that she sold PHI on approximately 1000 patients over the past year. This is a very serious issue, and the facility is very concerned about the impact this would have on their reputation, among other issues.
Case 8: A patient’s attorney called the Privacy Officer to file a complaint about a breach of privacy. The attorney stated that her client’s information was provided to a third party without his authorization. She further stated that the patient had given written consent to have his records released to a specific requestor, but the authorization was ONLY for specific dates of service. However, the hospital released his entire record, and as a result, her client was now dealing with a very serious family matter that caused a great deal of stress and caused him to lose his job.