In September 2009 the Department of Health and Human Services released an interim final rule describing a covered entity’s responsibilities to notify individuals of a breach of their unsecured protected health information. The rule implements provisions of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. Penalties for noncompliance take effect February 22, 2010.

How well do you know the ins and outs of the rule? It is complicated, and there are many moving parts. Test your knowledge on the four breach scenarios that follow. Select the one best answer for each scenario. Each correct answer is based directly on a specific section of the rule.

Download a PDF of the scenarios here, which includes commentary from the IFR and results of a poll of 500 AHIMA members who were quizzed on the scenarios already.

Scenario 1

Inadvertent disclosure of deceased patient information

General Hospital recently provided Mr. J. Smith with a copy of his complete medical record from his last visit. Accidentally included in the copies was the history and physical report of Mr. Robert Lewis. Mr. Smith, who is dissatisfied with General Hospital, called the HIM department to report the misdirected history and physical, complaining that the mistake was just another example of the substandard practices at General Hospital.

Mr. Smith refused to return the history and physical. He insisted he would call Mr. Lewis personally to inform him of the hospital’s incompetence. Further investigation revealed that Mr. Lewis is deceased. The hospital’s records do indicate the name and address of Mr. Lewis’s next of kin. In response to this breach the hospital should:

  1. Do nothing, because Mr. Lewis is deceased.
  2. Notify the hospital attorney. Secure a court order and seize the records from Mr. Smith.
  3. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.
  4. Arrange for a face-to-face meeting with Mr. Smith to seek return of the history and physical.

Answer:

Scenario 2

Missing back-up tape

A hospital back-up tape containing unencrypted health information, names, and Social Security numbers of thousands of patients is lost or possibly stolen in delivery to off-site storage. The healthcare organization serves patients across a five-state area, with thousands of victims located in each of the states. In response to this security breach the organization should:

  1. Comply with the breach notification regulations of all five states. File a year-end report with the secretary of Health and Human Services.
  2. Comply with the breach notification regulations of the state in which the healthcare organization is incorporated. Follow federal breach notification regulations by notifying victims and the secretary of Health and Human Services. Do not notify the media.
  3. Comply with all applicable federal breach notification requirements only.
  4. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.

Answer:

Scenario 3

Misdirected e-mail within network

A clinical laboratory staff member accidentally e-mails patient biopsy reports to the office of an urgent care center. The urgent care center is affiliated with the same healthcare network as the clinical laboratory.

The employee of the urgent care center notifies the clinical laboratory supervisor of the misdirected e-mail. The supervisor instructs the employee to delete the e-mail, and the clinical laboratory receives a confirmation that the e-mail was deleted. In response to this misdirected e-mail, the organization should:

  1. Do nothing, because the e-mail has been deleted.
  2. Send a breach notification to every patient whose biopsy report was in the e-mail.
  3. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
  4. Inform both employees that they are under investigation. Suspend the employee responsible for sending the misdirected e-mail pending further forensic investigation. Seize the computer of the employee who received the misdirected e-mail and perform an audit for inappropriate activity.

Answer:

Scenario 4

Patient names disclosed outside the network

A list of clinic patient names is accidentally sent to a physician’s office that is not affiliated with the clinic. The list does not include the name of the clinic or any other identifying information about the patients.

The doctor receiving the misdirected list mails it back to the clinic. No other use or disclosure was made of the list. In response to this incident the clinic should:

  1. Do nothing, because the list was returned.
  2. Send a breach notification to every patient on the list.
  3. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
  4. Because the physician’s office viewed the list of patient names, the physician’s office would be required to issue breach notification letters to all individuals on the list.

Answer:

Use for an organization’s internal educational purposes is permissible without request as long as proper citation is made. Commercial use is not permitted. A version of scenario 1 was originally published in the February 2010 print edition.