Breach Notification Scenarios

In September 2009 the Department of Health and Human Services released an interim final rule describing a covered entity’s responsibilities to notify victims of a breach to their personal health information. The new rule was the result of provisions in the American Recovery and Reinvestment Act. Penalties for noncompliance take effect February 22, 2010.

How well do you know the ins and outs of the rule? It’s complicated, and there are many moving parts. Test your knowledge on the four following breach scenarios. Select the one best answer for each scenario. Each correct answer is based directly on a given section of the rule.

Download a PDF of the scenarios here, which includes commentary from the IFR and results of a poll of 500 AHIMA members who were quizzed on the scenarios already.

Scenario 1

Inadvertent disclosure of deceased patient information

General Hospital recently provided Mr. J. Smith with a copy of his complete medical record from his last visit. Accidentally included within the copies was the history and physical report of Mr. Robert Lewis. Mr. Smith, who is dissatisfied with General Hospital, called the HIM department to report the misdirected history and physical, complaining that the mistake was just another example of the substandard practices at General Hospital.

Mr. Smith refused to return the history and physical. He insisted he would call Mr. Lewis personally to inform him of the hospital’s incompetence. Further investigation revealed that Mr. Lewis is deceased. The hospital’s records do indicate the name and address of Mr. Lewis’s next of kin. In response to this breach the hospital should:

  1. Do nothing, because Mr. Lewis is deceased.
  2. Notify the hospital attorney. Secure a court order and seize the records from Mr. Smith.
  3. Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.
  4. Arrange for a face-to-face meeting with Mr. Smith to seek return of the history and physical.

3. §164.404(d)(1)(ii) of the interim final rule requires that if the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative, if the address is on file.

Scenario 2

Missing back-up tape

A hospital back-up tape containing unencrypted health information, names, and Social Security numbers of thousands of patients is lost or possibly stolen in delivery to off-site storage. The healthcare organization serves patients across a five-state area, with thousands of victims located in each of the states. In response to this security breach the organization should:

  1. Comply with the breach notification regulations of all five states. File a year-end report with the secretary of Health and Human Services.
  2. Comply with the breach notification regulations of the state in which the healthcare organization is incorporated. Follow federal breach notification regulations by notifying victims and the secretary of Health and Human Services. Do not notify the media.
  3. Comply with all applicable federal breach notification requirements only.
  4. Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.

4. Because the breach poses a reasonable risk of harm, and because it involves more than 500 people in total, it requires notification of individuals (§164.404) and the HHS secretary (§164.408) without unreasonable delay. Because the breach involves more than 500 people in each state, §164.406 requires notification of major media in each state.

Federal regulations do not preempt state laws, and entities thus must comply with state law as appropriate. Further, entities must comply with laws for those states within which the breach victims reside.


Scenario 3

Misdirected e-mail within network

A clinical laboratory staff member accidentally e-mails patient biopsy reports to the office of an urgent care center. The urgent care center is affiliated with the same healthcare network as the clinical laboratory.

The employee of the urgent care center notifies the clinical laboratory supervisor of the misdirected e-mail. The supervisor instructs the employee to delete the e-mail, and the clinical laboratory receives a confirmation that the e-mail was deleted. In response to this misdirected e-mail, the organization should:

  1. Do nothing, because the e-mail has been deleted.
  2. Send a breach notification to every patient whose biopsy report was in the e-mail.
  3. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
  4. Inform both employees that they are under investigation. Suspend the employee responsible for sending the misdirected e-mail pending a further forensic investigation. Seize the computer of the employee receiving the misdirected e-mail and perform an audit for inappropriate activity.

3. The misdirected e-mail was an unintentional access by a workforce member of the covered entity. It was made in good faith and within the scope of authority, and it did not result in further use or disclosures in a manner not permitted by the privacy rule. The clinical laboratory is responsible for documenting this determination, however.


Scenario 4

Patient names disclosed outside the network

A list of clinic patient names is accidentally sent to a physician’s office that is not affiliated with the clinic. The list does not include the name of the clinic or any other identifying information about the patients.

The doctor receiving the misdirected list mails it back to the clinic. No other use or disclosure was made of the list. In response to this incident the clinic should:

  1. Do nothing, because the list was returned.
  2. Send a breach notification to every patient on the list.
  3. Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.
  4. Because the physician’s office viewed the list of patient names, it would be required to issue breach notification letters to all individuals on the list.

3. The names on the list are not linked to a healthcare provider, diagnosis, or treatment. Thus no privacy rule violation or security breach resulting in harm to the individuals has occurred. The clinic is responsible for documenting this determination, however.

Use for an organization’s internal educational purposes is permissible without request as long as proper citation is made. Commercial use is not permitted. A version of scenario 1 was originally published in the February 2010 print edition.


  1. This was a good “quiz” for practice in today’s health care environment. Thanks for making it accessible for me, as a student and HIM worker.

  2. Thank you for this quiz, they are very useful for me to test my knowledge and identify areas of weakness.
    I hope we can have more of these quizzes.

  3. I enjoyed this quiz. It was informative and it allowed me to test my knowledge of these rules. Keep the quizzes coming.

  4. I enjoyed taking the quiz. These are issues that happen everyday somewhere and it just reinforced what we need to know.

  5. Excellent scenarios as examples of realistic occurrences we face.

  6. They talk about what to report annually and if over 500 unsecure releases, but what if you don’t have any, do you just not report anything?

  7. Thanks for the chance to review security breach scenarios. This is very useful.

  8. I enjoy the scenarios. It keeps you up to date with the new rules. This is also very informative, useful, and it’s also a good way to review situations like these to see if you have retained the knowledge needed to apply the rules.

  9. We’re glad here at the Journal that the scenarios are useful. A special thanks to AHIMA’s Privacy and Security Practice Council, who drafted them. What other scenarios, quizzes, or polls would be helpful?

  10. This was very helpful and actually answered a question I was researching. I appreciate all the effort put into this type of exercise for us to test our knowledge.

  11. I found these scenarios extremely helpful and beneficial, please keep them coming. What a wonderful learning tool.


  12. Thank you for developing these scenarios. They were very helpful and helped test my knowledge of the HITECH rule.

  13. Great practice! Will forward these to the rest of our Privacy Team so everyone can test themselves. Please keep these types of scenarios coming!

  14. Excellent quiz. As an employee of a covered entity and privacy leader, it’s nice to confirm that I have a clear understanding of potential breach situations.

  15. We had an operative report faxed to a wrong number. As luck would have it, it was another fax machine at a local machine shop. They contacted our facility about the mishap and we instructed them to destroy the fax. They agreed. What steps, if any, do we need to take since the information was destroyed?

  16. These are very good. Do you have some regarding correctional healthcare?

  17. Thanks for providing such a wonderful tool to review and “test” our knowledge.

  18. I really enjoyed this quiz. I was very surprised to see it on the website. I look forward to more practice.
    Thank you.

  19. Excellent quiz. I enjoyed testing my knowledge. I look forward to taking more quizzes.

  20. This is very educative and informative and I look forward to reading more. Thanks for providing it.

  21. Yes, where is the PDF file that shows the readers’ responses to your quiz? That would be informative.

  22. Please scratch that message… I found the link to download : )
