Scenario

You are the Privacy Officer at Saints Hospital who receives a patient complaint stating that her protected health information (PHI) was breached. The patient, Nancy S., tells you that an employee of Saints Hospital (Emily T.) got her address from the electronic health record and came to her house to threaten her and demand merchandise that Emily T. said her daughter had paid money for up-front to Nancy S. (Nancy S. runs a business selling makeup products which she delivers to customerscustomers do not come to her house). The patient was very upset and said her address is not published anywhere and she can only believe that the employee got the information from the EHR.

You begin your investigation, which includes an audit of the EHR, to see if the employee, Emily, had inappropriately accessed information regarding the patient, Nancy S. Emily is employed by the Diagnostic Imaging (DI) department. You also involve her department supervisor in the investigation, as well as the human resource director.

You collect evidence that, indeed, Emily had accessed information regarding the patient, Nancy S., who was scheduled for a distant appointment in the DI department on a day that Emily was not even working in that area. The audit further reveals which portions of the EHR were accessed, and it is evident that Emily was viewing the demographics which include address,phone number, etc. Her department supervisor confirms that there was no reason that she is aware of that Emily should have accessed that particular information on the date in question.

You and the DI department supervisor call Emily in to ask her to explain. She cannot explain and breaks down and says that yes, she did access the information for the purpose of going to Nancys house to try to collect what she felt was due and owed to her daughter. She further states that she did go to Nancys house but indicates that she did not threaten her, although admittedly she was angry at Nancy.

Instructions

After reading this case study and reading the AHIMA Practice Brief, Privacy and Security Audits of Electronic Health Information, please answer these three questions.

1. What elements from the Security Audit Strategy and Process section could have helped to prevent this from happening, and what elements did you follow as the Privacy Officer investigating this breach?
2. Please list three (3) examples of trigger events that would require auditing and who the Privacy Officer should enlist in helping with the investigation.
3. What elements would you recommend be included in the design of audit trails going forward?