Question
You are once more the CEO of Compliant Hospital facing yet another dilemma.
Under your leadership, Compliant Hospital adopted a policy to limit the removal of PHI from the hospital. The policy states that employees may not take PHI in any form -- paper, electronic, or otherwise -- out of the facility, may not take laptops, mobile devices, or removable media from the premises, and may not conduct business outside the office. The policy applies to administrative staff, the billing department, medical assistants, technicians, and other non-clinical employees.
This is the policy, but not the practice. Compliant Hospital is bustling these days. Staff routinely take their work home to stay on top of their duties. The physicians and executives at Compliant Hospital know that this occurs and encourage it. But that's not the worst part.
A recent risk analysis revealed that the staff at Compliant Hospital use their own personal devices -- laptops, smart phones, thumb drives -- to transport PHI to and from the facility. Because Compliant Hospital's policy prohibits such conduct, it does not have security protocols in place for the use of mobile technologies.
One employee -- a billing clerk -- is a particularly hard worker, but she has lost 3 data sticks over the last month. She did not password protect the data sticks; nor did she encrypt the patient billing information on them, which consisted primarily of insurance information, superbills (forms that document the diagnostic and procedure codes related to patient care), and patient account histories. Each data stick held data for 200 patients. A good Samaritan returned one of the data sticks and forensic analysis determined it had not been accessed or reviewed by anyone outside of Compliant Hospital. The two other sticks remain missing.
Because Compliant Hospital was busy treating patients and responding to the stolen laptop incident, it has not done anything to respond to the lost data sticks.
Analyze the fact pattern under the Breach Notification Rule and answer the following questions:
- Has a breach occurred under HIPAA? Explain why or why not. Whether you conclude that a breach has or has not occurred, you must describe and conduct a breach analysis to earn credit. You must cite to or reference specific regulations to support your answer and earn full credit. Citing the textbook is not enough.
- If you conclude that a breach has occurred, what must Compliant Hospital do in response? Explain the steps Compliant Hospital must take to address the breach. You must cite to or reference specific regulations to support your answer and earn full credit. Citing the textbook is not enough.
Step by Step Solution
Step: 1
Under the Health Insurance Portability and Accountability Act (HIPAA), a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under ...