Question

You're the Privacy Official (PO) for Peekaboo Hospital (KCH) in Wisconsin. As the PO, you're responsible to see if PH has breached any PHI under HIPAA or state law. On 5/17/2020, you received a call from the Hinky Dinky Grocery Store in Iowa.

The manager explained that one of their staff members found a thumb drive in their store. The manager thinks that the thumb drive may belong to KCH because upon opening the drive in her computer, she found what appears to be patient medical records from KCH.

The PO then arranges for the thumb drive to be securely mailed to KCH, attention to PO, and it was received on 5/22/2020. Upon review of the contents of the thumb drive, you find and confirm that it contains the medical information of 623 cancer patients of KCH.

Furthermore, you ascertain that the thumb drive belongs to Dr. "Schmidlab", who is an oncologist employed with KCH. Upon interviewing Dr. Schmidlab, he cited that he was on vacation with his family in Lake Okoboji, Iowa, where he deduced that he inadvertently left the thumb drive as it was taken out of his pocket as he pulled out his grocery list.

Scenario Assumptions:

  • Patient Name, Address, DOB, Acct. #, SSN, Physician Progress Notes, Nursing Notes, Treatment Plan, Diagnoses of Cancer, Medical Imaging, Lab Results.
  • Wisconsin has a patient privacy law that follows HIPAA (i.e., it is not more restrictive than HIPAA).
  • KCH has privacy and security policies that also follow HIPAA.
  • All 623 patients are residents of Wisconsin, and the services were provided to these patients entirely within Wisconsin.
  • This incident is considered as "impermissible disclosure" under HIPAA.

Application - As the PO for KCH, address the following with your Board of Directors:

  1. In applying the HIPAA four-factor Breach Notification Rule to this scenario, make a determination as to the level of risk this applies to: High, medium, or low for each of the four factors.
  2. Make an overall conclusion as to whether a HITECH breach has been made under HIPAA according to your risk level findings.
  3. Also, determine whether any patients need to be notified. Does the OCR need to be notified? Does the local media need to be notified?
    1. Explain why a notification has to be made for each above situation and include the required calendar date deadline for making any of those notifications.
  4. Upon reaching a conclusion as to whether a breach was made or not, include your recommendations to the Board for any corrective actions that need to be done so that this can be prevented from happening again.

Step by Step Solution

There are 3 Steps involved in it

Step: 1

Let's break down the scenario according to the HIPAA Breach Notification Rule.

Nature and extent of PHI involved: The thumb drive contained sensitive medical information of 623 cancer patients from KCH i...
