Billy is confirmed as a patient in room 232 Behavioral Health Unit, so next you want to confirm Gina’s identity. To find out if she is an employee, you call the _____________ department.

Module 03 Assignment – HIPAA Scenario

An Admission to the Psych Unit – Part I

Instructions: Read through the description below, then use your knowledge of health information and healthcare systems to answer the questions that follow.

Scenario

You are the HIPAA privacy officer and receive a phone call from Audra in Registration who asked to file a HIPAA violation report. Audra reported the following:

“Gina from registration returned from vacation this past Sunday, and we worked together. Gina asked me if I had heard that Rebecca’s son was up in Psych. Both Gina and I used to work for Becky. I told her that I did know about it, and then I asked her if she would cover my station for me while I took a break. I didn’t tell her that Rebecca (Becky) was the one that told me when we were at lunch this past Thursday.”

Audra continued “I didn’t want to talk about Billy because I know that Becky is crushed by the whole thing. This has been very emotional for her, and I don’t want to make things worse for her. I really feel bad about calling you and even though I get along with Gina, I think it’s awful that she is talking about Billy being a patient upstairs in Psych.”

1. To confirm Billy’s admission, you access the electronic record and look up Billy in the _____________.

a. HIPAA Security Log b. Patient Account Registry c. Confidential Control Record d. Master Patient Index

2. Billy is confirmed as a patient in room 232 Behavioral Health Unit, so next you want to confirm Gina’s identity. To find out if she is an employee, you call the _____________ department.

a. Human Resource department b. Information Systems department c. Health Information Management Services department d. Telecommunications department

3. To ensure that you have all the persons involved correctly identified, you review Billy’s record to identify next of kin. You want to prove

a. Billy is actually a patient in Psych. b. Audra went to high school with Billy. c. Rebecca is listed as Billy’s parent. d. Both Audra and Gina used to work in patient accounts.


4. You now need to learn who has accessed Billy’s record so you make a request for a _____________ from the Information Systems department.

a. Privacy Log Report b. Behavioral Census Report c. Security Access Report d. Medication Administration Report

5. Next, you will schedule private meetings with Rebecca and Gina but first you open the annual _____________ training session ‘sign-in’ log (which included HIPAA Privacy and Security education) to ensure that both received proper training for compliance.

a. Fire Safety b. Employee c. Payroll d. Security

An Admission to the Psych Unit – Part II

Instructions: As the investigation unfolds, take care to organize the primary characters and the investigative notes documented for you below.

You have confirmed the following and are proceeding with the next steps in the HIPAA investigation.

• Billy is currently a patient in the facility.
• Billy is Rebecca (Becky) Bartel’s son.
• Rebecca is the manager of patient accounts.
• Gina R. is a full-time employee in Registration.
• Audra M. is a part-time employee in Registration.

You meet with Rebecca. Review the notes below that you took during your meeting with her.

Met with Rebecca. Human Resource Director, Suzanne, in attendance as well.

• Asked Rebecca if she has attended the annual HIPAA training – she confirmed.
• Asked if she has a good understanding of HIPAA privacy and HIPAA compliance – she confirmed.
• Asked if she has any idea as to why this meeting has been called – she responded no.
• Asked if she has openly discussed her son’s admission here at the hospital. – Learned that she had shared lunch with Audra and confided about Billy. Rebecca indicated that she and Audra went to high school together. They have maintained a friendship for many years. She also indicated that she told her own boss, Ms. Reynolds, about Billy because she took two days of PDL to support Billy. She was tearful when discussing the topic.


You meet with Gina. Review the notes below that you took during your meeting with Gina.

Met with Gina. Human Resource Director, Suzanne, in attendance as well.

• Asked her if she has attended the annual HIPAA training – she confirmed.
• Asked if she has a good understanding of HIPAA privacy and HIPAA compliance – she confirmed.
• Asked if she has any idea as to why this meeting has been called – she responded “If this is about Becky’s son, then yes, I know about him. Everyone is talking about it, and I think it is really sad for Becky. I know she loves both of her kids a lot. I haven’t done anything wrong”.

Additional notes from meeting with Gina.

I stressed the importance of honesty. I shared that it is beneficial when an employee comes clean and is open when there is a HIPAA investigation.

• Gina then shared that she was on vacation when Billy came to the hospital. She couldn’t have possibly blabbed about his admission to psych. She shared that Samantha (a friend and co-worker in Registration) was working in the ER when he came in and Sam sent her a text message about it. She shared the following as proof.


An Admission to the Psych Unit – Part III

Instructions: Taking into consideration the information yielded by the investigation so far, answer the questions below. These ask that you make judgements regarding accountability and responsibility.

After confirming Samantha’s identity and her job at the hospital, you meet with Samantha. Review the notes below that you took during your HIPAA investigation meeting with her.

Met with Samantha. Human Resource Director, Suzanne, in attendance as well.

• Asked her if she has attended the annual HIPAA training – she confirmed.
• Asked if she has a good understanding of HIPAA privacy and HIPAA compliance – she confirmed.
• Asked if she has any idea as to why this meeting had been called – she responded no.
• I stressed the importance of honesty. I shared that it is beneficial when an employee comes clean and is open when there is a HIPAA investigation.
• She again said that she knows nothing about a HIPAA problem.
• I asked if she knows Rebecca from patient accounts. After a few moments of silence, she responded “If this is about her crazy kid, I didn’t do anything wrong. Everybody knows he was here that night – he went running out the ER door and into the street. You can’t tag me with this problem. It’s his fault for acting wild and going berserk in the ER. He’s a freak.”
• I confirmed that the subject did regard Rebecca’s son. Samantha continued to deny any wrong-doing and never came clean. She denied communicating confidential, protected patient information outside of the facility and outside of her job duties.

6. Consider the definition of Ethics “moral principles that govern a person’s behavior.” Who is the least ethical person described above?

a. Gina b. Samantha c. Audra d. Rebecca

7. Taking all of the interactions and information above into consideration and considering good ethics and morals, who do you feel violated the HIPAA Privacy Act to the greatest extent?

a. Rebecca b. Gina c. Samantha d. Audra


8. Consider workplace relationships between staff, departments and management personnel. Who used poor judgement in communicating about Billy with other staff members particularly when you consider her position at the facility?

a. Rebecca b. Gina c. Samantha d. Audra

9. One staff member violated HIPAA (question 7) and one person did not function professionally considering her position at the facility (question 8) – as the HIPAA officer, you will need to follow up with these two people:

a. Rebecca and Audra b. Audra and Samantha c. Samantha and Gina d. Rebecca and Samantha

10. Based on the evidence you gathered in this HIPAA investigation, you will need to update the HIPAA Incident Log and complete a _____________ for the person identified in question 7:

a. HIPAA Incident Determination Checklist b. HIPAA Security Audit c. HIPAA Consent Form d. HIPAA Authorization Release

An Admission to the Psych Unit – Part IV

Now that you have finished the investigation above, complete a HIPAA Incident Determination Checklist (below) about the person you identified in question 7 above.


HIPAA Privacy/Security Incident Determination Checklist

Directions: Complete the checklist below to determine if an actionable violation occurred by the employee listed below.

1. Fill out the top 3 lines for report identification.
2. Mark questions 1-6.
3. Then select all applicable from A-J.
4. Make a recommendation as the investigator, either section ONE or TWO.
5. Record your name as signature.

Livewell HIPAA Program – CONFIDENTIAL

Date Investigation Completed: (use today’s date)
Name of HIPAA Officer Reporting: (use your name)
Employee Accused in Investigation:

# YES NO TYPE OF MEDIUM – Format Used in This Incident

1. Electronic data (includes e-mails, faxes, etc.)

2. Paper

3. Oral

# YES NO INFORMATION SECURITY VIOLATIONS – How Incident Occurred

4. Theft, loss, damage, unauthorized destruction, unauthorized modification, or unintentional release of any data classified as confidential.

5. Deliberate or accidental distribution or release of personal information by employee(s) in a manner not in accordance with law or policy.

6. Intentional non-compliance of HIPAA law or policy by the employee within his/her responsibilities.

# YES NO INFORMATION SECURITY VIOLATIONS – Computer Evidence

A. Tampering or Interference with computer systems.

B. Unauthorized access to computer data or computer systems.

# YES NO INFORMATION SECURITY VIOLATIONS – Equipment

C. Theft of IT equipment or any electronic devices containing or storing confidential, sensitive, or personal data.

D. Damage or destruction of IT equipment or any electronic devices containing or storing confidential, sensitive, or personal data.

# YES NO INFORMATION SECURITY/PRIVACY VIOLATIONS – Method of Execution

E. An individual who knowingly accesses and without permission alters, damages, deletes, destroys, or uses any data, in order to wrongfully control or obtain money, property, or data.


F. An individual who knowingly accesses and without permission takes, copies, or makes use of any information obtained during normal work assignment for malicious purpose in violation of law or policy.

G. Any individual knowingly and without permission provides or assists in providing a login to a computer, computer system, or computer network in violation of this section.

H. Any individual knowingly introduces any computer contaminant into any computer, computer system, or computer network.

# YES NO INFORMATION SECURITY VIOLATIONS – DEPARTMENT POLICY

I. Remote control software was installed and/or used without completion of a formal risk analysis.

J. Unauthorized use of a user ID or password.

Mark Finding INVESTIGATOR RECOMMENDATION

ONE Lack of evidence found in this investigation. (All ‘NO’ markings above from A-J) No Findings, case closed. HIPAA Investigation Log updated.

TWO HIPAA Security or Privacy violation evidenced above. Follow up with Human Resource Director for follow up disciplinary action. HIPAA Investigation log updated.

If Yes indicated in items A-J above and ‘two’ marked yes above, please complete section to right which is a recommendation for Human Resources to consider:

Based on evidence marked above, HIPAA Investigator recommends:

• Verbal warning, meeting with employee supervisor, HR file updated with incident
• Written warning, meeting with employee supervisor, HR file updated with incident
• Suspension pending further investigation. Vice President review, HR file updated.
• Suspension for ____ days without pay. HR file updated with incident.
• Termination of employment following approval and signatures.
  1. Notify Information Systems to terminate employee computer login.
  2. Notify payroll for final check.
  3. Notify benefits unit to schedule exit meeting with employee.
  4. Secure employee identification card and keys (if keys were issued).

Using at least 2 complete sentences, explain your INVESTIGATOR RECOMMENDATION. Explain your reasoning.

Investigator Signature:

