2023 Data Privacy at Tenet: 4231912
The HIPAA Breach Notification Rule required Tenet to (choose all that apply): -Notify the Department of Justice -Notify the media if the breach impacts 500 or more people -Provide formal patient notification to any affected individuals -Notify the Department of Health and Human Services
-Notify the media if the breach impacts 500 or more people -Provide formal patient notification to any affected individuals -Notify the Department of Health and Human Services
TRUE or False: Under HIPAA Rules, companies are protected from being liable for a breach of unsecured PHI.
FALSE Under HIPAA rules, a breach can affect companies through significant penalties, reinforcement actions and reputational risk.
Late on a Friday afternoon you have a project deadline approaching and send spreadsheet containing company financial and patient data to your personal email account so that you can access the data from home on your personal device and complete your project. Is this permitted?
No this is not permitted. Company approved email systems must be used to transmit company information. The use of personal email or other unauthorized email systems, such as yahoo or gmail, for business related purposes is prohibited. Employees are prohibited from sending prohibited health information (PHI), personally identifiable information (PII), or other Confidential information to an employee's personal email.
You share information on a patient's medical condition, room location, family contacts or personal history with unauthorized personnel, the public, the press or investigate personnel. Is this permitted?
No, it's not permitted Selling, releasing, or otherwise disclosing information for personal gain, or with malicious intent is reportable.
You were part of a treatment team who provided care to a gun-shot victim who was admitted through the Emergency Department. You recognize details about the event and the patient's injuries on your supervisor's social networking site. Is this permitted?
No, this is not permitted Employees may not publish any content related to patients and patient care, even if the patient is not identified. Unauthorized disclosure of non-Public or Confidential Information also constitutes a violation of Tenet's Code of Conduct and Tenet's Privacy & Security Compliance Program. The posting of this information may also pose safety and security risk to our patients, visitors, and staff.
TRUE or FALSE: Each time a potential breach is reported, an investigation will take place that includes evaluation of the breach, a risk assessment, and a determination if a breach did occur.
TRUE The Ethics and Compliance team along with employees of the facility are required to complete all steps of the investigation within the notification timelines.
You notice a note on your manager's desk from a coworker requesting time-off for a medical procedure. To relieve your coworkers anxiety about the pending exam, you access her medical record to ensure she is ok. Relieved that it was nothing serious, you tell your coworkers about the procedure and that there is nothing for them to worry about. Should this be reported?
Yes, it's reportable Accessing the electronic medical record of a patient (family, friend, coworker, or VIP patient) when you are not a member of the treatment team and do not have an operational purpose for accessing the record is reportable. Remember that routine access audits are conducted to identify inappropriate access just like this.
Jacob leaves a paper document containing patient information in an area which is accessible to the public but no one saw the PHI. After you discover this situation, should you report it?
Yes, it's reportable Leaving documents containing PHI in public areas is reportable. Also, if you find PHI in a regular trash bun that is reportable too as the PHI needs to be safeguarded and disposed of in a secured shred bin.
You receive a call from a physicians' office stating that the office just received a fax from your department containing information of a patient that is not their patient. Should this be reported?
Yes, it's reportable Transmitting PHI via mail, fax or email to the incorrect location or recipient is reportable. We want to make sure that the misdirected information is safeguarded from further disclosure. It is important to report these types of concerns as soon as possible so that we can either have it returned to us or appropriately destroyed or deleted. Remember, we have that ticking clock counting down and we may have reporting obligations to the patient, government and possibly the media.
Susan is related to a patient that has complained that they had a bad experience in the ER. She does not work in the ER but has access to the electronic health record system. Susan accesses parts of the medical record, including physician notes, copies them and give them to an attorney looking for evidence of malpractice. Should this be reported?
Yes, it's reportable. Accessing medical records of family members, co-workers or other members of the public for the intent of personal gain or when you're not a member of the care team is reportable.
You work in the Emergency Department and you receive a call from a patient stating that they received discharge instructions of another patient. The discharge instructions contain medical information as well as personally identifiable patient information. Should this be reported.
Yes, it's reportable. Accidentally providing PHI to the incorrect patient is reportable. Again, we want to make sure that the misdirected information is safeguarded from further disclosure. It is important to report these types of concerns as soon as possible so that we can either have it returned to us or appropriately destroyed. Remember, we have that ticking clock counting down and we may have reporting obligations to the patient and others.
Your friend works in Radiology and an adult member of their family (e.g. his/her spouse or adult child) visited the Emergency Department. Curious about their relative's diagnosis and treatment, they access PHI using electronic medical record system. Should this be reported?
Yes, it's reportable. You cannot access an electronic medical record of a patient if you're not a member of the treatment team. Also, you should know that routine access audits are conducted to identify inappropriate access just like this.
You are a nurse and a patient comes to you upset and alleges that another nurse on you floor has inappropriately gossiped about the patient's substance abuse treatment with another nurse. Should this be reported?
Yes, it's reportable. You should not discuss PHI in public areas with colleagues who are not involved in the treatment, payment or operations of a patient. Also, it is important to remember when discussing patient information to be aware of your surroundings and who may overhear the conversation. Remember to use a voice volume appropriate to the situation.
A family member of an employee needs his son's immunization history before he can start school tomorrow. He asks a friend working in the evening to look it up because it will take too long to get it from the Medical Records department. The friend searches the medical records to get the information. Should this be reported.
Yes, its reportable Accessing the records of a family member or friend to print their results for them instead of the patient signing a release authorization in medical records is reportable. We also audit this type of inappropriate access.
You recently received patient care at your facility and use the patient portal to access your medical record to obtain and print your lab results. Is this permitted?
Yes, this is permitted Employees are authorized to use the patient portal or follow the facility's release of information process to review or retrieve their own electronics medical records.