Privacy and confidentiality are the key fundamental elements for building trust between a health care provider and the patient. When compromised or breache

Review the following scenario:

ABC Health Systems (AHS) was founded in 1959 by a group of 10 doctors in a mid-sized city in the southeastern United States. Beginning with a 30-bed hospital, AHS has expanded to its current bed complement of 305 acute care beds, a 110-bed skilled rehab and nursing facility on its campus, a 65-bed assisted living facility, outpatient rehab services, ER, and a cancer treatment clinic. AHS has 1,195 full-time employees’ campus-wide and is accredited by The Joint Commission, Commission on Accreditation of Rehabilitation Facilities, and also has other credentialed or accredited services throughout the campus.

Ben Smithfield was recently hired as the privacy officer for AHS. Previously, he worked for the third-largest faith-based health system, which is in the Midwest. In his new job, he reports to the vice president for risk management, who served as AHS’s privacy officer prior to Ben’s recruitment. AHS felt their privacy and security concerns could be best met with a full-time program manager dedicated to training, compliance, and management of this function.

Ben’s first week on the job proved to be very busy. While eating breakfast at a local fast-food restaurant, he overheard 2 doctors discussing AHS’ first successful robotic surgery on Paul Petersen. The MDs enthusiastically reported on Mr. Petersen’s condition stating that “although the surgery took longer than expected, Mr. Petersen’s vital signs were good. His pain level is high, and we are closely monitoring a post-op infection.” Later that day, Ben was contacted by Mr. Petersen, who was surprised to see his case discussed on the local news. That was not the only time Ben saw AHS in the news that day. He saw a press release from administration that reported that an ER patient, Violet Jones, was arrested after she physically assaulted 2 nurses who were attempting to insert her catheter.

Observations Found on Tour

During Ben’s first day, there was also a tour of the hospital and Ben took note of the following violations:

· A USB drive was unattended in the IT department and was clearly visible from an open door to the department.

· A maintenance worker was throwing old laptops in a dumpster, along with digital printer/copy cartridges.

· A high school student was shadowing a medical resident and observed her charting in an electronic health record (EHR) at the nurses station.

· A resident answered questions for the spouse of Mr. Petersen at the nurses’ station, which was heard by the high school student and Ben.

· The high school student, the medical resident, and Mr. Petersen’s spouse left the nurses station to meet with Mr. Petersen. The medical resident did not log out of the terminal. Ben sat at the terminal and scrolled through the open EHR.

· Charge RN Betsy Brown approached Ben and explained that she was excited to meet the new recruit that the VP spoke so enthusiastically about. When Betsy left, Ben was unable to view the open record due to a timeout provision. He asked an LPN if he would log Ben in and the LPN gladly complied.

· Across from the nurses desk in the hall, Ben noticed a white board that listed all patients on the unit, the name of the attending physician, the purpose of their admission (hip surgery, knee replacement, gall bladder removal, etc.), along with their code status—full code, no code, Do Not Resuscitate (DNR), etc.

· Taking a break from viewing electronic charts, Ben headed to the staff break room on the unit. As he tossed his drink can in the trash can, Ben saw vital signs logs for patients on that unit completed the previous day. The logs contained patient and staff names, along with patient information, including temperatures, blood pressure, pulse rate, and blood sugar test strip results.

· Heading back to his office, Ben decided to stop by the IT department and check further about the unattended USB drive. He found the door unlocked and the area unattended. No one was around and the USB drive was still in plain sight on the desk.

· On his way to his first staff meeting later that day, Ben passed the radiology waiting area. He observed a crew filming what appeared to be a commercial using the full waiting room as a backdrop.

· In the staff meeting, Ben asked when the last HIPAA security assessment was completed. The staff was vague as to an actual date, but the consensus was “about 3 years ago.” The VP of nursing asked if Ben would check to see what follow-up was done about the missing or stolen laptop off West B 18 months ago. Her concern was the missing patient data since this was a common laptop used by numerous people; so many, in fact, that the laptop had a simple password: 12345.

After his first day on the job, Ben felt there was a need for him to summarize 3 major violations he observed and develop a plan of action that could be used to prevent these violations in the future. Each incident on the Observations Found on Tour list is either a legal or regulatory compliance violation.

PLAN OF ACTION:

Select 3 compliance violations from the list to focus on in your plan of action.

Respond to the five writing prompts below to develop a plan of action. Insert your answer beneath the prompt.

Please be sure to research your information and properly cite your sources.

1. Compliance Violations

Summarize three compliance violations you selected from the scenario and the regulations or laws that address these violations.

2. Regulatory Stakeholders

Analyze the roles and responsibilities of regulatory agencies, accrediting and certifying bodies, and state professionals’ boards and their influence on facility operations and compliance to regulatory standards in the scenario.

3. Patient and Provider Rights

Explain the patient and provider rights and responsibilities and what impact regulations have on standards of care and potential liabilities as they relate to the violations.

4. Compliance and Risk Management Factors of the Medical Records

Analyze the potential risk management issues as they relate to the violations selected and the organization’s responsibility to protect the medical records and protected health information.

5. Create a basic plan of action and implementation process that could be used to prevent these violations in the future. Include industry-recognized strategies and best practices in your plan.

REFERENCES (minimum of 2 required):

image1.png

Review the following scenario:

ABC Health Systems (AHS) was founded in 1959 by a group of 10 doctors in a mid-sized city in the southeastern United States. Beginning with a 30-bed hospital, AHS has expanded to its current bed complement of 305 acute care beds, a 110-bed skilled rehab and nursing facility on its campus, a 65-bed assisted living facility, outpatient rehab services, ER, and a cancer treatment clinic. AHS has 1,195 full-time employees’ campus-wide and is accredited by The Joint Commission, Commission on Accreditation of Rehabilitation Facilities, and also has other credentialed or accredited services throughout the campus.

Ben Smithfield was recently hired as the privacy officer for AHS. Previously, he worked for the third-largest faith-based health system, which is in the Midwest. In his new job, he reports to the vice president for risk management, who served as AHS’s privacy officer prior to Ben’s recruitment. AHS felt their privacy and security concerns could be best met with a full-time program manager dedicated to training, compliance, and management of this function.

Ben’s first week on the job proved to be very busy. While eating breakfast at a local fast-food restaurant, he overheard 2 doctors discussing AHS’ first successful robotic surgery on Paul Petersen. The MDs enthusiastically reported on Mr. Petersen’s condition stating that “although the surgery took longer than expected, Mr. Petersen’s vital signs were good. His pain level is high, and we are closely monitoring a post-op infection.” Later that day, Ben was contacted by Mr. Petersen, who was surprised to see his case discussed on the local news. That was not the only time Ben saw AHS in the news that day. He saw a press release from administration that reported that an ER patient, Violet Jones, was arrested after she physically assaulted 2 nurses who were attempting to insert her catheter.

Observations Found on Tour

During Ben’s first day, there was also a tour of the hospital and Ben took note of the following violations:

· A USB drive was unattended in the IT department and was clearly visible from an open door to the department.

· A maintenance worker was throwing old laptops in a dumpster, along with digital printer/copy cartridges.

· A high school student was shadowing a medical resident and observed her charting in an electronic health record (EHR) at the nurses station.

· A resident answered questions for the spouse of Mr. Petersen at the nurses’ station, which was heard by the high school student and Ben.

· The high school student, the medical resident, and Mr. Petersen’s spouse left the nurses station to meet with Mr. Petersen. The medical resident did not log out of the terminal. Ben sat at the terminal and scrolled through the open EHR.

· Charge RN Betsy Brown approached Ben and explained that she was excited to meet the new recruit that the VP spoke so enthusiastically about. When Betsy left, Ben was unable to view the open record due to a timeout provision. He asked an LPN if he would log Ben in and the LPN gladly complied.

· Across from the nurses desk in the hall, Ben noticed a white board that listed all patients on the unit, the name of the attending physician, the purpose of their admission (hip surgery, knee replacement, gall bladder removal, etc.), along with their code status—full code, no code, Do Not Resuscitate (DNR), etc.

· Taking a break from viewing electronic charts, Ben headed to the staff break room on the unit. As he tossed his drink can in the trash can, Ben saw vital signs logs for patients on that unit completed the previous day. The logs contained patient and staff names, along with patient information, including temperatures, blood pressure, pulse rate, and blood sugar test strip results.

· Heading back to his office, Ben decided to stop by the IT department and check further about the unattended USB drive. He found the door unlocked and the area unattended. No one was around and the USB drive was still in plain sight on the desk.

· On his way to his first staff meeting later that day, Ben passed the radiology waiting area. He observed a crew filming what appeared to be a commercial using the full waiting room as a backdrop.

· In the staff meeting, Ben asked when the last HIPAA security assessment was completed. The staff was vague as to an actual date, but the consensus was “about 3 years ago.” The VP of nursing asked if Ben would check to see what follow-up was done about the missing or stolen laptop off West B 18 months ago. Her concern was the missing patient data since this was a common laptop used by numerous people; so many, in fact, that the laptop had a simple password: 12345.

After his first day on the job, Ben felt there was a need for him to summarize 3 major violations he observed and develop a plan of action that could be used to prevent these violations in the future. Each incident on the Observations Found on Tour list is either a legal or regulatory compliance violation.