Module 04 Assignment – HIPAA Scenario

Security Assignment on HIPAA Incident Report – Part I

Instructions: Read through the description below, then use your knowledge of health information and healthcare systems to answer the questions that follow.

Scenario

You are the HIPAA privacy officer at your facility. Last week you received a phone call from Dana (an LPN at your facility) who asked to file a HIPAA incident report. Dana reported that she believes her ex-boyfriend, Johnny, is snooping in her electronic medical records. Dana went on to explain that Johnny is an EMT who frequently transports patients to your facility’s emergency room.

In the course of the investigation, you have already met with the ER Director, Lucinda Traverino, RN. She explained that after the EMT gives a report on the transported patient, care is handed off to the ER staff and the ambulance team (including the EMT) departs the ER. Because Johnny, as an EMT with the ambulance company, does not use the hospital’s computer system, you conclude that no HIPAA violation is possible. You head back to log this issue and close it with no findings.

Unfortunately, when you return to your HIPAA Office, the office phone is ringing. You take the call and immediately recognize the voice of Ms. Traverino, RN, the ED Director. She reports that Johnny also works part time for the hospital as an instructor in the Phlebotomy Lab. Ms. Traverino said she believes he only works a few hours each month but felt it was important to report. You thank her for calling, ask for Johnny’s last name (which she reports as Yeager), and hang up the phone. Your investigation has just become more complicated.

1. To confirm Johnny’s employment status at your hospital, you call the _______________ department.
a. Pharmacy department
b. Nursing department
c. Risk management department
d. Human Resource department

2. Now that Johnny is confirmed as working at the hospital as a Phlebotomy Lab instructor, you wonder whether he has access to the computer system. To find out, you call the _______________ department.
a. Human Resource department
b. Information Systems department
c. Health Information Management Services department
d. Telecommunications department

3. Johnny does have a computer login, and since your investigation can’t be closed without further information, you record the information you have so far in the _______________ log before proceeding any further.
a. HIPAA No Findings
b. HIPAA Investigation
c. HIPAA Terminated Employee
d. HIPAA Ambulance Transport


4. You now need to learn when Johnny works so that you can complete a security run and analysis report. You call the _______________ director to get Johnny’s work schedule.
a. Laboratory
b. Emergency Room
c. Pharmacy
d. Nursing

5. Using Johnny’s work schedule, you request a security audit which will show his _______________ in the _______________ system.
a. Permission, ambulance
b. Schedule, laboratory
c. Activity, computer
d. Security, personnel

6. If the security audit shows access to Dana’s _______________, then Johnny would have had _______________ access, which is a violation of HIPAA Security.
a. Bank account, authorized
b. Bank account, unauthorized
c. Medical record, authorized
d. Medical record, unauthorized


7. You access the MPI (master patient index) for Dana’s medical record and learn that she has only the following 3 account numbers: 887918, 337773, and 642262. Next, examine the security audit findings below, which reflect Johnny’s activity in the computer system.

Security Audit: By Account Number; Employee: Johnny Yeager, ID# 7918; Run by: DGinn, Security Coordinator.

337757 337757 337753
642250 642252 642254
642256 642259 642263
642266 642283 642307
642313 642334 642350
642351 642363 642378
642384 642391 642572
440050 440050 440054
440054 440059 440043
440044 440083 440307
440313 440334 440350
440351 440343 440378
440384 440391 440570
337757 337757 337753
337753 337759 337733
337730 337783 337077
337313 337338 337357
337351 337303 337378
337383 337391 337977
337053 338759 337730
338733 337783 337377
337313 337333 337357
337351 337833 337378
337383 337391 337577
912250 912252 912251
912259 912239 912298
912299 912288 912807
912818 912880 912850
912851 912898 912878
912881 912891 912572
110050 110054 110051
110051 110059 110018
110011 110088 110807
110818 110881 110850
110851 110818 110878
110881 110891 110570
889757 887757 887768
887758 887759 887789
887788 087788 887877
887818 887888 887857
887851 887848 887878
887188 887891 887577

Based on the security audit findings presented in the table above, did Johnny access Dana’s information?
a. Yes
b. No
c. Cannot tell from this information
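The comparison behind question 7, written out as an added Python example (not part of the assignment): parse the printed audit, count exact hits against the MPI account numbers, and also flag audit entries one digit away from a patient account so that a transcription error in a printed report is re-checked by hand rather than silently treated as "no access". The audit rows and Dana's account numbers are taken from the page as printed.

```python
"""Check a by-account-number security audit against a patient's MPI account numbers."""
from collections import Counter

# The audit rows printed in question 7 (employee Johnny Yeager, ID#7918), in row order.
AUDIT_TEXT = """
337757 337757 337753 642250 642252 642254 642256 642259 642263
642266 642283 642307 642313 642334 642350 642351 642363 642378
642384 642391 642572 440050 440050 440054 440054 440059 440043
440044 440083 440307 440313 440334 440350 440351 440343 440378
440384 440391 440570 337757 337757 337753 337753 337759 337733
337730 337783 337077 337313 337338 337357 337351 337303 337378
337383 337391 337977 337053 338759 337730 338733 337783 337377
337313 337333 337357 337351 337833 337378 337383 337391 337577
912250 912252 912251 912259 912239 912298 912299 912288 912807
912818 912880 912850 912851 912898 912878 912881 912891 912572
110050 110054 110051 110051 110059 110018 110011 110088 110807
110818 110881 110850 110851 110818 110878 110881 110891 110570
889757 887757 887768 887758 887759 887789 887788 087788 887877
887818 887888 887857 887851 887848 887878 887188 887891 887577
"""
# Dana's account numbers from the MPI lookup in question 7.
DANA_ACCOUNTS = {"887918", "337773", "642262"}

def parse_audit(text):
    """Return the audited account numbers as 6-digit strings; reject anything else."""
    accounts = []
    for token in text.split():
        if not (token.isdigit() and len(token) == 6):
            raise ValueError(f"unexpected audit token: {token!r}")
        accounts.append(token)
    return accounts

def exact_matches(audit, patient_accounts):
    """How many times each patient account appears in the audit (0 means no access)."""
    counts = Counter(audit)
    return {acct: counts[acct] for acct in sorted(patient_accounts)}

def near_matches(audit, patient_accounts):
    """Audit entries exactly one digit away from a patient account, for manual re-check."""
    return sorted({(entry, acct) for entry in set(audit) for acct in patient_accounts
                   if sum(x != y for x, y in zip(entry, acct)) == 1})

def accessed(audit, patient_accounts):
    """True if any of the patient's accounts appears in the audit."""
    return any(n for n in exact_matches(audit, patient_accounts).values())
```

Run `accessed(parse_audit(AUDIT_TEXT), DANA_ACCOUNTS)` for the exact answer and `near_matches(...)` for the entries worth confirming against the system before closing the case.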

8. The primary purpose of the above security audit is to determine if Johnny has accessed Dana’s _____________________________.
a. PHI
b. HMR
c. SS#
d. POA

Security Assignment on HIPAA Incident Report – Part II

Now that you have finished the investigation above, complete a HIPAA Incident Determination Checklist (below) for Johnny.

HIPAA Privacy/Security Incident Determination Checklist

Directions: Complete the checklist below to determine if an actionable violation occurred by the employee listed below.
1. Fill out the top 3 lines for report identification.
2. Mark questions 1-6.
3. Then select all applicable from A-J.
4. Make a recommendation as the investigator, either section ONE or TWO.
5. Record your name as signature.

Livewell HIPAA Program – CONFIDENTIAL

Date Investigation Completed: (use today’s date)
Name of HIPAA Officer Reporting: (use your name)
Employee Accused in Investigation:

# YES NO TYPE OF MEDIUM – Format Used in This Incident

1. Electronic data (includes e-mails, faxes, etc.)

2. Paper

3. Oral

# YES NO INFORMATION SECURITY VIOLATIONS – How Incident Occurred

4. Theft, loss, damage, unauthorized destruction, unauthorized modification, or unintentional release of any data classified as confidential.

5. Deliberate or accidental distribution or release of personal information by employee(s) in a manner not in accordance with law or policy.

6. Intentional non-compliance of HIPAA law or policy by the employee within his/her responsibilities.

# YES NO INFORMATION SECURITY VIOLATIONS – Computer Evidence

A. Tampering or Interference with computer systems.

B. Unauthorized access to computer data or computer systems.

# YES NO INFORMATION SECURITY VIOLATIONS – Equipment

C. Theft of IT equipment or any electronic devices containing or storing confidential, sensitive, or personal data.

D. Damage or destruction of IT equipment or any electronic devices containing or storing confidential, sensitive, or personal data.

# YES NO INFORMATION SECURITY/PRIVACY VIOLATIONS – Method of Execution

E. An individual who knowingly accesses and without permission alters, damages, deletes, destroys, or uses any data, in order to wrongfully control or obtain money, property, or data.

F. An individual who knowingly accesses and without permission takes, copies, or makes use of any information obtained during a normal work assignment for a malicious purpose in violation of law or policy.

G. Any individual knowingly and without permission provides or assists in providing a login to a computer, computer system, or computer network in violation of this section.

H. Any individual knowingly introduces any computer contaminant into any computer, computer system, or computer network.

# YES NO INFORMATION SECURITY VIOLATIONS – DEPARTMENT POLICY

I. Remote control software was installed and/or used without completion of a formal risk analysis.

J. Unauthorized use of a user ID or password.

INVESTIGATOR RECOMMENDATION (mark one finding)

ONE: Lack of evidence found in this investigation (all ‘NO’ markings above from A-J). No Findings, case closed. HIPAA Investigation Log updated.

TWO: HIPAA Security or Privacy violation evidenced above. Follow up with Human Resource Director for follow-up disciplinary action. HIPAA Investigation Log updated.

If YES is indicated in any of items A-J above and ‘TWO’ is marked, complete the section below, which is a recommendation for Human Resources to consider. Based on the evidence marked above, the HIPAA Investigator recommends:

Verbal warning, meeting with employee supervisor, HR file updated with incident.
Written warning, meeting with employee supervisor, HR file updated with incident.
Suspension pending further investigation. Vice President review, HR file updated.
Suspension for ____ days without pay. HR file updated with incident.
Termination of employment following approval and signatures:
1. Notify Information Systems to terminate employee computer login.
2. Notify payroll for final check.
3. Notify benefits unit to schedule exit meeting with employee.
4. Secure employee identification card and keys (if keys were issued).

Using at least 2 complete sentences, explain your INVESTIGATOR RECOMMENDATION. Explain your reasoning.

Investigator Signature:

  • HIM2429fw-Mod_04-Assignment_HIPAA_Scenario part-1.pdf
  • HIM2429fw-HIPAA_Incident_Determination_Checklist.pdf