Acme Emergency Medical Services electronically performs transactions specified in HIPAA. Acme was transporting a patient when the ambulance door became unlatched and patient information flew out. John Citizen, a bystander, found and read the following information:
Gender: male
Age: 87
Residence: Littletown, Oklahoma (the population of Littletown is 6000 residents)
Narrative: This gentleman was transported to Littletown Hospital suffering from chest pain.
Answer the following questions:
- Describe the three-part test for determining whether information is PHI.
- Is the first part of the test met? Explain whether the document in question contains any of the HIPAA identifiers and, if so, which ones were included?
- Is the second part of the test met? Explain why you answered yes or no.
- Is the third part of the test met? Explain why you answered yes or no.
- Was there a HIPAA violation when this information fell out of the ambulance and was read by John Citizen?
SUBMIT AS A WORD DOCUMENT USING FULL SENTENCES
Solution
HIPAA and Protected Health Information (PHI) Case Study
1. Describe the three-part test for determining whether information is PHI.
To determine whether information is Protected Health Information (PHI)
under the Health Insurance Portability and Accountability Act (HIPAA), it must
pass a three-part test. First, the information must concern the individual's
physical or mental health status, healthcare providers, or payment for
healthcare. Second, the information must identify the individual, or there
must be good reason to believe that the individual may be identified from it.
Third, the information must be sent or retained in any form, such as
electronic, paper, or oral, by a covered entity or its business associate.
2. Is the first part of the test met? Explain whether the document in question contains any of the HIPAA identifiers and, if so, which ones were included.
Yes, the first part of the test is met. The record contains a medical
history stating that the patient was taken to a hospital because of chest
pain, which relates directly to the individual's health condition and
treatment. Moreover, it contains HIPAA identifiers, including the gender,
age (87), and the name of the town in which the patient lives (Littletown,
Oklahoma), where the population is small enough that the person could easily
be identified through it.
3. Is the second part of the test met? Explain why you answered yes or no.
Yes, the second part of the test is met. Even though the patient's name is
not provided, the combination of information given (age, gender, location,
and condition) could help identify the patient, especially in a small town
with a population of only 6,000. The information is thus a reasonable means
of identification.
4. Is the third part of the test met? Explain why you answered yes or no.
Yes, the third part of the test is met. Acme Emergency Medical Services
was a covered entity under HIPAA that transmitted and stored the information
while delivering healthcare services. Even though the information was
accidentally misplaced, it remained under the custody of a covered entity and
was subject to HIPAA regulation when the incident occurred.
5. Was there a HIPAA violation when this information fell out of the ambulance and was read by John Citizen?
Yes, this incident constitutes a HIPAA violation. The information that fell
out of the ambulance met all three criteria for PHI, and it was disclosed to
an unauthorized person (John Citizen). Although the disclosure was
unintentional, covered entities are expected to handle PHI with the
reasonable precautions that HIPAA requires to prevent unauthorized
disclosures. The loss and exposure of the documents through a lack of proper
security amounts to a breach of unsecured PHI.