Question

The following case study (Rinehart-Thompson) at hypothetical St. John Hospital illustrates numerous issues that the HIPAA privacy rule presents and which HIPAA-covered entities must address on a daily basis. As you conclude chapter 10, use this case study to identify the issue(s) presented on each date, determining how each situation should be handled in order to comply with the HIPAA privacy rule.

Background: From May 26-30, Mary Jones was hospitalized in St. John Hospital, located in Johnson County, for Type 1 diabetes and a possible drug overdose. She had a previous above-knee amputation of the right leg, with prosthesis.

On July 18, Ms. Jones contacted the HIM department at St. John Hospital to request a copy of her medical records from her May hospital admission. The chart was copied for her by ReadyChart, the record-copying service utilized by St. John Hospital.

On October 5, St. John Hospital received a call from Mercy Hospital. Ms. Jones was in the emergency department there with a severe infection of her prosthetic site. The nurse in the Mercy Hospital emergency department asked for faxed copies of medical records from Ms. Jones’ September admission at St. John, as she was being prepared for immediate surgery.

On October 15, Ms. Jones called St. John Hospital’s HIM department and asked that her medical records from her May St. John Hospital admission be mailed to Dr. Lyon, as she has an appointment scheduled with him on November 15. Ms. Jones stated that she had also changed jobs in September, and her new health insurer was Liberty Life and Health.

On November 10, Ms. Jones received a brochure and samples from Comfort Healthcare, a pharmaceutical company that manufactures ointment for patients with prostheses. Ms. Jones called the St. John Hospital registration desk to complain. Jessica Carter, a volunteer, took Ms. Jones’ call.

On November 29, Liberty Life and Health submitted a request to Dr. Lyon’s office for copies of Ms. Jones’ medical records from her May St. John Hospital admission and from Dr. Lyon’s office.

On November 30, a case worker from the Johnson County Children’s Services called the HIM department at St. John and requested Ms. Jones’ medical records from her May hospitalization. Children’s services had received a complaint that Ms. Jones had an “episode” on May 26 and there was concern that her children were being subjected to ongoing abuse. As a result, it was initiating an investigation.

On December 2, Dr. King, an orthopedic surgeon, presented a seminar to the state association of orthopedic surgeons on above-knee amputation techniques. He had performed this procedure on Ms. Jones one year ago, and he showed slides that compared her condition before the procedure, immediately after, six months later, and one year later.

Based on the HIPAA privacy rule issues discussed in chapter 10, identify the issue or issues presented on each date in the above case study.

  

Date	Event	Identified Privacy Rule Principle(s)
July 18	Patient requested copies of medical records from May 26–30 admission at St. John Hospital. Records copied by record copying service, ReadyChart.	ReadyChart is a business associate (BA) There must be a signed business associate agreement (BAA) between St. John Hospital and ReadyChart, although ReadyChart is still a BA even if a BAA does not exist The business associate agreement must reflect the required changes per HITECH (which increase the risk of being a business associate) ReadyChart employees may be considered workforce members

Answer 1

In the above stated case study during the admission of Ms.Jones in May 26-30, shows no privacy issues.

In July 18 also, She is found requesting HIM department for the copy of her medical record. As per HIPAA rules of patients right, Mrs Jones can have the right to take a copy of her medical record. The use of Readychart for copying the medical record is aslo safe as there is an agreement signed and its a satndardized protocol of the hospital.

October 5: The Mercy hospital is asking for the medical record of Ms.Jones about the surgery done in September. As per HIPAA rules, the information can be provided to Mercy hospital only if this is consented by Ms. Jones. Moreover the surgery was conducted in month of May. There is no record of her being admitted in September. So this confused statement should be cleared first and the availability of the consent by Ms. Jones to disclose the health information.

October 15: Although Ms. Jones have consented telephonically that the information can be shared to Dr.Lyon and the information regarding her new insurance company, these consent can be considered as a valid method. There should be a legal contract signed between the patient and the organization about disclosure of personal health information and transfer of insurance company.

November 10: In this incidence, a breech in the privacy of patient health information is suspected as of how the Comfort healthcare pharmaceutical company came to know that Ms. Jones underwent a surgery and is using prosthesis. This is a questionable event as Ms. Jones have not consented for release of information to any such company.

November 29: The request of Liberty life and health can only be allowed by both the hospitals only if a written agreement or consent is available by Ms. Jones. Its important that the health issurance company retrieves information about patients health status, treatments and procedures done. But as per the HIPAA rule, this disclosure of information should be consented by the patient.

November 30: The social worker of chidren's services can be only told that if Ms. Jones was admitted in May for any treatment. But the details about the course of treatment and hospitalization can only be disclosed if Ms. Jones agrees to do so.

December 2: Every research activity or other type of study on patients and case study, requires the consent from the subject regarding the use of their personal health information. Legal issues can be raised by Ms. Jones if she has not been informed about the use of her case details. As per the HIPAA rules, in research the patient has the right to consent, reject or place restriction in the type of information to be shared. So consent of the subject is very important before conducting a research.