Case Study: The following case study (Rinehart-Thompson) at hypothetical St. John Hospital illustrates numerous issues that the HIPAA privacy rule presents and which HIPAA-covered entities must address on a daily basis. As you conclude Chapter 9 and the HIPAA privacy rule requirements, use this case study to identify the issue(s) presented on each date, determining how each situation should be handled in order to comply with the HIPAA privacy rule. From May 26-30, Mary Jones was hospitalized in St. John Hospital, located in Johnson County, with depression and a drug overdose (documented by the physician as possible suicide attempt). She also had Type I diabetes and a previous above-knee amputation of the right leg, with prosthesis. During her hospital stay, she had several sessions with her psychiatrist, Dr. Bridges. On July 18, Ms. Jones contacted the HIM Department at St. John Hospital to request a copy of her medical records from her May hospital admission. The chart was copied for her by ReadyChart, the record-copying service utilized by St. John Hospital. On August 7, Ms. Jones returned to the HIM Department at St. John Hospital, extremely upset that her May records indicated a possible suicide attempt. She wanted Dr. Bridges to change the incorrect records to reflect that the overdose was accidental. Dr. Bridges refused, stating that Ms. Jones didn’t know what she was talking about. On September 14, Ms. Jones was readmitted to St. John Hospital with an infection of the prosthetic site. She was treated with an antibiotic regimen. On October 5, St. John Hospital received a call from Mercy Hospital. Ms. Jones was in the emergency department there, with a severe infection of her prosthetic site. The nurse in the Mercy Hospital emergency department asked for faxed copies of medical records from Ms. Jones’ September admission at St. John, as she was being prepared for immediate surgery. On October 15, Ms. Jones decided to go to another psychiatrist. She called St. John Hospital HIM Department and asked that her medical records from her May hospital admission be mailed to Dr. Lyon, as she has an appointment scheduled with him this coming January. Ms. Jones stated that she had also changed jobs in September, and her new health insurer was Liberty Life and Health. On October 30, Ms. Jones requested a copy of her medical records from her September admission. The new HIM manager in charge of correspondence, Don Day, stated that he was aware of a state statute that prohibited the release of medical records to patients without prior written approval of their attending physician. This has not been the practice at St. John Hospital. Mr. Day was concerned about the hospital’s longstanding violation of state law. He suggested that correspondence requests (in which records would be released directly to patients) be suspended until the state law could be researched further. On November 10, Ms. Jones received a brochure and samples from Comfort Healthcare, a pharmaceutical company that manufactures ointment for patients with prostheses. Ms. Jones called the St. John Hospital registration desk to complain. Jessica Carter, a candy striper, took Ms. Jones’ call. On November 12, Liberty Life and Health submitted a request to Dr. Lyon’s office for copies of Ms. Jones’ medical records from her May St. John Hospital admission and from Dr. Lyon’s office. On November 17, A case worker from the Johnson County Children’s Services called the HIM Department at St. John and requested Ms. Jones’ medical records from her May hospitalization. Children’s Services had received a complaint that Ms. Jones had an “episode” on May 26 and there was concern that her children were being subjected to ongoing abuse. As a result, it was initiating an investigation. On November 20, the physical therapy department at St. John Hospital is performing a correlational study to determine the effects of two different types of treatment that the physical therapy department has used with its above-knee amputation patients during the past two years. Ms. Jones received treatment from the St. John physical therapy department during her September admission. On November 21, Dr. King, an orthopedic surgeon, presented a seminar to the state association of orthopedic surgeons on above-knee amputation techniques. He had performed Ms. Jones’ procedure one year ago, and he showed slides that compared her condition before the procedure, immediately after, six months later, and one year later. Based on the HIPAA privacy rule issues discussed in Chapter 9, identify the issue or issues presented on each date in the above case study. Sample of what your assignment should look like. I went ahead and provided the first two dates for you. Your assignment is to provide the needed documentation for the remaining dates: Date Event Identified Privacy Rule Principle(s) May 26–30 Patient hospitalized at St. John Hospital, Johnson County. Treated by psychiatrist Dr. Bridges. During hospitalization: facility directory July 18 Patient requested copies of medical records from May 26-30 admission at St. John Hospital. Records copied by record copying service, ReadyChart. Individual right of access (and psychotherapy notes exception). ReadyChart is a BA; its employees may be considered workforce members August 7 Patient wants “possible suicide attempt” removed from records by Dr. Bridges Individual right to request amendment Provide the remaining answers in a table, as you see here. Include the dates: September 14 – November 21. Provide the remaining answers in a table, as you see here. Include the dates: September 14 – November 21. Once your table is done, provide a summary for each of the dates identified in the documentation. I have provided an example for you below to get you started. May 26-30: The scenario doesn’t state whether Mary was admitted to a special behavioral health or substance abuse unit. If there are special units, St. John Hospital may establish a policy where there is no facility directory for those units (to ensure patient confidentiality). In that case, patients should be instructed that no information will be given about them and they will need to contact individuals directly. If facility policy allows Mary to be included in the facility directory, it must be clear to her what information can be disseminated—fact of her admission; location; condition in general terms to those who ask for her by name; religion (to clergy of her religious affiliation if this has been indicated on her record). July 18: If Dr. Bridge’s documentation constitutes psychotherapy notes, Mary does not have a right of access to this information (an exception to the individual right of access under the HIPAA privacy rule). If the record is an EHR, an electronic copy must be made available to Mary. ReadyChart is a business associate (the organization is not a member of St. John’s workforce and its functions include the use and disclosure of individually identifiable health information on behalf of the covered entity, St. John Hospital). There must be a signed business associate agreement (BAA) between St. John Hospital and ReadyChart, although ReadyChart is still a BA even if a BAA does not exist. The business associate agreement must reflect the required changes per HITECH (which increase the risk of being a business associate). Special note: ReadyChart employees, who likely routinely work on-site at St. John Hospital, may be considered workforce members for purposes of training and so forth. August 7: Mary is exercising her individual right to request an amendment to her health records. The right to request does not mean that the covered entity must comply with the request. If her request is granted, St. John must identify the records in the DRS that are affected by the amendment and append the information. Mary must then be notified that the amendment was accepted, have her identify the persons with whom the amendment needs to be shared, and obtain her agreement to notify those persons. Reasonable efforts must be made to provide the amendment, within a reasonable amount of time, to anyone who has received Mary’s PHI. Research Visit the website of the Office of Civil Rights for the Department of Health and Human Services and access the posting of breach incidents affecting 500 or more individuals at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf . Identify information such as the 10 largest breaches that occurred in the past 2 years, the locations of the breaches, and whether the covered entities are healthcare providers or other types of covered entities.