Question

After one year of experience and successfully passing all necessary quotas and quality audits, SUNY Broome Community Hospital allows coders the option of working remotely from home. Recently, there was an incident where one of the coders, Debbie, left her office door open and stepped outside to talk with a neighbor while on her lunch break. During this time, Debbie’s nine-year-old son who was home sick from school was able to access her computer which had protected health information up on screen in an attempt to play online games. When she returned to her office, Debbie reported the incident to her supervisor. No records were altered in any way, no information was publicly leaked, and there was no malicious intent. As the HIM Coding Manager in charge of the remote coders, you must now decide how to proceed.

1. In this scenario was there a HIPAA security breach?

2. What disciplinary actions, if any, would you take against Debbie?

3. There are four physical safeguards discussed in the chapter (facility access controls, workstation use, workstation security, and device and media controls). How should each of them apply to the home office setup of a remote coder?

4. There are five technical safeguards discussed in the chapter (access control, audit control, integrity, person or entity authentication, and transmission security). Which ones would be applicable to making sure an incident like this does not happen again?

5. As the manager in charge of the remote coders, following this incident you want to send an email reminding the remote coders of best practices to keep the protected health information in their home offices safe and secure. What best practices would you recommend?

Answer 1

1. In this scenario , the HIPPA security breach has happened. Even though the data was made public,the act of leaving all the record online which can be accessed anyone,itself is an act of breach.

2. Since the data was not made public or content was not leaked or sent anywhere or there was no malicious intent, a warning memo is sufficient. The warning memo will clearly specify that if such negligence happens again,Debbie may be put on performance improvement plan wherein each day her work will be supervised or she may not allowed to work from home or remote set up.

3. All 4 Physical safeguards are necessary in the home office or remote set up. Facility access control - Debbie should always lock the computer which has data. Additionally,all the files should by locked with password which only Debbie can unlock. Workstation use - Debbie is working from home. So she has to ensure that at home, during office hours, her computer and work place are not used by others. Preferably,she should sit in separate room which is locked. She should avoid keeping computer unlocked during any time of the day. The computer should always be locked. Workstation security is applicable as her home is workstation. Keeping separate room for computer,keeping is password protected,keeping all record files password protected, while stepping out during lunch,keeping room and computer locked are definitely recommended. Device and media control is necessary as at home,device may be used by others. In that case always keep all the files and records, password protected. The device should be also be protected from virus,threats and malwares. Use standard antivirus system for the device.

4. Technical safeguards - In this scenario, access control,integrity and transmission security are applicable. Access control - As the date should be accesed only authorised people. The device and all the date should be kept in password protected and encrypted files. Integrity - The person working remotely has obvious access to the confidential data. So his integrity is required. He/She should give or transmit the data to only authentic sources,when transmission security is established. For transmission security, the device should be threat free,so no virus,malware or threat can attack/hack the data. Appropriate anti virus system should be used for the device.

5.Best practices recommend -

Be loyal and honest to your work. Data confidentiality needs to be maintained. The integrity towards work is required.

Always keep your device,computer locked.

Always keep all the files containing records,data password protected so that only you can access the data. Do not share the password with anyone.

Always keep your device threat free. Use appropriate and standard antivirus software so that it is threat,virus and malware free.