Quantcast

HIPAA Complaint - Reportable Breach?

This forum made possible through the generous support of SDN members, donors, and sponsors. Thank you.

NSP2008

New Member
Joined
Aug 2, 2017
Messages
1
Reaction score
0

Members don't see this ad.
A resident clinical supervisor instructed a group of students to enter the electronic medical record of a patient whose care they were not involved in. This was done so that another student's chart note could be used as a model for incorrect charting. The person who filed the HIPAA complaint did not know the patient's name.

Is this a reportable HIPAA breach? Is this behavior typical of clinical education? Is this a FERPA violation against the student whose work was publicly criticized?
 

werd

Senior Member
15+ Year Member
Joined
Feb 13, 2004
Messages
856
Reaction score
61
it doesn't seem like a breach of either. the records were accessed under supervision as part of the students' education. a patient note does not constitute a school's educational record. instruction through review of patient charts is typical of clinical education.
 
  • Like
Reactions: 2 users

Cornfed101

Full Member
2+ Year Member
Joined
Aug 10, 2017
Messages
2,606
Reaction score
5,170
I’m not a medical student yet, but I work for a large EHR company so we deal with HIPAA on a regular basis. There are three reasons why health records can be accessed that are acceptable:
  • Treatment
  • Payment
  • Healthcare operations
Your example would most likely fall under the third

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.
 
  • Like
Reactions: 1 users

ConspecificPlasma

Full Member
2+ Year Member
Joined
Sep 21, 2017
Messages
21
Reaction score
10
Your note was bad, don't try and get revenge, just get better at writing notes.
 
  • Like
Reactions: 1 user
Top