A healthcare administrator needs to provide a safe and secure environment for all health information. No matter the healthcare setting, personal health information (PHI) is accessible to many individuals. You will be faced with situations as an administrator that will require a well-founded knowledge of how PHI is secured, how it is proactively monitored, and what immediate actions you need to take when faced with a potential breach. The purpose of this task is to assess your knowledge of the implications of maintaining the security and privacy of healthcare information. It will also help you understand the cultural issues of implementing change in a small healthcare setting.
SCENARIO
You are the healthcare administrator for a small critical access hospital (i.e., 25 beds or fewer). Your administration team includes the director of nursing, the chief medical officer, the director of support services, the director of pharmacy, and the health information management (HIM) director. You and your team have been tasked with investigating a recent data breach. As the data breach was investigated, several members of the staff have been identified as being directly involved in the breach. Several patients experiencing the compromise of their PHI have filed legal claims with the intent to sue. Your team is also accountable for implementing an electronic health record (EHR) system, which is a newly initiated technology in a culture that is resistant to change. The board of directors has requested that you have a plan addressing both of these issues ready to present in two weeks.
A. Create a planning, organizing, directing, controlling (PODC) HIPAA training model by doing the following:
1. Describe how you would teach the hospital employees the rules and regulations regarding HIPAA.
a. Identify three appropriate types of PHI that can be shared between staff.
i. Identify where in the facility the information sharing should take place.
ii. Identify three individuals who can use and disclose this information.
b. Describe two penalties associated with breaching patient information.
c. Identify two appropriate ways to secure data from one working shift to another using HIPAA guidelines.
2. Complete an internal audit plan of all security measures meant to protect health information by doing the following:
a. Identify which department will oversee the audit.
b. Explain three security practices the audit will review (e.g., PHI sign-out sheets, secured storage/location of records).
c. Describe three potential changes that can be made within the organization to address the results of the audit (e.g., additional employee education).
d. Create a risk assessment plan to identify the potential for any future security breaches.
i. Identify how often this assessment plan should be completed.
ii. Identify who will complete this assessment plan.
B. Determine the financial impact of a new EHR system by doing the following:
1. Develop a risks versus benefits summary for the key stakeholders of the hospital to show why an EHR system should be invested in and implemented.
a. Identify four key decision makers who give input and buy-in.
b. Include two CMS requirements for the new system.
2. List four new hardware components required for the new system.
a. Identify the potential capital dollar investment for the new system.
b. Discuss which of the three EHR systems—Cerner, Meditech, or Epic—would be the best system for your organization using information in the web links section below and the attached “Information on EHR Vendors.”
3. Identify three components or applications that will need to be incorporated into the EHR system at your small critical access hospital.
