
Risks with the breach risk assessment

Yvonne M. Wolters is the Privacy Officer and Compliance Specialist at Southwest General Health Center in Middleburg Heights, OH.

Determining whether the privacy or security of protected health information (PHI) meets the low-probability-of-compromise threshold can be complex, and the difficulty is compounded when ethical considerations and the risk of fraudulent activity enter the picture. Based on the following scenario, this article provides an analysis of the Breach Notification Rule[1] risk assessment. The analysis covers the four-factor risk assessment, the term "compromise," factors beyond the minimum four, and defensibility.

Using the following scenario, consider whether your risk assessment demonstrates a low probability of compromise to the privacy or security of the PHI involved.

Scenario: A patient was recently admitted to the hospital for what he believes is pneumonia. A nurse practitioner (NP) goes into the patient’s room to discuss the patient’s recent test results. One visitor is in the room with the patient, so the NP asks the patient if it is OK to discuss his test results in front of his visitor. The patient tells the NP it is OK. The NP tells the patient his test shows he is HIV positive and that his pneumonia is associated with the HIV infection. The patient becomes infuriated with the NP, because the patient feels he was not given adequate opportunity to discuss this diagnosis with his visitor on his terms and when he was ready. The patient tells the NP that he believes the NP violated his right to privacy and says he is going to file a complaint with the Office for Civil Rights (OCR). The patient had no idea being in the hospital for pneumonia would result in a positive HIV test.
