Whether the breach is reportable under California


Assignment task:

Whether there was a privacy breach

Whether the breach is reportable under California (under each: Cal. Civ. Code 1798.82 and CA Health & Safety Code 1280.15) and federal regulations (HIPAA). Please state the rule for each California statute, analyze under each law, and state your conclusion. Under HIPAA, please state each of the three (3) HIPAA exceptions and the four-factor rule, analyze under each exception and weigh under each of the four-factors, and state whether there is a high or low probability of a privacy breach.

To whom the breach should be reported

Any recommendations you may have for the covered entity as a result of the potential breach (e.g., internal policies, employee sanctions, etc.)

For the purposes of this assignment, all the health care facilities described in the following questions conduct business in California, and all patients are California residents.

Part I:

Question 1: An employee at health facility A reported to the privacy department that his iPad was stolen. IS determined that the iPad was password protected and encrypted, and that it contained 4,000 health facility A patients' first and last names, medical record numbers (MRNs), and medical history information. IS cannot ascertain whether the person in possession of the stolen iPad has actually viewed any of the patients' health information. Health facility A is a licensed facility.

  • Was there a privacy breach?
  • Is the breach reportable under California and/or federal regulations? [Please indicate and explain if any regulatory exceptions apply (e.g. HIPAA breach exceptions).]
  • To whom should the breach be reported (if applicable)?
  • What recommendations do you have for the Covered Entity as a result of the potential breach (e.g. internal policies, employee sanctions, etc.)?

Question 2: An employee at health facility B searched the facility's encrypted Electronic Health Record (EHR) for patient X's medical record using patient X's first and last names. The employee is a nurse in the oncology department of health facility B. The patient is not under the direct care of the nurse, but the nurse has seen the patient in their unit in passing. The employee accessed patient X's entire medical history and disclosed the patient's medical history on social media. Health facility B is not a licensed facility.

  • Was there a privacy breach?
  • Is the breach reportable under California and/or federal regulations? [Please indicate and explain if any regulatory exceptions apply (e.g. HIPAA breach exceptions).]
  • To whom should the breach be reported (if applicable)?
  • What recommendations do you have for the Covered Entity as a result of the potential breach (e.g. internal policies, employee sanctions, etc.)?

Question 3: An employee at health facility C searched the facility's encrypted Electronic Health Record (EHR) for patient X's medical record using patient X's first and last names. After the Privacy Office conducted an audit trail of the employee's search, it was determined that the employee only accessed patient X's MRN and address. Health facility C is a licensed facility.

  • Was there a privacy breach?
  • Is the breach reportable under California and/or federal regulations? [Please indicate and explain if any regulatory exceptions apply (e.g. HIPAA breach exceptions).]
  • To whom should the breach be reported (if applicable)?
  • What recommendations do you have for the Covered Entity as a result of the potential breach (e.g. internal policies, employee sanctions, etc.)?

Question 4: A nurse at Health Facility D mistakenly hands patient X's after-visit summary to patient Y. Patient Y holds the after-visit summary for about 2 minutes. The after-visit summary contained the patient's first and last name, MRN, address, prescription details, and doctor visit notes. The nurse realized her mistake and immediately recovered the after-visit summary from patient Y. Health Facility D is a licensed facility.

  • Was there a privacy breach?
  • Is the breach reportable under California and/or federal regulations? [Please indicate and explain if any regulatory exceptions apply (e.g. HIPAA breach exceptions).]
  • To whom should the breach be reported (if applicable)?
  • What recommendations do you have for the Covered Entity as a result of the potential breach (e.g. internal policies, employee sanctions, etc.)?

Part II:

You are a Privacy Officer at Covered Entity A. Your colleague Diane, who is in the dermatology department, would like to receive data from a university hospital so that she can develop an algorithm that will detect certain skin cancers from patient-submitted images. Diane would like to know whether the dermatology department needs a particular agreement with the university hospital to receive this data. Additionally, Diane would like to partner with Mark from Biotech Company X, who is a product innovation lead, so that Mark's team can help co-develop the algorithm.

With respect to the relationship between Covered Entity A and the university hospital, how will you advise Diane? Consider advising whether Diane's team will need a BAA, a DUA, or no agreement at all (with the university hospital) based on the type of data they will receive. Would it be more or less ideal for the Covered Entity to receive PHI, a limited data set, or de-identified data? Which agreement would you use for each? How will you explain these options to Diane? How will you explain the risks involved with each option? Please provide your analysis under each option (BAA, DUA, and no agreement).

What do you anticipate that Mark's Privacy team at Biotech Company X will advise him? What type of data do you think they will ask for? Will they need a BAA, a DUA, or no agreement with Covered Entity A and/or the university hospital? Please provide your analysis under each option (BAA, DUA, and no agreement).

Reference No:- TGS03382347