Capella University Valley City Regional Hospital Risk Report Template

Prepare a final risk report (5-7 pages) that identifies privacy and security-related risks from throughout the quarter. Include evidence-based recommendations; action plans; and best practices, policies, and procedures to support the recommendations and action plans.

 Via Health: Identifying Risks IntroductionHandling private health information carries with it significant responsibilities. Health organizations are ethically obligated to protect the health information of their patients. Because of HIPAA and other laws and regulations, they are also legally obligated to do so.That makes the improper disclosure of private health information a risk, and smart organizations analyze their potential risks and attempt to mitigate them. For this reason, health organizations often conduct regular risk audits to determine whether their practices and processes need to be changed in order to lower the risk of an improper disclosure.Select any of the scenes to get started.Scene 1Vila Health is a health system in the upper Midwest, with hospitals and clinics in North Dakota, Minnesota, Wisconsin, and Iowa. One of its hospitals is Valley City Regional Hospital in Valley City, North Dakota, and you have just been hired as an HIM analyst at the hospital.Recently, the hospital’s Quality Assurance department conducted a risk audit. Since you’ve been tasked with creating a security and privacy plan for the hospital, the information in this audit might help you to get started. The director of Quality Assurance, Andrew Barnes, wants you to help with a specific task.Email from AndrewFrom: Andrew Barnes, Director of Quality AssuranceSubject: SWOT analysisHello! I hope you’re settling into your new role. It’s a busy time around here, so I’m afraid we’re going to throw you in at the deep end.I need a SWOT analysis as soon as possible. We’re going to be making some significant decisions in the days to come, both around the security and privacy plan and on some other matters, and I need to know what kind of an environment we’ve got here.Since you’re new, I’d like you to talk to Lawrence Wilkerson. He’s our Risk Management manager, and he’ll be able to tell you a lot of what you need to know to get the SWOT done.Let me know if you’re having trouble getting what you need!—AndrewScene 2Meeting with Lawrence WilkersonHi. Andrew says you’re doing a SWOT analysis? We just finished up a risk audit last week, so I’ve got some information that might be helpful. Come on, let’s go to the IT department.Scene 3The IT DepartmentLawrence WilkersonHere’s our sort-of new EHR, which we adopted when we got acquired by Vila Health awhile back. It’s an okay system, but I wish we could upgrade. It’s not a bad EHR, but it isn’t the best, either. Epic is more secure than ours is. Still, the ROI for switching just isn’t there, because we just spent the money to install this one.Lawrence WilkersonThat’s Becca Matheson, our new security specialist. I’m glad we finally filled that position. We had trouble finding someone who was qualified for it, and we ended up having to recruit from surrounding states to find someone who had what we were looking for. I think she’s going to be great, and I hope we can hang on to her. We’re not the only organization in Valley City that needs people to keep an eye on security infrastructure, and I worry that she’ll get poached by some company that can afford to offer her a higher salary or better benefits.Lawrence WilkersonThat’s Ron Bailey, and he looks happy because he is. The project to secure wireless and all mobile devices is his, and he’s doing a great job on it. We’re lucky to have him; he’s a real go-getter and he has all kinds of ideas for how the hospital can be more security-savvy.Scene 4The Hospital FloorLawrence WilkersonHere’s what I found when I went out on the hospital floor.Email exchange between Ruby Young and Maria NavarroFrom: Maria NavarroTo: Ruby YoungSubject: Re: Information requestRuby,Yes, I did send the data. But I don’t know anything about the IRB. Is that something we’re supposed to check for? The records were de-identified, so I thought that was okay.—MariaFrom: Ruby YoungTo: Maria NavarroSubject: Information requestRuby,Maria,Hi, I’m the general counsel for Vila Health Corporate. I’m getting in touch because I need a bit of information about the data you provided to a researcher at the University of Wisconsin-River Falls. Did you actually send the data to her? If so, I’m really hoping we have documentation that the researcher’s project has been approved by UW’s IRB. Can you let me know? Thanks!—RubyJoann Reese voice mailRuby, this is Joann. What’s the procedure for requests for PHI from law enforcement? I’m talking to Melinda about a subpoena we got, and she doesn’t have any idea what to do with it and neither do I. It doesn’t say anything about authorization from the patient; do we have to get one? Can you call and let me know? Thanks. They want it yesterday, but we’re not comfortable with proceeding until we know a bit more.Shauna Dean voice mailHi, Mr. Nelson, this is Shauna at Valley City Regional Hospital, calling to remind you that your colonoscopy is scheduled for Friday. We ask you to be here at least 20 minutes before the procedure, which is scheduled for 9:30 a.m. If you have any questions you can call me at 632-555-1914, extension 222. Thank you!Oh, crap. It says in his chart that he only wants us to contact him at work and not at home. Maybe I better call him at work and warn him.Lynette Little and Courtney Donovan conversationLynette Little: How did the Jensen kid respond to the vancomycin and ceftriaxone?Courtney Donovan: He’d have responded better if the mother had brought him in sooner. We had to intubate and do CPR for four minutes before he was stabilized. Poor little fella. For two days he was lethargic and not speaking, but the mother only brought him in because the child’s grandfather insisted.Lynette Little: Is Child Protection going to get involved?Courtney Donovan: Probably.Scene 5AdministrationLawrence WilkersonHere’s what I found when I visited Administration.Email from Shauna DeanFrom: Shauna DeanTo: Margie HodgesSubject: It happened AGAINMargie,I got a call from Bob Balitan and he’s hopping mad. Remember Bob? He’s the patient whose invoice we sent to an address that wasn’t his. Well, it happened again and he’s furious. Apparently the neighbor brought it to him and then gave him a hard time about it saying that it was past due. THIS IS UNACCEPTABLE.We need to meet stat to figure this out.ShaunaBenjamin Mendoza and Phillip Rogers conversationPhillip Rogers: I’m not sure I like these numbers on elective orthopedic surgeries.Benjamin Mendoza: What’s the problem? We’re a critical-access hospital, so Medicare pays us a good rate for performing them.Phillip Rogers: I know, but we don’t specialize in those, and I worry that we should leave them to providers who do. The outcomes are better when these surgeries are done by people who do a lot of them.Benjamin Mendoza: Well, I haven’t heard of any problems. The more we do, the better we get at it! Besides, frankly, those are a money-maker for the hospital.Phone call from Wayne Peterson, director of ITWell, at least we know that HIPAA won’t be affected by whatever Congress does. But I am wondering: If they do repeal or change the Affordable Care Act, is it going to affect some of our security or privacy practices? There are some relevant provisions in the ACA – what happens to them, and what does it mean for us, if those provisions are changed or eliminated?Melinda Gibson and Kathryn Chapman conversationKathryn Chapman: How are the projections looking for the next fiscal year?Melinda Gibson: It’s hard to tell. It depends on what happens in Congress. Whatever they enact will affect the size of our Medicaid population. Right now, all we know is that whatever our projections look like for the coming year, they won’t look anything like this past year’s numbers.Scene 6Check in with LawrenceYou’ve got email from Lawrence about your SWOT analysis.Email from LawrenceFrom: Lawrence WilkersonSubject: SWOTHey, here’s that template I promised you. Use this when you do your SWOT for Andrew.—LawrenceScene 7SWOT AnalysisFill in the fields for your SWOT analysis. You will have the option of downloading what you write as a PDF on the next tab.Strengths:Your response:Strengths within Valley City Regional Hospital in Valley City include our team members. Our security specialist, Becca Matheson. Ron Bailey who is in charge of securing wireless and mobile devices is doing a fantastic job and has many ideas towards improvement within security technology.Weaknesses:Your response:Weaknesses within Valley City Regional Hospital in Valley City include our lack of capability to uphold Hipaa regulations. Prior to leaving a voicemail on a patient’s phone we should be certain of our patient’s preferences, especially when leaving details regarding an appointment. Same rule applies when sending out mail to patients. Updating records is crucial because we do not want to send out sensitive information to the wrong address.Opportunities:Your response:Opportunities to enhance Valley City Regional Hospital in Valley City have been identified. It has been brought to my attention that upgrading our EMR to EPIC would be beneficial to Valley City Regional Hospital by providing more security.Threats:Your response:Lynette Little and Courtney Donovan’s conversation regarding a patient’s well-being ended with uncertainty. As healthcare professionals we should be as certain as possible that our patients are safe.ConclusionActivity complete!In this activity, you learned some details of a recent risk audit at Valley City Regional Hospital. You also began drafting a SWOT analysis based on what you learned.If you wish, you may download your SWOT analysis as a PDF. It may be helpful in completing your assignment in this unit.CreditsSubject Matter Expert:Natasha CauleyInteractive Design:Kerry HansonInteractive Developer:Dre Allen, Matt TaylorInstructional Design:Carmen GarlandMedia Instructional Design:Holly DolezalekProject Management:Andrea Thompson

Vila Health® ActivityPrivacyIntroductionScene 1: Email from Lawrence WilkersonScene 2: The Hospital FloorScene 3: Check in with AndrewCreditsIntroductionIn the world of health information management, privacy is one of the paramount concerns. HIM professionals must be clear on the demands of privacy and of the practices that help guarantee that sensitive health information is only disclosed to providers and third parties that have been designated as entitled to receive it.But at any health organization, the protection of privacy can be a moving target. Private health information can only be protected by a combination of clear, well-articulated privacy practices and a workforce that complies with those practices. If either or both is compromised, a privacy breach may not be far behind.Scene 1Vila Health is a health system in the upper Midwest, with hospitals and clinics in North Dakota, Minnesota, Wisconsin, and Iowa. One of its hospitals is Valley City Regional Hospital in Valley City, North Dakota, and you have just been hired as an HIM analyst at the hospital.You continue your work as an HIM analyst for Valley City. Having completed your risk assessment, you now turn to the hospital’s compliance with privacy practices.It looks like you’ve got email from Lawrence Wilkerson, the Risk Management Manager.Email from Lawrence WilkersonFrom: Lawrence Wilkerson, Risk Management ManagerSubject: Privacy concernsYou had asked about the risk audit and privacy? Let’s go for a walk and I’ll tell you what I’ve got.—LawrenceScene 2The Hospital FloorLawrence WilkersonOkay, here are a few things I noticed that you might want to address in your compliance checklist.Shauna Dean and Margie Hodges conversationMargie Hodges: Here’s your fax. I’m impressed you got through to HND. I wish they’d go to electronic signature.Shauna Dean: HND? No, this was for Blue Cross Blue Shield.Margie Hodges: Well, you sent it to HND’s claims department.Shauna Dean: Dammit.Margie Hodges: Hey, at least you didn’t send it to his employer, like Maria did last week.Email from Brendan Davis to Don GrumanFrom: Brendan DavisSubject: Pseudoephedrine purchasesHere’s the list of people who have bought more than 7.5 grams of pseudoephedrine in the last month at the hospital’s pharmacy.I couldn’t get hold of our legal department to make sure it’s okay I give this to you, but I’m sure they want to cooperate with law enforcement so it shouldn’t be a problem. Let me know if you have any other questions!—BrendanJoann Reese and Scott McKinney conversationJoann Reese: Oh, boy. This news story isn’t good for us. Who released this?Scott McKinney: What do you mean?Joann Reese: Remember when that actor was here in town with the movie company, and got wasted and fell off the water tower? Somehow, the news media knows the details of his injuries. The specifics about the breaks and internal injuries probably came from someone here.Scott McKinney: What?? Someone’s getting fired!Joann Reese: Easy, tiger. Let’s find out what happened. You know there have been some other indiscretions around here. Depending on who it was, they may have just believed that that’s how it is.Scott McKinney: If so, we need some training around here, stat.Kathryn Chapman, Director of Nursing voice mailHi, Rose, this is Kathryn. I’m calling to let you know that one of your ER nurses — Victoria Wainwright — needs a talking-to. I heard her telling another nurse that her ex had come through the ER this morning with a drug overdose, and she had accessed his EHR even though she wasn’t assigned to his case (for obvious reasons). And I have to say, Victoria was pretty flip about it when I asked her about it — she said, “It isn’t gossip, it’s news.” Let me know what your plan is.Leona Davis and Gayle Slocum conversationLeona Davis: Have we sent over the labs for Mr. Caramucci yet?Gayle Slocum: Where?Leona Davis: To his disability insurance company.Gayle Slocum: Do we have a release of information on file for that?Leona Davis: Sure, it should be in his file.Gayle Slocum: I don’t see any record of it.Leona Davis: Well, I know it’s there. I remember him signing it.Gayle Slocum: Do we have a business associate agreement with them?Leona Davis: With who?Gayle Slocum: With the disability insurance company.Leona Davis: How would I know that? I’ll ask someone in billing later, but I need to get this sent over. They asked for it by end of day today.Scene 3Check in with AndrewYou’ve got an email from Andrew Barnes, with a deliverable for you to start working on.Email from Andrew BarnesFrom: Andrew BarnesSubject: Privacy complianceHi, was Lawrence helpful? I hope so. I’d like you to start drafting a checklist we can follow so that everyone, from the PCAs on up, has a guideline when they’re potentially going to release patient data. Please send me your initial thoughts about what should be on the list. I know you’ll send the complete list later; I just want to get a sense of what you’ve learned so far. Thanks!—AndrewSubject: Re: Privacy complianceChecklist:Your response:This question has not been answered yet.ConclusionActivity complete!In this activity, you observed the state of Valley City Regional Hospital’s privacy practices, and began drafting a compliance checklist to improve those practices.You may download the list you created as a PDF. It may be helpful in completing your assignment.CreditsSubject Matter Expert:Natasha CauleyInteractive Design:Kerry HansonInteractive Developer:Dre Allen, Matt TaylorInstructional Design:Carmen GarlandMedia Instructional Design:Holly DolezalekProject Management:Andrea Thompson

Vila Health® ActivitySecurityIntroductionScene 1: Valley City Regional HospitalScene 2: Meeting with Lawrence WilkersonScene 3: The Hospital FloorScene 4: The IT DepartmentScene 5: Follow Up with AndrewCreditsIntroductionPrivacy and security are intimately linked. Any organization that houses private data — credit card numbers, bank account numbers, legal information — must guard against its release, and that includes keeping it secure as well as keeping it private.This is especially true of health care information. Patients’ private health information is often a target of hackers, and every health care organization must make sure to protect its patients’ PHI from their efforts.Scene 1Valley City Regional HospitalYou continue your work as an HIM analyst at Valley City Regional Hospital. Lawrence Wilkerson, the hospital’s risk management manager, has some more information for you about the risk audit he conducted.It looks like you have email from Lawrence. You’ll want to read that now.From: Lawrence WilkersonSubject: Security IssuesHey, I’ve got the data you asked for. Swing by my office and I’ll give you the details on what I saw in my audit that related to security.—LawrenceScene 2Meeting with Lawrence WilkersonOkay, there were some security issues that came up during the audit. Let’s start with the medical staff.Scene 3The Hospital FloorLeona DavisUgh, they want me to change my password again? I can never remember it. I guess I better write it down and put it where I can always find it. Leona2017 ought to do it.Rebecca Snyder EHR4/17/2014 : H&P: Mrs. Snyder is a pleasant 56 year old obese Orthodox Jewish women with a PMH of poorly controlled DM, HTN, hypercholesterolemia, anxiety, and obesity. She admits to the ED with c/o hyperglycemia ranging from 230 to 389 for over 10 days, frequent urination, malaise, and mild abdominal discomfort, dyspnea on exertion and HTN on admission.Family Hx.Mother: Alive. History of HTN, DM, Dementia.Father: Deceased. HX of MI, Colorectal CASister: Alive. HX of Breast CA. s/p right mastectomy.Meds on Adm: Metformin 1000 mg q hs., Lisinopril 20 mg QD. Prior to adm. Was prescribed anti-anxiety medication but self d/c’d without taper due to c/o fatigue.V/S: 36.7, 102, 171/93, 24. O2 Saturations 92%. On room air.Courtney Donovan and Kathryn ChapmanKathryn Chapman: Dr. Donovan, I noticed you’re a little behind on your charting. You need to set a good example for the other staff.Courtney Donovan: I know. I was doing better, but then I left my laptop in the coffee shop across the street a few days ago. I was hoping it would turn up, but I’ve called every day and no dice.Kathryn Chapman: What does IT say about a replacement?Courtney Donovan: I’ll know this afternoon when I tell them about it.Erica Copeland text messageDr. Bellefleur, Mr. Moskovitz’s temperature is back down to 99 but his bp is still elevated (140/99). CBC results were inconclusive, although Cr count is higher than I like. Thoughts?Gayle Slocum and Shauna DeanShauna Dean: Dr. Copeland sent over the results last night.Gayle Slocum: But that doesn’t make sense, she wasn’t on shift last night.Shauna Dean: She probably sent them from home, don’t you think?Gayle Slocum: Oh, sure. Can doctors do that? We’re not supposed to.Shauna Dean: Oh, doctors can do whatever they want.Scene 4The IT DepartmentLawrence WilkersonLet’s take a walk around the IT department.Email exchange between Wayne Peterson and Anthony MartinezFrom: Wayne PetersonTo: Anthony MartinezSubject: Re: CopiersDid anyone scrub its hard drive before it was returned?—WayneFrom: Anthony MartinezTo: Wayne PetersonSubject: CopiersRuby,Wayne,The copier you asked about has already been returned to the vendor. What’s the problem?—TonyBenjamin Mendoza phone callThat’s right, she lost the tablet on Tuesday. Yes, she just reported it today. Don’t get me started. The point is, there wasn’t any encryption software loaded on it. I don’t know if we can do a remote wipe, but we’ve got to do something quickly.Wayne Peterson and Ron BaileyWayne Peterson: What version of the firewall are we on?Ron Bailey: 3.6, isn’t it?Wayne Peterson: That sounds right. I’ll check later, but check this out: InfoVault is retiring 3.0. They’re not going to support it anymore.Ron Bailey: That was quick. Wasn’t it?Wayne Peterson: No, it’s about on schedule. Safe to say that we need to start thinking about upgrading.Ron Bailey: I’d rather see us get better malware detection.Wayne Peterson: Well, there’s no money in the budget for either next year, so I guess it’s a matter of prioritizing what we can’t have. [laughter]Wayne Peterson: So what was the other thing you wanted to talk about?Ron Bailey: I’ve got two instances of this security issue, and I think it’s time we pushed it up to corporate.Wayne Peterson: Corporate? We can’t handle it locally?Ron Bailey: I’m not sure, but I don’t think so. We’ve got one supervisor who accessed one of his employee’s health records. That’s an obvious no-no, but why was he able to do it in the first place? Another guy, a nurse, accessed his ex-wife’s record. She works at St. Anthony Medical Center in Minneapolis now, but we’re all on the same system so he was able to pull up her record. Again, why did the system let him do it?Wayne Peterson: Hm.Scene 5Follow Up with AndrewIt looks like you have email from Andrew about your findings. You’ll want to read that now.From: Andrew BarnesSubject: Security risksI hope Lawrence was helpful. The board wants to meet and talk about what we need to do to improve our security posture. Can you send me a summary of the risks you and he identified? It doesn’t have to be anything formal. I just want to know what I’ll be talking about so I don’t sound like an idiot.—AndrewYour response:This question has not been answered yet.ConclusionActivity complete!In this activity, you gathered information about potential security risks at Valley City Regional Hospital. You may download your summary of security risks as a PDF; it may be helpful in completing your assignment.CreditsSubject Matter Expert:Natasha CauleyInteractive Design:Kerry HansonInteractive Developer:Dre Allen, Matt TaylorInstructional Design:Carmen GarlandMedia Instructional Design:Holly DolezalekProject Management:Andrea Thompson