A healthcare administrator needs to provide a safe and secure environment for all health information. No matter the healthcare setting, personal health information (PHI) is accessible to many individuals. You will be faced with situations as an administrator that will require a well-founded knowledge of how PHI is secured, how it is proactively monitored, and what immediate actions you need to take when faced with a potential breach. The purpose of this task is to assess your knowledge of the implications of maintaining the security and privacy of healthcare information. It will also help you understand the cultural issues of implementing change in a small healthcare setting.

SCENARIO

You are the healthcare administrator for a small critical access hospital (i.e., 25 beds or fewer). Your administration team includes the director of nursing, the chief medical officer, the director of support services, the director of pharmacy, and the health information management (HIM) director. You and your team have been tasked with investigating a recent data breach. As the data breach was investigated, several members of the staff have been identified as being directly involved in the breach. Several patients experiencing the compromise of their PHI have filed legal claims with the intent to sue. Your team is also accountable for implementing an electronic health record (EHR) system, which is a newly initiated technology in a culture that is resistant to change. The board of directors has requested that you have a plan addressing both of these issues ready to present in two weeks.

A.  Create a planning, organizing, directing, controlling (PODC) HIPAA training model by doing the following:

1.  Describe how you would teach the hospital employees the rules and regulations regarding HIPAA.

a.  Identify three appropriate types of PHI that can be shared between staff.

i.   Identify where in the facility the information sharing should take place.

ii.  Identify three individuals who can use and disclose this information.

b.  Describe two penalties associated with breaching patient information.

c.  Identify two appropriate ways to secure data from one working shift to another using HIPAA guidelines.

2.  Complete an internal audit plan of all security measures meant to protect health information by doing the following:

a.  Identify which department will oversee the audit.

b.  Explain three security practices the audit will review (e.g., PHI sign-out sheets, secured storage/location of records).

c.  Describe three potential changes that can be made within the organization to address the results of the audit (e.g., additional employee education).

d.  Create a risk assessment plan to identify the potential for any future security breaches.

i.   Identify how often this assessment plan should be completed.

ii.  Identify who will complete this assessment plan.

B.  Determine the financial impact of a new EHR system by doing the following:

1.  Develop a risks versus benefits summary for the key stakeholders of the hospital to show why an EHR system should be invested in and implemented.

a.  Identify four key decision makers who give input and buy-in.

b.  Include two CMS requirements for the new system.

2.  List four new hardware components required for the new system.

a.  Identify the potential capital dollar investment for the new system.

b.  Discuss which of the three EHR systems—Cerner, Meditech, or Epic—would be the best system for your organization using information in the web links section below and the attached “Information on EHR Vendors.”

3.  Identify three components or applications that will need to be incorporated into the EHR system at your small critical access hospital.

a.  Discuss the key security and privacy components of the EHR system you selected in part B2b.

C.  Create an appropriate training plan for all clinical and non-clinical staff by doing the following:

1.  Identify the estimated number of total hours required to learn the EHR system for both clinical and non-clinical staff.

2.  Describe the logistics required to train all employees on all shifts by doing the following:

a.  Identify how many training sessions would be reasonable for approximately 150 day-shift employees.

b.  Identify how many training sessions would be reasonable for approximately 50 night-shift employees.

c.  Identify how much the training will cost, assuming an average wage of $21 per hour and a total training length of 6−10 hours per employee.

d.  Develop a training plan for 75 physicians (40 are active medical staff, 35 see patients on a consult or specialist basis).

i.   Design a schedule, using the attached “Proposed Physician Schedule,” that allows all physicians to learn the new program while also providing adequate coverage for patient care on a 24-hour basis.

3.  Describe a train-the-trainer program you could implement to ensure ongoing support and training of new employees.

4.  Describe a transition plan for employees transitioning from the old EHR system to the new EHR system.

a.  Describe how you will measure whether employees have demonstrated competency with the new system.

b.  Identify the most appropriate time of day and day of the week to initiate the transition.

i.   Identify three leaders who should be on-site for the transition period.

ii.  Justify why you chose the three leaders in part C4bi.

5.  Describe one approach you could use in collaboration with your administration team to reward the staff for successfully learning and transitioning to a new EHR system.

a.  Explain how you would collaborate with your administration team to initiate the approach described in part C5.

D.  When you use sources, include all in-text citations and references in APA format.