A 79-year-old male presents to your office for his annual flu shot. On physical exam you note several linear bruises on his back. Upon further questioning he denies abuse from his daughter and son-in-law, who live in the same house. The patient states he does not want this information shared with anyone. What is the most appropriate next step, paired with its justification?

Breach patient confidentiality, as this patient is a potential victim of elder abuse and reporting is mandated in most states

Breach patient confidentiality, as this patient's care should be discussed with the daughter as she is his primary caregiver

See the patient back in 2 weeks and assess whether the patient's condition has improved, as his condition is not severe

Do not break patient confidentiality, as elder abuse reporting is not mandatory

Do not break patient confidentiality, as this would potentially worsen the situation

A psychiatrist receives a call from a patient who expresses thoughts of harming his ex-girlfriend. The patient describes a detailed plan to attack her at her workplace. Which of the following represents the psychiatrist's most appropriate legal obligation?

Warn the ex-girlfriend and notify law enforcement

Only notify the patient's family

Maintain patient confidentiality

A 75-year-old nursing home resident presents with multiple unexplained bruises in various stages of healing on the upper arms and inner thighs. The patient appears withdrawn and anxious when staff members enter the room. Which of the following is the most appropriate next step?

Report suspected abuse to adult protective services

Request psychiatric consultation

Prescribe anti-anxiety medication

A 36-year-old man comes to the physician because of a 2-week history of productive cough, weight loss, and intermittent fever. He recently returned from a 6-month medical deployment to Indonesia. He appears tired. Physical examination shows nontender, enlarged, palpable cervical lymph nodes. An x-ray of the chest shows right-sided hilar lymphadenopathy. A sputum smear shows acid-fast bacilli. A diagnosis of pulmonary tuberculosis is made from PCR testing of the sputum. The patient requests that the physician does not inform anyone of this diagnosis because he is worried about losing his job. Which of the following is the most appropriate initial action by the physician?

Inform the local public health department of the diagnosis

Request the patient's permission to discuss the diagnosis with an infectious disease specialist

Assure the patient that his diagnosis will remain confidential

Confirm the diagnosis with a sputum culture

Notify all of the patient's household contacts of the diagnosis

A 72-year-old woman is brought to the emergency department with dyspnea for 2 days. She is on regular hemodialysis at 3 sessions a week but missed her last session due to an unexpected trip. She has a history of congestive heart failure. After urgent hemodialysis, the patient’s dyspnea does not improve as expected. The cardiologist is consulted. After evaluation of the patient, he notes in the patient’s electronic record: “the patient does not have a chronic heart condition and a cardiac cause of dyspnea is unlikely.” The following morning, the nurse finds the cardiologist’s notes about the patient not having congestive heart failure odd. The patient had a clear history of congestive heart failure with an ejection fraction of 35%. After further investigation, the nurse realizes that the cardiologist evaluated the patient’s roommate. She is an elderly woman with a similar first name. She is also on chronic hemodialysis. To prevent similar future errors, the most appropriate strategy is to use which of the following?

Two patient identifiers at every patient encounter by any healthcare provider

Two patient identifiers at every nurse-patient encounter

A patient’s medical identification number at every encounter by any healthcare provider

Two patient identifiers at every physician-patient encounter

A patient’s medical identification number at every physician-patient encounter

A 26-year-old man comes to the emergency department because of a 1-week history of fever, throat pain, and difficulty swallowing. Head and neck examination shows an erythematous pharynx with purulent exudates overlying the palatine tonsils. Microscopic examination of a throat culture shows pink, spherical bacteria arranged in chains. Treatment with amoxicillin is initiated. A day later, a physician colleague from another department approaches the physician in the lobby of the hospital and asks about this patient, saying, "Did you see him? What does he have? He's someone I play football with and he hasn't come to play for the past 5 days. I'm worried about him." Which of the following is the most appropriate action by the physician?

Inform the colleague that they cannot divulge any information about the patient

Inform the colleague that they should ask the patient's attending physician

Tell the colleague the patient's case file number so they can look it up themselves

Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics

Ask the colleague to meet in the office so they can discuss the patient in private

On a Sunday afternoon, a surgical oncologist and his family attend a football game in the city where he practices. While at the game, he runs into a physician colleague that works at the same institution. After some casual small talk, his colleague inquires, "Are you taking care of Mr. Clarke, my personal trainer? I heard through the grapevine that he has melanoma, and I didn't know if you have started him on any chemotherapy or performed any surgical intervention yet. Hopefully you'll be able to take very good care of him." In this situation, the surgical oncologist may confirm which of the following?

Only that Mr. Clarke is his patient

A 17-year-old male, accompanied by his uncle, presents to a doctor with his arm in a sling. There is blood dripping down his shirt. He pleads with the physician to not report this injury to authorities, offering to pay extra for his visit, as he is afraid of retaliation from his rival gang. The physician examines the wound, which appears to be a stabbing injury to his left anterior deltoid. This case study in medical ethics asks: How should the physician best handle this patient's request?

Breach confidentiality and report the stab wound to the police

Maintain confidentiality, as reporting stab wounds is not required

Breach confidentiality and discuss the injury with the uncle

Maintain confidentiality and schedule a follow-up visit with the patient

Maintain confidentiality, as retaliation may result in greater harm to the patient

De-identification standards for USMLE Step 1: High-Yield Patient Safety Lessons

HIPAA De-identification - The Anonymity Shield

To prevent patient re-identification, HIPAA provides two pathways to de-identify Protected Health Information (PHI), rendering it exempt from most HIPAA rules. This allows data to be used for research, public health, and other secondary purposes.

Safe Harbor Method: A prescriptive checklist approach. Key identifiers to remove include:
- Names, Social Security Numbers, Medical Record Numbers
- Geographic subdivisions smaller than a state (most zip codes)
- All elements of dates except the year
- Full-face photos & biometric identifiers (fingerprints)
- Vehicle, device, or license plate numbers

⭐ Under Safe Harbor, the first 3 digits of a ZIP code can be retained only if the resulting geographic unit contains > 20,000 people. Otherwise, it must be converted to 000.

Image placeholder? NO Flowchart? YES

De-identification Methods - Pick Your Path

HIPAA provides two routes to de-identify protected health information (PHI), removing its link to an individual. This allows data to be used for research, public health, or operations without compromising privacy.

Safe Harbor Identifiers Removed:
- All names, initials, and contact information (phone/fax numbers, email, URLs).
- All geographic subdivisions smaller than a state.
- All elements of dates (except year) related to an individual.
- All identifying numbers (SSN, medical record, license, etc.).
- Biometric identifiers, full-face photos.

⭐ High-Yield Fact: Under the Safe Harbor method, data is not considered de-identified if the covered entity has actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual.

The Safe Harbor 18 - The No-No List

Under the HIPAA Privacy Rule, the Safe Harbor method requires the removal of all 18 specific identifiers for Protected Health Information (PHI) to be considered de-identified. This allows the data to be used for research, public health, or other purposes without violating patient privacy.

Direct Personal Identifiers
- Names
- Social Security numbers
- Medical record, health plan, or account numbers
- Certificate or license numbers
Contact & Digital Information
- Telephone & fax numbers
- Email, IP addresses, & URLs
Geographic Data
- All geographic subdivisions smaller than a state (e.g., street, city, county).
- Exception: First 3 digits of a ZIP code are permitted if the area contains > 20,000 people.
Dates & Ages
- All date elements (except year) related to an individual.
- All ages over 89.
Biometric & Unique Identifiers
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photos & comparable images
- Vehicle or device serial numbers
- Any other unique identifying code.

⭐ A covered entity is not considered to have de-identified information if it has actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual.

High‑Yield Points - ⚡ Biggest Takeaways

HIPAA's Safe Harbor method requires removing 18 specific identifiers to de-identify Protected Health Information (PHI).

Key identifiers include names, all geographic subdivisions smaller than a state, and all elements of dates (except year).

Ages over 89 must be aggregated into a single category.

The alternative is the Expert Determination method, where a statistician certifies a very small re-identification risk.

Re-identification of de-identified data is a significant HIPAA violation.

Continue reading on Oncourse

CONTINUE READING — FREE

or get the app

App Store|Google Play