A 45-year-old man is brought to the emergency department by his friends because of a 1-hour history of shortness of breath and squeezing chest pain. They were at a party where cocaine was consumed. A diagnosis of acute myocardial infarction is made. The physician stabilizes the patient and transfers him to the inpatient unit. Six hours later, his wife arrives at the emergency department and requests information about her husband's condition. Which of the following is the most appropriate action by the physician?

Obtain authorization from the patient to release information

Ask the wife for a marriage certificate

Inform the wife about her husband's condition

Consult the hospital ethics committee

Request the patient's durable power of attorney document

A 15-year-old female presents to her family physician for an annual school physical exam and check-up. She is accompanied by her mother to the visit and is present in the exam room. The patient has no complaints, and she does not have any past medical problems. She takes no medications. The patient reports that she remains active, exercising 5 times a week, and eats a healthy and varied diet. Which of the following would be the best way for the physician to obtain a more in-depth social history, including sexual history and use of alcohol, tobacco, or recreational drugs?

Ask the mother to step outside into the hall for a portion of the visit

Disallow the mother to be present in the examination room throughout the entirety of the visit

Give the patient a social history questionnaire to fill out in the exam room

Ask the patient the questions directly, with her mother still in the exam room

Speak softly to the patient so that the mother does not hear and the patient is not embarrassed

Which of the following study designs would be most appropriate to investigate the association between electronic cigarette use and the subsequent development of lung cancer?

Subjects who smoke electronic cigarettes and subjects who do not smoke

Subjects with lung cancer who smoke and subjects with lung cancer who did not smoke

Subjects who smoke electronic cigarettes and subjects who smoke normal cigarettes

Subjects with lung cancer who smoke and subjects without lung cancer who smoke

Subjects with lung cancer and subjects without lung cancer

A 72-year-old woman is brought to the emergency department with dyspnea for 2 days. She is on regular hemodialysis at 3 sessions a week but missed her last session due to an unexpected trip. She has a history of congestive heart failure. After urgent hemodialysis, the patient’s dyspnea does not improve as expected. The cardiologist is consulted. After evaluation of the patient, he notes in the patient’s electronic record: “the patient does not have a chronic heart condition and a cardiac cause of dyspnea is unlikely.” The following morning, the nurse finds the cardiologist’s notes about the patient not having congestive heart failure odd. The patient had a clear history of congestive heart failure with an ejection fraction of 35%. After further investigation, the nurse realizes that the cardiologist evaluated the patient’s roommate. She is an elderly woman with a similar first name. She is also on chronic hemodialysis. To prevent similar future errors, the most appropriate strategy is to use which of the following?

Two patient identifiers at every patient encounter by any healthcare provider

Two patient identifiers at every nurse-patient encounter

A patient’s medical identification number at every encounter by any healthcare provider

Two patient identifiers at every physician-patient encounter

A patient’s medical identification number at every physician-patient encounter

A 28-year-old male presents to his primary care physician with complaints of intermittent abdominal pain and alternating bouts of constipation and diarrhea. His medical chart is not significant for any past medical problems or prior surgeries. He is not prescribed any current medications. Which of the following questions would be the most useful next question in eliciting further history from this patient?

"Can you tell me more about the symptoms you have been experiencing?"

"Does the diarrhea typically precede the constipation, or vice-versa?"

"Is the diarrhea foul-smelling?"

"Please rate your abdominal pain on a scale of 1-10, with 10 being the worst pain of your life"

"Are the symptoms worse in the morning or at night?"

A 26-year-old man comes to the emergency department because of a 1-week history of fever, throat pain, and difficulty swallowing. Head and neck examination shows an erythematous pharynx with purulent exudates overlying the palatine tonsils. Microscopic examination of a throat culture shows pink, spherical bacteria arranged in chains. Treatment with amoxicillin is initiated. A day later, a physician colleague from another department approaches the physician in the lobby of the hospital and asks about this patient, saying, "Did you see him? What does he have? He's someone I play football with and he hasn't come to play for the past 5 days. I'm worried about him." Which of the following is the most appropriate action by the physician?

Inform the colleague that they cannot divulge any information about the patient

Inform the colleague that they should ask the patient's attending physician

Tell the colleague the patient's case file number so they can look it up themselves

Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics

Ask the colleague to meet in the office so they can discuss the patient in private

HIPAA and research for USMLE Step 1: High-Yield Patient Safety Lessons

HIPAA & Research - The Privacy Rulebook

Patient authorization is the default for using Protected Health Information (PHI) in research. Key exceptions allow access while protecting privacy.

Authorization Exceptions:
- De-identified Data: Not PHI if all 18 identifiers are removed. HIPAA's Privacy Rule does not apply.
- Limited Data Set (LDS): PHI with direct identifiers removed. Requires a Data Use Agreement (DUA).
- IRB/Privacy Board Waiver: Granted if research poses minimal privacy risk and obtaining authorization is impracticable.

⭐ Research preparatory activities (e.g., assessing study feasibility) and research on decedents' PHI are also permitted without individual authorization under specific HIPAA provisions.

De-identification Methods - Anonymizing PHI

De-identified health information is not considered Protected Health Information (PHI) and is exempt from the HIPAA Privacy Rule. It is achieved via two pathways:
1. Safe Harbor Method:
- Mandates the removal of 18 specific personal identifiers.
- Key removals include names, all geographic units smaller than a state, all date elements (except year), medical record numbers, and biometric data.
- The provider must have no actual knowledge that the remaining information could identify the subject.
2. Expert Determination Method:
- A statistical expert applies methods to determine that the risk of re-identification is "very small."
- Requires formal documentation of the statistical analysis.

HIPAA Privacy Rule De-identification Methods

⭐ High-Yield: Under Safe Harbor, the first 3 digits of a zip code can be kept if the corresponding geographic area contains >20,000 people. All other geographic data smaller than a state must be removed.

Authorization & Waivers - Getting Permission

Authorization: The default method. Researchers must obtain signed, patient-specific permission to use or disclose Protected Health Information (PHI) for research.
- Core Elements: Plain language, specific purpose, expiration date, and right to revoke.
Waiver of Authorization: An Institutional Review Board (IRB) or Privacy Board can waive authorization if:
- Research poses minimal risk to privacy.
- Research is not practicable without the waiver.
- Waiver won't adversely affect patient rights.

⭐ Research is designed to create generalizable knowledge. Quality Improvement (QI) is for internal processes. This distinction determines if IRB oversight/waiver is needed.

Other Data Types:
- Limited Data Set: PHI with direct identifiers removed. Requires a Data Use Agreement (DUA).
- De-identified Data: All 18 HIPAA identifiers removed. No longer PHI; HIPAA rules do not apply.
Decision Flow:

High-Yield Points - ⚡ Biggest Takeaways

De-identified health information is not PHI and can be used for research without authorization.

Research with PHI requires either written patient authorization or a waiver of authorization from an IRB/Privacy Board.

A Limited Data Set (LDS), which excludes direct identifiers, can be used for research with a Data Use Agreement (DUA).

Authorization forms for research must be specific and are separate from the informed consent.

Recruitment can involve PHI but is strictly regulated.

Continue reading on Oncourse

CONTINUE READING — FREE

or get the app

App Store|Google Play