A 68-year-old man comes to the physician for a follow-up examination, accompanied by his daughter. Two years ago, he was diagnosed with localized prostate cancer, for which he underwent radiation therapy. He moved to the area 1 month ago to be closer to his daughter but continues to live independently. He was recently diagnosed with osteoblastic metastases to the spine and is scheduled to initiate therapy next week. In private, the patient’s daughter says that he has been losing weight and wetting the bed, and she tearfully asks the physician if his prostate cancer has returned. She says that her father has not spoken with her about his health recently. The patient has previously expressed to the physician that he does not want his family members to know about his condition because they “would worry too much.” Which of the following initial statements by the physician is most appropriate?

“I'm sorry, I can't discuss any information with you without his permission. I recommend that you have an open discussion with your father.”

“As your father's physician, I think that it's important that you know that his prostate cancer has returned. However, we are confident that he will respond well to treatment.”

“It concerns me that he's not speaking openly with you. I recommend that you seek medical power of attorney for your father. Then, we can legally discuss his diagnosis and treatment options together.”

“It’s difficult to deal with parents aging, but I have experience helping families cope. We should sit down with your father and discuss this situation together.”

“Your father is very ill and may not want you to know the details. I can imagine it's frustrating for you, but you have to respect his discretion.”

A 19-year-old man presents to an orthopedic surgeon to discuss repair of his torn anterior cruciate ligament. He suffered the injury during a college basketball game 1 week ago and has been using a knee immobilizer since the accident. His past medical history is significant for an emergency appendectomy when he was 12 years of age. At that time, he said that he never wanted to have surgery again. At this visit, the physician explains the procedure to him in detail including potential risks and complications. The patient acknowledges and communicates his understanding of both the diagnosis as well as the surgery and decides to proceed with the surgery in 3 weeks. Afterward, he signs a form giving consent for the operation. Which of the following statements is true about this patient?

He has the right to revoke his consent at any time

He cannot provide consent because he lacks capacity

His parents also need to give consent to this operation

He did not need to provide consent for this procedure since it is obviously beneficial

His consent is invalid because his decision is not stable over time

A psychiatrist receives a call from a patient who expresses thoughts of harming his ex-girlfriend. The patient describes a detailed plan to attack her at her workplace. Which of the following represents the psychiatrist's most appropriate legal obligation?

Warn the ex-girlfriend and notify law enforcement

Only notify the patient's family

Maintain patient confidentiality

A 72-year-old woman is brought to the emergency department with dyspnea for 2 days. She is on regular hemodialysis at 3 sessions a week but missed her last session due to an unexpected trip. She has a history of congestive heart failure. After urgent hemodialysis, the patient’s dyspnea does not improve as expected. The cardiologist is consulted. After evaluation of the patient, he notes in the patient’s electronic record: “the patient does not have a chronic heart condition and a cardiac cause of dyspnea is unlikely.” The following morning, the nurse finds the cardiologist’s notes about the patient not having congestive heart failure odd. The patient had a clear history of congestive heart failure with an ejection fraction of 35%. After further investigation, the nurse realizes that the cardiologist evaluated the patient’s roommate. She is an elderly woman with a similar first name. She is also on chronic hemodialysis. To prevent similar future errors, the most appropriate strategy is to use which of the following?

Two patient identifiers at every patient encounter by any healthcare provider

Two patient identifiers at every nurse-patient encounter

A patient’s medical identification number at every encounter by any healthcare provider

Two patient identifiers at every physician-patient encounter

A patient’s medical identification number at every physician-patient encounter

An 86-year-old man is admitted to the hospital for management of pneumonia. His hospital course has been relatively uneventful, and he is progressing well. On morning rounds nearing the end of the patient's hospital stay, the patient's cousin finally arrives to the hospital for the first time after not being present for most of the patient's hospitalization. He asks about the patient's prognosis and potential future discharge date as he is the primary caretaker of the patient and needs to plan for his arrival home. The patient is doing well and can likely be discharged in the next few days. Which of the following is the most appropriate course of action?

Bring the cousin to the room and ask the patient if it is acceptable to disclose his course

Bring the cousin to the room and explain the plan to both the patient and cousin

Explain the plan to discharge the patient in the next few days

Explain that you cannot discuss the patient's care at this time

Tell the cousin that you do not know the patient's course well

A 26-year-old man comes to the emergency department because of a 1-week history of fever, throat pain, and difficulty swallowing. Head and neck examination shows an erythematous pharynx with purulent exudates overlying the palatine tonsils. Microscopic examination of a throat culture shows pink, spherical bacteria arranged in chains. Treatment with amoxicillin is initiated. A day later, a physician colleague from another department approaches the physician in the lobby of the hospital and asks about this patient, saying, "Did you see him? What does he have? He's someone I play football with and he hasn't come to play for the past 5 days. I'm worried about him." Which of the following is the most appropriate action by the physician?

Inform the colleague that they cannot divulge any information about the patient

Inform the colleague that they should ask the patient's attending physician

Tell the colleague the patient's case file number so they can look it up themselves

Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics

Ask the colleague to meet in the office so they can discuss the patient in private

A 36-year-old man comes to the physician because of a 2-week history of productive cough, weight loss, and intermittent fever. He recently returned from a 6-month medical deployment to Indonesia. He appears tired. Physical examination shows nontender, enlarged, palpable cervical lymph nodes. An x-ray of the chest shows right-sided hilar lymphadenopathy. A sputum smear shows acid-fast bacilli. A diagnosis of pulmonary tuberculosis is made from PCR testing of the sputum. The patient requests that the physician does not inform anyone of this diagnosis because he is worried about losing his job. Which of the following is the most appropriate initial action by the physician?

Inform the local public health department of the diagnosis

Request the patient's permission to discuss the diagnosis with an infectious disease specialist

Assure the patient that his diagnosis will remain confidential

Confirm the diagnosis with a sputum culture

Notify all of the patient's household contacts of the diagnosis

On a Sunday afternoon, a surgical oncologist and his family attend a football game in the city where he practices. While at the game, he runs into a physician colleague that works at the same institution. After some casual small talk, his colleague inquires, "Are you taking care of Mr. Clarke, my personal trainer? I heard through the grapevine that he has melanoma, and I didn't know if you have started him on any chemotherapy or performed any surgical intervention yet. Hopefully you'll be able to take very good care of him." In this situation, the surgical oncologist may confirm which of the following?

Only that Mr. Clarke is his patient

A 17-year-old male, accompanied by his uncle, presents to a doctor with his arm in a sling. There is blood dripping down his shirt. He pleads with the physician to not report this injury to authorities, offering to pay extra for his visit, as he is afraid of retaliation from his rival gang. The physician examines the wound, which appears to be a stabbing injury to his left anterior deltoid. This case study in medical ethics asks: How should the physician best handle this patient's request?

Breach confidentiality and report the stab wound to the police

Maintain confidentiality, as reporting stab wounds is not required

Breach confidentiality and discuss the injury with the uncle

Maintain confidentiality and schedule a follow-up visit with the patient

Maintain confidentiality, as retaliation may result in greater harm to the patient

Protected health information (PHI) for USMLE Step 1: High-Yield Patient Safety Lessons

PHI & The 18 Identifiers - Secrets to Keep

Protected Health Information (PHI) is any health data that is individually identifiable. It is created or received by a healthcare provider, health plan, or clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for that care.
Below are the 18 identifiers that make health information PHI. Data is considered de-identified (and not subject to the Privacy Rule) only if all these identifiers are removed.

Category	Identifiers
Personal	Names, All geographic subdivisions smaller than a state, All elements of dates (except year)
Contact	Telephone numbers, Fax numbers, Electronic mail addresses
Numeric	Social Security numbers, Medical record numbers, Health plan beneficiary numbers
Account	Account numbers, Certificate/license numbers, Vehicle identifiers and serial numbers
Device	Device identifiers and serial numbers, Web Universal Resource Locators (URLs)
Biometric	Biometric identifiers (finger and voice prints), Full face photographic images
Other	Any other unique identifying number, characteristic, or code

The Privacy Rule - Who Can Know?

Governs the use and disclosure of Protected Health Information (PHI). The core principle is the 'Minimum Necessary' standard: disclose only the minimum PHI required to achieve the purpose.

Permitted Uses & Disclosures for TPO:
- Treatment: Sharing info with other providers for patient care.
- Payment: Submitting claims to insurance companies.
- Operations: Activities like quality assessment, training, and business planning.
Disclosure WITHOUT Patient Authorization is allowed in specific public interest scenarios:
- Public health activities (e.g., reporting infectious diseases).
- Reporting suspected abuse, neglect, or domestic violence.
- Law enforcement requests (e.g., court orders, warrants).
- Coroner or medical examiner for identifying a deceased person.
- Organ donation processes.

⭐ Exam Favorite: If a patient is present and has capacity, a provider can share PHI with family/friends if the patient agrees or does not object. Professional judgment is key.

Patient Rights & Violations - The Power & The Price

Patient Rights (The Power): Patients have the right to:
- Access & Copy: Obtain a copy of their PHI.
- Amend: Request corrections to their PHI.
- Accounting of Disclosures: Know who their PHI has been shared with.
HIPAA Security Rule (The Protection): Mandates safeguards for electronic PHI (ePHI).
- Administrative: Policies, risk analysis, training.
- Physical: Facility access controls, workstation security.
- Technical: Access control, audit controls, transmission security.

The 3 Types of HIPAA Safeguards

Violations & Penalties (The Price): Civil and criminal penalties are tiered based on the level of culpability, from unintentional ignorance to willful neglect.

⭐ Exam Favorite: The "Minimum Necessary" rule is a cornerstone of HIPAA. Disclosures of PHI should be limited to the minimum amount of information necessary to accomplish the intended purpose.

High-Yield Points - ⚡ Biggest Takeaways

PHI is any individually identifiable health information (demographics, treatment, payment).

It's defined by the presence of one or more of the 18 specific identifiers (e.g., name, address, dates).

De-identified data (all identifiers removed) is not protected by HIPAA.

The Minimum Necessary Rule limits PHI disclosure to the least amount required for the task.

Patients can access, amend, and request an accounting of their PHI disclosures.

Incidental disclosures are not violations if reasonable safeguards are implemented.

Continue reading on Oncourse

CONTINUE READING — FREE

or get the app

App Store|Google Play