A 68-year-old man comes to the physician for a follow-up examination, accompanied by his daughter. Two years ago, he was diagnosed with localized prostate cancer, for which he underwent radiation therapy. He moved to the area 1 month ago to be closer to his daughter but continues to live independently. He was recently diagnosed with osteoblastic metastases to the spine and is scheduled to initiate therapy next week. In private, the patient’s daughter says that he has been losing weight and wetting the bed, and she tearfully asks the physician if his prostate cancer has returned. She says that her father has not spoken with her about his health recently. The patient has previously expressed to the physician that he does not want his family members to know about his condition because they “would worry too much.” Which of the following initial statements by the physician is most appropriate?

“I'm sorry, I can't discuss any information with you without his permission. I recommend that you have an open discussion with your father.”

“As your father's physician, I think that it's important that you know that his prostate cancer has returned. However, we are confident that he will respond well to treatment.”

“It concerns me that he's not speaking openly with you. I recommend that you seek medical power of attorney for your father. Then, we can legally discuss his diagnosis and treatment options together.”

“It’s difficult to deal with parents aging, but I have experience helping families cope. We should sit down with your father and discuss this situation together.”

“Your father is very ill and may not want you to know the details. I can imagine it's frustrating for you, but you have to respect his discretion.”

A 19-year-old man presents to an orthopedic surgeon to discuss repair of his torn anterior cruciate ligament. He suffered the injury during a college basketball game 1 week ago and has been using a knee immobilizer since the accident. His past medical history is significant for an emergency appendectomy when he was 12 years of age. At that time, he said that he never wanted to have surgery again. At this visit, the physician explains the procedure to him in detail including potential risks and complications. The patient acknowledges and communicates his understanding of both the diagnosis as well as the surgery and decides to proceed with the surgery in 3 weeks. Afterward, he signs a form giving consent for the operation. Which of the following statements is true about this patient?

He has the right to revoke his consent at any time

He cannot provide consent because he lacks capacity

His parents also need to give consent to this operation

He did not need to provide consent for this procedure since it is obviously beneficial

His consent is invalid because his decision is not stable over time

A 54-year-old man suffered an anterior wall myocardial infarction that was managed in the cath lab with emergent coronary stenting and revascularization. The patient states that his wife, adult children, and cousins may be disclosed information regarding his care and health information. The patient has been progressing well without any further complications since his initial catheterization. On hospital day #3, a woman stops you in the hall outside of the patient's room whom you recognize as the patient's cousin. She asks you about the patient's prognosis and how the patient is progressing after his heart attack. Which of the following is the most appropriate next step?

Ask for identification confirming that the woman is truly the patient's cousin

Decline to comment per HIPAA patient confidentiality regulations

Direct the woman to discuss these issues with the patient himself

Ask the patient if it is acceptable to share information with this individual

Discuss the patient's hospital course and expected prognosis with the woman

A psychiatrist receives a call from a patient who expresses thoughts of harming his ex-girlfriend. The patient describes a detailed plan to attack her at her workplace. Which of the following represents the psychiatrist's most appropriate legal obligation?

Warn the ex-girlfriend and notify law enforcement

Only notify the patient's family

Maintain patient confidentiality

A healthy, 16-year-old girl is brought in by her mother for a wellness visit. During the appointment, the patient’s mother brings up concerns about her daughter’s acne. The patient has had acne for 2 years. She washes her face twice a day with benzoyl peroxide and has been on doxycycline for 2 months with only mild improvement. The patient does not feel that the acne is related to her menstrual cycles. The patient’s mother states she does well in school and is the captain of the junior varsity cross-country team. She is worried that the acne is starting to affect her daughter’s self-esteem. The patient states that prom is coming up, and she is considering not going because she hates taking pictures. Upon physical exam, there are multiple open and closed comedones and scattered, red nodules on the patient’s face with evidence of scarring. The patient’s mother says her neighbor’s son tried isotretinoin and wants to know if that may work for her daughter. While talking about the risk factors for isotretinoin, you mention that patient will need to be on 2 forms of birth control. The mother asks, “Is that really necessary? We are a very religious family and my daughter knows our household rule about no sex before marriage.” Which of the following is the next step in management?

Ask the mother to leave the room before talking to the patient about her sexual activity

Have the patient take a pregnancy test to prove abstinence

Talk to patient and mother about patient’s sexual activity, since parental permission is needed for isotretinoin

Prescribe the isotretinoin as the patient does not need additional contraception if she is abstinent

Prescribe the isotretinoin after giving the patient a handout about birth control methods

A 36-year-old man comes to the physician because of a 2-week history of productive cough, weight loss, and intermittent fever. He recently returned from a 6-month medical deployment to Indonesia. He appears tired. Physical examination shows nontender, enlarged, palpable cervical lymph nodes. An x-ray of the chest shows right-sided hilar lymphadenopathy. A sputum smear shows acid-fast bacilli. A diagnosis of pulmonary tuberculosis is made from PCR testing of the sputum. The patient requests that the physician does not inform anyone of this diagnosis because he is worried about losing his job. Which of the following is the most appropriate initial action by the physician?

Inform the local public health department of the diagnosis

Request the patient's permission to discuss the diagnosis with an infectious disease specialist

Assure the patient that his diagnosis will remain confidential

Confirm the diagnosis with a sputum culture

Notify all of the patient's household contacts of the diagnosis

A 32-year-old male asks his physician for information regarding a vasectomy. On further questioning, you learn that he and his wife have just had their second child and he asserts that they no longer wish to have additional pregnancies. You ask him if he has discussed a vasectomy with his wife to which he replies, "Well, not yet, but I'm sure she'll agree." What is the next appropriate step prior to scheduling the patient's vasectomy?

Explain the risks and benefits of the procedure and request signed consent from the patient

Insist that the patient first discuss this procedure with his wife

Telephone the patient's wife to inform her of the plan

Refuse to perform the vasectomy

Explain the risks and benefits of the procedure and request signed consent from the patient and his wife

An 86-year-old man is admitted to the hospital for management of pneumonia. His hospital course has been relatively uneventful, and he is progressing well. On morning rounds nearing the end of the patient's hospital stay, the patient's cousin finally arrives to the hospital for the first time after not being present for most of the patient's hospitalization. He asks about the patient's prognosis and potential future discharge date as he is the primary caretaker of the patient and needs to plan for his arrival home. The patient is doing well and can likely be discharged in the next few days. Which of the following is the most appropriate course of action?

Bring the cousin to the room and ask the patient if it is acceptable to disclose his course

Bring the cousin to the room and explain the plan to both the patient and cousin

Explain the plan to discharge the patient in the next few days

Explain that you cannot discuss the patient's care at this time

Tell the cousin that you do not know the patient's course well

A 26-year-old man comes to the emergency department because of a 1-week history of fever, throat pain, and difficulty swallowing. Head and neck examination shows an erythematous pharynx with purulent exudates overlying the palatine tonsils. Microscopic examination of a throat culture shows pink, spherical bacteria arranged in chains. Treatment with amoxicillin is initiated. A day later, a physician colleague from another department approaches the physician in the lobby of the hospital and asks about this patient, saying, "Did you see him? What does he have? He's someone I play football with and he hasn't come to play for the past 5 days. I'm worried about him." Which of the following is the most appropriate action by the physician?

Inform the colleague that they cannot divulge any information about the patient

Inform the colleague that they should ask the patient's attending physician

Tell the colleague the patient's case file number so they can look it up themselves

Tell the colleague that they cannot tell them the diagnosis but that their friend was treated with antibiotics

Ask the colleague to meet in the office so they can discuss the patient in private

Privacy Rule provisions for USMLE Step 2 CK: High-Yield Patient Safety Lessons

Privacy Rule Basics - The HIPAA Handshake

Protected Health Information (PHI): Individually identifiable health information held by a Covered Entity. It links a patient to their health data and includes 18 specific identifiers (e.g., name, address, dates, SSN).
Key Players:
- Covered Entities (CEs): Health plans, clearinghouses, and providers (hospitals, clinics).
- Business Associates (BAs): Entities performing functions for a CE involving PHI (billing services, legal counsel).
Core Principle: Minimum Necessary Rule
- Limit use and disclosure of PHI to the minimum required for the intended purpose.
De-identification: Removes identifiers, rendering data non-PHI.
- Safe Harbor: Remove all 18 identifiers.
- Expert Determination: Statistical certification of low re-identification risk.

⭐ A rare diagnosis combined with a zip code can be enough to identify a patient, making it PHI even without a name.

Patient Privileges - Your Health Info Rights

Right of Access: Patients can inspect & get copies of their PHI.
- Covered entities have 30 days to provide the information.
Right to Amend: Patients can request corrections to inaccurate or incomplete PHI.
- The entity can deny the request if the information is deemed accurate.
Right to an Accounting of Disclosures: Request a list of who has accessed their PHI.
Right to Request Restrictions: Patients can request limits on the use or sharing of their PHI.
- Providers are not required to agree, with one major exception.

⭐ A provider must agree to a restriction request if the disclosure is to a health plan for payment purposes and the patient has paid for the service out-of-pocket in full.

Right to Confidential Communications: Patients can request communication via alternative means or locations (e.g., cell phone vs. home phone).

Disclosure Rules - When Silence Isn't Golden

Treatment, Payment, & Healthcare Operations (TPO): PHI can be used and disclosed without specific authorization for these core activities. 📌 TPO: Think 'The Privacy Office' lets these slide.
Required Disclosures: Must be provided to:
- The individual upon request (their own PHI).
- The Dept. of Health & Human Services (HHS) for compliance reviews.
Permitted Disclosures (Public Interest): Allowed for 12 priority purposes like public health activities, legal orders, or to avert serious threats to safety.
Valid Authorization: For all other disclosures (e.g., marketing, research), a signed, specific, and dated patient authorization is mandatory.

⭐ The "minimum necessary" rule does not apply to disclosures to another healthcare provider for treatment purposes.

High‑Yield Points - ⚡ Biggest Takeaways

The Privacy Rule protects all forms of Protected Health Information (PHI)-oral, written, or electronic.

Patients have a right to access, amend, and receive an accounting of disclosures of their PHI.

PHI can be used for Treatment, Payment, and Operations (TPO) without explicit authorization.

The "minimum necessary" standard applies to most disclosures of PHI.

Incidental disclosures are permissible if reasonable safeguards are implemented.

Psychotherapy notes receive heightened protection and require specific authorization for release.

Continue reading on Oncourse

CONTINUE READING — FREE

or get the app

App Store|Google Play