Which scenario represents a HIPAA privacy breach?

• A. A physical therapist performs an intervention on a patient without the patient's informed consent.
• B. A patient who is at risk of leaving against medical advice is restrained without a physician order.
• C. A patient's family member makes the decision to withdraw care of a patient without having any written documentation from the patient.
• D. A physical therapy student copies a patient's electronic medical record and takes it home in order to complete a school case study assignment.

Answer: (D)

Protecting patient information is the core idea here. HIPAA requires that patient health information (PHI) be accessed only by those who need it for legitimate purposes and stored in a secure, protected setting. Copying a patient’s electronic medical record and taking it home to complete a school assignment is an unauthorized disclosure and handling of PHI outside the secure system. It creates risk of exposure, loss, or theft, and there isn’t a proper authorization that allows taking PHI off-site or using it for a class assignment. Even with good intentions, this violates privacy rules. The other scenarios involve consent, safety, or decision-making issues, but they do not represent a direct breach of PHI privacy under HIPAA.