HIPAA

Subject: Interesting Scenario with an Interesting Approach

1.  Interesting Scenario with an Interesting Approach

Posted 6 days ago
An interesting conversation unfolded this week where the compliance professional who also oversees HIPAA Privacy and Security for a relatively large CE shared during an online discussion that the organization sent a large number (>500) of EOBs to the wrong addresses.

One of the root causes was that the person who set up the mail merge made a few errors when setting up the relationship between the data for the mail merge and the template document. No problem...it happens. In other words, the address information was correct (the letter went to patient Frank at patient Frank's correct address), but included in each letter was an EOB with another patient's name, account info, treatment-related codes, and dates of service (page 2 included information for Joe and the account info, treatment-related codes, and dates of service for Joe).

Before I get into the interesting part...categorically speaking...as I certainly want to make sure all viewpoints are heard as there may be some differences of opinion...

What type of "impermissible," if any, is this? Why or why not?
If an "impermissible"...breach or no breach?

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------


2.  RE: Interesting Scenario with an Interesting Approach

Posted 6 days ago
Impermissible disclosure, and likely a breach.

3.  RE: Interesting Scenario with an Interesting Approach

Posted 6 days ago
I agree with Natalie. Impermissible and presumed breach pending risk assessment.

Carly Borenkind, LCSW
Compliance Officer- JASA
247 W. 37th Street 9th Floor
New York, NY 10018
Ph: 212.273.5296
eFax: 929.299.1132





4.  RE: Interesting Scenario with an Interesting Approach

Posted 6 days ago
If I had one EOB sent to the wrong patient with the information you described, I would talk to the wrong patient and obtain an attestation form. If the wrong patient was cooperative, etc., I would categorize it as an impermissible disclosure, no breach, as I wouldn't think there was more than a low risk that the information contained in the EOB could compromise the patient. So times that by >500 and I would be pretty busy for a while! However, if I could not talk to the patient or obtain an attestation form, or if the wrong patient was uncooperative, I would deem it a breach.
Cinda





5.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago
Again...and let me stress and say it again as I am not calling your approach right/wrong or whether I agree or disagree...but remember...compare and contrast...

So, from the description in your response, am I correct that one of the factors you would use to determine whether or not to call each of these impermissible disclosures a breach would be your conversation with the individual and your obtaining an attestation?

Am I on the right track here with your approach?

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



6.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago

Frank, yes, if I talk to the wrong patient and he/she is cooperative and signs an attestation, I believe that would help mitigate the risk to the PHI.

Cinda





7.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago
Again...and let me stress and say it again as I am not calling your approach right/wrong or whether I agree or disagree...but remember...compare and contrast...

So, from the description in your response, am I correct that one of the factors you would use to determine whether or not to call each of these impermissible disclosures a breach would be your conversation with the individual and your obtaining an attestation?

Am I on the right track here with your approach?

(Note...I liked your comment about how in either case you would be busy...and certainly you would have to finish these within 30 days following the discovery of the incident...which I know for some folks could be a challenge depending on the numbers involved.)

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



8.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago
I would categorize this as an impermissible disclosure, since it went outside the organization. I would do a Risk Assessment (LoProCo) to determine if it rose to the level of a breach. Given the volume of impermissible disclosures, I would likely conclude this is a breach and begin the notification process to affected parties, notifying the media and posting the news on our website homepage.

Once done, I would likely retire and move north!

------------------------------
Dr. Randy Lewis, LMFT, CHPC
HIPAA Privacy Officer
Orange County Government
Orlando, FL
------------------------------



9.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago
I'll say an impermissible disclosure, but I'm not sure how I'd do the risk assessment. Would folks look at one EOB and use that assessment for all the disclosures, or would you look at EOBs from each payor?

------------------------------
David Garrison CHC, CHPC
Compliance/Privacy Officer
SEARHC
Juneau, AK
------------------------------



10.  RE: Interesting Scenario with an Interesting Approach

Posted 5 days ago
You have an impermissible disclosure because we disclosed PHI in the EOBs to someone else, more than 500 times. I would go through the LoProCo2 process but at first glance I think we are looking at a breach. I understand some say that whether the count is one or one thousand it shouldn't matter in your determination of whether or not it is a breach. But I believe it is impractical to think that we could mitigate all (>500) of the potential breach mailings to the point that I felt confident there would be a low risk of further disclosure. So I'm saying we have a breach.

------------------------------
Carl Russell
Compliance Analyst
Delta Dental of Idaho
Boise, ID

Anything I say is my sole opinion and not of my company.
------------------------------



11.  RE: Interesting Scenario with an Interesting Approach

Posted 4 days ago
Frank,

I would say it is an impermissible disclosure, but I don't know if it is a breach yet. You have not told us if the EOBs were returned unopened, which would mean this incident falls under the third exception to a breach. So, based on what you have told us so far (EOBs with correct addresses but wrong patient data in envelopes mailed out), it is an impermissible disclosure. How many came back unopened?

------------------------------
Hernan Serrano
Compliance Manager
HIPAAtrek
St. Louis, MO
------------------------------



12.  RE: Interesting Scenario with an Interesting Approach

Posted 4 days ago
Let's keep it simple...for the purposes of this scenario, assume all of the letters were opened by the recipients because recall...all of the recipients saw their name and address on the letter...but then saw someone else's PHI on the second page of the mailing.

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



13.  RE: Interesting Scenario with an Interesting Approach

Posted 4 days ago
Thank goodness most people saw this as an impermissible disclosure...so at a minimum, the entity will need to account for the >500 individuals in whatever system is used to gather and report data to individuals should any of them request an Accounting of Disclosures.

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



14.  RE: Interesting Scenario with an Interesting Approach

Posted 4 days ago
Great discussion. Agree: impermissible disclosure, and breach reporting needed.

Thanks, Kathy

Kathy Wehmer-Brown, R.N.
Compliance Specialist
The Women's Hospital
812-842-4522