HIPAA

Breach or Not...by request of an eGroup member

  • 1.  Breach or Not...by request of an eGroup member

    Posted 08-04-2020 11:20 PM
    Posted by request:

    Scenario:

    Dr. Smith left Clinic A and went to work at Clinic B. Over a course of six weeks and due to unclear staff training, Dr. Smith was accidentally sent a copy of Patty Patient's chart at Clinic B.

    Dr. Smith then used the info in Patty's chart to reach out to her in an effort to drum up some business at Clinic B, explaining that since he had seen her recent chart notes, he knew he could still offer her treatment.

    The issues with sending the copy to Dr. Smith were identified and addressed, and everyone at Clinic A agrees it's ethically questionable to try to steal patients this way, but what about HIPAA?

    Is this a breach?  Not a breach?  Any responses are appreciated.


    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    NEXT UP:
    Stay tuned...

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Breach or Not...by request of an eGroup member

    Posted 08-05-2020 07:31 AM
    Yes. It's misdirected PHI to a treating provider who, by virtue of the scenario, no longer has a treating relationship with the patient so therefore was not entitled to receive the information. The matter could have been evaluated as low probability of compromise in my opinion since this individual is a provider and under the "who" part of the analysis would be someone obligated to keep the information private and secure. However, I believe the fact the provider kept the information, reviewed it and clearly took advantage of the error for his own personal gain to drum up business by contacting the patient stating as such changes that analysis.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 3.  RE: Breach or Not...by request of an eGroup member

    Posted 08-05-2020 08:43 AM
    The sender of information is who would be guilty of a breach.

    ------------------------------
    Debbie Archer
    Privacy Officer
    Aspire Indiana
    Noblesville, IN
    ------------------------------



  • 4.  RE: Breach or Not...by request of an eGroup member

    Posted 08-05-2020 09:47 AM

    Is the receiver of the e-mail also guilty of not recognizing it was PHI that he should not have received?  As a covered entity should he/she have reported and removed the information as well?

    I am so appreciative of these examples!

     

    Jennifer McWain CHC, PT, MHS |Compliance Officer & Clinical Excellence Specialist

    Mary Free Bed Rehabilitation Hospital

    235 Wealthy St. SE Grand Rapids, MI 49503



  • 5.  RE: Breach or Not...by request of an eGroup member

    Posted 08-05-2020 09:55 AM
    Jennifer, 
    Not a lawyer, not legal advice:

    I do not believe there is a legal obligation for the recipient to report. That may be different from State to State. However, if the recipient is a CE, the CE must safeguard all PHI the organization CReAMTs (creates, receives, accesses, maintains, or transmits).

    -Alex-







  • 6.  RE: Breach or Not...by request of an eGroup member

    Posted 08-06-2020 08:04 AM
    If the sender of the information is a Covered Entity and therefore subject to HIPAA, I would assess this as a breach. We know that HIPAA considers impermissible disclosures of PHI to be breaches unless the Covered Entity can prove a low probability of compromise to the privacy of the information disclosed. In this scenario, we know that the privacy of the information was in fact compromised; an unintended recipient used the PHI for purposes of personal gain.

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------



  • 7.  RE: Breach or Not...by request of an eGroup member

    Posted 08-06-2020 08:48 AM
    There are multiple moving parts. You have to work through the process.

    Is it an impermissible disclosure? Yes, Dr. Smith's relationship ended when he left Clinic A (assumption that Clinic A & B have no relationship).
    Is it a breach? Maybe. Did Clinic A have a good faith belief that the information was not going to be further used? Was a risk analysis done? If it was not determined that the risk was low, then it was a breach. Not enough information to determine a breach.

    Did clinic A get assurance that the patient records would be destroyed? Did the Dr. retain information to market his services?

    "An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment..."

    One question I had immediately: did the Dr. violate the marketing rule?


    ------------------------------
    Bill Turner
    Chief Privacy & Security Officer
    CHPC, FIP, C\CISO, CIPP /US /G /IT /C
    ------------------------------



  • 8.  RE: Breach or Not...by request of an eGroup member

    Posted 08-06-2020 09:03 AM
    Bravo, Bill!

    Whether a breach or not...marketing issue or not...THANKS for posting!  I like how you are looking at this from beyond the perspective of not only what type of "impermissible" it may be, but its relationship to other aspects of HIPAA privacy and security to consider as well.  This is where the "other factors" portion of the breach risk assessment process comes into play.

    Well done!

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ------------------------------
