Breach or no breach

  • 1.  Breach or no breach

    Posted 10-05-2020 11:02 AM
    A bit of a unique scenario:
    An employee sends an email containing an attachment to a Business Associate who is not a Covered Entity. Employee thinks the attachment is a purchase order but is actually a clinical visit summary concerning her spouse. The visit summary is from an unrelated provider (not her employer) and is not part of the employer's medical records.
    Breach/impermissible disclosure or not? I think no, but I'm interested to hear other opinions.

    Charles Colitre BBA, CHC, CHPC
    Compliance & Privacy Officer
    Crystal Clinic Orthopaedic Center

  • 2.  RE: Breach or no breach

    Posted 10-05-2020 12:14 PM

    Hi Charles!


    If I'm understanding correctly, an employee emails her husband's clinical visit summary from an outside provider to her employer's BA.  


    • She mistakenly emailed/disclosed information she shouldn't have; it just wasn't information that belonged to her employer.

    • So she, at the very least, impermissibly disclosed PHI (since she probably didn't have her husband's consent to email it to a BA that had no business seeing it, and maybe her email isn't secure?).

    • The question is, can a Covered Entity be held responsible for the wrongdoing of its employee (who is on the clock) when it comes to PHI that doesn't belong to the Covered Entity?

    • I don't know the answer for sure, but I say yes; however, in this case I wouldn't categorize it as a breach.


    I admit I could be waaaay off the mark!





  • 3.  RE: Breach or no breach

    Posted 10-05-2020 12:25 PM

    I'll take a stab. The PHI that was impermissibly disclosed did not belong to the covered entity (her employer), therefore they have no duty to safeguard it, therefore no breach. The employee may have violated company policy by using company resources for personal use. I would leave that to HR.

    OR: One can also argue that the moment the employee scanned the document and attached it to her company email it became PHI that the company now has a duty to safeguard, and a four-factor analysis is necessary to determine breach or not.


    Curious to see what others think. 


    Michael Scudillo, OTR, CHC 



  • 4.  RE: Breach or no breach

    Posted 10-05-2020 12:34 PM

    I would have to say no, it is not a breach, as the information does not belong to the CE (her employer), so it is not PHI of the entity.


    Now this may be going down the rabbit hole, but I would investigate how she obtained the information from the other CE. Was it through the appropriate channels, or did she use her employment at her company to obtain the information without consent? If the latter, I would report it to the other CE.


    Thank you,




    Erin M. Jack, RHIA, CHC, CHPC

    Privacy & Data Ethics Official

    Data Ethics, Policy, and Privacy Department

    Forbes Hospital - Office: 412-858-2534

    Allegheny Valley Hospital - Office: 724-389-6520

    Highmark Health

    Fax: 412-544-4320



  • 5.  RE: Breach or no breach

    Posted 10-05-2020 12:47 PM
    I'll take a stab: I think it depends on the purpose for which she got the information and whether it was work-related. If the husband e-mails his visit summary to his wife (the employee) and she is supposed to e-mail it to their insurance company for reimbursement of out-of-pocket expenses, I'd say no impermissible disclosure.

    David Garrison
    Compliance/Privacy Officer


  • 6.  RE: Breach or no breach

    Posted 10-05-2020 03:12 PM
    No breach. HR matter and Information Security matter regarding appropriate use of company resources / corporate email and professional conduct.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.


  • 7.  RE: Breach or no breach

    Posted 10-06-2020 10:08 PM
    This sounds like it was a personal oops. I would not consider this an impermissible disclosure for the purposes of HIPAA.

    Nancy O'Neill, RN, CHC, CHPC
    Sr. Director, Corporate Compliance/Privacy Officer
    Tampa General Hospital
    Tampa, FL
    Responses are my own and not the view of my organization.