If I'm understanding correctly, an employee emails her husband's clinical visit summary from an outside provider to her employer's BA.
· She mistakenly emailed/disclosed information she shouldn't have, it just wasn't information that belonged to her employer.
· So she, at the very least, impermissibly disclosed PHI (since she probably didn't have her husband's consent to email it to a BA that had no business seeing it, and maybe her email isn't secure?).
· The question is, can a Covered Entity be held responsible for the wrongdoing of its employee (who is on the clock) when it comes to PHI that doesn't belong to the Covered Entity?
· I don't know the answer for sure, but I say yes; however, in this case I wouldn't categorize it as a breach.
I admit I could be waaaay off the mark!
I'll take a stab. The PHI that was impermissibly disclosed did not belong to the covered entity (her employer), therefore they have no duty to safeguard it, therefore no breach. The employee may have violated company policy by using company resources for personal use. I would leave that to HR. OR: One can also argue that the moment the employee scanned the document and attached it to her company email, it became PHI that the company now has a duty to safeguard, and a four-factor analysis is necessary to determine breach or not.
Curious to see what others think.
Michael Scudillo, OTR, CHC
I would have to say no, it is not a breach, as the information does not belong to the CE (her employer), so it is not PHI of the entity.
Now this may be going down the rabbit hole, but I would investigate how she obtained the information from the other CE. Was it through the appropriate channels, or did she use her employment at her company to obtain the information without consent? If the latter, I would report to the other CE.
Erin M. Jack, RHIA, CHC, CHPC
Privacy & Data Ethics Official
Data Ethics, Policy, and Privacy Department
Forbes Hospital - Office: 412-858-2534
Allegheny Valley Hospital - Office: 724-389-6520