Privacy Officer's Roundtable

PHI left in room by patient

  • 1.  PHI left in room by patient

    Posted 06-10-2016 12:33 PM

    Hi all.  Wondering what your thoughts are in regards to a situation:  Document given to patient and document contained limited PHI (if found on the street would disclose that person was at the facility).  Document is left behind by patient, in a nightstand drawer, and found by the next patient.

    Since it was given to the patient and left by the patient would you say no disclosure?  Or would you say impermissible disclosure since it was left in the facility and we didn't find it before the next patient found it?

    I'm leaning towards no disclosure since it was given to the patient.


    David Garrison CHC, MPH
    Compliance/Privacy Officer
    SCCE Membership

  • 2.  RE: PHI left in room by patient

    Posted 06-11-2016 01:34 PM
    I would say impermissible disclosure. The risk would be low unless the facility was, say, an inpatient psychiatric hospital or the room was located in a wing for cancer patients or other condition that would easily identify the patient's health condition.

    Chris Apgar, CISSP 
    CEO & President 
    Apgar & Associates, LLC 
    (503) 384-2338 (O)
    (503) 816-8555 (M)


  • 3.  RE: PHI left in room by patient

    Posted 06-11-2016 03:21 PM
    You know I am one to compare and contrast, and I clearly do not follow your reasoning, which is what I am trying to do (and certainly not trying to say you are right or wrong; I think everyone owns their own decision or conclusion, whatever that might be).

    I see the following:

    CE → Intended Patient problem there.  Now Patient leaves the PHI behind which results in:

    Info left by Patient → Next Patient

    So are you taking the position that though the intended patient left the info behind, that somehow or for some reason the CE is now responsible for an impermissible disclosure because it did not for whatever reason find the information that was left behind which was subsequently found by the next patient.

    Just trying to understand... though personally my thought would be to place the fact that the disclosure occurred squarely on the patient who left it behind.

    Thanks, Chris!

    Frank Ruelas


  • 4.  RE: PHI left in room by patient

    Posted 06-12-2016 09:02 AM

    It would be reasonable to consider the patient who left behind his/her PHI the source responsible for the PHI incident (not necessarily breach). In a conservative culture, one could argue that the CE should've ensured that all of the outgoing patient's data was removed from the room before a new patient was admitted to the room. In the latter scenario, a consistent risk assessment would provide guidance on how to handle the incident based on the facts and the CE's risk mitigation actions. Given the basic facts, the best course of action may be to voluntarily notify the patient of your discovery and risk mitigation actions without triggering a breach notice, given the circumstances.

    Mahmood Sher-Jan
    CEO, RADAR Business Unit
    ID Experts


  • 5.  RE: PHI left in room by patient

    Posted 06-12-2016 09:22 AM

    Perhaps a nice compromise...though one I would not necessarily subscribe to.

    Keep those posts coming in!  Nice to see a diversity of opinions on this one.

    Frank Ruelas


  • 6.  RE: PHI left in room by patient

    Posted 06-23-2016 09:46 AM

    I like your analysis. This seems like the most prudent course of action. Notify patient of their mistake. No breach.

    Carl Russell
    Compliance Analyst
    Delta Dental of Idaho


  • 7.  RE: PHI left in room by patient

    Posted 06-13-2016 07:54 AM

    I would consider this a non-HIPAA issue from the facility perspective but make sure that the patient received whatever info that was left behind (especially if it contained D/C type instructions). Once given to the patient, it becomes their responsibility.

    Nancy O'Neill, RN, MBA, CHC
    Manager, Corporate
    BayCare Health System
    Clearwater, Florida


  • 8.  RE: PHI left in room by patient

    Posted 06-13-2016 09:45 AM

    The definition of disclosure in 160.103 is "means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information." The covered entity wasn't the one "holding the information"; the patient was.

    Brenda Manning, JD, CHC, CHPC
    R&B Solutions
    Waukegan, IL 60085


  • 9.  RE: PHI left in room by patient

    Posted 06-14-2016 08:41 AM

    I agree with Brenda - the patient had the PHI in his/her possession and not the CE; therefore the CE was not responsible.

    Mutanu Mutuvi-Thomas
    Privacy Director
    MedStar Health


  • 10.  RE: PHI left in room by patient

    Posted 06-14-2016 12:54 PM
    I've run across this before with another client of mine. In their case it was left-behind hospital identification bracelets. I agree that another patient left behind his or her paperwork. I see it as the hospital's responsibility to properly dispose of left-behind documents that include PHI. This to me is no different than a patient leaving his or her end-of-clinic-visit paperwork on the counter by the check-in desk. If, in this example, the clinic does not police its counters to make sure no PHI is left exposed, it is a breach.

    This is not an unusual occurrence.  I've talked to a number of CEs who are clients who have experienced similar loss of PHI because left out PHI was left unattended and/or was not retrieved and disposed of and was left behind by a patient.  As I noted, I do not see this as a breach that would require notification (with the exceptions I listed such as the patient was in an inpatient psychiatric facility).  That doesn't mean, though, that the hospital can chalk it up to carelessness on the part of the patient.  PHI was exposed and it was "acquired" by another patient.  This does represent a privacy/security incident and, at the very least, the hospital is required to investigate and document the investigation.  In my opinion, this would also require conducting the four factor risk assessment.

    I was involved in a call with a client and OCR following the filing of a complaint by a former employee. One of the things the employee alleged was that a breach occurred and the clinic didn't report it to OCR. I initially recommended my client not report the breach because, following the conducting of the four factor risk assessment, I determined the breach risk was low. In this case, the breach involved two email addresses that did not include the patients' names and no other PHI. In this case the clinic was an audiology clinic, so if the emails were intercepted, all the unauthorized party would know is that the patient was seen at an audiology clinic, and that didn't even include the name of the patient. On the call the OCR investigator told the clinic that even the breach of an email address was a high enough risk to warrant patient and OCR notification. I think this was a new investigator who believed that even if only the name was breached it would require notification. I don't agree, but it's not a good idea to argue with your regulators. :) In the end, this means there are OCR auditors out there who would believe a breach of PHI occurred and it should be reported to OCR and the patient.

    Chris Apgar CISSP
    CEO and President
    Apgar and Associates, LLC


  • 11.  RE: PHI left in room by patient

    Posted 06-14-2016 10:47 PM

    Frank - I agree with you. I see no disclosure here; the patient is responsible for the information they left behind. The hospital cannot be responsible for every piece of paper the patients throw away at the facility in an unmarked, unlocked PHI container or leave behind in a drawer. If the hospital left the papers in the room, like the previous patient's chart or something, different story. Just my two cents worth.

    Chris Duprey

    Christine Duprey
    Caris Consulting, LLC
    Green Bay, WI


  • 12.  RE: PHI left in room by patient

    Posted 06-15-2016 10:35 AM

    But, as the hospital has now "received" the PHI, it is responsible for the correct disposal of it, right?

    I personally would still conduct an assessment, but likely would find it a low probability of compromise and therefore not a breach.

    Mitigation - ensure that training on thoroughly clearing the discharged patient's room is conducted.

    David Rothery, CHC
    HIPAA Privacy Officer
    Marin County
    San Rafael, CA


  • 13.  RE: PHI left in room by patient

    Posted 06-15-2016 11:52 AM

    Yes, I believe that once it is received by the CE it has to be protected (which we did, and sent it to the patient).

    David Garrison CHC, MPH
    Compliance/Privacy Officer
