Frank,
I've run across this before with another client of mine. In their case it was left-behind hospital identification bracelets. I agree that another patient left behind his or her paperwork. I see it as the hospital's responsibility to properly dispose of left-behind documents that include PHI. This to me is no different than a patient leaving his or her end-of-clinic-visit paperwork on the counter by the check-in desk. If, in this example, the clinic does not police its counters to make sure no PHI is left exposed, it is a breach.
This is not an unusual occurrence. I've talked to a number of CEs who are clients who have experienced similar loss of PHI because left-out PHI was left unattended and/or was not retrieved and disposed of after being left behind by a patient. As I noted, I do not see this as a breach that would require notification (with the exceptions I listed, such as the patient was in an inpatient psychiatric facility). That doesn't mean, though, that the hospital can chalk it up to carelessness on the part of the patient. PHI was exposed and it was "acquired" by another patient. This does represent a privacy/security incident and, at the very least, the hospital is required to investigate and document the investigation. In my opinion, this would also require conducting the four-factor risk assessment.
I was involved in a call with a client and OCR following the filing of a complaint by a former employee. One of the things the employee alleged was that a breach occurred and the clinic didn't report it to OCR. I initially recommended my client not report the breach because, following the conducting of the four-factor risk assessment, I determined the breach was low. In this case, the breach involved two email addresses that did not include the patients' names and no other PHI. In this case the clinic was an audiology clinic, so if the emails were intercepted, all the unauthorized party would know is that the patient was seen at an audiology clinic, and that didn't even include the name of the patient. On the call the OCR investigator told the clinic that even the breach of an email address was a high enough risk to warrant patient and OCR notification. I think this was a new investigator who believed that even if only the name was breached it would require notification. I don't agree, but it's not a good idea to argue with your regulators. :) In the end, this means there are OCR auditors out there who would believe a breach of PHI occurred and it should be reported to OCR and the patient.
Chris
------------------------------
Chris Apgar CISSP
CEO and President
Apgar and Associates, LLC
Portland, OR
Original Message:
Sent: 06-13-2016 08:53 AM
From: Nancy O'Neill
Subject: PHI left in room by patient
I would consider this a non-HIPAA issue from the facility perspective, but make sure that the patient received whatever info was left behind (especially if it contained D/C-type instructions). Once given to the patient, it becomes their responsibility.
------------------------------
Nancy O'Neill, RN, MBA, CHC
Manager, Corporate
BayCare Health System
Clearwater, Florida
Nancy.O'Neill@baycare.org