Privacy Officer's Roundtable

Returning PHI from breach

  • 1.  Returning PHI from breach

    Posted 02-20-2020 12:05 PM
    We recently had a breach where a patient took home the PHI of another patient. I have requested that the patient mail back the PHI in addition to signing an attestation. I even sent a pre-stamped envelope to send everything back. The incident happened 2 weeks ago and I have not received anything back. I called a few days ago to make sure she got the envelope, which she confirmed she had and would be sending, and still nothing. At what point do you stop calling the patient to remind them, and if she does not ever return the document, what do you put for your end date for the breach when reporting to HHS, as there would not be one?

    Savannah Knuettel
    Compliance Officer
    Galen Medical Group

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    2020 SCCE Membership

  • 2.  RE: Returning PHI from breach

    Posted 02-20-2020 12:51 PM
    I use the date of the notification letter as the end date.

    David Garrison
    Compliance/Privacy Officer


  • 3.  RE: Returning PHI from breach

    Posted 02-20-2020 02:26 PM
    ...or is the end date the date that the patient took the data home? That action constituted the breach start and end. It's not like you had a stack of PHI on the waiting room table and people were helping themselves for about a week, creating a week-long breach. Everything that happened after the patient took home the wrong PHI was just part of your response and investigation, not part of a continuous breach.

    I didn't think the end date meant the end of your investigation. Maybe I just don't recall it very well.

    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.
