Privacy Officer's Roundtable

Scenario for discussion

  • 1.  Scenario for discussion

    Posted 12-19-2019 02:57 PM
    I'm interested in how others would handle this scenario.

    A covered entity ends their relationship with an employee.  During offboarding, an external storage device is discovered in employee's desk.  In accordance with CE's policies, device must be reviewed by CE personnel to determine whether it contains information belonging to CE.  Upon review, it is determined that the device contains a combination of extremely personal files belonging to employee and PHI from multiple past employers (including CE).

    ------------------------------
    Emily Roberts
    Compliance/Privacy Manager

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Scenario for discussion

    Posted 12-19-2019 03:25 PM
    Hmmmm... despite it being the wrong answer on a lot of the cert questions, this one I might tend to go to Legal for guidance, and for interviewing the departing employee.  Just off the top of my head.

    ------------------------------
    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI
    ------------------------------



  • 3.  RE: Scenario for discussion

    Posted 12-19-2019 04:15 PM
    1.  I presume the "personal files" is information about the employee, so we can disregard this.

    2.  If the employee was not authorized to put PHI on the device then I'd say it's an impermissible use and do an assessment to determine if there's a breach or not.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 4.  RE: Scenario for discussion

    Posted 12-19-2019 05:09 PM

    David,

    Since the drive also contained ePHI from previous employers (assuming they are also CE's)...would you contact them to let them know?

     

    Best Regards,


    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer

    Agadia

    9 Campus Drive, 2nd Floor East

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

     

    Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  Thank you.

     

     






  • 5.  RE: Scenario for discussion

    Posted 12-19-2019 05:54 PM
    I don't think we/CE have received PHI so I don't think there is an impermissible disclosure by other CE's.

    Now, as a CO/PO, I would, if possible to know which CE is related to what PHI, contact the other CE's and let them know and they can do what they want.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 6.  RE: Scenario for discussion

    Posted 12-19-2019 06:39 PM
    To add some complexity to this scenario, let's assume that the personal files on the drive are not benign files, but actually contain content which is disturbing enough to make a thorough analysis of all files problematic.  Would the CE really be the appropriate entity to sort through those files and make notifications to the other CEs?

    ------------------------------
    Emily Roberts
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston, OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------



  • 7.  RE: Scenario for discussion

    Posted 12-19-2019 06:49 PM
    Emily, if you're alluding that there might be information on the device that is criminal in nature, then I'd contact legal.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 8.  RE: Scenario for discussion

    Posted 12-19-2019 06:54 PM
    It's unlikely to be criminal, but it's adult in nature and disturbing to view.

    ------------------------------
    Emily Roberts
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston, OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------



  • 9.  RE: Scenario for discussion

    Posted 12-19-2019 07:29 PM
    Ahhhh.  Unfortunately, in order to review the device to determine if/how much of your PHI is there, the device has to be viewed.  Perhaps IT could scan it and sort out the types of information (e.g., JPEGs, PDFs, Word documents, etc.) and put them in different folders.

    I can say that from a past incident, we had to look through a laptop for company documents and there was some personal stuff on the laptop.  At that point, the laptop was given to legal.  Legal gave it to IT to sort the best they could, then the lawyer looked for the company documents.

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 10.  RE: Scenario for discussion

    Posted 12-20-2019 09:55 AM

    Emily,

    My question to David was based on my interpretation of your scenario...in that it meant the other information on the drive was ePHI from previous employers. If it could be determined who those other CE's were, I agree that as a CO, I would reach out to them to let them know of the impermissible access and acquisition by the employee.

     

    I'm not sure where you are going with the "disturbing" information path? Disturbing... as in criminal? Then perhaps it's for law enforcement to investigate.

     

    Best Regards,


    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer

    Agadia

    9 Campus Drive, 2nd Floor East

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

     


     

     



