CHPC Study Group

  • 1.  Scenario we have all come across

    Posted 06-19-2020 09:10 AM
    Everyone,
    Here is a scenario that I am sure most of us have come across.....

    An employee sends an unencrypted email that contains PHI to an outside agency.  The specifics are that your company and the agency have a BAA in place, and the receiver of the email has a need to know to coordinate healthcare for the patient.  Per the Security Rule, PHI needs to be protected (encrypted) in transmission. Is this a breach, an impermissible disclosure, or nothing but a lack of judgement and concentration by the employee for not encrypting the email?

    Please let me know your thoughts.

    Thank you,

    ------------------------------
    Patrick Forand, MPH, CHPC
    Director of Risk Management
    CAN Community Health
    Sarasota, Florida
    ------------------------------
    Certification Disclaimer


  • 2.  RE: Scenario we have all come across

    Posted 06-19-2020 10:02 AM

    Patrick...I'll take a crack at this...please let me know your feedback

    An employee sends an unencrypted email that contains PHI to an outside agency.  The specifics are, that your company and the agency have a BAA in place, the receiver of the email has a need to know to coordinate healthcare for the patient.  Per the Security Rule, PHI needs to be protected (encrypted) in transmission,

    ...is this a breach?
    I say yes given that it is an impermissible disclosure given that the transmission is not protected as is required by the regulations (or internal policy).  Therefore, it is presumed to be a breach and one can either assess and take action depending on the conclusion or one can simply move forward with the required notifications (remember DoD + 60)

    an impermissible disclosure...
    Of the four impermissibles, I would categorize this as an example of an impermissible disclosure.

    or nothing but lack of judgement and concentration by the employee for not encrypting the email.
    No...if policy, training and education, and other efforts are aimed at people sending PHI accurately and in a secured manner, you also have a violation of internal policies and procedures...which also makes this an impermissible disclosure and takes you down the presumed breach road.

    BONUS...breach assessment
    Factor 1: Yes/High
    Factor 2: Yes/High
    Factor 3: Low
    Factor 4: Low
    Conclusion: This impermissible disclosure does not represent where there is more than a low probability of compromise of the security or privacy of the PHI....assessment conclusion...NO BREACH.

    Someone might ask how can I conclude Factor 4 to be low...good question...let's see what some people may have to offer along those lines.

    Thoughts?



    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    ------------------------------



  • 3.  RE: Scenario we have all come across

    Posted 06-19-2020 10:12 AM

    I agree that Factor 4 is Low...because of the very low likelihood that anyone at the ISP (or any other section of the electronic transmission route), would intercept that particular e-mail.

    However, if your ISP saves copies of all sent e-mails on the server, you'll want to go there and delete it so you don't have unencrypted ePHI sitting around at the ISP. You'll also want to delete it from your sent mail folder on your local machine as well...even if your machine is encrypted, it is probably better not to have ePHI on it if it can be avoided (just a personal preference).


    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer


    9 Campus Drive, Suite 200

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440


    Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  Thank you.

    No copyright infringement intended.



  • 4.  RE: Scenario we have all come across

    Posted 06-19-2020 10:51 AM
    Scot...a good angle for sure.  Take a quick peek back at the scenario and what can you take from it given the relationship of the involved parties and why this may result in a Low.

    Not saying your answer is incorrect...looking to push a bit here to see what else, if anything, one may work into the assessment.

    Thanks!

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ------------------------------



  • 5.  RE: Scenario we have all come across

    Posted 06-19-2020 11:59 AM
    Frank and Scot,
    Thanks for the response.  It really helps to hear from others. I first started by shaking my head as I don't know how many times I have instructed staff on how to encrypt an email. From there it went to now I need to complete my investigation tool. 

    With the point of an impermissible disclosure, since the info is needed and allowed by both parties, if the impermissible part is the method of disclosure, then yes. I would say that due to the LoProCo, it is not a breach, as you said. Definitely a breach of internal policies, on which staff are trained on an annual basis through LMS.

    I think I need a refresher on the four factors that you are referring to.  I might know them in a different context.

    I will have to check with IT about the ISP saving copies of emails.

    Thank you,

    ------------------------------
    Patrick Forand, MPH, CHPC
    Director of Risk Management
    CAN Community Health
    Sarasota, Florida
    ------------------------------



  • 6.  RE: Scenario we have all come across

    Posted 06-19-2020 03:03 PM

    Patrick,

    Here are the four factors...


    Four factors must be considered, at minimum:

    1. The nature and extent of the PHI involved -- Was sensitive data, such as Social Security numbers and detailed clinical information, involved in an incident?
    2. The unauthorized person who used the PHI or to whom the disclosure was made -- If the disclosures were to another HIPAA-regulated entity or to a federal agency, for example, this may result in a "lower probability that the [PHI] has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity."
    3. Whether the PHI actually was acquired or viewed -- This would typically involve a forensic analysis or investigation that could determine whether PHI contained on a lost or stolen laptop or other portable electronic device actually was viewed or accessed.
    4. The extent to which the risk to the PHI has been mitigated -- This might involve reaching out to an unauthorized recipient of the PHI to obtain "satisfactory assurances" that any PHI sent to a recipient was not further used or disclosed but instead destroyed.


    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer


    9 Campus Drive, Suite 200

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440




  • 7.  RE: Scenario we have all come across

    Posted 06-19-2020 03:06 PM
    Scot,
    Thank you. I have them listed in my breach investigation tool. Have not referred to them as the 4 factors. Now I know. 


    ------------------------------
    Patrick Forand, MPH, CHPC
    Director of Risk Management
    CAN Community Health
    Sarasota, Florida
    ------------------------------



  • 8.  RE: Scenario we have all come across

    Posted 06-22-2020 08:08 AM
    Hi Patrick et al

    I guess I always get stuck at the outset with this type of scenario.  Is it really a presumed breach if the unencrypted email went to the intended recipient who is authorized to view the ePHI?  Or is it simply a violation of internal policy since encryption is not required by the security rule?

    This is not like a server containing ePHI and left wide open to the general public's viewing and it has been demonstrated that it was accessed by the public.

    Doing my Monday morning C&C.

    Thoughts?

    ------------------------------
    Hernan Serrano
    St. Louis Metro Area
    ------------------------------



  • 9.  RE: Scenario we have all come across

    Posted 06-22-2020 01:51 PM
    Hernan,
    I always presume a breach until I can complete my breach investigation tool. During the investigation, I uncover what happened from the beginning until it came to my attention. The other issue is with staff: whenever they have an issue with disclosing PHI they call it a "breach", which, as we know, is a misnomer because it very well might not be a breach.

    It is a violation of internal policy because the proper steps were not taken to encrypt an email to an outside source.

    Thank you for the C&C.

    ------------------------------
    Patrick Forand, MPH, CHPC
    Director of Risk Management
    CAN Community Health
    Sarasota, Florida
    ------------------------------
