CHPC Study Group

Ripped from the other eGroups....Good Post for C&C

  • 1.  Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 08:27 AM
    Below is a very interesting situation posted by Scot H. in the HIPAA eGroup.  I brought it over here as our discussion may be a bit different given that our focus is prepping for exams.

    First...keep in mind...C&C...which is Compare and Contrast.  If folks share a different view, at a minimum, try to at least see if you can follow their reasoning.  Don't focus on whether or not you agree...but simply if you can follow it.

    When I read this, something stood out right away and I am comfortable with my first impression that this represents an impermissible acquisition caused by the CE.  My reasoning is that patients are calling a designated number which they believe is connecting them with the CE.  Patients are then sharing PHI with the spouse of a physician.  So now, because of the circumstances described in the posting, you have someone (the spouse) who now has an impermissible acquisition of PHI that was the result of a situation caused by the CE.  Now the CE can blame the phone company...but for me...the CE is accountable.

    So this makes me ask folks: do you see this as any one of the four impermissibles?

    For those who do...would you LoProCo determine a breach or no breach.

    Good luck!

    Posting from other eGroup below==========================



    I have a "first" for me, and any thoughts/input/guidance will be greatly appreciated.


    Somehow, patients calling one of our physician practice phone numbers after hours are not being rolled over, or routed, to our after-hours answering service. Rather, the calls are being routed to the physician's home phone, and his wife (who is not a workforce member) answers many/most of the calls. The patients are apparently calling with treatment-related questions, such as appointment scheduling, checking lab results, asking post-procedure questions, etc. So, any disclosure of PHI is being made by the patients, and not by our covered entity. The physician's wife does not have any PHI to disclose and, even if she did, it would be disclosed to the patient or patient's representative that initiated the call. That said, the patients are disclosing PHI (e.g., name, reason calling, etc.) while they are trying to figure out who answered the phone and why the person doesn't have relevant information/responses.


    We assessed our phone system when we learned of this and then contacted "the phone company."  It was apparently determined to be a phone company issue, not an internal phone system problem and, unfortunately, the problem has not yet  been fixed.  Internally, we are now going to "fix" this by blocking all phone calls outgoing to the physician's home number, until the phone company fixes the issue.


    So, is this a HIPAA issue such as an impermissible disclosure or breach, or some other HIPAA privacy/security transgression? As mentioned above, any disclosure of PHI is going from the patient to the provider's wife, and not the other direction and, further, any disclosure that the wife conceivably is making is being disclosed to the patient, and not to a third party. That said, the patients are trying to access health care by calling a phone number that we request the patients to use, and which number seems to function correctly during business hours.


    Thanks for any input you may have to share.

    ► Week 4 of the 66ers...Sessions Coming Up! ◄
    --------Frank Ruelas---------
    Certification Disclaimer

  • 2.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 08:42 AM
    Thanks for posting this here. I will echo my response in the other egroup:

    I see an impermissible disclosure, but only on the CE - unless the physician impermissibly gave information to his wife to pass on to the patient - which was not indicated in this scenario.

    SO....doing a LoProCo, I see voluntary disclosure by the patient to someone outside the CE. No Breach.

    Dr. Randy Lewis, LMFT, CHPC
    HIPAA Privacy Officer
    Orange County Government
    Orlando, FL


  • 3.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 08:58 AM
    I love it...thanks for posting as already we have some very clear differences from a C&C perspective...and that's what it is all about!

    Many thanks Randy!

    --------Frank Ruelas---------


  • 4.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 09:28 AM


    Thanks for encouraging C&C on this. I am still not confident on my LoProCo/AAUD skills so, I'm anxious to see how people figure this one out.


    I have a risk assessment worksheet given to me by our malpractice carrier. If I use this worksheet, I would determine NO breach. One of the questions it asks is "is there a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information". In this situation, I would say the wife wouldn't retain information – unless it was written down, which the situation doesn't indicate. So, according to this worksheet if the person couldn't retain the information there is an 'exception' (not sure if this is accurate).


    I'm looking forward to others' C&C thoughts.



    Misty Booker, CHC, OCS |  Compliance Manager | Baptist Eye Surgeons, PLLC 

    4528 Chapman Highway Knoxville, TN  37920 |

    P: 865-579-3920  F: 865-579-3918





  • 5.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 10:04 AM

    I tried to use the 5WH1 method.  Not sure if I did so correctly, but I also come up with the same answer as Randy, No Breach.
    Who: The patient
    To Whom: Non CE
    What: Their PHI
    How: By telephone

    This also aligns with Misty's answer in that reasonably what is the Wife going to remember.

    Melanie Schoonover
    Quality Improvement Supervisor


  • 6.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 12:40 PM
    These incidents always confuse me as to who is responsible.  When I read this my thought was no impermissible.  As I thought about it I just confused myself.  If I have to answer right now, then I'll say no impermissible.

    David Garrison
    Compliance/Privacy Officer


  • 7.  RE: Ripped from the other eGroups....Good Post for C&C

    Posted 07-11-2019 05:56 PM
    I was really enjoying being an observer to the discussion on this in the other group. Being new to compliance, I would start with LoProCo to see where that takes me. I would also find someone with more experience to chat it out.

    Katherine Cardona
