I have a "first" for me, and any thoughts/input/guidance will be greatly appreciated.
Somehow, patients calling one of our physician practice phone numbers after hours are not being rolled over, or routed, to our after-hours answering service. Rather, the calls are being routed to the physician's home phone, and his wife (who is not a workforce member) answers many/most of the calls. The patients are apparently calling with treatment-related questions, such as appointment scheduling, checking lab results, asking post-procedure questions, etc. So, any disclosure of PHI is being made by the patients, and not by our covered entity. The physician's wife does not have any PHI to disclose and, even if she did, it would be disclosed to the patient or patient's representative that initiated the call. That said, the patients are disclosing PHI (e.g., name, reason calling, etc.) while they are trying to figure out who answered the phone and why the person doesn't have relevant information/responses.
We assessed our phone system when we learned of this and then contacted "the phone company." It was apparently determined to be a phone company issue, not an internal phone system problem and, unfortunately, the problem has not yet been fixed. Internally, we are now going to "fix" this by blocking all phone calls outgoing to the physician's home number, until the phone company fixes the issue.
So, is this a HIPAA issue such as an impermissible disclosure or breach, or some other HIPAA privacy/security transgression? As mentioned above, any disclosure of PHI is going from the patient to the provider's wife, and not the other direction and, further, any disclosure that the wife conceivably is making is being disclosed to the patient, and not to a third party. That said, the patients are trying to access health care by calling a phone number that we request the patients to use, and which number seems to function correctly during business hours.
Thanks for any input you may have to share.
Thanks for encouraging C&C on this. I am still not confident on my LoProCo/AAUD skills so, I'm anxious to see how people figure this one out.
I have a risk assessment worksheet given to me by our malpractice carrier. If I use this worksheet, I would determine NO breach. One of the questions it asks is "is there a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information". In this situation, I would say the wife wouldn't retain information – unless it was written down, which the situation doesn't indicate. So, according to this worksheet, if the person couldn't retain the information, there is an 'exception' (not sure if this is accurate).
I'm looking forward to others' C&C thoughts.
Misty Booker, CHC, OCS | Compliance Manager | Baptist Eye Surgeons, PLLC
I tried to use the 5WH1 method. Not sure if I did so correctly, but I also come up with the same answer as Randy, No Breach.
Who: The patient
To Whom: Non CE
What: Their PHI
How: By telephone
This also aligns with Misty's answer in that reasonably what is the Wife going to remember.