Privacy Officer's Roundtable

Would you consider this a HIPAA violation?

  • 1.  Would you consider this a HIPAA violation?

    Posted 18 days ago

    Patient A, immediately prior to discharge, receives an oxygen tank from an outside DME company for him to take home.  The DME representative comes to Patient A's bedside, educates Patient A on the oxygen tank, and then signs a document from the DME company with spaces for Patient A or the DME company to fill in the patient's name, DOB, address, insurance company, etc.  The document is left at Patient A's bedside by DME company.

    Patient B calls the hospital after discharge and says to the hospital "I was discharged with a copy of Patient A's oxygen tank order form."

    An investigation is done which shows the following:

    (1) Hospital does maintain a copy of the document from the DME company.  It is something that gets given to the patient directly from the DME company and is not maintained in the medical record.
    (2) Because the hospital does not have a copy, and Patient B has not/will not provide the copy he mistakenly received, hospital has no way of knowing which portions of the document were filled out and left blank.
    (3) The patients were not roommates -- they were in separate rooms but the rooms are next to each other.

    No one can recall handing Patient B any paperwork, or can understand why Patient B would have left the hospital with Patient A's oxygen tank receipt.  There is no logical explanation as to how that paper got to another patient in another room.

    Is this a HIPAA breach by the hospital?

    Thank you all for your input!



    ------------------------------
    Jessica Terranova
    VP, General Counsel and Corporate Compliance Officer
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Would you consider this a HIPAA violation?

    Posted 18 days ago

    Here is my thought process. I would presume that the hospital made the contact with the DME company to facilitate setting up home oxygen.  As I understand, you would not need a Business Associate Agreement in place based on this guidance from OCR. 

    https://www.hhs.gov/hipaa/for-professionals/faq/490/when-may-a-covered-health-care-provider-disclose-protected-health-information-without-authorization/index.html

    Applying the four-factor risk assessment:

    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. PHI was involved because it contained the patient's name, DOB, address, insurance company, etc.

    https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#protected

    2. The unauthorized person who used the protected health information or to whom the disclosure was made. Patient B, who was unauthorized to receive the information.

    3. Whether the protected health information was actually acquired or viewed. The information was viewed by Patient B.

    4. The extent to which the risk to the protected health information has been mitigated. The risk to PHI has not been mitigated. Patient B did not return the copy and can retain the information they have viewed.

    A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the factors listed above.


    Does it meet an exception to the reporting requirement?


    1. Was it an unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority? Maybe
    2. Was it an inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement? No
    3. Does the covered entity or business associate have a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information? No

    https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html


    Because it is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment, I think it would be prudent to err on the side of caution by making a breach notification to Patient A and OCR.

    There is a possibility that Patient B may have already notified or tried to contact Patient A to inform him/her of receiving the information.

    I'd be interested to see how others in this group would analyze this incident.
    Becky



    ------------------------------
    Rebecca Summey-Lowman, MBA, RDN, CPHRM, CPPS, CHPS
    Senior Risk Consultant
    Curi
    Raleigh, NC
    ------------------------------



  • 3.  RE: Would you consider this a HIPAA violation?

    Posted 18 days ago
    Was it actually PHI? As defined in 45 CFR § 160.103, Protected health information means individually identifiable health information:
    1. Except as provided in paragraph (2) of this definition, that is:
    i. Transmitted by electronic media
    ii. Maintained in electronic media; or
    iii. Transmitted or maintained in any other form or medium.

    The hospital did not create the document. They don't do any of the items above defining PHI. Some other organization created it and gave it directly to the patient. Just because the data on it is very similar to data held by the hospital doesn't suddenly make it the hospital's data. The patient was given the document by the DME company, so it was in the patient's care, not the care of the hospital. There is no way for the hospital to know how the patient transferred the document (which was in their care) to another patient. But I don't see the hospital responsible for it at all.

    But what do I know? I work for a dental health plan. We don't have patients.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 4.  RE: Would you consider this a HIPAA violation?

    Posted 7 days ago
    I would agree with Carl. If the patient was given the document by the DME company, it is now in the possession of the patient. Is the patient supposed to fill this form out and leave it for the hospital, or take it with them and mail it to the DME company? (I may have missed this part.) If, once the patient was given the document, the hospital has no other part in this form, I can't see how this would be their fault that another patient got the form. Maybe patient A dropped it upon leaving the hospital and patient B picked it up? If this is the case, then I don't see a HIPAA violation on the hospital. Just my thoughts, as I don't work for a hospital so I don't know how this process typically works.

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson, TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 5.  RE: Would you consider this a HIPAA violation?

    Posted 7 days ago
    If there was no Business Associate relationship, I don't think the hospital would have an obligation to report it as a breach.
    Becky





  • 6.  RE: Would you consider this a HIPAA violation?

    Posted 7 days ago
    Edited by Brenda Manning 7 days ago
    In the spirit of compare and contrast, I view it differently. The scenario states that there is a copy of this form floating around somewhere that the hospital maintains. I don't see that we've dispensed with what happened to the copy, only the original, or am I missing that? Is that a paper copy? I'm reading this scenario as Patient B could have somehow received the hospital's copy, and if that's the case I would consider it a breach. I would just file the report and explain, hey, we investigated and we're not quite sure.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232
    bkmanning@carilionclinic.org

    Our Mission: Improve the health of the communities we serve.


    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------
